Arbutus object storage: Difference between revisions
(Created page with "= Rados Gateway Bucket Management = We create the project for the users when we are generating the users for the project. The users are responsible for operations inside of...")
(Changes as per Mike Cave's request (https://git.computecanada.ca/uvic-rcs/documentation/-/blob/master/procedures/storage/Ceph/Rados%20Gateway%20(ObjectStorage)/bucketPermissions.md))
Revision as of 14:59, 25 May 2021
Arbutus Object storage
Object storage at Arbutus can be requested via cloud@computecanada.ca.
You can either apply for a RAS allocation or a RAC allocation.
We offer access to the Object Store via three different protocols:
- S3
- Swift
- Radosgw
Access Request Information
When requesting access we will ask you for the following:
- Project code (e.g. rrg_piUserName)
- CC username of the user(s) to add
- Actual name of user(s) (e.g. Mike Cave)
- Expiry date of user(s) - This is used if the user is a temp member of the group (e.g. grad student, lab assistant, temporary group member)
- Permission type (read, write, both), per user
- Do you need a Swift key?
Once we have the basic users and account setup on the object storage service, we will let you know how to collect the keys for access.
Bucket Management
Admins will create the project for new requests, and users are generated for the project at that time.
The users are responsible for operations inside of the 'tenant'. As such, the buckets and management of those buckets are up to the user.
The tool "s3cmd", which is available on Linux, is the preferred way to access our S3 gateway; however, there are other tools that will also work.
Some General Information
- Buckets are owned by the user that creates them and no other users can manipulate them
- You can make a bucket world accessible which then gives you a URL to post that will serve content in the bucket
- Bucket policies are managed via JSON files
Example Bucket operations
Making a bucket public so that it is web accessible:
s3cmd setacl s3://testbucket --acl-public
Make the bucket private again:
s3cmd setacl s3://testbucket --acl-private
Example bucket policy:
You first need to create a policy JSON file, here named testbucket.policy:

    {
      "Version": "2012-10-17",
      "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": [
          "arn:aws:iam::rrg_cjhuofw:user/parsa7",
          "arn:aws:iam::rrg_cjhuofw:user/dilbar"
        ]},
        "Action": [
          "s3:ListBucket",
          "s3:PutObject",
          "s3:DeleteObject",
          "s3:GetObject"
        ],
        "Resource": [
          "arn:aws:s3:::testbucket/*",
          "arn:aws:s3:::testbucket"
        ]
      }]
    }
This file allows you to set specific permissions for any number of users of that bucket.
You can even specify users from another tenant if there is a user from another project working with you.
Now that you have your policy file, you can implement that policy on the bucket:
s3cmd setpolicy testbucket.policy s3://testbucket
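A policy file can be checked before it is handed to s3cmd setpolicy. The following is an added example, not part of the original page or of any Compute Canada tooling: it reports invalid JSON, grants to every user, grants to users of another tenant, and Action/Resource mismatches. The function name, the set of checks, and the tenant rrg_other in the constructed sample are assumptions made for illustration.

```python
import json

# Actions that target the bucket itself; this is a small subset chosen for
# the example, and every other action is treated as object-level.
BUCKET_LEVEL = {"s3:ListBucket", "s3:GetBucketPolicy", "s3:PutBucketPolicy"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_policy(policy_text, bucket, tenant):
    """Return a list of findings for a bucket policy before it is applied."""
    try:
        policy = json.loads(policy_text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg} at line {exc.lineno}"]
    if not isinstance(policy, dict):
        return ["invalid policy: top level must be a JSON object"]
    findings, bucket_arn = [], f"arn:aws:s3:::{bucket}"
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # only grants are reviewed here
        principal = stmt.get("Principal")
        arns = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        for arn in arns:
            if arn == "*":
                findings.append(f"statement {i}: open to every user (Principal '*')")
            elif isinstance(arn, str) and arn.split(":")[4:5] != [tenant]:
                findings.append(f"statement {i}: grants access outside tenant {tenant}: {arn}")
        resources = _as_list(stmt.get("Resource", []))
        in_bucket = [r for r in resources if r.startswith(bucket_arn + "/")]
        for res in resources:
            if res != bucket_arn and res not in in_bucket:
                findings.append(f"statement {i}: resource outside {bucket}: {res}")
        actions = set(_as_list(stmt.get("Action", [])))
        if actions & BUCKET_LEVEL and bucket_arn not in resources:
            findings.append(f"statement {i}: bucket-level action without {bucket_arn}")
        if actions - BUCKET_LEVEL and not in_bucket:
            findings.append(f"statement {i}: object action without {bucket_arn}/*")
    return findings

# Constructed sample (not from the page): wildcard principal, a user from a
# made-up tenant "rrg_other", and s3:ListBucket without the bucket ARN.
RISKY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": ["*", "arn:aws:iam::rrg_other:user/guest"]},
    "Action": ["s3:ListBucket", "s3:GetObject"],
    "Resource": ["arn:aws:s3:::testbucket/*"]}]})

if __name__ == "__main__":
    for finding in audit_policy(RISKY, "testbucket", "rrg_cjhuofw"):
        print(finding)
```

An empty result means none of these checks fired; a cross-tenant finding is expected when you are deliberately sharing with another project and is listed so that the grant is reviewed rather than missed.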
More extensive examples and actions can be found here: https://www.linode.com/docs/platform/object-storage/how-to-use-object-storage-acls-and-bucket-policies/