Chapter 3. Object Gateway Swift Application Programming Interface (API)
Ceph supports a RESTful API that is compatible with the basic data access model of the Swift API.
The following table describes the support status for current Swift functional features:
Feature | Status | Remarks |
---|---|---|
Supported | ||
Get Account Metadata | Supported | No custom metadata |
Supported | Supports a subset of Swift ACLs | |
Supported | ||
Supported | ||
Supported | ||
Get Container Metadata | Supported | |
Supported | ||
Delete Container Metadata | Supported | |
Supported | ||
Static Website | Not Supported | |
Supported | ||
Supported | ||
Create Large Object | Supported | |
Supported | ||
Supported | ||
Supported | ||
Supported | ||
Supported | ||
Supported | ||
Expiring Objects | Supported | |
Object Versioning | Not Supported | |
CORS | Not Supported |
3.1. Authentication
Swift API requests that require authentication must contain an X-Storage-Token
authentication token in the request header. The token can be retrieved from Ceph Object Gateway, or from another authenticator. To obtain a token from Ceph Object Gateway, you must create a user.
Syntax
# radosgw-admin user create --uid="<user_name>" --display-name="<display_name>"
Example
# radosgw-admin user create --uid="swift1" --display-name="First Swift User"
3.1.1. Authentication GET
To authenticate a user, make a request containing an X-Auth-User
and a X-Auth-Key
in the header.
Syntax
GET /auth HTTP/1.1 Host: swift.radosgwhost.com X-Auth-User: johndoe X-Auth-Key: R7UUOLFDI2ZI9PRCQ53K
Name | Description | Type | Required |
---|---|---|---|
| The key Ceph Object Gateway username to authenticate. | String | Yes |
| The key associated to a Ceph Object Gateway username. | String | Yes |
The response from the server should include an X-Auth-Token
value. The response might also contain a X-Storage-Url
that provides the <api_version>/<account>
prefix that is specified in other requests throughout the API documentation.
Name | Description | Type |
---|---|---|
|
The authorization token for the | String |
|
The URL and | String |
Example Response
HTTP/1.1 204 No Content Date: Mon, 16 Jul 2012 11:05:33 GMT Server: swift X-Storage-Url: https://swift.radosgwhost.com/v1/ACCT-12345 X-Storage-Token: UOlCCC8TahFKlWuv9DB09TWHF0nDjpPElha0kAa Content-Length: 0 Content-Type: text/plain; charset=UTF-8
3.2. Service Operations
To retrieve data about our Swift-compatible service, you can execute GET
requests using the X-Storage-Url
value retrieved during authentication.
3.2.1. List Containers
A GET
request that specifies the API version and the account will return a list of containers for a particular user account. Since the request returns a particular user’s containers, the request requires an authentication token. The request cannot be made anonymously.
Syntax
GET /<api_version>/<account> HTTP/1.1 Host: <Fully_Qualified_Domain_Name> X-Auth-Token: <auth_token>
Name | Description | Type | Required | Valid Values |
---|---|---|---|---|
| Limits the number of results to the specified value. | Integer | No | N/A |
| Defines the format of the result. | String | No |
|
| Returns a list of results greater than the marker value. | String | No | N/A |
The response contains a list of containers, or returns with an HTTP 204 response code
Name | Description | Type |
---|---|---|
| A list for account information. | Container |
| The list of containers. | Container |
| The name of a container. | String |
| The size of the container. | Integer |
3.3. Container Operations
A container is a mechanism for storing data objects. An account can have many containers, but container names must be unique. This API enables a client to create a container, set access controls and metadata, retrieve a container’s contents, and delete a container. Since this API makes requests related to information in a particular user’s account, all requests in this API must be authenticated unless a container’s access control is deliberately made publicly accessible, that is, allows anonymous requests.
The Amazon S3 API uses the term 'bucket' to describe a data container. When you hear someone refer to a 'bucket' within the Swift API, the term 'bucket' might be construed as the equivalent of the term 'container.'
One facet of object storage is that it does not support hierarchical paths or directories. Instead, it supports one level consisting of one or more containers, where each container might have objects. The RADOS Gateway’s Swift-compatible API supports the notion of 'pseudo-hierarchical containers', which is a means of using object naming to emulate a container, or directory hierarchy without actually implementing one in the storage system. You can name objects with pseudo-hierarchical names, for example, photos/buildings/empire-state.jpg, but container names cannot contain a forward slash (/
) character.
3.3.1. Container Operations with Multi Tenancy
When a client application accesses containers, it always operates with credentials of a particular user. In Red Hat Ceph Storage 2, every user belongs to a tenant. See Multi Tenancy for additional details. Consequently, every container operation has an implicit tenant in its context if no tenant is specified explicitly. Thus multi tenancy is completely backward compatible with previous releases, as long as the referred containers and referring user belong to the same tenant.
Extensions employed to specify an explicit tenant differ according to the protocol and authentication system used.
A colon character separates tenant and container, thus a sample URL would be:
Example
https://rgw.domain.com/tenant:container
By contrast, in a create_container()
method, simply separate the tenant and container in the container method itself:
Example
create_container("tenant:container")
3.3.2. Create a Container
To create a new container, make a PUT
request with the API version, account, and the name of the new container. The container name must be unique, must not contain a forward-slash (/) character, and should be less than 256 bytes. You can include access control headers and metadata headers in the request. You can also include a storage policy identifying a key for a set of placement pools, for example, execute radosgw-admin zone get
to see a list of available keys under placement_pools
. A storage policy enables you to specify a special set of pools for the container, for example, SSD-based storage. The operation is idempotent; that is, if you make a request to create a container that already exists, it will return with a HTTP 202 return code, but will not create another container.
Syntax
PUT /<api_version>/<account>/<tenant>:<container> HTTP/1.1 Host: <Fully_Qualified_Domain_Name> X-Auth-Token: <auth_token> X-Container-Read: <comma_separated_uids> X-Container-Write: <comma_separated_uids> X-Container-Meta-<key>: <value> X-Storage-Policy: <placement_pools_key>
Name | Description | Type | Required |
---|---|---|---|
| The user IDs with read permissions for the container. | Comma-separated string values of user IDs. | No |
| The user IDs with write permissions for the container. | Comma-separated string values of user IDs. | No |
| A user-defined meta data key that takes an arbitrary string value. | String | No |
|
The key that identifies the storage policy under | String | No |
If a container with the same name already exists, and the user is the container owner then the operation will succeed. Otherwise the operation will fail.
Name | Description | Status Code |
---|---|---|
| The container already exists under a different user’s ownership. |
|
3.3.3. List a Container’s Objects
To list the objects within a container, make a GET
request with the with the API version, account, and the name of the container. You can specify query parameters to filter the full list, or leave out the parameters to return a list of the first 10,000 object names stored in the container.
Syntax
GET /<api_version>/<tenant>:<container> HTTP/1.1 Host: <Fully_Qualified_Domain_Name> X-Auth-Token: <auth_token>
Name | Description | Type | Valid Values | Required |
---|---|---|---|---|
| Defines the format of the result. | String |
| No |
| Limits the result set to objects beginning with the specified prefix. | String | N/A | No |
| Returns a list of results greater than the marker value. | String | N/A | No |
| Limits the number of results to the specified value. | Integer | 0 - 10,000 | No |
| The delimiter between the prefix and the rest of the object name. | String | N/A | No |
| The pseudo-hierarchical path of the objects. | String | N/A | No |
Name | Description | Type |
---|---|---|
| The container. | Container |
| An object within the container. | Container |
| The name of an object within the container. | String |
| A hash code of the object’s contents. | String |
| The last time the object’s contents were modified. | Date |
| The type of content within the object. | String |
3.3.4. Update a Container’s Access Control Lists (ACLs)
Red Hat Ceph Storage does not support ACLs if using the OpenStack Keystone authentication framework in RHCS 2 and earlier releases.
When a user creates a container, the user has read and write access to the container by default. To allow other users to read a container’s contents or write to a container, you must specifically enable the user. You can also specify *
in the X-Container-Read
or X-Container-Write
settings, which effectively enables all users to either read from or write to the container. Setting *
makes the container public. That is it enables anonymous users to either read from or write to the container.
Syntax
POST /<api_version>/<account>/<tenant>:<container> HTTP/1.1 Host: <Fully_Qualified_Domain_Name> X-Auth-Token: <auth_token> X-Container-Read: * X-Container-Write: <uid1>, <uid2>, <uid3>
Name | Description | Type | Required |
---|---|---|---|
| The user IDs with read permissions for the container. | Comma-separated string values of user IDs. | No |
| The user IDs with write permissions for the container. | Comma-separated string values of user IDs. | No |
3.3.5. Add/Update Container Metadata
To add metadata to a container, make a POST
request with the API version, account, and container name. You must have write permissions on the container to add or update metadata.
Syntax
POST /<api_version>/<account>/<tenant>:<container> HTTP/1.1 Host: <Fully_Qualified_Domain_Name> X-Auth-Token: <auth_token> X-Container-Meta-Color: red X-Container-Meta-Taste: salty
Name | Description | Type | Required |
---|---|---|---|
| A user-defined meta data key that takes an arbitrary string value. | String | No |
3.3.6. Delete a Container
To delete a container, make a DELETE
request with the API version, account, and the name of the container. The container must be empty. If you’d like to check if the container is empty, execute a HEAD
request against the container. Once you’ve successfully removed the container, you’ll be able to reuse the container name.
Syntax
DELETE /<api version>/<account>/<tenant>:<container> HTTP/1.1 Host: <Fully_Qualified_Domain_Name> X-Auth-Token: <auth-token>
Name | Description | Status Code |
---|---|---|
| The container was removed. |
|
3.4. Object Operations
An object is a container for storing data and metadata. A container might have many objects, but the object names must be unique. This API enables a client to create an object, set access controls and metadata, retrieve an object’s data and metadata, and delete an object. Since this API makes requests related to information in a particular user’s account, all requests in this API must be authenticated unless the container or object’s access control is deliberately made publicly accessible, that is, allows anonymous requests.
3.4.1. Create/Update an Object
To create a new object, make a PUT
request with the API version, account, container name and the name of the new object. You must have write permission on the container to create or update an object. The object name must be unique within the container. The PUT
request is not idempotent, so if you do not use a unique name, the request will update the object. However, you can use pseudo-hierarchical syntax in the object name to distinguish it from another object of the same name if it is under a different pseudo-hierarchical directory. You can include access control headers and metadata headers in the request.
Syntax
PUT /<api_version>/<account>/<tenant>:<container>/<object> HTTP/1.1 Host: <Fully_Qualified_Domain_Name> X-Auth-Token: <auth_token>
Name | Description | Type | Required | Valid Values |
---|---|---|---|---|
| An MD5 hash of the object’s contents. Recommended. | String | No | N/A |
| The type of content the object contains. | String | No | N/A |
| Indicates whether the object is part of a larger aggregate object. | String | No |
|
3.4.2. Copy an Object
Copying an object allows you to make a server-side copy of an object, so that you don’t have to download it and upload it under another container/name. To copy the contents of one object to another object, you can make either a PUT
request or a COPY
request with the API version, account, and the container name. For a PUT
request, use the destination container and object name in the request, and the source container and object in the request header. For a Copy
request, use the source container and object in the request, and the destination container and object in the request header. You must have write permission on the container to copy an object. The destination object name must be unique within the container. The request is not idempotent, so if you do not use a unique name, the request will update the destination object. However, you can use pseudo-hierarchical syntax in the object name to distinguish the destination object from the source object of the same name if it is under a different pseudo-hierarchical directory. You can include access control headers and metadata headers in the request.
Syntax
PUT /<api_version>/<account>/<tenant>:<dest_container>/<dest_object> HTTP/1.1 X-Copy-From: <tenant>:<source_container>/<source_object> Host: <Fully_Qualified_Domain_Name> X-Auth-Token: <auth_token>
or alternatively:
Syntax
COPY /<api_version>/<account>/<tenant>:<source_container>/<source_object> HTTP/1.1 Destination: <tenant>:<dest_container>/<dest_object>
Name | Description | Type | Required |
---|---|---|---|
|
Used with a | String |
Yes, if using |
|
Used with a | String |
Yes, if using |
|
Only copies if modified since the date/time of the source object’s | Date | No |
|
Only copies if not modified since the date/time of the source object’s | Date | No |
| Copies only if the ETag in the request matches the source object’s ETag. | ETag. | No |
| Copies only if the ETag in the request does not match the source object’s ETag. | ETag. | No |
3.4.3. Delete an Object
To delete an object, make a DELETE
request with the API version, account, container and object name. You must have write permissions on the container to delete an object within it. Once you’ve successfully deleted the object, you’ll be able to reuse the object name.
Syntax
DELETE /<api_version>/<account>/<tenant>:<container>/<object> HTTP/1.1 Host: <Fully_Qualified_Domain_Name> X-Auth-Token: <auth_token>
3.4.4. Get an Object
To retrieve an object, make a GET
request with the API version, account, container and object name. You must have read permissions on the container to retrieve an object within it.
Syntax
GET /<api version>/<account>/<tenant>:<container>/<object> HTTP/1.1 Host: <Fully_Qualified_Domain_Name> X-Auth-Token: <auth-token>
Name | Description | Type | Required |
---|---|---|---|
| To retrieve a subset of an object’s contents, you can specify a byte range. | Date | No |
|
Only copies if modified since the date/time of the source object’s | Date | No |
|
Only copies if not modified since the date/time of the source object’s | Date | No |
| Copies only if the ETag in the request matches the source object’s ETag. | ETag. | No |
| Copies only if the ETag in the request does not match the source object’s ETag. | ETag. | No |
Name | Description |
---|---|
| The range of the subset of object contents. Returned only if the range header field was specified in the request. |
3.4.5. Get Object Metadata
To retrieve an object’s metadata, make a HEAD
request with the API version, account, container and object name. You must have read permissions on the container to retrieve metadata from an object within the container. This request returns the same header information as the request for the object itself, but it does not return the object’s data.
Syntax
HEAD /<api_version>/<account>/<tenant>:<container>/<object> HTTP/1.1 Host: <Fully_Qualified_Domain_Name> X-Auth-Token: <auth_token>
3.4.6. Add/Update Object Metadata
To add metadata to an object, make a POST
request with the API version, account, container and object name. You must have write permissions on the parent container to add or update metadata.
Syntax
POST /<api_version>/<account>/<tenant>:<container>/<object> HTTP/1.1 Host: <Fully_Qualified_Domain_Name> X-Auth-Token: <auth_token>
Name | Description | Type | Required |
---|---|---|---|
| A user-defined meta data key that takes an arbitrary string value. | String | No |
3.5. Temp URL Operations
To allow temporary access, for example GET requests, to objects without the need to share credentials, temp url functionality is supported by swift endpoint of radosgw
. For this functionality, initially the value of X-Account-Meta-Temp-URL-Key
and optionally X-Account-Meta-Temp-URL-Key-2
should be set. The Temp URL functionality relies on a HMAC-SHA1 signature against these secret keys.
3.5.1. POST Temp-URL Keys
A POST
request to the swift account with the required Key will set the secret temp url key for the account against which temporary url access can be provided to accounts. Up to two keys are supported, and signatures are checked against both the keys, if present, so that keys can be rotated without invalidating the temporary urls.
Syntax
POST /<api_version>/<account> HTTP/1.1 Host: <Fully_Qualified_Domain_Name> X-Auth-Token: <auth_token>
Name | Description | Type | Required |
---|---|---|---|
| A user-defined key that takes an arbitrary string value. | String | Yes |
| A user-defined key that takes an arbitrary string value. | String | No |
3.5.2. GET Temp-URL Objects
Temporary URL uses a cryptographic HMAC-SHA1 signature, which includes the following elements:
- The value of the Request method, "GET" for instance
- The expiry time, in format of seconds since the epoch, that is, Unix time
- The request path starting from "v1" onwards
The above items are normalized with newlines appended between them, and a HMAC is generated using the SHA-1 hashing algorithm against one of the Temp URL Keys posted earlier.
A sample python script to demonstrate the above is given below:
Example
import hmac from hashlib import sha1 from time import time method = 'GET' host = 'https://objectstore.example.com' duration_in_seconds = 300 # Duration for which the url is valid expires = int(time() + duration_in_seconds) path = '/v1/your-bucket/your-object' key = 'secret' hmac_body = '%s\n%s\n%s' % (method, expires, path) hmac_body = hmac.new(key, hmac_body, sha1).hexdigest() sig = hmac.new(key, hmac_body, sha1).hexdigest() rest_uri = "{host}{path}?temp_url_sig={sig}&temp_url_expires={expires}".format( host=host, path=path, sig=sig, expires=expires) print rest_uri
Example Output
https://objectstore.example.com/v1/your-bucket/your-object?temp_url_sig=ff4657876227fc6025f04fcf1e82818266d022c6&temp_url_expires=1423200992
3.6. Swift API Limitations
The following limitations should be used with caution. There are implications related to your hardware selections, so you should always discuss these requirements with your Red Hat account team.
- Maximum object size when using Swift API: 5GB
- Maximum metadata size when using Swift API: There is no defined limit on the total size of user metadata that can be applied to an object, but a single HTTP request is limited to 16,000.