ViPR OpenStack Swift Object Service API Support

OpenStack Swift API

ViPR includes support for the OpenStack Swift API. This article describes the supported operations and describes the mechanisms for authorization and authentication.

This article applies to EMC ViPR 2.0.

Examples showing the use of the OpenStack Swift API can be found here:

OpenStack Swift supported operations

The following sections list the OpenStack REST API requests that are supported by ViPR.

This information is taken from the Object Storage API V1 section of the OpenStack API Reference documentation.

Supported OpenStack Swift calls

The following OpenStack Swift REST API calls are supported in ViPR.

Unsupported OpenStack Swift calls

The following OpenStack Swift REST API calls are not supported in ViPR.

OpenStack Version 1 authentication

To communicate with ViPR through the OpenStack Swift API, follow these steps:

Procedure

  1. Acquire a UID and password from ViPR. The UID will be an LDAP or Active Directory name. Call the following ViPR REST API to generate a password.
    Request:

    PUT /object/user-password/myUser@emc.com
    <user_password_create>
      <password>myPassword</password>
      <namespace>EMC_NAMESPACE</namespace>
    </user_password_create>

    Response:

    HTTP 200

  2. Call the OpenStack authentication REST API shown below. Use port 9024 for HTTP, or port 9025 for HTTPS.
    Request:

    GET /auth/v1.0
    X-Auth-User: myUser@emc.com
    X-Auth-Key: myPassword

    Response:

    HTTP/1.1 204 No Content
    Date: Mon, 12 Nov 2010 15:32:21 GMT
    Server: Apache
    X-Storage-Url: https://{hostname}/v1/account
    X-Auth-Token: eaaafd18-0fed-4b3a-81b4-663c99ec1cbb
    Content-Length: 0

Results

If the UID and password are validated by ViPR, the storage URL and token are returned in the response header. Further requests are authenticated by including this token. The storage URL provides the host name and resource address. You can access containers and objects by providing the following X-Storage-Url header:

X-Storage-Url: https://{hostname}/v1/{account}/{container}/{object}

The generated token expires 24 hours after creation. If you repeat the authentication request within the 24 hour period using the same UID and password, OpenStack will return the same token. Once the 24 hour expiration period expires, OpenStack will return a new token.

Example

In the following simple authentication example, the first REST call returns an X-Auth-Token. The second REST call uses that X-Auth-Token to perform a GET request on an account.

$ curl -i -H "X-Storage-User: tim_250@sanity.local" -H "X-Storage-Pass: 1fO9X3xyrVhfcokqy3U1UyTY029gha5T+k+vjLqS" http://vipr.yourco.com:9024/auth/v1.0

HTTP/1.1 204 No Content
X-Storage-Url: http://vipr.yourco.com:9024/v1/s3
X-Auth-Token: 8cf4a4e943f94711aad1c91a08e98435
Server: Jetty(7.6.4.v20120524)

$ curl -v -X GET -s -H "X-Auth-Token: 8cf4a4e943f94711aad1c91a08e98435" http://vipr.yourco.com:9024/v1/s3

* About to connect() to vipr.yourco.com port 9024 (#0)
* Trying 203.0.113.10...
* Adding handle: conn: 0x7f9218808c00
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x7f9218808c00) send_pipe: 1, recv_pipe: 0
* Connected to vipr.yourco.com (203.0.113.10) port 9024 (#0)
> GET /v1/s3 HTTP/1.1
> User-Agent: curl/7.31.0
> Host: vipr.yourco.com:9024
> Accept: */*
> X-Auth-Token: 8cf4a4e943f94711aad1c91a08e98435
>
< HTTP/1.1 204 No Content
< Date: Mon, 16 Sep 2013 19:31:45 GMT
< Content-Type: text/plain
* Server Jetty(7.6.4.v20120524) is not blacklisted
< Server: Jetty(7.6.4.v20120524)
<
* Connection #0 to host vipr.yourco.com left intact
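
The following is an added example, not part of the ViPR documentation: a small Python token cache for the V1 flow that reuses the token for the 24 hours stated above and re-authenticates afterwards. The class name, the injectable transport and clock, the HTTPS-only check (port 9025), and the assumption that an expired token is rejected with a 401 are choices made for this example.

```python
import time
import urllib.request

TOKEN_TTL_S = 24 * 60 * 60  # the token expires 24 hours after creation


def http_auth(url, user, key):
    """Default transport: GET /auth/v1.0 and return the response headers."""
    req = urllib.request.Request(url, headers={"X-Auth-User": user, "X-Auth-Key": key})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.headers


class V1TokenCache:
    """Hypothetical helper: caches X-Auth-Token and X-Storage-Url for one user."""

    def __init__(self, base_url, user, key, transport=http_auth, clock=time.time):
        # X-Auth-Key is sent as a plain header, so only the HTTPS port is accepted.
        if not base_url.lower().startswith("https://"):
            raise ValueError("X-Auth-Key would cross the network in cleartext")
        self._url = base_url.rstrip("/") + "/auth/v1.0"
        self._user, self._key = user, key
        self._transport, self._clock = transport, clock
        self._token = self._storage_url = None
        self._fetched = 0.0

    def credentials(self):
        """Return (token, storage_url), re-authenticating only when needed."""
        if self._token is None or self._clock() - self._fetched >= TOKEN_TTL_S:
            headers = self._transport(self._url, self._user, self._key)
            token, url = headers.get("X-Auth-Token"), headers.get("X-Storage-Url")
            if not token or not url:
                raise RuntimeError("auth response lacks X-Auth-Token or X-Storage-Url")
            self._token, self._storage_url = token, url
            self._fetched = self._clock()
        return self._token, self._storage_url

    def invalidate(self):
        """Call after a 401 (assumed): the same token may have been issued to an
        earlier request, so the server-side 24 hours can end before the local TTL."""
        self._token = None
```

Because a repeated authentication within the window returns the same token, the local timer is only an upper bound on validity; `invalidate()` covers the case where the server expires the token first.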

OpenStack Version 2 authentication

ViPR includes limited support for OpenStack Version 2 (Keystone) authentication.

Before you begin

OpenStack V2 introduces unscoped tokens. These can be used to query tenant information. An unscoped token along with tenant information can be used to query a scoped token. A scoped token and a service endpoint can be used to authenticate with ViPR as described in the previous section describing V1 authentication.

The two articles listed below provide important background information.

Procedure

  1. Retrieve an unscoped token.

    curl -v -X POST -H 'ACCEPT: application/json' -H "Content-Type: application/json" -d '{"auth": {"passwordCredentials" : {"username" : "swift_user", "password" : "123"}}}' http://203.0.113.10:9024/v2.0/tokens

    The response looks like the following. The unscoped token is preceded by id.

    {"access": {"token": {"id":"d668b72a011c4edf960324ab2e87438b","expires":"1376633127950"},"user": {"name": "sysadmin", "roles":[ ], "role_links":[ ] },"serviceCatalog":[ ] }}

  2. Retrieve tenant info associated with the unscoped token.

    curl -v http://203.0.113.10:9024/v2.0/tenants -H 'X-Auth-Token: d668b72a011c4edf960324ab2e87438b'

    The response looks like the following.

    {"tenants_links":[], "tenants":[{"description":"s3","enabled":true, "name": "s3"}]}

  3. Retrieve scoped token along with storageUrl.

    curl -v -X POST -H 'ACCEPT: application/json' -H "Content-Type: application/json" -d '{"auth": {"tenantName" : "s3", "token":{"id" : "d668b72a011c4edf960324ab2e87438b"}}}' http://203.0.113.10:9024/v2.0/tokens

    An example response follows. The scoped token is preceded by id.

    {"access":{"token":{"id":"baf0709e30ed4b138c5db6767ba76a4e","expires":"1376633255485","tenant":{"description":"s3","enabled":true,"name":"s3"}}, "user":{"name":"swift_admin","roles":[{"name":"member"},{"name":"admin"}],"role_links":[]},"serviceCatalog":[{"type":"object-store", "name":"Swift","endpoints_links":[],"endpoint":[{"internalURL":"http://203.0.113.10:9024/v1/s3","publicURL":"http://203.0.113.10:9024/v1/s3"}]}]}}

  4. Use the scoped token and service endpoint URL for swift authentication. This step is the same as in V1 of OpenStack.

    curl -v -H "X-Auth-Token: baf0709e30ed4b138c5db6767ba76a4e" http://203.0.113.10:9024/v1/s3/{container}/{object}
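
The following is an added example, not part of the ViPR documentation: a Python function that takes the body returned by `/v2.0/tokens` and extracts what step 4 needs, rejecting an unscoped or expired token. The function name, the `require_https` switch, and the reading of `expires` as epoch milliseconds are assumptions of this example; the sample bodies are constructed from the responses shown in steps 1 and 3.

```python
import json
from urllib.parse import urlsplit

# Sample bodies constructed from the step 1 and step 3 responses shown above.
UNSCOPED = ('{"access":{"token":{"id":"d668b72a011c4edf960324ab2e87438b",'
            '"expires":"1376633127950"},"user":{"name":"sysadmin","roles":[],'
            '"role_links":[]},"serviceCatalog":[]}}')
SCOPED = ('{"access":{"token":{"id":"baf0709e30ed4b138c5db6767ba76a4e",'
          '"expires":"1376633255485","tenant":{"description":"s3","enabled":true,'
          '"name":"s3"}},"user":{"name":"swift_admin","roles":[{"name":"member"},'
          '{"name":"admin"}],"role_links":[]},"serviceCatalog":[{"type":"object-store",'
          '"name":"Swift","endpoints_links":[],"endpoint":[{"internalURL":'
          '"http://203.0.113.10:9024/v1/s3","publicURL":"http://203.0.113.10:9024/v1/s3"}]}]}}')


def parse_access(body, now_ms, require_https=False):
    """Return (token, storage_url, ms_left) from a /v2.0/tokens response body.

    Raises ValueError for an expired token, an unscoped token (no object-store
    entry in serviceCatalog), or a cleartext endpoint when require_https is set.
    """
    access = json.loads(body)["access"]
    token = access["token"]
    # Assumption: "expires" is epoch milliseconds, as the sample values suggest.
    expires_ms = int(token["expires"])
    if expires_ms <= now_ms:
        raise ValueError("token has expired")
    for service in access.get("serviceCatalog", []):
        if service.get("type") != "object-store":
            continue
        # The response above uses "endpoint"; Keystone v2 normally says "endpoints".
        for ep in service.get("endpoint") or service.get("endpoints") or []:
            url = ep["publicURL"]
            if require_https and urlsplit(url).scheme != "https":
                raise ValueError("object-store endpoint is not HTTPS: " + url)
            return token["id"].strip(), url, expires_ms - now_ms
    raise ValueError("no object-store endpoint: token is unscoped")


if __name__ == "__main__":
    now = 1376633000000  # constructed clock, just before the sample expiry
    tok, url, left = parse_access(SCOPED, now)
    print("X-Auth-Token:", tok, "->", url, "(%d ms left)" % left)
```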

Authorization on Container

OpenStack Swift authorization targets only containers.

Swift currently supports two types of authorization:

  • Referral style authorization
  • Group style authorization.

ViPR 2.0 supports only group-based authorization.

Admin users can perform all operations within the account. Non-admin users can only perform operations per container based on the container's X-Container-Read and X-Container-Write Access Control Lists. The following operations can be granted to non-admin users:

Admin assigns read access to the container

curl -XPUT -v -H 'X-Container-Read: {GROUP LIST}' -H 'X-Auth-Token: {TOKEN}' http://127.0.0.1:8080/v1/AUTH_bourne/{container1}

This command allows users belonging to the GROUP LIST to have read access rights to container1.

After read permission is granted, users belonging to the target group(s) can perform the following operations:

  • HEAD container - Retrieve container metadata. Only allowed if the user is assigned to a group that has Tenant Administrator privileges.
  • GET container - List objects within a container
  • GET objects within container - Read contents of the object within the container

Admin assigns write access to the container

curl -XPUT -v -H 'X-Container-Write: {GROUP LIST}' -H 'X-Auth-Token: {TOKEN}' http://127.0.0.1:8080/v1/AUTH_bourne/{container1}

The users in the group GROUP LIST are granted write permission. Once write permission is granted, users belonging to the target group(s) can perform the following operations:

  • POST container - Set metadata. Start with prefix "X-Container-Meta".
  • PUT objects within container - Write/override objects within the container.

Additional information on authorization can be found here:

http://ceph.com/docs/master/radosgw/swift/containerops/