Enabling the HPE Ezmeral Data Fabric Object Store

1. If you did not do so as part of Enabling Security on a Configured Cluster, copy the following files to /opt/mapr/conf on all other nodes:
   • /opt/mapr/conf/private.key
   • /opt/mapr/conf/ca/chain-ca.pem
   NOTE

   If you are running Data Fabric 7.0.0.5 or later, the private.key and public.crt are not present and do not need to be copied to all other nodes. On Data Fabric 7.0.0.5, the /opt/mapr/conf/ssl_usertruststore performs this function and is present on all nodes.
2. Copy /opt/mapr/conf/ca/chain-ca.pem to ~/.mc/certs/CAs/ on the node running mc.
3. On every node that runs an application using the AWS S3 SDK, add the chain-ca.pem to the Java cacerts truststore, as shown in the following example:

   ${JAVA_HOME}/bin/keytool -noprompt -importcert -file /opt/mapr/conf/ca/chain-ca.pem -alias maprca -keystore ${JAVA_HOME}/lib/security/cacerts -storepass <cacerts_truststore>

   Note:
   • The default password for -storepass is changeit.
   • The {JAVA_HOME} location can vary. For example, on RHEL 8.4, {JAVA_HOME} is located at: /usr/lib/jvm/jre-11-openjdk-11.0.15.0.9-2.el8_5.x86_64.
4. (Required if you want to access the Object Store from the CLI) Generate S3 keys (accessKey and secretKey) for the cluster administrator. The cluster administrator (typically the mapr user) must authenticate to the Object Store cluster and generate S3 keys on the default Object Store account.
   1. Use maprlogin to authenticate the cluster administrator.
   2. Run the maprcli dump cldbstate -json command to check the status of the S3 server module quorum. The dump output should indicate that the primary and secondary S3 server modules are running.
   3. Generate the keys, as shown in the following example:

      maprcli s3keys generate -domainname primary -accountname default -username mapr -json

      The primary domain is the only domain that exists in Object Store. Currently, you cannot create additional domains.
5. (Required if you upgraded from an earlier version of core to core 7.x) Restart the CLDB service on all nodes to activate the CLDB S3 modules:

   /opt/mapr/bin/maprcli node services -cldb restart -nodes <list node names separated by spaces>

   For additional information, see node services.

Log in to the Object Store UI at https://<ip-address>:8443/app/mcs/opal/. Before you log in to the Object Store UI, note the following Object Store login requirements for AD/LDAP users:

• All cluster nodes must be part of AD/LDAP. (Required for AD/LDAP users to log in to the Object Store UI.)
• The AD/LDAP user logging in to the Object Store must have log-in permission. You can set log-in permission from the Control System. Go to https://<node-ip-address>:8443/app/mcs/#/overview and select Admin > User Settings. Click the Permissions tab. Add the AD/LDAP user, and select the Login checkbox next to the username.

You can use S3cmd or the AWS CLI to access Object Store over https. If you do not have S3cmd or the AWS CLI installed, you can download them:

• AWS CLI
• S3cmd

Before you run either command, you must first add the MOSS certificate with the java certificates, as shown in the following example:

${JAVA_HOME}/bin/keytool -noprompt -importcert -file /opt/mapr/conf/ca/chain-ca.pem -alias mosscert -keystore ${JAVA_HOME}/lib/security/cacerts -storepass changeit

S3cmd

The following example shows how to access Object Store and create a bucket using the S3cmd:

s3cmd --ca-certs=/opt/mapr/conf/ca/chain-ca.pem mb s3://bucketname

AWS

Before you use the aws command to access Object Store, verify that you have a recent version of python3-urllib3. (Version 1.22-1 was tested successfully.)

Also, you must either set an environment variable for the Object Store certificate, as shown:

export AWS_CA_BUNDLE=/opt/mapr/conf/ca/chain-ca.pem

OR update /root/.aws/config, as shown:

[default]
region = us-east-1
ca_bundle = /opt/mapr/conf/ca/chain-ca.pem
aws_access_key_id = R2VPO2QR3CTDQ5SG4DJSKIZ2VX1X8HDOTO6NDCHCM9NKASB03WJ
aws_secret_access_key = 1241TP3TOGWK8OGJJVR9N4D6P2M6BUIZLVQOT6NHD4QH38QBU3HV2NXMHAIQNYJ2TQ

The following example shows how to access Object Store and list buckets with the aws command:

aws s3api list-buckets --endpoint-url https://m2-sm2028-08-n4.mip.storage.hpecorp.net:9000 

S3 REST requests can be made either in virtual host style or in path style. The host value of the HTTP request header indicates the request style:

Style	Example REST Request
Virtual Host	host:<bucket_name>.mip.storage.hpecorp.net:9000
Path	host:mip.storage.hpecorp.net:9000

However, the Amazon documentation indicates that path-style URLs will be discontinued in the future.

To enable the S3 server to work with virtual-host-style requests, use the steps below:

1. Install and configure a DNS server that maps the domain name of the S3 server to all the S3 servers in the cluster. For example:

   address=/mip.storage.hpecorp.net/10.163.161.175
   address=/mip.storage.hpecorp.net/10.163.163.164

2. Add the following command to /opt/mapr/conf/env_override.sh, and restart the S3 server on all nodes in the cluster:

   export MINIO_DOMAIN=<domain_name>

3. Use the <domain_name> during alias creation or as an endpoint URL in S3 requests wherever it is required:

   /opt/mapr/bin/mc alias set newmoss https://<domain_name>:9000 <access_key> <secret_key>
   
   aws s3api put-object --bucket sbuck3 --body /root/1m --key f1 --endpoint-url https://<domain_name>:9000 

Virtual host-style requests do not work when you use the host name during alias creation or as an endpoint URL. Do not add MINIO_DOMAIN=<domain_name> to /opt/mapr/conf/env_override.sh while using the complete host name during alias creation or as an endpoint.