Ceph使用---对象存储网关RadosGW

一、RadosGW 对象存储网关简介

http://docs.ceph.org.cn/radosgw/
对象存储特性:

  • 数据不需要放置在目录层次结构中, 而是存在于平面地址空间内的同一级别
  • 应用通过唯一地址来识别每个单独的数据对象
  • 每个对象可包含有助于检索的元数据
  • 通过 RESTful API 在应用级别(而非用户级别) 进行访问

      RadosGW 是对象存储(OSS,Object Storage Service)的一种访问实现方式, RADOS 网关也称为 Ceph 对象网关、 RadosGW、 RGW, 是一种服务, 使客户端能够利用标准对象存储API 来访问 Ceph 集群, 它支持 AWS S3 和 Swift API, 在 ceph 0.8 版本之后使用 Civetweb(https://github.com/civetweb/civetweb) 的 web 服务器来响应 api 请求, 客户端使用http/https 协议通过 RESTful API 与 RGW 通信, 而 RGW 则通过 librados 与 ceph 集群通信, RGW 客户端通过 s3 或者 swift api 使用 RGW 用户进行身份验证, 然后 RGW 网关代表用户利用 cephx 与 ceph 存储进行身份验证。
      S3 由 Amazon 于 2006 年推出, 全称为 Simple Storage Service,S3 定义了对象存储, 是对象存储事实上的标准, 从某种意义上说, S3 就是对象存储, 对象存储就是 S3,它是对象存储市场的霸主, 后续的对象存储都是对 S3 的模仿

RadosGW 存储特点

  • 通过对象存储网关将数据存储为对象, 每个对象除了包含数据, 还包含数据自身的元数据。
  • 对象通过 Object ID 来检索, 无法通过普通文件系统的挂载方式通过文件路径加文件名称操作来直接访问对象, 只能通过 API 来访问, 或者第三方客户端(实际上也是对 API 的封装) 。
  • 对象的存储不是垂直的目录树结构, 而是存储在扁平的命名空间中, Amazon S3 将这个扁平命名空间称为 bucket, 而 swift 则将其称为容器。
  • 无论是 bucket 还是容器, 都不能再嵌套(在 bucket 不能再包含 bucket)。
  • bucket 需要被授权才能访问到, 一个帐户可以对多个 bucket 授权, 而权限可以不同。
  • 方便横向扩展、 快速检索数据。
  • 不支持客户端挂载,且需要客户端在访问的时候指定文件名称。
  • 不是很适用于文件过于频繁修改及删除的场景。

ceph 使用 bucket 作为存储桶(存储空间), 实现对象数据的存储和多用户隔离, 数据存储在bucket 中, 用户的权限也是针对 bucket 进行授权, 可以设置用户对不同的 bucket 拥有不同的权限, 以实现权限管理。

bucket 特性

  • 存储空间(bucket)是用于存储对象(Object) 的容器, 所有的对象都必须隶属于某个存储空间, 可以设置和修改存储空间属性用来控制地域、 访问权限、 生命周期等, 这些属性设置直接作用于该存储空间内所有对象, 因此可以通过灵活创建不同的存储空间来完成不同的管理功能。
  • 同一个存储空间的内部是扁平的, 没有文件系统的目录等概念, 所有的对象都直接隶属于其对应的存储空间。
  • 每个用户可以拥有多个存储空间
  • 存储空间的名称在 OSS 范围内必须是全局唯一的, 一旦创建之后无法修改名称。
  • 存储空间内部的对象数目没有限制。

bucket 命名规范:

https://docs.amazonaws.cn/AmazonS3/latest/userguide/bucketnamingrules.html

  • 只能包括小写字母、 数字和短横线(-) 。
  • 必须以小写字母或者数字开头和结尾。
  • 长度必须在 3-63 字节之间。
  • 存储桶名称不能使用用 IP 地址格式。
  • Bucket 名称必须全局唯一。

radosgw 架构图

radosgw 逻辑图

对象存储访问对比:

Amazon S3: 提供了 user、 bucket 和 object 分别表示用户、 存储桶和对象, 其中 bucket隶属于 user, 可以针对 user 设置不同 bucket 的名称空间的访问权限, 而且不同用户允许访问相同的 bucket。
OpenStack Swift: 提供了 user、 container 和 object 分别对应于用户、 存储桶和对象, 不过它还额外为 user 提供了父级组件 account, account 用于表示一个项目或租户(OpenStack用户), 因此一个 account 中可包含一到多个 user, 它们可共享使用同一组 container, 并为container 提供名称空间。
RadosGW: 提供了 user、 subuser、 bucket 和 object, 其中的 user 对应于 S3 的 user, 而subuser 则对应于 Swift 的 user, 不过 user 和 subuser 都不支持为 bucket 提供名称空间,因此, 不同用户的存储桶也不允许同名; 不过, 自 Jewel 版本起, RadosGW 引入了 tenant( 租户) 用于为 user 和 bucket 提供名称空间, 但它是个可选组件, RadosGW 基于 ACL为不同的用户设置不同的权限控制, 如:
Read 读权限
Write 写权限
Readwrite 读写权限
full-control 全部控制权限

部署 RadosGW 服务:

ceph-mgr1ceph-mgr2 服务器部署为高可用的 radosGW 服务

安装 radosgw 服务并初始化:

[root@ceph-mgr1 ~]# apt install radosgw -y
[root@ceph-mgr2 ~]# apt install radosgw -y

#在 ceph deploy 服务器将 ceph-mgr1 初始化为 radosGW 服务:
[cephadmin@ceph-deploy ~]$ cd ceph-cluster/
[cephadmin@ceph-deploy ceph-cluster]$ ceph-deploy rgw create ceph-mgr2
[cephadmin@ceph-deploy ceph-cluster]$ ceph-deploy rgw create ceph-mgr1

操作执行过程

cephadmin@ceph-deploy:~/ceph-cluster$ ceph-deploy rgw create ceph-mgr1
[ceph_deploy.conf][DEBUG ] found configuration file at: /home/cephadmin/.cephdeploy.conf
[ceph_deploy.cli][INFO  ] Invoked (2.1.0): /usr/local/bin/ceph-deploy rgw create ceph-mgr1
[ceph_deploy.cli][INFO  ] ceph-deploy options:
[ceph_deploy.cli][INFO  ]  verbose                       : False
[ceph_deploy.cli][INFO  ]  quiet                         : False
[ceph_deploy.cli][INFO  ]  username                      : None
[ceph_deploy.cli][INFO  ]  overwrite_conf                : False
[ceph_deploy.cli][INFO  ]  ceph_conf                     : None
[ceph_deploy.cli][INFO  ]  cluster                       : ceph
[ceph_deploy.cli][INFO  ]  subcommand                    : create
[ceph_deploy.cli][INFO  ]  cd_conf                       : <ceph_deploy.conf.cephdeploy.Conf object at 0x7f36ede91850>
[ceph_deploy.cli][INFO  ]  default_release               : False
[ceph_deploy.cli][INFO  ]  func                          : <function rgw at 0x7f36ede71b80>
[ceph_deploy.cli][INFO  ]  rgw                           : [('ceph-mgr1', 'rgw.ceph-mgr1')]
[ceph_deploy.rgw][DEBUG ] Deploying rgw, cluster ceph hosts ceph-mgr1:rgw.ceph-mgr1
[ceph-mgr1][DEBUG ] connection detected need for sudo
[ceph-mgr1][DEBUG ] connected to host: ceph-mgr1 
[ceph_deploy.rgw][INFO  ] Distro info: ubuntu 20.04 focal
[ceph_deploy.rgw][DEBUG ] remote host will use systemd
[ceph_deploy.rgw][DEBUG ] deploying rgw bootstrap to ceph-mgr1
[ceph-mgr1][INFO  ] Running command: sudo ceph --cluster ceph --name client.bootstrap-rgw --keyring /var/lib/ceph/bootstrap-rgw/ceph.keyring auth get-or-create client.rgw.ceph-mgr1 osd allow rwx mon allow rw -o /var/lib/ceph/radosgw/ceph-rgw.ceph-mgr1/keyring
[ceph-mgr1][INFO  ] Running command: sudo systemctl enable ceph-radosgw@rgw.ceph-mgr1
[ceph-mgr1][INFO  ] Running command: sudo systemctl start ceph-radosgw@rgw.ceph-mgr1
[ceph-mgr1][INFO  ] Running command: sudo systemctl enable ceph.target
[ceph_deploy.rgw][INFO  ] The Ceph Object Gateway (RGW) is now running on host ceph-mgr1 and default port 7480
cephadmin@ceph-deploy:~/ceph-cluster$ 
cephadmin@ceph-deploy:~/ceph-cluster$ 
cephadmin@ceph-deploy:~/ceph-cluster$ ceph-deploy rgw create ceph-mgr2
[ceph_deploy.conf][DEBUG ] found configuration file at: /home/cephadmin/.cephdeploy.conf
[ceph_deploy.cli][INFO  ] Invoked (2.1.0): /usr/local/bin/ceph-deploy rgw create ceph-mgr2
[ceph_deploy.cli][INFO  ] ceph-deploy options:
[ceph_deploy.cli][INFO  ]  verbose                       : False
[ceph_deploy.cli][INFO  ]  quiet                         : False
[ceph_deploy.cli][INFO  ]  username                      : None
[ceph_deploy.cli][INFO  ]  overwrite_conf                : False
[ceph_deploy.cli][INFO  ]  ceph_conf                     : None
[ceph_deploy.cli][INFO  ]  cluster                       : ceph
[ceph_deploy.cli][INFO  ]  subcommand                    : create
[ceph_deploy.cli][INFO  ]  cd_conf                       : <ceph_deploy.conf.cephdeploy.Conf object at 0x7f3f4d0e7880>
[ceph_deploy.cli][INFO  ]  default_release               : False
[ceph_deploy.cli][INFO  ]  func                          : <function rgw at 0x7f3f4d0c5b80>
[ceph_deploy.cli][INFO  ]  rgw                           : [('ceph-mgr2', 'rgw.ceph-mgr2')]
[ceph_deploy.rgw][DEBUG ] Deploying rgw, cluster ceph hosts ceph-mgr2:rgw.ceph-mgr2
[ceph-mgr2][DEBUG ] connection detected need for sudo
[ceph-mgr2][DEBUG ] connected to host: ceph-mgr2 
[ceph_deploy.rgw][INFO  ] Distro info: ubuntu 20.04 focal
[ceph_deploy.rgw][DEBUG ] remote host will use systemd
[ceph_deploy.rgw][DEBUG ] deploying rgw bootstrap to ceph-mgr2
[ceph-mgr2][INFO  ] Running command: sudo ceph --cluster ceph --name client.bootstrap-rgw --keyring /var/lib/ceph/bootstrap-rgw/ceph.keyring auth get-or-create client.rgw.ceph-mgr2 osd allow rwx mon allow rw -o /var/lib/ceph/radosgw/ceph-rgw.ceph-mgr2/keyring
[ceph-mgr2][INFO  ] Running command: sudo systemctl enable ceph-radosgw@rgw.ceph-mgr2
[ceph-mgr2][WARNIN] Created symlink /etc/systemd/system/ceph-radosgw.target.wants/ceph-radosgw@rgw.ceph-mgr2.service → /lib/systemd/system/ceph-radosgw@.service.
[ceph-mgr2][INFO  ] Running command: sudo systemctl start ceph-radosgw@rgw.ceph-mgr2
[ceph-mgr2][INFO  ] Running command: sudo systemctl enable ceph.target
[ceph_deploy.rgw][INFO  ] The Ceph Object Gateway (RGW) is now running on host ceph-mgr2 and default port 7480
cephadmin@ceph-deploy:~/ceph-cluster$ 
View Code

验证 radosgw 服务状态:

验证 radosgw 服务进程:

radosgw 的存储池类型:

cephadmin@ceph-deploy:~/ceph-cluster$ ceph osd pool ls
device_health_metrics
.rgw.root
default.rgw.log
default.rgw.control
default.rgw.meta
cephfs-metadata
cephfs-data
rbd-data1
default.rgw.buckets.index
default.rgw.buckets.data
k8s-rbd-pool
cephadmin@ceph-deploy:~/ceph-cluster$

查看默认 radosgw 的存储池信息:

cephadmin@ceph-deploy:~/ceph-cluster$ radosgw-admin zone get --rgw-zone=default --rgw-zonegroup=default

{
    "id": "a55c81f4-16a0-4cec-b6f1-d345e054f568",
    "name": "default",
    "domain_root": "default.rgw.meta:root",
    "control_pool": "default.rgw.control",
    "gc_pool": "default.rgw.log:gc",
    "lc_pool": "default.rgw.log:lc",
    "log_pool": "default.rgw.log",
    "intent_log_pool": "default.rgw.log:intent",
    "usage_log_pool": "default.rgw.log:usage",
    "roles_pool": "default.rgw.meta:roles",
    "reshard_pool": "default.rgw.log:reshard",
    "user_keys_pool": "default.rgw.meta:users.keys",
    "user_email_pool": "default.rgw.meta:users.email",
    "user_swift_pool": "default.rgw.meta:users.swift",
    "user_uid_pool": "default.rgw.meta:users.uid",
    "otp_pool": "default.rgw.otp",
    "system_key": {
        "access_key": "",
        "secret_key": ""
    },
    "placement_pools": [
        {
            "key": "default-placement",
            "val": {
                "index_pool": "default.rgw.buckets.index",
                "storage_classes": {
                    "STANDARD": {
                        "data_pool": "default.rgw.buckets.data"
                    }
                },
                "data_extra_pool": "default.rgw.buckets.non-ec",
                "index_type": 0
            }
        }
    ],
    "realm_id": "",
    "notif_pool": "default.rgw.log:notif"
}

#rgw pool 信息:

  • .rgw.root: 包含 realm(领域信息), 比如 zone 和 zonegroup。
  • default.rgw.log: 存储日志信息, 用于记录各种 log 信息。
  • default.rgw.control: 系统控制池, 在有数据更新时, 通知其它 RGW 更新缓存。
  • default.rgw.meta: 元数据存储池, 通过不同的名称空间分别存储不同的 rados 对象, 这些名称空间包括用户UID 及其 bucket 映射信息的名称空间 users.uid、用户的密钥名称空间users.keys、 用户的 email 名称空间 users.email、用户的 subuser 的名称空间 users.swift,以及 bucket 的名称空间 root 等。
  • default.rgw.buckets.index: 存放 bucket 到 object 的索引信息。
  • default.rgw.buckets.data: 存放对象的数据。
  • default.rgw.buckets.non-ec #数据的额外信息存储池
  • default.rgw.users.uid: 存放用户信息的存储池。
  • default.rgw.data.root: 存放 bucket 的元数据, 结构体对应 RGWBucketInfo, 比如存放桶名、 桶 ID、 data_pool 等。
cephadmin@ceph-deploy:~/ceph-cluster$ ceph osd pool get  default.rgw.meta  crush_rule 
crush_rule: replicated_rule #默认是副本池
cephadmin@ceph-deploy:~/ceph-cluster$ 
cephadmin@ceph-deploy:~/ceph-cluster$ ceph osd pool get  default.rgw.meta  size
size: 3 #默认的副本数
cephadmin@ceph-deploy:~/ceph-cluster$ 
cephadmin@ceph-deploy:~/ceph-cluster$ ceph osd pool get  default.rgw.meta  pgp_num
pgp_num: 8 #默认的 pg 数量
cephadmin@ceph-deploy:~/ceph-cluster$ 
cephadmin@ceph-deploy:~/ceph-cluster$ ceph osd pool get  default.rgw.meta  pg_num
pg_num: 8
cephadmin@ceph-deploy:~/ceph-cluster$ 

验证 RGW zone 信息:

cephadmin@ceph-deploy:~/ceph-cluster$ radosgw-admin zone get --rgw-zone=default
{
    "id": "a55c81f4-16a0-4cec-b6f1-d345e054f568",
    "name": "default",
    "domain_root": "default.rgw.meta:root",
    "control_pool": "default.rgw.control",
    "gc_pool": "default.rgw.log:gc",
    "lc_pool": "default.rgw.log:lc",
    "log_pool": "default.rgw.log",
    "intent_log_pool": "default.rgw.log:intent",
    "usage_log_pool": "default.rgw.log:usage",
    "roles_pool": "default.rgw.meta:roles",
    "reshard_pool": "default.rgw.log:reshard",
    "user_keys_pool": "default.rgw.meta:users.keys",
    "user_email_pool": "default.rgw.meta:users.email",
    "user_swift_pool": "default.rgw.meta:users.swift",
    "user_uid_pool": "default.rgw.meta:users.uid",
    "otp_pool": "default.rgw.otp",
    "system_key": {
        "access_key": "",
        "secret_key": ""
    },
    "placement_pools": [
        {
            "key": "default-placement",
            "val": {
                "index_pool": "default.rgw.buckets.index",
                "storage_classes": {
                    "STANDARD": {
                        "data_pool": "default.rgw.buckets.data"
                    }
                },
                "data_extra_pool": "default.rgw.buckets.non-ec",
                "index_type": 0
            }
        }
    ],
    "realm_id": "",
    "notif_pool": "default.rgw.log:notif"
}
cephadmin@ceph-deploy:~/ceph-cluster$ 

访问 radosgw 服务:

二、radosgw 服务高可用配置

radosgw http 高可用:

自定义 http 端口:

配置文件可以在 ceph deploy 服务器修改然后统一推送, 或者单独修改每个 radosgw 服务器的配置为统一配置, 然后重启 RGW 服务。
https://docs.ceph.com/en/latest/radosgw/frontends/

在ceph-mgr1、ceph-mgr2配置ceph.conf

# vi /etc/ceph/ceph.conf
[global]
fsid = 8dc32c41-121c-49df-9554-dfb7deb8c975
public_network = 172.16.88.0/24
cluster_network = 192.168.122.0/24
mon_initial_members = ceph-mon1,ceph-mon2,ceph-mon3
mon_host = 172.16.88.101,172.16.88.102,172.16.88.103
auth_cluster_required = cephx
auth_service_required = cephx
auth_client_required = cephx

mon clock drift allowed = 2
mon clock drift warn backoff = 30

[mds.ceph-mgr2]
mds_standby_for_name = ceph-mgr1
mds_standby_replay = true

[mds.ceph-mgr1]
mds_standby_for_name = ceph-mgr2
mds_standby_replay = true

[mds.ceph-mon3]
mds_standby_for_name = ceph-mon2
mds_standby_replay = true

[mds.ceph-mon2]
mds_standby_for_name = ceph-mon3
mds_standby_replay = true

[client.rgw.ceph-mgr1]
rgw_host = ceph-mgr1
rgw_frontends = civetweb port=9900

[client.rgw.ceph-mgr2]
rgw_host = ceph-mgr2
rgw_frontends = civetweb port=9900

[root@ceph-mgr1 ~]# systemctl restart ceph-radosgw@rgw.ceph-mgr1.service

[root@ceph-mgr2 ~]# systemctl restart ceph-radosgw@rgw.ceph-mgr2.service

访问测试

安装并配置反向代理:

在keepalive+haproxy节点添加如下配置

root@easzlab-haproxy-keepalive-01:~# vi /etc/haproxy/haproxy.cfg
root@easzlab-haproxy-keepalive-02:~# vi /etc/haproxy/haproxy.cfg

listen  ceph-rgw-9900
        bind 172.16.88.200:9900
        mode tcp
        server ceph-mgr1.example.local 172.16.88.111:9900 check inter 3s fall 3 rise 5
        server ceph-mgr2.example.local 172.16.88.112:9900 check inter 3s fall 3 rise 5

测试 http 反向代理:

radosgw https

rgw 节点生成签名证书并配置 radosgw 启用 SSL
自签名证书:

[root@ceph-mgr2 ~]# cd /etc/ceph/
[root@ceph-mgr2 ceph]# mkdir certs
[root@ceph-mgr2 ceph]# cd certs/
[root@ceph-mgr2 certs]# openssl genrsa -out civetweb.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
............+++++
....+++++
e is 65537 (0x010001)
[root@ceph-mgr2 certs]# openssl req -new -x509 -key civetweb.key -out civetweb.crt -subj "/CN=rgw.magedu.net"
[root@ceph-mgr2 certs]# cat civetweb.key civetweb.crt > civetweb.pem
[root@ceph-mgr2 certs]#
[root@ceph-mgr2 certs]# tree 
.
├── civetweb.crt
├── civetweb.key
└── civetweb.pem

0 directories, 3 files
[root@ceph-mgr2 certs]# 

SSL 配置:

同步key到mgr1

[root@ceph-mgr2 ceph]# scp -r /etc/ceph/certs root@172.16.88.111:/etc/ceph

修改/etc/ceph/ceph.conf

[global]
fsid = 8dc32c41-121c-49df-9554-dfb7deb8c975
public_network = 172.16.88.0/24
cluster_network = 192.168.122.0/24
mon_initial_members = ceph-mon1,ceph-mon2,ceph-mon3
mon_host = 172.16.88.101,172.16.88.102,172.16.88.103
auth_cluster_required = cephx
auth_service_required = cephx
auth_client_required = cephx

mon clock drift allowed = 2
mon clock drift warn backoff = 30

[mds.ceph-mgr2]
mds_standby_for_name = ceph-mgr1
mds_standby_replay = true

[mds.ceph-mgr1]
mds_standby_for_name = ceph-mgr2
mds_standby_replay = true

[mds.ceph-mon3]
mds_standby_for_name = ceph-mon2
mds_standby_replay = true

[mds.ceph-mon2]
mds_standby_for_name = ceph-mon3
mds_standby_replay = true

[client.rgw.ceph-mgr1]
rgw_host = ceph-mgr1
#rgw_frontends = civetweb port=9900
rgw_frontends = "civetweb port=9900+9443s ssl_certificate=/etc/ceph/certs/civetweb.pem"

[client.rgw.ceph-mgr2]
rgw_host = ceph-mgr2
#rgw_frontends = civetweb port=9900
rgw_frontends = "civetweb port=9900+9443s ssl_certificate=/etc/ceph/certs/civetweb.pem"

[root@ceph-mgr1 ceph]# systemctl restart ceph-radosgw@rgw.ceph-mgr1.service

[root@ceph-mgr2 ceph]# systemctl restart ceph-radosgw@rgw.ceph-mgr2.service

 

验证访问

本地测试

cephadmin@ceph-deploy:~/ceph-cluster$ vi /etc/hosts

172.16.88.112 rgw.magedu.net  #新增此行

访问 https 界面

在keepalive+haproxy代理节点下新增https转发

listen  ceph-rgw-9900
        bind 172.16.88.200:9900
        mode tcp
        server ceph-mgr1.example.local 172.16.88.111:9900 check inter 3s fall 3 rise 5
        server ceph-mgr2.example.local 172.16.88.112:9900 check inter 3s fall 3 rise 5

listen  ceph-rgw-9443
        bind 172.16.88.200:9443
        mode tcp
        server ceph-mgr1.example.local 172.16.88.111:9443 check inter 3s fall 3 rise 5
        server ceph-mgr2.example.local 172.16.88.112:9443 check inter 3s fall 3 rise 5

本地windows添加hosts解析

三、日志及其它优化配置

ceph-mgr1、ceph-mgr2创建日志目录

mkdir /var/log/radosgw

chown ceph.ceph /var/log/radosgw

ceph-mgr1、ceph-mgr2修改/etc/ceph/ceph.conf

# vi /etc/ceph/ceph.conf 

[global]
fsid = 8dc32c41-121c-49df-9554-dfb7deb8c975
public_network = 172.16.88.0/24
cluster_network = 192.168.122.0/24
mon_initial_members = ceph-mon1,ceph-mon2,ceph-mon3
mon_host = 172.16.88.101,172.16.88.102,172.16.88.103
auth_cluster_required = cephx
auth_service_required = cephx
auth_client_required = cephx

mon clock drift allowed = 2
mon clock drift warn backoff = 30

[mds.ceph-mgr2]
mds_standby_for_name = ceph-mgr1
mds_standby_replay = true

[mds.ceph-mgr1]
mds_standby_for_name = ceph-mgr2
mds_standby_replay = true

[mds.ceph-mon3]
mds_standby_for_name = ceph-mon2
mds_standby_replay = true

[mds.ceph-mon2]
mds_standby_for_name = ceph-mon3
mds_standby_replay = true

[client.rgw.ceph-mgr1]
rgw_host = ceph-mgr1
#rgw_frontends = civetweb port=9900
rgw_frontends = "civetweb port=9900+9443s ssl_certificate=/etc/ceph/certs/civetweb.pem error_log_file=/var/log/radosgw/civetweb.error.log access_log_file=/var/log/radosgw/civetweb.access.log request_timeout_ms=30000 num_threads=200"

[client.rgw.ceph-mgr2]
rgw_host = ceph-mgr2
#rgw_frontends = civetweb port=9900
rgw_frontends = "civetweb port=9900+9443s ssl_certificate=/etc/ceph/certs/civetweb.pem error_log_file=/var/log/radosgw/civetweb.error.log access_log_file=/var/log/radosgw/civetweb.access.log request_timeout_ms=30000 num_threads=200"

[root@ceph-mgr1 ~]# systemctl restart ceph-radosgw@rgw.ceph-mgr1.service

[root@ceph-mgr2 ~]# systemctl restart ceph-radosgw@rgw.ceph-mgr2.service

日志测试验证

本地windows客户端刷新https://rgw.magedu.net:9443/

四、客户端(s3cmd)测试数据读写

RGW Server 配置

在实际的生产环境, RGW1 RGW2 的配置参数是完全一样的。

配置/etc/ceph/ceph.conf

[global]
fsid = 8dc32c41-121c-49df-9554-dfb7deb8c975
public_network = 172.16.88.0/24
cluster_network = 192.168.122.0/24
mon_initial_members = ceph-mon1,ceph-mon2,ceph-mon3
mon_host = 172.16.88.101,172.16.88.102,172.16.88.103
auth_cluster_required = cephx
auth_service_required = cephx
auth_client_required = cephx

mon clock drift allowed = 2
mon clock drift warn backoff = 30

[mds.ceph-mgr2]
mds_standby_for_name = ceph-mgr1
mds_standby_replay = true

[mds.ceph-mgr1]
mds_standby_for_name = ceph-mgr2
mds_standby_replay = true

[mds.ceph-mon3]
mds_standby_for_name = ceph-mon2
mds_standby_replay = true

[mds.ceph-mon2]
mds_standby_for_name = ceph-mon3
mds_standby_replay = true

[client.rgw.ceph-mgr1]
rgw_host = ceph-mgr1
#rgw_frontends = civetweb port=9900
rgw_frontends = "civetweb port=9900+9443s ssl_certificate=/etc/ceph/certs/civetweb.pem error_log_file=/var/log/radosgw/civetweb.error.log access_log_file=/var/log/radosgw/civetweb.access.log request_timeout_ms=30000 num_threads=200"
rgw_dns_name = rgw.magedu.net

[client.rgw.ceph-mgr2]
rgw_host = ceph-mgr2
#rgw_frontends = civetweb port=9900
rgw_frontends = "civetweb port=9900+9443s ssl_certificate=/etc/ceph/certs/civetweb.pem error_log_file=/var/log/radosgw/civetweb.error.log access_log_file=/var/log/radosgw/civetweb.access.log request_timeout_ms=30000 num_threads=200"
rgw_dns_name = rgw.magedu.net

[root@ceph-mgr1 ~]# systemctl restart ceph-radosgw@rgw.ceph-mgr1.service 

[root@ceph-mgr2 ~]# systemctl restart ceph-radosgw@rgw.ceph-mgr2.service

创建 RGW 账户

cephadmin@ceph-deploy:~/ceph-cluster$ radosgw-admin user create --uid="user1" --display-name="user1"
{
    "user_id": "user1",
    "display_name": "user1",
    "email": "",
    "suspended": 0,
    "max_buckets": 1000,
    "subusers": [],
    "keys": [
        {
            "user": "user1",
            "access_key": "04XUIEYRYTDUXC332R7H",
            "secret_key": "uysQEmdYcp9UCv56UHimnMNKQwdiGFfuv4TsMPWy"
        }
    ],
    "swift_keys": [],
    "caps": [],
    "op_mask": "read, write, delete",
    "default_placement": "",
    "default_storage_class": "",
    "placement_tags": [],
    "bucket_quota": {
        "enabled": false,
        "check_on_raw": false,
        "max_size": -1,
        "max_size_kb": 0,
        "max_objects": -1
    },
    "user_quota": {
        "enabled": false,
        "check_on_raw": false,
        "max_size": -1,
        "max_size_kb": 0,
        "max_objects": -1
    },
    "temp_url_keys": [],
    "type": "rgw",
    "mfa_ids": []
}

cephadmin@ceph-deploy:~/ceph-cluster$ 

安装 s3cmd 客户端:

s3cmd 是一个通过命令行访问 ceph RGW 实现创建存储同桶、 上传、 下载以及管理数据到对象存储的命令行客户端工具。

cephadmin@ceph-deploy:~/ceph-cluster$ sudo apt-cache madison s3cmd
     s3cmd | 2.0.2-1ubuntu1 | https://mirrors.tuna.tsinghua.edu.cn/ubuntu focal-updates/universe amd64 Packages
     s3cmd |    2.0.2-1 | https://mirrors.tuna.tsinghua.edu.cn/ubuntu focal/universe amd64 Packages
cephadmin@ceph-deploy:~/ceph-cluster$ sudo apt install s3cmd

配置 s3cmd 客户端执行环境

客户端添加域名解析:

cephadmin@ceph-deploy:~/ceph-cluster$ sudo vi /etc/hosts
cephadmin@ceph-deploy:~/ceph-cluster$ 
cephadmin@ceph-deploy:~/ceph-cluster$ 
cephadmin@ceph-deploy:~/ceph-cluster$ cat vi /etc/hosts
cat: vi: No such file or directory
127.0.0.1 localhost
127.0.1.1 magedu

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

172.16.88.100 ceph-deploy.example.local ceph-deploy
172.16.88.101 ceph-mon1.example.local   ceph-mon1
172.16.88.102 ceph-mon2.example.local   ceph-mon2
172.16.88.103 ceph-mon3.example.local   ceph-mon3
172.16.88.111 ceph-mgr1.example.local   ceph-mgr1
172.16.88.112 ceph-mgr2.example.local   ceph-mgr2
172.16.88.121 ceph-node1.example.local  ceph-node1
172.16.88.122 ceph-node2.example.local  ceph-node2
172.16.88.123 ceph-node3.example.local  ceph-node3

172.16.88.200 rgw.magedu.net
cephadmin@ceph-deploy:~/ceph-cluster$ 

配置命令执行环境:

[root@ceph-deploy ~]# s3cmd --configure

Enter new values or accept defaults in brackets with Enter.
Refer to user manual for detailed description of all options.

Access key and Secret key are your identifiers for Amazon S3. Leave them empty for using the env variables.
Access Key: 04XUIEYRYTDUXC332R7H
Secret Key: uysQEmdYcp9UCv56UHimnMNKQwdiGFfuv4TsMPWy
Default Region [US]: #回车

Use "s3.amazonaws.com" for S3 Endpoint and not modify it to the target Amazon S3.
S3 Endpoint [s3.amazonaws.com]: rgw.magedu.net:9900

Use "%(bucket)s.s3.amazonaws.com" to the target Amazon S3. "%(bucket)s" and "%(location)s" vars can be used
if the target S3 system supports dns based buckets.
DNS-style bucket+hostname:port template for accessing a bucket [%(bucket)s.s3.amazonaws.com]: rgw.magedu.net:9900/%(bucket)

Encryption password is used to protect your files from reading
by unauthorized persons while in transfer to S3
Encryption password: redhat #随便设置一个密码
Path to GPG program [/usr/bin/gpg]: #回车

When using secure HTTPS protocol all communication with Amazon S3
servers is protected from 3rd party eavesdropping. This method is
slower than plain HTTP, and can only be proxied with Python 2.7 or newer
Use HTTPS protocol [Yes]: No

On some networks all internet access must go through a HTTP proxy.
Try setting it here if you can't connect to S3 directly
HTTP Proxy server name: #回车

New settings: #最终配置
  Access Key: 04XUIEYRYTDUXC332R7H
  Secret Key: uysQEmdYcp9UCv56UHimnMNKQwdiGFfuv4TsMPWy
  Default Region: US
  S3 Endpoint: rgw.magedu.net:9900
  DNS-style bucket+hostname:port template for accessing a bucket: rgw.magedu.net:9900/%(bucket)
  Encryption password: redhat
  Path to GPG program: /usr/bin/gpg
  Use HTTPS protocol: False
  HTTP Proxy server name: 
  HTTP Proxy server port: 0

Test access with supplied credentials? [Y/n] Y #是否保存以上配置
Please wait, attempting to list all buckets...
WARNING: Retrying failed request: /?delimiter=%2F (Remote end closed connection without response)
WARNING: Waiting 3 sec...
Success. Your access key and secret key worked fine :-)

Now verifying that encryption works...
Success. Encryption and decryption worked fine :-)

Save settings? [y/N] Y
Configuration saved to '/root/.s3cfg' #默认文件保存路径
[root@ceph-deploy ~]# 

[root@ceph-deploy ~]# cat /root/.s3cfg

[default]
access_key = 04XUIEYRYTDUXC332R7H
access_token = 
add_encoding_exts = 
add_headers = 
bucket_location = US
ca_certs_file = 
cache_file = 
check_ssl_certificate = True
check_ssl_hostname = True
cloudfront_host = cloudfront.amazonaws.com
content_disposition = 
content_type = 
default_mime_type = binary/octet-stream
delay_updates = False
delete_after = False
delete_after_fetch = False
delete_removed = False
dry_run = False
enable_multipart = True
encoding = UTF-8
encrypt = False
expiry_date = 
expiry_days = 
expiry_prefix = 
follow_symlinks = False
force = False
get_continue = False
gpg_command = /usr/bin/gpg
gpg_decrypt = %(gpg_command)s -d --verbose --no-use-agent --batch --yes --passphrase-fd %(passphrase_fd)s -o %(output_file)s %(input_file)s
gpg_encrypt = %(gpg_command)s -c --verbose --no-use-agent --batch --yes --passphrase-fd %(passphrase_fd)s -o %(output_file)s %(input_file)s
gpg_passphrase = redhat
guess_mime_type = True
host_base = rgw.magedu.net:9900
host_bucket = rgw.magedu.net:9900/%(bucket)
human_readable_sizes = False
invalidate_default_index_on_cf = False
invalidate_default_index_root_on_cf = True
invalidate_on_cf = False
kms_key = 
limit = -1
limitrate = 0
list_md5 = False
log_target_prefix = 
long_listing = False
max_delete = -1
mime_type = 
multipart_chunk_size_mb = 15
multipart_max_chunks = 10000
preserve_attrs = True
progress_meter = True
proxy_host = 
proxy_port = 0
put_continue = False
recursive = False
recv_chunk = 65536
reduced_redundancy = False
requester_pays = False
restore_days = 1
restore_priority = Standard
secret_key = uysQEmdYcp9UCv56UHimnMNKQwdiGFfuv4TsMPWy
send_chunk = 65536
server_side_encryption = False
signature_v2 = False
signurl_use_https = False
simpledb_host = sdb.amazonaws.com
skip_existing = False
socket_timeout = 300
stats = False
stop_on_error = False
storage_class = 
throttle_max = 100
upload_id = 
urlencoding_mode = normal
use_http_expect = False
use_https = False
use_mime_magic = True
verbosity = WARNING
website_endpoint = http://%(bucket)s.s3-website-%(location)s.amazonaws.com/
website_error = 
website_index = index.html

命令行客户端 s3cmd 验证数据上传
查看帮助信息

[root@ceph-deploy ~]# s3cmd --help
Usage: s3cmd [options] COMMAND [parameters]

S3cmd is a tool for managing objects in Amazon S3 storage. It allows for
making and removing "buckets" and uploading, downloading and removing
"objects" from these buckets.

Options:
  -h, --help            show this help message and exit
  --configure           Invoke interactive (re)configuration tool. Optionally
                        use as '--configure s3://some-bucket' to test access
                        to a specific bucket instead of attempting to list
                        them all.
  -c FILE, --config=FILE
                        Config file name. Defaults to $HOME/.s3cfg
  --dump-config         Dump current configuration after parsing config files
                        and command line options and exit.
  --access_key=ACCESS_KEY
                        AWS Access Key
  --secret_key=SECRET_KEY
                        AWS Secret Key
  --access_token=ACCESS_TOKEN
                        AWS Access Token
  -n, --dry-run         Only show what should be uploaded or downloaded but
                        don't actually do it. May still perform S3 requests to
                        get bucket listings and other information though (only
                        for file transfer commands)
  -s, --ssl             Use HTTPS connection when communicating with S3.
                        (default)
  --no-ssl              Don't use HTTPS.
  -e, --encrypt         Encrypt files before uploading to S3.
  --no-encrypt          Don't encrypt files.
  -f, --force           Force overwrite and other dangerous operations.
  --continue            Continue getting a partially downloaded file (only for
                        [get] command).
  --continue-put        Continue uploading partially uploaded files or
                        multipart upload parts.  Restarts/parts files that
                        don't have matching size and md5.  Skips files/parts
                        that do.  Note: md5sum checks are not always
                        sufficient to check (part) file equality.  Enable this
                        at your own risk.
  --upload-id=UPLOAD_ID
                        UploadId for Multipart Upload, in case you want
                        continue an existing upload (equivalent to --continue-
                        put) and there are multiple partial uploads.  Use
                        s3cmd multipart [URI] to see what UploadIds are
                        associated with the given URI.
  --skip-existing       Skip over files that exist at the destination (only
                        for [get] and [sync] commands).
  -r, --recursive       Recursive upload, download or removal.
  --check-md5           Check MD5 sums when comparing files for [sync].
                        (default)
  --no-check-md5        Do not check MD5 sums when comparing files for [sync].
                        Only size will be compared. May significantly speed up
                        transfer but may also miss some changed files.
  -P, --acl-public      Store objects with ACL allowing read for anyone.
  --acl-private         Store objects with default ACL allowing access for you
                        only.
  --acl-grant=PERMISSION:EMAIL or USER_CANONICAL_ID
                        Grant stated permission to a given amazon user.
                        Permission is one of: read, write, read_acp,
                        write_acp, full_control, all
  --acl-revoke=PERMISSION:USER_CANONICAL_ID
                        Revoke stated permission for a given amazon user.
                        Permission is one of: read, write, read_acp,
                        write_acp, full_control, all
  -D NUM, --restore-days=NUM
                        Number of days to keep restored file available (only
                        for 'restore' command).
  --restore-priority=RESTORE_PRIORITY
                        Priority for restoring files from S3 Glacier (only for
                        'restore' command). Choices available: bulk, standard,
                        expedited
  --delete-removed      Delete destination objects with no corresponding
                        source file [sync]
  --no-delete-removed   Don't delete destination objects.
  --delete-after        Perform deletes AFTER new uploads when delete-removed
                        is enabled [sync]
  --delay-updates       *OBSOLETE* Put all updated files into place at end
                        [sync]
  --max-delete=NUM      Do not delete more than NUM files. [del] and [sync]
  --limit=NUM           Limit number of objects returned in the response body
                        (only for [ls] and [la] commands)
  --add-destination=ADDITIONAL_DESTINATIONS
                        Additional destination for parallel uploads, in
                        addition to last arg.  May be repeated.
  --delete-after-fetch  Delete remote objects after fetching to local file
                        (only for [get] and [sync] commands).
  -p, --preserve        Preserve filesystem attributes (mode, ownership,
                        timestamps). Default for [sync] command.
  --no-preserve         Don't store FS attributes
  --exclude=GLOB        Filenames and paths matching GLOB will be excluded
                        from sync
  --exclude-from=FILE   Read --exclude GLOBs from FILE
  --rexclude=REGEXP     Filenames and paths matching REGEXP (regular
                        expression) will be excluded from sync
  --rexclude-from=FILE  Read --rexclude REGEXPs from FILE
  --include=GLOB        Filenames and paths matching GLOB will be included
                        even if previously excluded by one of
                        --(r)exclude(-from) patterns
  --include-from=FILE   Read --include GLOBs from FILE
  --rinclude=REGEXP     Same as --include but uses REGEXP (regular expression)
                        instead of GLOB
  --rinclude-from=FILE  Read --rinclude REGEXPs from FILE
  --files-from=FILE     Read list of source-file names from FILE. Use - to
                        read from stdin.
  --region=REGION, --bucket-location=REGION
                        Region to create bucket in. As of now the regions are:
                        us-east-1, us-west-1, us-west-2, eu-west-1, eu-
                        central-1, ap-northeast-1, ap-southeast-1, ap-
                        southeast-2, sa-east-1
  --host=HOSTNAME       HOSTNAME:PORT for S3 endpoint (default:
                        s3.amazonaws.com, alternatives such as s3-eu-
                        west-1.amazonaws.com). You should also set --host-
                        bucket.
  --host-bucket=HOST_BUCKET
                        DNS-style bucket+hostname:port template for accessing
                        a bucket (default: %(bucket)s.s3.amazonaws.com)
  --reduced-redundancy, --rr
                        Store object with 'Reduced redundancy'. Lower per-GB
                        price. [put, cp, mv]
  --no-reduced-redundancy, --no-rr
                        Store object without 'Reduced redundancy'. Higher per-
                        GB price. [put, cp, mv]
  --storage-class=CLASS
                        Store object with specified CLASS (STANDARD,
                        STANDARD_IA, or REDUCED_REDUNDANCY). Lower per-GB
                        price. [put, cp, mv]
  --access-logging-target-prefix=LOG_TARGET_PREFIX
                        Target prefix for access logs (S3 URI) (for [cfmodify]
                        and [accesslog] commands)
  --no-access-logging   Disable access logging (for [cfmodify] and [accesslog]
                        commands)
  --default-mime-type=DEFAULT_MIME_TYPE
                        Default MIME-type for stored objects. Application
                        default is binary/octet-stream.
  -M, --guess-mime-type
                        Guess MIME-type of files by their extension or mime
                        magic. Fall back to default MIME-Type as specified by
                        --default-mime-type option
  --no-guess-mime-type  Don't guess MIME-type and use the default type
                        instead.
  --no-mime-magic       Don't use mime magic when guessing MIME-type.
  -m MIME/TYPE, --mime-type=MIME/TYPE
                        Force MIME-type. Override both --default-mime-type and
                        --guess-mime-type.
  --add-header=NAME:VALUE
                        Add a given HTTP header to the upload request. Can be
                        used multiple times. For instance set 'Expires' or
                        'Cache-Control' headers (or both) using this option.
  --remove-header=NAME  Remove a given HTTP header.  Can be used multiple
                        times.  For instance, remove 'Expires' or 'Cache-
                        Control' headers (or both) using this option. [modify]
  --server-side-encryption
                        Specifies that server-side encryption will be used
                        when putting objects. [put, sync, cp, modify]
  --server-side-encryption-kms-id=KMS_KEY
                        Specifies the key id used for server-side encryption
                        with AWS KMS-Managed Keys (SSE-KMS) when putting
                        objects. [put, sync, cp, modify]
  --encoding=ENCODING   Override autodetected terminal and filesystem encoding
                        (character set). Autodetected: UTF-8
  --add-encoding-exts=EXTENSIONs
                        Add encoding to these comma delimited extensions i.e.
                        (css,js,html) when uploading to S3 )
  --verbatim            Use the S3 name as given on the command line. No pre-
                        processing, encoding, etc. Use with caution!
  --disable-multipart   Disable multipart upload on files bigger than
                        --multipart-chunk-size-mb
  --multipart-chunk-size-mb=SIZE
                        Size of each chunk of a multipart upload. Files bigger
                        than SIZE are automatically uploaded as multithreaded-
                        multipart, smaller files are uploaded using the
                        traditional method. SIZE is in Mega-Bytes, default
                        chunk size is 15MB, minimum allowed chunk size is 5MB,
                        maximum is 5GB.
  --list-md5            Include MD5 sums in bucket listings (only for 'ls'
                        command).
  -H, --human-readable-sizes
                        Print sizes in human readable form (eg 1kB instead of
                        1234).
  --ws-index=WEBSITE_INDEX
                        Name of index-document (only for [ws-create] command)
  --ws-error=WEBSITE_ERROR
                        Name of error-document (only for [ws-create] command)
  --expiry-date=EXPIRY_DATE
                        Indicates when the expiration rule takes effect. (only
                        for [expire] command)
  --expiry-days=EXPIRY_DAYS
                        Indicates the number of days after object creation the
                        expiration rule takes effect. (only for [expire]
                        command)
  --expiry-prefix=EXPIRY_PREFIX
                        Identifying one or more objects with the prefix to
                        which the expiration rule applies. (only for [expire]
                        command)
  --progress            Display progress meter (default on TTY).
  --no-progress         Don't display progress meter (default on non-TTY).
  --stats               Give some file-transfer stats.
  --enable              Enable given CloudFront distribution (only for
                        [cfmodify] command)
  --disable             Disable given CloudFront distribution (only for
                        [cfmodify] command)
  --cf-invalidate       Invalidate the uploaded filed in CloudFront. Also see
                        [cfinval] command.
  --cf-invalidate-default-index
                        When using Custom Origin and S3 static website,
                        invalidate the default index file.
  --cf-no-invalidate-default-index-root
                        When using Custom Origin and S3 static website, don't
                        invalidate the path to the default index file.
  --cf-add-cname=CNAME  Add given CNAME to a CloudFront distribution (only for
                        [cfcreate] and [cfmodify] commands)
  --cf-remove-cname=CNAME
                        Remove given CNAME from a CloudFront distribution
                        (only for [cfmodify] command)
  --cf-comment=COMMENT  Set COMMENT for a given CloudFront distribution (only
                        for [cfcreate] and [cfmodify] commands)
  --cf-default-root-object=DEFAULT_ROOT_OBJECT
                        Set the default root object to return when no object
                        is specified in the URL. Use a relative path, i.e.
                        default/index.html instead of /default/index.html or
                        s3://bucket/default/index.html (only for [cfcreate]
                        and [cfmodify] commands)
  -v, --verbose         Enable verbose output.
  -d, --debug           Enable debug output.
  --version             Show s3cmd version (2.0.2) and exit.
  -F, --follow-symlinks
                        Follow symbolic links as if they are regular files
  --cache-file=FILE     Cache FILE containing local source MD5 values
  -q, --quiet           Silence output on stdout
  --ca-certs=CA_CERTS_FILE
                        Path to SSL CA certificate FILE (instead of system
                        default)
  --check-certificate   Check SSL certificate validity
  --no-check-certificate
                        Do not check SSL certificate validity
  --check-hostname      Check SSL certificate hostname validity
  --no-check-hostname   Do not check SSL certificate hostname validity
  --signature-v2        Use AWS Signature version 2 instead of newer signature
                        methods. Helpful for S3-like systems that don't have
                        AWS Signature v4 yet.
  --limit-rate=LIMITRATE
                        Limit the upload or download speed to amount bytes per
                        second.  Amount may be expressed in bytes, kilobytes
                        with the k suffix, or megabytes with the m suffix
  --requester-pays      Set the REQUESTER PAYS flag for operations
  -l, --long-listing    Produce long listing [ls]
  --stop-on-error       stop if error in transfer
  --content-disposition=CONTENT_DISPOSITION
                        Provide a Content-Disposition for signed URLs, e.g.,
                        "inline; filename=myvideo.mp4"
  --content-type=CONTENT_TYPE
                        Provide a Content-Type for signed URLs, e.g.,
                        "video/mp4"

Commands:
  Make bucket
      s3cmd mb s3://BUCKET
  Remove bucket
      s3cmd rb s3://BUCKET
  List objects or buckets
      s3cmd ls [s3://BUCKET[/PREFIX]]
  List all object in all buckets
      s3cmd la 
  Put file into bucket
      s3cmd put FILE [FILE...] s3://BUCKET[/PREFIX]
  Get file from bucket
      s3cmd get s3://BUCKET/OBJECT LOCAL_FILE
  Delete file from bucket
      s3cmd del s3://BUCKET/OBJECT
  Delete file from bucket (alias for del)
      s3cmd rm s3://BUCKET/OBJECT
  Restore file from Glacier storage
      s3cmd restore s3://BUCKET/OBJECT
  Synchronize a directory tree to S3 (checks files freshness using size and md5 checksum, unless overridden by options, see below)
      s3cmd sync LOCAL_DIR s3://BUCKET[/PREFIX] or s3://BUCKET[/PREFIX] LOCAL_DIR
  Disk usage by buckets
      s3cmd du [s3://BUCKET[/PREFIX]]
  Get various information about Buckets or Files
      s3cmd info s3://BUCKET[/OBJECT]
  Copy object
      s3cmd cp s3://BUCKET1/OBJECT1 s3://BUCKET2[/OBJECT2]
  Modify object metadata
      s3cmd modify s3://BUCKET1/OBJECT
  Move object
      s3cmd mv s3://BUCKET1/OBJECT1 s3://BUCKET2[/OBJECT2]
  Modify Access control list for Bucket or Files
      s3cmd setacl s3://BUCKET[/OBJECT]
  Modify Bucket Policy
      s3cmd setpolicy FILE s3://BUCKET
  Delete Bucket Policy
      s3cmd delpolicy s3://BUCKET
  Modify Bucket CORS
      s3cmd setcors FILE s3://BUCKET
  Delete Bucket CORS
      s3cmd delcors s3://BUCKET
  Modify Bucket Requester Pays policy
      s3cmd payer s3://BUCKET
  Show multipart uploads
      s3cmd multipart s3://BUCKET [Id]
  Abort a multipart upload
      s3cmd abortmp s3://BUCKET/OBJECT Id
  List parts of a multipart upload
      s3cmd listmp s3://BUCKET/OBJECT Id
  Enable/disable bucket access logging
      s3cmd accesslog s3://BUCKET
  Sign arbitrary string using the secret key
      s3cmd sign STRING-TO-SIGN
  Sign an S3 URL to provide limited public access with expiry
      s3cmd signurl s3://BUCKET/OBJECT <expiry_epoch|+expiry_offset>
  Fix invalid file names in a bucket
      s3cmd fixbucket s3://BUCKET[/PREFIX]
  Create Website from bucket
      s3cmd ws-create s3://BUCKET
  Delete Website
      s3cmd ws-delete s3://BUCKET
  Info about Website
      s3cmd ws-info s3://BUCKET
  Set or delete expiration rule for the bucket
      s3cmd expire s3://BUCKET
  Upload a lifecycle policy for the bucket
      s3cmd setlifecycle FILE s3://BUCKET
  Get a lifecycle policy for the bucket
      s3cmd getlifecycle s3://BUCKET
  Remove a lifecycle policy for the bucket
      s3cmd dellifecycle s3://BUCKET
  List CloudFront distribution points
      s3cmd cflist 
  Display CloudFront distribution point parameters
      s3cmd cfinfo [cf://DIST_ID]
  Create CloudFront distribution point
      s3cmd cfcreate s3://BUCKET
  Delete CloudFront distribution point
      s3cmd cfdelete cf://DIST_ID
  Change CloudFront distribution point parameters
      s3cmd cfmodify cf://DIST_ID
  Display CloudFront invalidation request(s) status
      s3cmd cfinvalinfo cf://DIST_ID[/INVAL_ID]

For more information, updates and news, visit the s3cmd website:
http://s3tools.org

[root@ceph-deploy ~]# 
View Code

创建 bucket 以验证权限:
存储空间(Bucket)是用于存储对象(Object)的容器,在上传任意类型的 Object 前,您需要先创建 Bucket。

[root@ceph-deploy ~]# s3cmd mb s3://mybucket
Bucket 's3://mybucket/' created
[root@ceph-deploy ~]# 
[root@ceph-deploy ~]# s3cmd mb s3://css
Bucket 's3://css/' created
[root@ceph-deploy ~]# 
[root@ceph-deploy ~]# s3cmd mb s3://images
Bucket 's3://images/' created
[root@ceph-deploy ~]# 

验证上传数测试

[root@ceph-deploy ~]# s3cmd put v2.1.0.tar.gz s3://myserver

上传文件目录

[root@ceph-deploy ~]# s3cmd put rgw-test s3://images
ERROR: Parameter problem: Use --recursive to upload a directory: rgw-test
[root@ceph-deploy ~]# 
[root@ceph-deploy ~]# s3cmd put --recursive rgw-test s3://images
upload: 'rgw-test/bdlg.jfif' -> 's3://images/rgw-test/bdlg.jfif'  [1 of 7]
 337895 of 337895   100% in    0s     3.31 MB/s  done
upload: 'rgw-test/nqtgls1.jpg' -> 's3://images/rgw-test/nqtgls1.jpg'  [2 of 7]
 6895166 of 6895166   100% in    0s    16.91 MB/s  done
upload: 'rgw-test/nqtgls2.jpg' -> 's3://images/rgw-test/nqtgls2.jpg'  [3 of 7]
 5984471 of 5984471   100% in    0s    11.75 MB/s  done
upload: 'rgw-test/nqtgls3.jpg' -> 's3://images/rgw-test/nqtgls3.jpg'  [4 of 7]
 6923235 of 6923235   100% in    0s    16.50 MB/s  done
upload: 'rgw-test/nqtgls4.jpg' -> 's3://images/rgw-test/nqtgls4.jpg'  [5 of 7]
 4622031 of 4622031   100% in    0s    16.90 MB/s  done
upload: 'rgw-test/yzyc1.jpg' -> 's3://images/rgw-test/yzyc1.jpg'  [6 of 7]
 3979758 of 3979758   100% in    0s    12.51 MB/s  done
upload: 'rgw-test/yzyc2.jpg' -> 's3://images/rgw-test/yzyc2.jpg'  [7 of 7]
 3469897 of 3469897   100% in    0s    17.89 MB/s  done
[root@ceph-deploy ~]# s3cmd ls s3://images
                       DIR   s3://images/jpg/
                       DIR   s3://images/rgw-test/
[root@ceph-deploy ~]# 
[root@ceph-deploy ~]# s3cmd ls s3://images/rgw-test/  #查看上传的文件
2022-10-11 06:45    337895   s3://images/rgw-test/bdlg.jfif
2022-10-11 06:45   6895166   s3://images/rgw-test/nqtgls1.jpg
2022-10-11 06:45   5984471   s3://images/rgw-test/nqtgls2.jpg
2022-10-11 06:45   6923235   s3://images/rgw-test/nqtgls3.jpg
2022-10-11 06:45   4622031   s3://images/rgw-test/nqtgls4.jpg
2022-10-11 06:45   3979758   s3://images/rgw-test/yzyc1.jpg
2022-10-11 06:45   3469897   s3://images/rgw-test/yzyc2.jpg
[root@ceph-deploy ~]# 

下载测试

[root@ceph-deploy ~]# s3cmd get s3://myserver/v2.1.0.tar.gz /tmp
download: 's3://myserver/v2.1.0.tar.gz' -> '/tmp/v2.1.0.tar.gz'  [1 of 1]
 604573 of 604573   100% in    0s    22.83 MB/s  done
[root@ceph-deploy ~]# ll -h /tmp/
total 640K
drwxrwxrwt 12 root root 4.0K Oct 11 14:41 ./
drwxr-xr-x 19 root root 4.0K Jul 25 23:49 ../
drwxrwxrwt  2 root root 4.0K Oct 11 00:30 .ICE-unix/
drwxrwxrwt  2 root root 4.0K Oct 11 00:30 .Test-unix/
drwxrwxrwt  2 root root 4.0K Oct 11 00:30 .X11-unix/
drwxrwxrwt  2 root root 4.0K Oct 11 00:30 .XIM-unix/
drwxrwxrwt  2 root root 4.0K Oct 11 00:30 .font-unix/
drwx------  3 root root 4.0K Oct 11 00:31 snap.lxd/
drwx------  3 root root 4.0K Oct 11 00:31 systemd-private-19527b40241540bda8cd30087e14e984-ModemManager.service-cOQ69f/
drwx------  3 root root 4.0K Oct 11 00:31 systemd-private-19527b40241540bda8cd30087e14e984-systemd-logind.service-l4f6pi/
drwx------  3 root root 4.0K Oct 11 00:31 systemd-private-19527b40241540bda8cd30087e14e984-systemd-resolved.service-wJO8ei/
drwx------  3 root root 4.0K Oct 11 00:30 systemd-private-19527b40241540bda8cd30087e14e984-systemd-timesyncd.service-VCgbig/
-rw-r--r--  1 root root 591K Oct 11 06:38 v2.1.0.tar.gz
[root@ceph-deploy ~]# 

验证数据完整性

[root@ceph-deploy ~]# md5sum v2.1.0.tar.gz 
2e5b96084fe616c248b639c06a3b5e3c  v2.1.0.tar.gz
[root@ceph-deploy ~]# 
[root@ceph-deploy ~]# md5sum /tmp/v2.1.0.tar.gz 
2e5b96084fe616c248b639c06a3b5e3c  /tmp/v2.1.0.tar.gz
[root@ceph-deploy ~]#

删除文件

[root@ceph-deploy ~]# s3cmd ls s3://images/
                       DIR   s3://images/jpg/
                       DIR   s3://images/rgw-test/
[root@ceph-deploy ~]# s3cmd ls s3://images/jpg/
2022-10-11 06:18   6895166   s3://images/jpg/nqtgls1.jpg
2022-10-11 06:19   5984471   s3://images/jpg/nqtgls2.jpg
[root@ceph-deploy ~]# s3cmd rm s3://images/jpg/nqtgls2.jpg
delete: 's3://images/jpg/nqtgls2.jpg'
[root@ceph-deploy ~]# s3cmd ls s3://images/jpg/
2022-10-11 06:18   6895166   s3://images/jpg/nqtgls1.jpg
[root@ceph-deploy ~]# 

通过脚本管理

[root@ceph-test-02 ~]# cat ceph-rgw-client.py

#coding:utf-8
# python 3.8
from boto3.session import Session
# 新版本boto3
import os
class objectclient():
    def __init__(self):
        access_key = '04XUIEYRYTDUXC332R7H'
        secret_key = 'uysQEmdYcp9UCv56UHimnMNKQwdiGFfuv4TsMPWy'
        self.session = Session(aws_access_key_id=access_key, aws_secret_access_key=secret_key)
        #self.url = 'http://172.16.88.112:7480'
        self.s3_client = self.session.client('s3', endpoint_url='http://172.16.88.200:9900')

    def get_bucket(self):
        buckets = [bucket['Name'] for bucket in self.s3_client.list_buckets()['Buckets']]
        print(buckets)
        return buckets

    def create_bucket(self):
        #指定创建的存储桶名称,默认为私有的存储桶
        #self.s3_client.create bucket(Bucket='mytest1111111111')
        #指定存储桶的权限
        #ACL有如下几种"private","public-read","public-read-write","authenticated-read"
        self.s3_client_create_bucket(Bucket='20221011', ACL='public-read')

    def upload(self):
        file_list=os.listdir("./videos/")
        for name in file_list:
            print(name)
            resp = self.s3_client.put_object(
                ContentType='video/mp4',
                Bucket="video", #上传到这个存储桶里
                Key="%s" % name, #上传后的目录文件名称
                Boby=open("./videos/%s" % name, 'rb').read()
            )
            print(resp)
            #return resp

        #resp = self.s3_client.put_object(
        #    Bucket="20221011",#上传到这个存储桶里面
        #    Key='xxxxxx.txt',#上传后的目录文件名称
        #    Boby=open("xxx/xxx/xxx.txt", 'rb').read()
        #)
        #print(resp)
        #return resp
    
    def download(self):
        resp = self.s3_client.get_object(
            Bucket='test-s3cmd',
            Key='xxxxxxxx.tar.gz'
        )
        with open('./xxx.tar.gz', 'wb') as f: #保存到本地的此文件
            f.write(resp['Boby'].read())

if __name__ == " main ":
    # boto3
    s3_boto3 = objectclient()
#    s3_boto3.create_bucket() #创建bucket
    s3_boto3.get_bucket() #查询bucket
#    s3_boto3.upload() #上传文件
#    s3_boto3.download() #下载文件

分别选择开启创建、查询、上传、下载选项

#    s3_boto3.create_bucket() #创建bucket
#    s3_boto3.get_bucket() #查询bucket
#    s3_boto3.upload() #上传文件
#    s3_boto3.download() #下载文件

[root@ceph-deploy ~]# python3 ceph-rgw-client.py

五、ceph对象存储允许匿名用户访问案例

5.1、授权简介及预览

https://docs.aws.amazon.com/zh_cn/AmazonS3/latest/userguide/example-bucket-policies.html

  • Resources:授权的目的Buckets、objects等资源,必须指定。
  • Actions: 要授予的动作,CreateBucket、DeleteObject、GetObject、PutObject。必须指定
  • Effect:要授予的操作效果是允许(allow)还是拒绝(deny),默认为拒绝访问所有资源,必须指定。
  • Principal: 要授予的目的账号,必须指定。
  • Condition: 授权策略生效的条件,比如访问的TLS版本等,非必须,可不写。
"Condition": {
"NumericLessThan": {
 "s3:TlsVersion": 1.2
  }
}

5.2:权限集合

https://docs.aws.amazon.com/zh_cn/AmazonS3/latest/API/API_Operations.html

s3:AbortMultipartUpload
s3:CompleteMultipartUpload
s3:CopyObject
s3:CreateBucket
s3:CreateMultipartUpload
s3:DeleteBucket
s3:DeleteBucketAnalyticConfiguration
s3:DeleteBucketCor
s3:DeleteBucketEncryption
s3:DeleteBucketIntelligentTieringConfiguration
s3:DeleteBucketInventoryConfiguration
s3:DeleteBucketLifecycle
s3:DeleteBucketMetricConfiguration
s3:DeleteBucketOwnerhipControl
s3:DeleteBucketPolicy
s3:DeleteBucketReplication
s3:DeleteBucketTagging
s3:DeleteBucketWebite
s3:DeleteObject
s3:DeleteObject
s3:DeleteObjectTagging
s3:DeletePublicAcceBlock
s3:GetBucketAccelerateConfiguration
s3:GetBucketAcl
s3:GetBucketAnalyticConfiguration
s3:GetBucketCor
s3:GetBucketEncryption
s3:GetBucketIntelligentTieringConfiguration
s3:GetBucketInventoryConfiguration
s3:GetBucketLifecycle
s3:GetBucketLifecycleConfiguration
s3:GetBucketLocation
s3:GetBucketLogging
s3:GetBucketMetricConfiguration
s3:GetBucketNotification
s3:GetBucketNotificationConfiguration
s3:GetBucketOwnerhipControl
s3:GetBucketPolicy
s3:GetBucketPolicyStatu
s3:GetBucketReplication
s3:GetBucketRequetPayment
s3:GetBucketTagging
s3:GetBucketVerioning
s3:GetBucketWebite
s3:GetObject
s3:GetObjectAcl
s3:GetObjectAttribute
s3:GetObjectLegalHold
s3:GetObjectLockConfiguration
s3:GetObjectRetention
s3:GetObjectTagging
s3:GetObjectTorrent
s3:GetPublicAcceBlock
s3:HeadBucket
s3:HeadObject
s3:LitBucketAnalyticConfiguration
s3:LitBucketIntelligentTieringConfiguration
s3:LitBucketInventoryConfiguration
s3:LitBucketMetricConfiguration
s3:LitBucket
s3:LitMultipartUpload
s3:LitObject
s3:LitObjectV2
s3:LitObjectVerion
s3:LitPart
s3:PutBucketAccelerateConfiguration
s3:PutBucketAcl
s3:PutBucketAnalyticConfiguration
s3:PutBucketCor
s3:PutBucketEncryption
s3:PutBucketIntelligentTieringConfiguration
s3:PutBucketInventoryConfiguration
s3:PutBucketLifecycle
s3:PutBucketLifecycleConfiguration
s3:PutBucketLogging
s3:PutBucketMetricConfiguration
s3:PutBucketNotification
s3:PutBucketNotificationConfiguration
s3:PutBucketOwnerhipControl
s3:PutBucketPolicy
s3:PutBucketReplication
s3:PutBucketRequetPayment
s3:PutBucketTagging
s3:PutBucketVerioning
s3:PutBucketWebite
s3:PutObject
s3:PutObjectAcl
s3:PutObjectLegalHold
s3:PutObjectLockConfiguration
s3:PutObjectRetention
s3:PutObjectTagging
s3:PutPublicAcceBlock
s3:RetoreObject
s3:SelectObjectContent
s3:UploadPart
s3:UploadPartCopy
s3:WriteGetObjectRepone
View Code

授权匿名用户GetObject权限:

[root@ceph-deploy ~]# cat images-bucket-single_policy 
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": [
                "arn:aws:s3:::images/*"
            ]
        }]
}
[root@ceph-deploy ~]# 

[root@ceph-deploy ~]# s3cmd setpolicy images-bucket-single_policy s3://images
s3://images/: Policy updated
[root@ceph-deploy ~]#
[root@ceph-deploy ~]# s3cmd ls s3://images/rgw-test/
2022-10-11 06:45    337895   s3://images/rgw-test/bdlg.jfif
2022-10-11 06:45   6895166   s3://images/rgw-test/nqtgls1.jpg
2022-10-11 06:45   5984471   s3://images/rgw-test/nqtgls2.jpg
2022-10-11 06:45   6923235   s3://images/rgw-test/nqtgls3.jpg
2022-10-11 06:45   4622031   s3://images/rgw-test/nqtgls4.jpg
2022-10-11 06:45   3979758   s3://images/rgw-test/yzyc1.jpg
2022-10-11 06:45   3469897   s3://images/rgw-test/yzyc2.jpg
[root@ceph-deploy ~]# 

访问测试

5.3、测试video bucket

[root@ceph-deploy ~]# s3cmd mb s3://video #创建video视频目录bucket
Bucket 's3://video/' created
[root@ceph-deploy ~]#
[root@ceph-deploy ~]# mkdir video-test
#上传测试视频 [root@ceph
-deploy ~]# ll -h video-test/ total 2.7M drwxr-xr-x 2 root root 4.0K Oct 11 20:52 ./ drwx------ 10 root root 4.0K Oct 11 20:51 ../ -rw-r--r-- 1 root root 1.8M Oct 11 20:52 410a50fef9df7f06cbbe623f3057569f.mp4 -rw-r--r-- 1 root root 816K Oct 11 20:52 f9fc43f9c45b22f446657da53bf338a4.mp4 [root@ceph-deploy ~]# [root@ceph-deploy ~]# s3cmd put --recursive video-test s3://video #指定目录批量上传 upload: 'video-test/410a50fef9df7f06cbbe623f3057569f.mp4' -> 's3://video/video-test/410a50fef9df7f06cbbe623f3057569f.mp4' [1 of 2] 1882656 of 1882656 100% in 0s 12.75 MB/s done upload: 'video-test/f9fc43f9c45b22f446657da53bf338a4.mp4' -> 's3://video/video-test/f9fc43f9c45b22f446657da53bf338a4.mp4' [2 of 2] 835506 of 835506 100% in 0s 11.89 MB/s done [root@ceph-deploy ~]# [root@ceph-deploy ~]# s3cmd ls s3://video/video-test/ #查看上传到文件 2022-10-11 12:53 1882656 s3://video/video-test/410a50fef9df7f06cbbe623f3057569f.mp4 2022-10-11 12:53 835506 s3://video/video-test/f9fc43f9c45b22f446657da53bf338a4.mp4 [root@ceph-deploy ~]# [root@ceph-deploy ~]# vi video-bucket-single_policy #创建video bucket匿名访问授权json [root@ceph-deploy ~]# cat video-bucket-single_policy { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": [ "arn:aws:s3:::video/*" ] }] } [root@ceph-deploy ~]# [root@ceph-deploy ~]# s3cmd setpolicy video-bucket-single_policy s3://video #对video目录匿名用户授权 s3://video/: Policy updated [root@ceph-deploy ~]#

 

posted @ 2022-10-11 16:51  cyh00001  阅读(1491)  评论(0编辑  收藏  举报