Enabling the HPE Ezmeral Data Fabric Object Store
Some post-installation steps must be performed before you can use the HPE Ezmeral Data Fabric Object Store.
mapr-s3server package, you must perform post-installation steps to:
- Enable the Multithreaded Object Store Server (MOSS) to start in https mode.
- Enable user access to mc commands.
- Enable access to the Object Store through an application using the AWS S3 SDK.
- Enable CLI access to the Object Store.
- Gain access to the Object Store UI.
Post-Installation Steps
The following steps are needed if the cluster is running in secure mode:
- If you did not do so as part of Enabling Security on a Configured Cluster, copy the following files to /opt/mapr/conf on all other nodes:
    /opt/mapr/conf/private.key
    /opt/mapr/conf/ca/chain-ca.pem
  NOTE: If you are running Data Fabric 7.0.0.5 or later, the private.key and public.crt are not present and do not need to be copied to all other nodes. On Data Fabric 7.0.0.5, the /opt/mapr/conf/ssl_usertruststore performs this function and is present on all nodes.
- Copy /opt/mapr/conf/ca/chain-ca.pem to ~/.mc/certs/CAs/ on the node running mc.
- On every node that runs an application using the AWS S3 SDK, add the chain-ca.pem to the Java cacerts truststore, as shown in the following example:
    ${JAVA_HOME}/bin/keytool -noprompt -importcert -file /opt/mapr/conf/ca/chain-ca.pem -alias maprca -keystore ${JAVA_HOME}/lib/security/cacerts -storepass <cacerts_truststore>
  Note:
  - The default password for -storepass is changeit.
  - The {JAVA_HOME} location can vary. For example, on RHEL 8.4, {JAVA_HOME} is located at: /usr/lib/jvm/jre-11-openjdk-11.0.15.0.9-2.el8_5.x86_64.
- (Required if you want to access the Object Store from the CLI) Generate S3 keys (accessKey and secretKey) for the cluster administrator. The cluster administrator (typically the mapr user) must authenticate to the Object Store cluster and generate S3 keys on the default Object Store account.
  - Use maprlogin to authenticate the cluster administrator.
  - Run the maprcli dump cldbstate -json command to check the status of the S3 server module quorum. The dump output should indicate that the primary and secondary S3 server modules are running.
  - Generate the keys, as shown in the following example:
      maprcli s3keys generate -domainname primary -accountname default -username mapr -json
    The primary domain is the only domain that exists in Object Store. Currently, you cannot create additional domains.
- (Required if you upgraded from an earlier version of core to core 7.x) Restart the CLDB service on all nodes to activate the CLDB S3 modules:
    /opt/mapr/bin/maprcli node services -cldb restart -nodes <list node names separated by spaces>
  For additional information, see node services.
Log in to the Object Store UI at https://<ip-address>:8443/app/mcs/opal/. Before you log in to the Object Store UI, note the following Object Store login requirements for AD/LDAP users:
- All cluster nodes must be part of AD/LDAP. (Required for AD/LDAP users to log in to the Object Store UI.)
- The AD/LDAP user logging in to the Object Store must have log-in permission. You can set log-in permission from the Control System. Go to https://<node-ip-address>:8443/app/mcs/#/overview and select Admin > User Settings. Click the Permissions tab. Add the AD/LDAP user, and select the Login checkbox next to the username.
HTTPS Access to Object Store
${JAVA_HOME}/bin/keytool -noprompt -importcert -file /opt/mapr/conf/ca/chain-ca.pem -alias mosscert -keystore ${JAVA_HOME}/lib/security/cacerts -storepass changeit
The following sections provide command usage examples:
- S3cmd
  The following example shows how to access Object Store and create a bucket using the S3cmd:
- AWS
  Before you use the aws command to access Object Store, verify that you have a recent version of python3-urllib3. (Version 1.22-1 was tested successfully.)
HTTP Access to Object Store
To revert to http access, comment out the moss.certs.dir=/opt/mapr/conf line in the /opt/mapr/conf/moss.conf file.
Enabling S3 Virtual-Host-Style Requests
Style | Example REST Request |
---|---|
Virtual Host | host:<bucket_name>.mip.storage.hpecorp.net:9000 |
Path | host:mip.storage.hpecorp.net:9000 |
- Install and configure a DNS server that maps the domain name of the S3 server to all the S3 servers in the cluster. For example:
    address=/mip.storage.hpecorp.net/10.163.161.175
    address=/mip.storage.hpecorp.net/10.163.163.164
- Add the following command to /opt/mapr/conf/env_override.sh, and restart the S3 server on all nodes in the cluster:
    export MINIO_DOMAIN=<domain_name>
- Use the <domain_name> during alias creation or as an endpoint URL in S3 requests wherever it is required:
    /opt/mapr/bin/mc alias set newmoss https://<domain_name>:9000 <access_key> <secret_key>
    aws s3api put-object --bucket sbuck3 --body /root/1m --key f1 --endpoint-url https://<domain_name>:9000
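The two request styles in the table above differ only in where the bucket name travels. The following sketch is an added illustration, not MOSS source code: it maps a Host header and request path to bucket and key given the domain exported as MINIO_DOMAIN, using the page's sample domain and bucket; the function name and the empty-domain behaviour are assumptions.

```shell
#!/usr/bin/env bash
# Added illustration (not MOSS source code): resolve bucket and key from a
# request, given the domain that is exported as MINIO_DOMAIN.
# Assumption: with no domain configured, every request is read as path style.

# Usage: resolve_request DOMAIN HOST PATH
# Prints "STYLE bucket=NAME key=KEY"; returns 1 if no bucket can be found.
resolve_request() {
    local domain host path bucket key
    domain=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    host=$(printf '%s' "${2%:*}" | tr 'A-Z' 'a-z')   # drop ":port", fold case
    path=${3#/}                                      # drop the leading "/"

    if [ -n "$domain" ] && [ "$host" != "$domain" ]; then
        case "$host" in
            *".$domain")
                # Virtual-host style: the bucket is the label before the domain.
                bucket=${host%".$domain"}
                [ -n "$bucket" ] || return 1
                printf 'virtual bucket=%s key=%s\n' "$bucket" "$path"
                return 0 ;;
        esac
    fi

    # Path style: the bucket is the first path segment, the key is the rest.
    bucket=${path%%/*}
    key=""
    case "$path" in */*) key=${path#*/} ;; esac
    [ -n "$bucket" ] || return 1
    printf 'path bucket=%s key=%s\n' "$bucket" "$key"
}

# Constructed requests, using the sample domain and bucket from this page.
d=mip.storage.hpecorp.net
resolve_request "$d" "sbuck3.$d:9000" /f1          # virtual-host style
resolve_request "$d" "$d:9000"        /sbuck3/f1   # path style
resolve_request ""   "sbuck3.$d:9000" /f1          # domain not configured
```

In the last call the key f1 is read as the bucket name, which is the kind of mismatch to look for when virtual-host-style requests reach a server that was not restarted with the domain set.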
MINIO_DOMAIN=<domain_name> to /opt/mapr/conf/env_override.sh while using the complete host name during alias creation or as an endpoint.
Object Store Port
The default port for MOSS is 9000. The default port for S3 Gateway is also 9000. If you run S3 Gateway and Object Store in your cluster, change one of the ports to avoid conflicts. Change the MOSS port in /opt/mapr/conf/moss.conf by editing the moss.port=<port_number> option. Change the S3 Gateway port in /opt/mapr/objectstore-client/objectstore-client-<version>/conf/minio.json by changing the ports option. For additional port information, see Ports Used by HPE Ezmeral Data Fabric Software
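Both the HTTP Access to Object Store section and this section come down to two settings in moss.conf, so a node can be audited by reading that file. The script below is an added example, not part of the product: it reports whether a moss.conf enables HTTPS and which port it sets, assuming key=value lines with '#' as the comment character; the function names and the sample file are constructed.

```shell
#!/usr/bin/env bash
# Added example: report the transport mode and port configured in a moss.conf.
# Assumptions: settings are key=value lines and '#' starts a comment.

# conf_value KEY FILE: print the value of the last active KEY line, if any.
conf_value() {
    awk -F= -v k="$1" '
        /^[ \t]*#/ { next }                  # commented-out setting
        index($0, "=") == 0 { next }         # not a key=value line
        { name = $1; gsub(/[ \t]/, "", name) }
        name == k {
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            found = val
        }
        END { print found }' "$2"
}

# moss_mode FILE: print "https port=N certs=DIR" or "http port=N".
moss_mode() {
    local file="$1" certs port
    certs=$(conf_value moss.certs.dir "$file")
    port=$(conf_value moss.port "$file")
    port=${port:-9000}                       # page: the default MOSS port is 9000
    if [ -n "$certs" ]; then
        echo "https port=$port certs=$certs"
    else
        # moss.certs.dir is commented out or absent: the HTTP revert case.
        echo "http port=$port"
    fi
}

# Constructed sample: HTTPS disabled and the port moved off the default.
sample=$(mktemp)
printf '%s\n' '#moss.certs.dir=/opt/mapr/conf' 'moss.port=9010' > "$sample"
moss_mode "$sample"
rm -f "$sample"
```

Run `moss_mode /opt/mapr/conf/moss.conf` on each node; a node that reports http when the cluster is meant to serve HTTPS, or port 9000 alongside an S3 Gateway on its default port, needs the corresponding fix described above.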