Alliance Doc

Arbutus object storage

Revision as of 14:59, 25 May 2021 by Lwhittin (talk | contribs) (Changes as per Mike Cave's request (https://git.computecanada.ca/uvic-rcs/documentation/-/blob/master/procedures/storage/Ceph/Rados%20Gateway%20(ObjectStorage)/bucketPermissions.md))

Arbutus Object storage

Object storage at Arbutus can be requested via cloud@computecanada.ca.

You can either apply for a RAS allocation or a RAC allocation.

We offer access to the Object Store via three different protocols:

  1. S3
  2. Swift
  3. Radosgw

Access Request Information

When requesting access we will ask you for the following:

  • Project code (e.g. rrg_piUserName)
  • CC username of the user(s) to add
  • Actual name of user(s) (e.g. Mike Cave)
  • Expiry date of user(s) - This is used if the user is a temp member of the group (e.g. grad student, lab assistant, temporary group member)
  • Permission type (read, write, both), per user
  • Do you need a Swift key?

Once we have the basic users and account setup on the object storage service, we will let you know how to collect the keys for access.

Bucket Management

Admins will create the project for new requests and users are generated for the project at the time.

The users are responsible for operations inside of the 'tenant'. As such, the buckets and management of those buckets are up to the user.

The tool "s3cmd" which is available in Linux is the perferred way to access our S3 gateway, however ther are other tools out there that will also work.

Some General Information

  • Buckets are owned to the user that creates them and no other users can manipulate them
  • You can make a bucket world accessible which then gives you a URL to post that will serve content in the bucket
  • Bucket policies are managed via json files

Example Bucket operations

  • Making a bucket public so that it is web accessible:

    s3cmd setacl s3://testbucket --acl-public

  • Make the bucket private again:

    s3cmd setacl s3://testbucket --acl-private

  • Example bucket policy:

    You need to first create a policy json file:

    "testbucket.policy": 
{
"Version": "2012-10-17",
"Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": [
    "arn:aws:iam::rrg_cjhuofw:user/parsa7",
    "arn:aws:iam::rrg_cjhuofw:user/dilbar"
    ]},
    "Action": [
    "s3:ListBucket",
    "s3:PutObject",
    "s3:DeleteObject",
    "s3:GetObject"
    ],
    "Resource": [
    "arn:aws:s3:::testbucket/*",
    "arn:aws:s3:::testbucket"
    ]
}]
}

    This file allows you to set specific permissions for any number of users of that bucket.

    You can even specify users from another tenant if there is a user from another project working with you.

    Now that you have your policy file, you can implement that policy on the bucket:

    s3cmd setpolicy testbucket.policy s3://testbucket

    More extensive examples and actions can be found here: https://www.linode.com/docs/platform/object-storage/how-to-use-object-storage-acls-and-bucket-policies/

Rapid Access Service

Resource Allocation Competition

Retrieved from "https://docs.alliancecan.ca/mediawiki/index.php?title=Arbutus_object_storage&oldid=100324"