Enabling the HPE Ezmeral Data Fabric Object Store

Some post-installation steps must be performed before you can use the HPE Ezmeral Data Fabric Object Store.

After applying the mapr-s3server package, you must perform post-installation steps to:
  • Enable the Multithreaded Object Store Server (MOSS) to start in https mode.
  • Enable user access to mc commands.
  • Enable access to the Object Store through an application using the AWS S3 SDK.
  • Enable CLI access to the Object Store.
  • Gain access to the Object Store UI.

Post-Installation Steps

The following steps are needed if the cluster is running in secure mode:

  1. If you did not do so as part of Enabling Security, copy the following files to /opt/mapr/conf on all other nodes:
    • /opt/mapr/conf/private.key
    • /opt/mapr/conf/ca/chain-ca.pem
    NOTE
    If you are running Data Fabric 7.0.0.5 or later, the private.key and public.crt are not present and do not need to be copied to all other nodes. On Data Fabric 7.0.0.5, the /opt/mapr/conf/ssl_usertruststore performs this function and is present on all nodes.
  2. Copy /opt/mapr/conf/ca/chain-ca.pem to ~/.mc/certs/CAs/ on the node running mc.
  3. On every node that runs an application using the AWS S3 SDK, add the chain-ca.pem to the Java cacerts truststore, as shown in the following example:
    ${JAVA_HOME}/bin/keytool -noprompt -importcert -file /opt/mapr/conf/ca/chain-ca.pem -alias maprca -keystore ${JAVA_HOME}/lib/security/cacerts -storepass <cacerts_truststore>
    Note:
    • The default password for -storepass is changeit.
    • The {JAVA_HOME} location can vary. For example, on RHEL 8.4, {JAVA_HOME} is located at: /usr/lib/jvm/jre-11-openjdk-11.0.15.0.9-2.el8_5.x86_64.
  4. (Required if you want to access the Object Store from the CLI) Generate S3 keys (accessKey and secretKey) for the cluster administrator. The cluster administrator (typically the mapr user) must authenticate to the Object Store cluster and generate S3 keys on the default Object Store account.
    1. Use maprlogin to authenticate the cluster administrator.
    2. Run the maprcli dump cldbstate -json command to check the status of the S3 server module quorum. The dump output should indicate that the primary and secondary S3 server modules are running.
    3. Generate the keys, as shown in the following example:
      maprcli s3keys generate -domainname primary -accountname default -username mapr -json
      The primary domain is the only domain that exists in Object Store. Currently, you cannot create additional domains.
  5. (Required if you upgraded from an earlier version of core to core 7.x) Restart the CLDB service on all nodes to activate the CLDB S3 modules:
    /opt/mapr/bin/maprcli node services -cldb restart -nodes <list node names separated by spaces>
    For additional information, see node services.

Log in to the Object Store UI

Log in to the Object Store UI at https://<ip-address>:8443/app/mcs/opal/. Before you log in to the Object Store UI, note the following Object Store login requirements for AD/LDAP users:
  • All cluster nodes must be part of AD/LDAP. (Required for AD/LDAP users to log in to the Object Store UI.)
  • The AD/LDAP user logging in to the Object Store must have log-in permission. You can set log-in permission from the Control System. Go to https://<node-ip-address>:8443/app/mcs/#/overview and select Admin > User Settings. Click the Permissions tab. Add the AD/LDAP user, and select the Login checkbox next to the username.

HTTPS Access to Object Store

You can use S3cmd or the AWS CLI to access Object Store over https. If you do not have S3cmd or the AWS CLI installed, you can download them:
Before you run either command, you must first add the MOSS certificate with the java certificates, as shown in the following example:
${JAVA_HOME}/bin/keytool -noprompt -importcert -file /opt/mapr/conf/ca/chain-ca.pem -alias mosscert -keystore ${JAVA_HOME}/lib/security/cacerts -storepass changeit

The following sections provide command usage examples:

S3cmd
The following example shows how to access Object Store and create a bucket using the S3cmd:
s3cmd --ca-certs=/opt/mapr/conf/ca/chain-ca.pem mb s3://bucketname
AWS
Before you use the aws command to access Object Store, verify that you have a recent version of python3-urllib3. (Version 1.22-1 was tested successfully.)
Also, you must either set an environment variable for the Object Store certificate, as shown:
export AWS_CA_BUNDLE=/opt/mapr/conf/ca/chain-ca.pem
OR update /root/.aws/config, as shown:
[default]
region = us-east-1
ca_bundle = /opt/mapr/conf/ca/chain-ca.pem
aws_access_key_id = R2VPO2QR3CTDQ5SG4DJSKIZ2VX1X8HDOTO6NDCHCM9NKASB03WJ
aws_secret_access_key = 1241TP3TOGWK8OGJJVR9N4D6P2M6BUIZLVQOT6NHD4QH38QBU3HV2NXMHAIQNYJ2TQ
The following example shows how to access Object Store and list buckets with the aws command:
aws s3api list-buckets --endpoint-url https://m2-sm2028-08-n4.mip.storage.hpecorp.net:9000 

HTTP Access to Object Store

To revert to http access, comment out the moss.certs.dir=/opt/mapr/conf line in the /opt/mapr/conf/moss.conf file.

Enabling S3 Virtual-Host-Style Requests

S3 REST requests can be made either in virtual host style or in path style. The host value of the HTTP request header indicates the request style:
Style Example REST Request
Virtual Host host:<bucket_name>.mip.storage.hpecorp.net:9000
Path host:mip.storage.hpecorp.net:9000
However, the Amazon documentation indicates that path-style URLs will be discontinued in the future.
To enable the S3 server to work with virtual-host-style requests, use the steps below:
  1. Install and configure a DNS server that maps the domain name of the S3 server to all the S3 servers in the cluster. For example:
    address=/mip.storage.hpecorp.net/10.163.161.175
    address=/mip.storage.hpecorp.net/10.163.163.164
  2. Add the following command to /opt/mapr/conf/env_override.sh, and restart the S3 server on all nodes in the cluster:
    export MINIO_DOMAIN=<domain_name>
  3. Use the <domain_name> during alias creation or as an endpoint URL in S3 requests wherever it is required:
    /opt/mapr/bin/mc alias set newmoss https://<domain_name>:9000 <access_key> <secret_key>
    
    aws s3api put-object --bucket sbuck3 --body /root/1m --key f1 --endpoint-url https://<domain_name>:9000 
Virtual host-style requests do not work when you use the host name during alias creation or as an endpoint URL. Do not add MINIO_DOMAIN=<domain_name> to /opt/mapr/conf/env_override.sh while using the complete host name during alias creation or as an endpoint.

Object Store Port

The default port for MOSS is 9000. The default port for S3 Gateway is also 9000. If you run S3 Gateway and Object Store in your cluster, change one of the ports to avoid conflicts. Change the MOSS port in /opt/mapr/conf/moss.conf by editing the moss.port=<port_number> option. Change the S3 Gateway port in /opt/mapr/objectstore-client/objectstore-client-<version>/conf/minio.json by changing the ports option. For additional port information, see Ports Used by HPE Ezmeral Data Fabric Software