Last Updated: March 21, 2019


The Ceph connector enables use of a Globus data access interface on a Ceph storage system, via the Ceph Object Gateway. This requires the installation of Globus Connect Server. The connector is available as an add-on subscription to organizations with a Globus Standard subscription - please contact us for pricing.

This document describes how to install and configure the Ceph Connector as well as create a Ceph Storage Gateway. After the installation is complete, any authorized user can establish a connection to the Ceph buckets that they have access to by following the steps in this How To in order to create a guest collection using a configured Ceph Storage Gateway on the endpoint. The system administrator can also create a mapped collection using a configured high assurance Ceph Storage Gateway, by following the instructions in the mapped collection section of the high assurance Globus Connect Server version 5 guide.

The installation must be done by a system administrator, and has the following distinct set of steps:

  • Installation of the packages needed for Globus Connect Server version 5 endpoint as well as creation of the endpoint itself.

  • Create a storage gateway on the endpoint configured to use the Ceph Connector.

Please contact us at support@globus.org if you have questions or need help with installation and use of the Ceph Connector.


Table of Contents

Endpoint Installation

The Ceph Connector requires a functional Globus Connect Server 5 endpoint in order to be used. Instructions for installing and configuring and endpoint using Globus Connect Server 5 can be found here. The rest of this document assumes that a functional Globus Connect Server 5 endpoint is being used when attempting to configure the Ceph Connector.

Configuration

The Ceph DSI requires the following steps for configuration:

  • Create a RADOS Gateway User with users:read capabilities

Create a RADOS Gateway User with users:read capabilities

This identity is used by the Ceph DSI to look up keys associated with the Ceph user_id that the GridFTP session is authorized to run as.

This command must be run on a host with access to the ceph client.admin keyring in order to create the gridftp Ceph user_id:

# radosgw-admin user create \
    --uid=gridftp \
    --display-name "GridFTP Ceph Connector" \
    --caps="users=read"

Note in the output for this command the access_key and secret_access_key fields of the keys object, as those will be needed in the next step. If you forget to record those, you can use the following command to retrieve the same information:

# radosgw-admin user info --uid=gridftp

Creating a Storage Gateway using the Ceph Connector

To create an Ceph Storage Gateway on an endpoint, use the `globus-connect-server-config storage-gateway create’ command. For example:

$ sudo globus-connect-server-config storage-gateway create \
    --connector Ceph \
    --display-name "Ceph Storage Gateway" \
    --root "/" \
    --domain example.edu \
    --s3-endpoint https://radosgw.example.edu \
    --s3-bucket data-bucket1 \
    --s3-bucket data-bucket2 \
    --ceph-admin-key-id ACCESS-KEY \
    --ceph-admin-secret-key SECRET-ACCESS-KEY

Storage Gateway Created: 99d351bc-cdb4-4cee-be86-3bb01e4b1022

Note that the ID of the new storage gateway is given in the output.

This would create a storage gateway on the endpoint that:

  1. Uses the "Ceph" storage connector and is called "Ceph Storage Gateway".

  2. Causes new collections to be rooted in the bucket space of the radosgw.example.edu Ceph endpoint.

  3. Allows Globus users with an identity from the example.edu Identity Provider to create collections, if they have a Ceph account with a username that is the same as the username of their example.edu domain identity.

  4. Allows access to the data-bucket1 and data-bucket2 Ceph buckets as /data-bucket1 and /data-bucket2 on the storage gateway.

  5. Uses the values ACCESS-KEY and SECRET-ACCESS-KEY from the previous configuration step as to access the Ceph administration bucket and access user information.

The the globus-connect-server-config storage-gateway create command supports the following options for storage gateways configured to use the Ceph Connector, in addition to the common options supported for all storage connectors:

--s3-endpoint ENDPOINT

Full URL of S3 compatible storage location. May include a port. e.g. https://s3.amazonaws.com:443. A list of Amazon S3 endpoint hostnames by region can be found here: http://docs.aws.amazon.com/general/latest/gr/rande.html#s3_region This is a required parameter for this connector.

--s3-bucket BUCKET, -b BUCKET

S3 compatible bucket to make available in the root of the storage gateway. This option may be used 0 or more times. For an unauthenticated storage gateway, only buckets added by this option will be visible in the root of the storage gateway. If none are added, then the storage gateway root directory will appear empty. For an authenticated storage gateway, only these buckets will be made available in the root (if the S3 credential allows them). If none are added, then the storage gateway root directory will include all buckets for which the AWS S3 Credential has been granted access permissions.

--ceph-admin-key-id

The Ceph administrator key id with the users:read capability. This is a required parameter for a Ceph Storage Gateway.

--ceph-admin-secret-key

The Ceph administrator secret key associated with the Ceph admin key passed in with the previous parameter.

Creating a collection on a Ceph Storage Gateway

Once a Ceph Storage Gateway has been configured on the endpoint, permitted users can then create mapped collections using the storage gateway. These collections allow permitted Globus users access to the Ceph service using their Ceph username. The process of creating a new mapped collection using a storage gateway configured to use the Ceph Connector is found here. The system administrator can also create a mapped collection using a configured high assurance Ceph Storage Gateway, by following the instructions in the mapped collection section of the Globus Connect Server version 5 guide. Please also refer to the Globus Connect Server install document for the various options available in the tool to manage storage gateways.


© 2010- The University of Chicago Legal