이 콘텐츠는 선택한 언어로 제공되지 않습니다.

Chapter 2. Object Gateway S3 Application Programming Interface (API)

Red Hat Ceph Object Gateway supports a RESTful API that is compatible with the basic data access model of the Amazon S3 API.

The following table describes the support status for current Amazon S3 functional features.

Table 2.1. Features
Feature	Status	Remarks
List Buckets	Supported
Create Bucket	Supported	Different set of canned ACLs
Put Bucket Lifecycle	Partially Supported	`Expiration`, `NoncurrentVersionExpiration` and `AbortIncompleteMultipartUpload` supported.
Get Bucket	Supported
Get Bucket Lifecycle	Partially Supported	`Expiration`, `NoncurrentVersionExpiration` and `AbortIncompleteMultipartUpload` supported.
Get Bucket Location	Supported
Get Bucket Versioning	Supported
Delete Bucket	Supported
Delete Bucket Lifecycle	Supported
Bucket ACLs (Get, Put)	Supported	Different set of canned ACLs
Bucket cors (Get, Put, Delete)	Supported
Bucket Object Versions	Supported
Head Bucket	Supported
List Bucket Multipart Uploads	Supported
Bucket Lifecycle	Partially Supported	`Expiration`, `NoncurrentVersionExpiration` and `AbortIncompleteMultipartUpload` supported.
Policy (Buckets)	Partially Supported
Bucket Website	Supported
Bucket Request Payment (Get, Put)	Supported
Put Object	Supported
Delete Object	Supported
Get Object	Supported
Object ACLs (Get, Put)	Supported
Get Object Info (HEAD)	Supported
Copy Object	Supported
Post Object	Supported
Options Object	Supported
Delete Multiple Objects	Supported
Initiate Multipart Upload	Supported
Initiate Multipart Upload Part	Supported
List Multipart Upload Parts	Supported
Complete Multipart Upload	Supported
Abort Multipart Upload	Supported
Copy Multipart Upload	Supported
Multi Tenancy	Supported

The following table lists the common request header fields that are not supported.

Table 2.2. Unsupported Header Fields
Name	Type
x-amz-security-token	Request
Server	Response
x-amz-delete-marker	Response
x-amz-id-2	Response
x-amz-request-id	Response
x-amz-version-id	Response

2.1. S3 API Server-side Encryption

The Ceph Object Gateway supports server-side encryption of uploaded objects for the S3 API. Server-side encryption means that the S3 client sends data over HTTP in its unencrypted form, and the Ceph Object Gateway stores that data in the Ceph Storage Cluster in encrypted form.

Note

Red Hat does NOT support S3 object encryption of SLO(Static Large Object) and DLO(Dynamic Large Object).

Important

To use encryption, client requests MUST send requests over an SSL connection. Red Hat does not support S3 encryption from a client unless the Ceph Object Gateway uses SSL. However, for testing purposes, administrators may disable SSL during testing by setting the rgw_crypt_require_ssl configuration setting to false at runtime, setting it to false in the Ceph configuration file and restarting the gateway instance, or setting it to false in the Ansible configuration files and replaying the Ansible playbooks for the Ceph Object Gateway.

There are two options for the management of encryption keys:

Customer-Provided Keys

When using customer-provided keys, the S3 client passes an encryption key along with each request to read or write encrypted data. It is the customer’s responsibility to manage those keys. Customers must remember which key the Ceph Object Gateway used to encrypt each object.

Ceph Object Gateway implements the customer-provided key behavior in the S3 API according to the Amazon SSE-C specification.

Since the customer handles the key management and the S3 client passes keys to the Ceph Object Gateway, the Ceph Object Gateway requires no special configuration to support this encryption mode.

Key Management Service

When using a key management service, the secure key management service stores the keys and the Ceph Object Gateway retrieves them on demand to serve requests to encrypt or decrypt data.

Ceph Object Gateway implements the key management service behavior in the S3 API according to the Amazon SSE-KMS specification.

Important

Currently, the only tested key management implementation uses OpenStack Barbican. However, OpenStack Barbican is a Technology Preview and is not supported for use in production systems.

2.2. Bucket Policies

The Ceph Object Gateway supports a subset of the Amazon S3 policy language applied to buckets.

Creation and Removal

Ceph Object Gateway manages S3 Bucket policies through standard S3 operations rather than using the radosgw-admin CLI tool.

Administrators may use the s3cmd command to set or delete a policy. For example:

$ cat > examplepol
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": ["arn:aws:iam::usfolks:user/fred"]},
    "Action": "s3:PutObjectAcl",
    "Resource": [
      "arn:aws:s3:::happybucket/*"
    ]
  }]
}

$ s3cmd setpolicy examplepol s3://happybucket
$ s3cmd delpolicy s3://happybucket

Limitations

Ceph Object Gateway only supports the following S3 actions:

s3:AbortMultipartUpload
s3:CreateBucket
s3:DeleteBucketPolicy
s3:DeleteBucket
s3:DeleteBucketWebsite
s3:DeleteObject
s3:DeleteObjectVersion
s3:GetBucketAcl
s3:GetBucketCORS
s3:GetBucketLocation
s3:GetBucketPolicy
s3:GetBucketRequestPayment
s3:GetBucketVersioning
s3:GetBucketWebsite
s3:GetLifecycleConfiguration
s3:GetObjectAcl
s3:GetObject
s3:GetObjectTorrent
s3:GetObjectVersionAcl
s3:GetObjectVersion
s3:GetObjectVersionTorrent
s3:ListAllMyBuckets
s3:ListBucketMultiPartUploads
s3:ListBucket
s3:ListBucketVersions
s3:ListMultipartUploadParts
s3:PutBucketAcl
s3:PutBucketCORS
s3:PutBucketPolicy
s3:PutBucketRequestPayment
s3:PutBucketVersioning
s3:PutBucketWebsite
s3:PutLifecycleConfiguration
s3:PutObjectAcl
s3:PutObject
s3:PutObjectVersionAcl

Note

Ceph Object Gateway does not support setting policies on users, groups, or roles.

The Ceph Object Gateway uses the RGW ‘tenant’ identifier in place of the Amazon twelve-digit account ID. Ceph Object Gateway administrators who want to use policies between Amazon Web Service (AWS) S3 and Ceph Object Gateway S3 will have to use the Amazon account ID as the tenant ID when creating users.

With AWS S3, all tenants share a single namespace. By contrast, Ceph Object Gateway gives every tenant its own namespace of buckets. At present, Ceph Object Gateway clients trying to access a bucket belonging to another tenant MUST address it as tenant:bucket in the S3 request.

In the AWS, a bucket policy can grant access to another account, and that account owner can then grant access to individual users with user permissions. Since Ceph Object Gateway does not yet support user, role, and group permissions, account owners will need to grant access directly to individual users.

Important

Granting an entire account access to a bucket grants access to ALL users in that account.

Bucket policies do NOT support string interpolation.

Ceph Object Gateway supports the following condition keys:

aws:CurrentTime
aws:EpochTime
aws:PrincipalType
aws:Referer
aws:SecureTransport
aws:SourceIp
aws:UserAgent
aws:username

Ceph Object Gateway ONLY supports the following condition keys for the ListBucket action:

s3:prefix
s3:delimiter
s3:max-keys

Impact on Swift

Ceph Object Gateway provides no functionality to set bucket policies under the Swift API. However, bucket policies that have been set with the S3 API govern Swift as well as S3 operations.

Ceph Object Gateway matches Swift credentials against Principals specified in a policy.

2.3. Authentication and Access Control Lists

Requests to the Ceph Object Gateway can be either authenticated or unauthenticated. Ceph Object Gateway assumes unauthenticated requests are sent by an anonymous user. Ceph Object Gateway supports canned ACLs.

2.3.1. Authentication

For most use cases, clients use existing open source libraries like the Amazon SDK’s AmazonS3Client for Java, and Python Boto, where you simply pass in the access key and secret key, and the library builds the request header and authentication signature for you. However, you can create requests and sign them too.

Authenticating a request requires including an access key and a base 64-encoded Hash-based Message Authentication Code (HMAC) in the request before it is sent to the Ceph Object Gateway server. Ceph Object Gateway uses an S3-compatible authentication approach.

Example

HTTP/1.1
PUT /buckets/bucket/object.mpeg
Host: cname.domain.com
Date: Mon, 2 Jan 2012 00:01:01 +0000
Content-Encoding: mpeg
Content-Length: 9999999

Authorization: AWS <access_key>:<hash_of_header_and_secret>

In the foregoing example, replace <access_key> with the value for the access key ID followed by a colon (:). Replace <hash_of_header_and_secret> with a hash of a canonicalized header string and the secret corresponding to the access key ID.

To generate the hash of the header string and secret, you must:

Get the value of the header string.
Normalize the request header string into canonical form.
Generate an HMAC using a SHA-1 hashing algorithm.
Encode the hmac result as base-64.

To normalize the header into canonical form:

Get all content- headers.
Remove all content- headers except for content-type and content-md5.
Ensure the content- header names are lowercase.
Sort the content- headers lexicographically.
Ensure you have a Date header AND ensure the specified date uses GMT and not an offset.
Get all headers beginning with x-amz-.
Ensure that the x-amz- headers are all lowercase.
Sort the x-amz- headers lexicographically.
Combine multiple instances of the same field name into a single field and separate the field values with a comma.
Replace white space and line breaks in header values with a single space.
Remove white space before and after colons.
Append a new line after each header.
Merge the headers back into the request header.

Replace the <hash_of_header_and_secret> with the base-64 encoded HMAC string.

For additional details, consult the Signing and Authenticating REST Requests section of Amazon Simple Storage Service documentation.

2.3.2. Access Control Lists (ACLs)

Ceph Object Gateway supports S3-compatible ACL functionality. An ACL is a list of access grants that specify which operations a user can perform on a bucket or on an object. Each grant has a different meaning when applied to a bucket versus applied to an object:

Table 2.3. User Operations
Permission	Bucket	Object
`READ`	Grantee can list the objects in the bucket.	Grantee can read the object.
`WRITE`	Grantee can write or delete objects in the bucket.	N/A
`READ_ACP`	Grantee can read bucket ACL.	Grantee can read the object ACL.
`WRITE_ACP`	Grantee can write bucket ACL.	Grantee can write to the object ACL.
`FULL_CONTROL`	Grantee has full permissions for object in the bucket.	Grantee can read or write to the object ACL.

2.3.3. Authentication using the STS Lite API (Technology Preview)

The Ceph Object Gateway provides support for a subset of the Amazon Secure Token Service (STS) REST APIs. STS Lite provides access to a set of temporary credentials for identity and access management.

The STS Lite authentication mechanism is integrated with Keystone in the Ceph Object Gateway. A set of temporary security credentials are returned after authenticating a set of Amazon Web Services (AWS) credentials with Keystone. The STS engine authenticates these temporary security credentials made by subsequent S3 calls, resulting in less load on the Keystone server.

The Ceph Object Gateway implements the following STS Lite REST APIs:

GetSessionToken

Returns a set of temporary security credentials for a set of AWS credentials. Use this API for initial authentication with Keystone and the temporary credentials returned can be used to make subsequent S3 calls. The temporary credentials will have the same permission as that of the AWS credentials.

Parameters:

DurationSeconds (Integer/ Optional): The duration in seconds for which the credentials should remain valid. The default value is 3600 seconds. The max value is 43200 seconds. You can set this value using the rgw_sts_max_session option in the Ceph configuration file, by default the /etc/ceph/ceph.conf file.
SerialNumber (String/ Optional): The identifier number of the Multi-Factor Authentication (MFA) device associated with the user making the GetSessionToken call.
TokenCode (String/ Optional): The value provided by the MFA device, if MFA is required.

AssumeRole

Returns a set of temporary credentials that can be used for cross-account access. The temporary credentials will have permissions that are allowed by both - permission policies attached with the Role and policy attached with the AssumeRole API.

Parameters:

RoleArn (String/ Required)

Amazon Resource Name (ARN) of the Role to Assume.

RoleSessionName (String/ Required)

An Identifier for the assumed role session.

Policy (String/ Optional):: An IAM Policy in JSON format.

DurationSeconds (Integer/ Optional)

The duration in seconds of the session. The default value is 3600.

ExternalId (String/ Optional)

A unique Id that might be used when a role is assumed in another account.

SerialNumber (String/ Optional)

The identifier number of the MFA device associated with the user making the AssumeRole call.

TokenCode (String/ Optional)

The value provided by the MFA device, if the trust policy of the role being assumed requires MFA.

Additional Resources

See the AWS Security Token Service API Reference documentation for more information.
See the AWS Identity and Access Management User Guide for more information.

2.4. Accessing the Gateway

You can use various programming languages to create a connection with the gateway server and do the bucket management tasks. There are different open source libraries available for these programming languages that are used for authentication with the gateway.

The sections mentioned below will describe the procedure for some of the popular programming languages.

2.4.1. Prerequisites

You must follow some prerequisites on the Ceph Object Gateway node before attempting to access the gateway server. The prerequisites are as follows:

Set up the gateway server properly by following the instructions based on the operating system:
1. For Red Hat Enterprise Linux, see the Ceph Object Gateway Installation chapter in the Installation Guide for Red hat Enterprise Linux.
2. For Ubuntu, see the Ceph Object Gateway Installation chapter in the Installation Guide for Ubuntu.
DO NOT modify the Ceph configuration file to use port 80 and let Civetweb use the default Ansible configured port of 8080.

As root, open port 8080 on firewall:

# firewall-cmd --zone=public --add-port=8080/tcp --permanent
# firewall-cmd --reload

Add a wildcard to the DNS server that you are using for the gateway as mentioned in the Object Gateway Guide.
You can also set up the gateway node for local DNS caching. To do so, execute the following steps:
1. As root, install and setup dnsmasq:
```
# yum install dnsmasq
# echo "address=/.<FQDN_of_gateway_node>/<IP_of_gateway_node>" | tee --append /etc/dnsmasq.conf
# systemctl start dnsmasq
# systemctl enable dnsmasq
```
  Replace <IP_of_gateway_node> and <FQDN_of_gateway_node> with the IP address and FQDN of the gateway node.
2. As root, stop NetworkManager:
```
# systemctl stop NetworkManager
# systemctl disable NetworkManager
```
3. As root, set the gateway server’s IP as the nameserver:
```
# echo "DNS1=<IP_of_gateway_node>" | tee --append /etc/sysconfig/network-scripts/ifcfg-eth0
# echo "<IP_of_gateway_node> <FQDN_of_gateway_node>" | tee --append /etc/hosts
# systemctl restart network
# systemctl enable network
# systemctl restart dnsmasq
```
  Replace <IP_of_gateway_node> and <FQDN_of_gateway_node> with the IP address and FQDN of the gateway node.
4. Verify subdomain requests:
```
$ ping mybucket.<FQDN_of_gateway_node>
```
  Replace <FQDN_of_gateway_node> with the FQDN of the gateway node.
  Warning
  Setting up the gateway server for local DNS caching is for testing purposes only. You won’t be able to access outside network after doing this. It is strongly recommended to use a proper DNS server for the Ceph cluster and gateway node.
Create the radosgw user for S3 access carefully as mentioned in the Object Gateway Guide for Red Hat Enterprise Linux or Object Gateway Guide for Ubuntu and copy the generated access_key and secret_key. You will need these keys for S3 access and subsequent bucket management tasks.

2.4.2. Ruby AWS::S3 Examples (aws-s3 gem)

You can use Ruby programming language along with aws-s3 gem for S3 access. Execute the steps mentioned below on the node used for accessing the Ceph Object Gateway server with Ruby AWS::S3.

Setup Ruby

Execute the following steps to setup Ruby:

As root, install ruby:
```
# yum install ruby
```
Note
The above command will install ruby and it’s essential dependencies like rubygems and ruby-libs too. If somehow the command doesn’t install all the dependencies, install them separately.
As root, install aws-s3:
```
# gem install aws-s3
```

Creating a connection

Create a project directory:
```
$ mkdir ruby_aws_s3
$ cd ruby_aws_s3
```
Create the connection file:
```
$ vim conn.rb
```

Paste the following contents into the conn.rb file:

#!/usr/bin/env ruby

require 'aws/s3'
require 'resolv-replace'

AWS::S3::Base.establish_connection!(
        :server            => '<FQDN_of_gateway_node>',
        :port           => '8080',
        :access_key_id     => 'my-access-key',
        :secret_access_key => 'my-secret-key'
)

Replace <FQDN_of_gateway_node> with the FQDN of your gateway node. Replace my-access-key and my-secret-key with the access_key and secret_key that were generated when you created the radosgw user for S3 access as mentioned in the Object Gateway Guide for Red Hat Enterprise Linux or the Object Gateway Guide for Ubuntu.

An example connection file looks like the following:

#!/usr/bin/env ruby

require 'aws/s3'

require 'resolv-replace'

AWS::S3::Base.establish_connection!(
        :server            => 'testclient.englab.pnq.redhat.com',
        :port           => '8080',
        :access_key_id     => '98J4R9P22P5CDL65HKP8',
        :secret_access_key => '6C+jcaP0dp0+FZfrRNgyGA9EzRy25pURldwje049'
)

Save the file and exit the editor.

Make the file executable:
```
$ chmod +x conn.rb
```
Run the file:
```
$ ./conn.rb | echo $?
```
If you have provided the values correctly in the file, the output of the command will be 0.

Creating a bucket

Create a new file:

$ vim create_bucket.rb

Paste the following contents into the file:

#!/usr/bin/env ruby

load 'conn.rb'

AWS::S3::Bucket.create('my-new-bucket1')

Save the file and exit the editor.

Make the file executable:
```
$ chmod +x create_bucket.rb
```
Run the file:
```
$ ./create_bucket.rb
```
If the output of the command is true it would mean that bucket my-new-bucket1 was created successfully.

Listing owned buckets

Create a new file:

$ vim list_owned_buckets.rb

Paste the following content into the file:

#!/usr/bin/env ruby

load 'conn.rb'

AWS::S3::Service.buckets.each do |bucket|
        puts "#{bucket.name}\t#{bucket.creation_date}"
end

Save the file and exit the editor.

Make the file executable:
```
$ chmod +x list_owned_buckets.rb
```

Run the file:

$ ./list_owned_buckets.rb

The output should look something like this:

my-new-bucket1 2016-01-21 10:33:19 UTC

Creating an object

Create a new file:

$ vim create_object.rb

Paste the following contents into the file:

#!/usr/bin/env ruby

load 'conn.rb'

AWS::S3::S3Object.store(
        'hello.txt',
        'Hello World!',
        'my-new-bucket1',
        :content_type => 'text/plain'
)

Save the file and exit the editor.

Make the file executable:
```
$ chmod +x create_object.rb
```
Run the file:
```
$ ./create_object.rb
```
This will create a file hello.txt with the string Hello World!.

Listing a Bucket’s Content

Create a new file:

$ vim list_bucket_content.rb

Paste the following content into the file:

#!/usr/bin/env ruby

load 'conn.rb'

new_bucket = AWS::S3::Bucket.find('my-new-bucket1')
new_bucket.each do |object|
        puts "#{object.key}\t#{object.about['content-length']}\t#{object.about['last-modified']}"
end

Save the file and exit the editor.

Make the file executable.
```
$ chmod +x list_bucket_content.rb
```

Run the file:

$ ./list_bucket_content.rb

The output will look something like this:

hello.txt    12    Fri, 22 Jan 2016 15:54:52 GMT

Deleting a empty bucket

Create a new file:

$ vim del_empty_bucket.rb

Paste the following contents into the file:

#!/usr/bin/env ruby

load 'conn.rb'

AWS::S3::Bucket.delete('my-new-bucket1')

Save the file and exit the editor.

Make the file executable:
```
$ chmod +x del_empty_bucket.rb
```
Run the file:
```
$ ./del_empty_bucket.rb | echo $?
```
If the bucket is successfully deleted, the command will return 0 as output.
Note
Please edit the create_bucket.rb file to create empty buckets like my-new-bucket9, my-new-bucket10 etc and edit the above mentioned del_empty_bucket.rb file accordingly before trying to delete empty buckets.

Deleting a non-empty bucket (forcefully)

Create a new file:

$ vim del_non_empty_bucket.rb

Paste the following contents into the file:

#!/usr/bin/env ruby

load 'conn.rb'

AWS::S3::Bucket.delete('my-new-bucket1', :force => true)

Save the file and exit the editor.

Make the file executable:
```
$ chmod +x del_non_empty_bucket.rb
```
Run the file:
```
$ ./del_non_empty_bucket.rb | echo $?
```
If the bucket is successfully deleted, the command will return 0 as output.

Deleting an object

Create a new file:

$ vim delete_object.rb

Paste the following contents into the file:

#!/usr/bin/env ruby

load 'conn.rb'

AWS::S3::S3Object.delete('hello.txt', 'my-new-bucket1')

Save the file and exit the editor.

Make the file executable:
```
$ chmod +x delete_object.rb
```
Run the file:
```
$ ./delete_object.rb
```
This will delete the object hello.txt.

2.4.3. Ruby AWS::SDK Examples (aws-sdk gem ~>2)

You can use the Ruby programming language along with aws-sdk gem for S3 access. Execute the steps mentioned below on the node used for accessing the Ceph Object Gateway server with Ruby AWS::SDK.

Setup Ruby

Execute the following steps to setup Ruby:

As root, install ruby:
```
# yum install ruby
```
Note
The above command will install ruby and its essential dependencies such as rubygems and ruby-libs. If somehow the command doesn’t install all the dependencies, install them separately.
As root, install aws-sdk:
```
# gem install aws-sdk
```

Creating a connection

Create a project directory:
```
$ mkdir ruby_aws_sdk
$ cd ruby_aws_sdk
```
Create the connection file:
```
$ vim conn.rb
```

Paste the following contents into the conn.rb file:

#!/usr/bin/env ruby

require 'aws-sdk'
require 'resolv-replace'

Aws.config.update(
        endpoint: 'http://<FQDN_of_gateway_node>:8080',
        access_key_id: 'my-access-key',
        secret_access_key: 'my-secret-key',
        force_path_style: true,
        region: 'us-east-1'
)

An example connection file looks like the following:

#!/usr/bin/env ruby

require 'aws-sdk'
require 'resolv-replace'

Aws.config.update(
        endpoint: 'http://testclient.englab.pnq.redhat.com:8080',
        access_key_id: '98J4R9P22P5CDL65HKP8',
        secret_access_key: '6C+jcaP0dp0+FZfrRNgyGA9EzRy25pURldwje049',
        force_path_style: true,
        region: 'us-east-1'
)

Save the file and exit the editor.

Make the file executable:
```
chmod +x conn.rb
```
Run the file:
```
./conn.rb | echo $?
```
If you have provided the values correctly in the file, the output of the command will be 0.

Creating a bucket

Create a new file:

vim create_bucket.rb

Paste the following contents into the file:

#!/usr/bin/env ruby

load 'conn.rb'

s3_client = Aws::S3::Client.new
s3_client.create_bucket(bucket: 'my-new-bucket2')

Save the file and exit the editor.

Make the file executable:
```
chmod +x create_bucket.rb
```
Run the file:
```
./create_bucket.rb
```
If the output of the command is true it would mean that bucket my-new-bucket2 was created successfully.

Listing owned buckets

Create a new file:

vim list_owned_buckets.rb

Paste the following content into the file:

#!/usr/bin/env ruby

load 'conn.rb'

s3_client = Aws::S3::Client.new
s3_client.list_buckets.buckets.each do |bucket|
        puts "#{bucket.name}\t#{bucket.creation_date}"
end

Save the file and exit the editor.

Make the file executable:
```
chmod +x list_owned_buckets.rb
```

Run the file:

./list_owned_buckets.rb

The output should look something like this:

my-new-bucket2 2016-01-21 10:33:19 UTC

Creating an object

Create a new file:

vim create_object.rb

Paste the following contents into the file:

#!/usr/bin/env ruby

load 'conn.rb'

s3_client = Aws::S3::Client.new
s3_client.put_object(
        key: 'hello.txt',
        body: 'Hello World!',
        bucket: 'my-new-bucket2',
        content_type: 'text/plain'
)

Save the file and exit the editor.

Make the file executable:
```
chmod +x create_object.rb
```
Run the file:
```
./create_object.rb
```
This will create a file hello.txt with the string Hello World!.

Listing a Bucket’s Content

Create a new file:

vim list_bucket_content.rb

Paste the following content into the file:

#!/usr/bin/env ruby

load 'conn.rb'

s3_client = Aws::S3::Client.new
s3_client.list_objects(bucket: 'my-new-bucket2').contents.each do |object|
        puts "#{object.key}\t#{object.size}"
end

Save the file and exit the editor.

Make the file executable.
```
chmod +x list_bucket_content.rb
```

Run the file:

./list_bucket_content.rb

The output will look something like this:

hello.txt    12    Fri, 22 Jan 2016 15:54:52 GMT

Deleting a empty bucket

Create a new file:

vim del_empty_bucket.rb

Paste the following contents into the file:

#!/usr/bin/env ruby

load 'conn.rb'

s3_client = Aws::S3::Client.new
s3_client.delete_bucket(bucket: 'my-new-bucket2')

Save the file and exit the editor.

Make the file executable:
```
chmod +x del_empty_bucket.rb
```
Run the file:
```
./del_empty_bucket.rb | echo $?
```
If the bucket is successfully deleted, the command will return 0 as output.
Note
Please edit the create_bucket.rb file to create empty buckets like my-new-bucket6, my-new-bucket7 etc and edit the above mentioned del_empty_bucket.rb file accordingly before trying to delete empty buckets.

Deleting a non-empty bucket (forcefully)

Create a new file:

vim del_non_empty_bucket.rb

Paste the following contents into the file:

#!/usr/bin/env ruby

load 'conn.rb'

s3_client = Aws::S3::Client.new
Aws::S3::Bucket.new('my-new-bucket2', client: s3_client).clear!
s3_client.delete_bucket(bucket: 'my-new-bucket2')

Save the file and exit the editor.

Make the file executable:
```
chmod +x del_non_empty_bucket.rb
```
Run the file:
```
./del_non_empty_bucket.rb | echo $?
```
If the bucket is successfully deleted, the command will return 0 as output.

Deleting an object

Create a new file:

vim delete_object.rb

Paste the following contents into the file:

#!/usr/bin/env ruby

load 'conn.rb'

s3_client = Aws::S3::Client.new
s3_client.delete_object(key: 'hello.txt', bucket: 'my-new-bucket2')

Save the file and exit the editor.

Make the file executable:
```
chmod +x delete_object.rb
```
Run the file:
```
./delete_object.rb
```
This will delete the object hello.txt.

2.4.4. PHP S3 Examples

You can use PHP scripts too for S3 access. Execute the steps mentioned below on the node used for accessing the Ceph Object Gateway server with PHP.

Important

The examples given below are tested against php v5.4.16 and aws-sdk v2.8.24. DO NOT use the latest version of aws-sdk for php as it requires php >= 5.5+. php 5.5 is not available in the default repos of RHEL 7. If you want to use php 5.5, you will have to enable epel and other third party repos. Also, the configuration options for php 5.5 and latest version of aws-sdk are different.

Setup PHP/AWS SDK

Execute the following steps to set up PHP:

As root, install php:
```
# yum install php
```
Install aws-sdk for php:
Download the zip archive of aws-sdk for php and extract it.

Creating a connection

Create a project directory:
```
$ mkdir php_s3
$ cd php_s3
```
Copy the extracted aws directory to the project directory. For example:
```
$ cp -r ~/Downloads/aws/ ~/php_s3/
```
Create the connection file:
```
$ vim conn.php
```

Paste the following contents in the conn.php file:

<?php
define('AWS_KEY', 'my_access_key');
define('AWS_SECRET_KEY', 'my_secret_key');
define('HOST', '<FQDN_of_gateway_node>');
define('PORT', '8080');

// require the AWS SDK for php library
require '/path_to_aws/aws-autoloader.php';

use Aws\S3\S3Client;

// Establish connection with host using S3 Client
$client = S3Client::factory(array(
    'base_url' => HOST,
    'port' => PORT,
    'key'      => AWS_KEY,
    'secret'   => AWS_SECRET_KEY
));
?>

Replace <FQDN_of_gateway_node> with the FQDN of the gateway node. Replace my-access-key and my-secret-key with the access_key and secret_key that were generated when you created the radosgw user for S3 access as mentioned in the Red Hat Ceph Storage Object Gateway Guide. Also, replace path_to_aws with absolute path to the extracted aws directory that you copied to the php project directory.

An example connection file will look like the following:

<?php
define('AWS_KEY', '{key}');
define('AWS_SECRET_KEY', '{secret}');
define('HOST', 'http://{hostname}');

// require the AWS SDK for php library
require '/home/ceph/php_s3/aws/aws-autoloader.php';

use Aws\S3\S3Client;

// Establish connection with host using S3 Client
$client = S3Client::factory(array(
    'base_url' => HOST,
    'port' => PORT,
    'key'      => AWS_KEY,
    'secret'   => AWS_SECRET_KEY
));
?>

Save the file and exit the editor.

Run the file:
```
$ php -f conn.php | echo $?
```
If you have provided the values correctly in the file, the output of the command will be 0.

Creating a bucket

Create a new file:

vim create_bucket.php

Paste the following contents into the file:

<?php

include 'conn.php';

$client->createBucket(array('Bucket' => 'my-new-bucket3'));

?>

Save the file and exit the editor.

Run the file:
```
php -f create_bucket.php
```

Listing owned buckets

Create a new file:

vim list_owned_buckets.php

Paste the following content into the file:

<?php

include 'conn.php';

$blist = $client->listBuckets();
echo "   Buckets belonging to " . $blist['Owner']['ID'] . ":\n";
foreach ($blist['Buckets'] as $b) {
    echo "{$b['Name']}\t{$b['CreationDate']}\n";
}

?>

Save the file and exit the editor.

Run the file:

php -f list_owned_buckets.php

The output should look something like this:

my-new-bucket3 2016-01-21 10:33:19 UTC

Creating an object

Create a source file hello.txt:
```
echo "Hello World!" > hello.txt
```

Create a new php file:

vim create_object.php

Paste the following contents into the file:

<?php

include 'conn.php';

$key         = 'hello.txt';
$source_file = './hello.txt';
$acl         = 'private';
$bucket      = 'my-new-bucket3';
$client->upload($bucket, $key, fopen($source_file, 'r'), $acl);

?>

Save the file and exit the editor.

Run the file:
```
php -f create_object.php
```
This will create the object hello.txt in bucket my-new-bucket3.

Listing a Bucket’s Content

Create a new file:

vim list_bucket_content.php

Paste the following content into the file:

<?php

include 'conn.php';

$o_iter = $client->getIterator('ListObjects', array(
    'Bucket' => 'my-new-bucket3'
));
foreach ($o_iter as $o) {
    echo "{$o['Key']}\t{$o['Size']}\t{$o['LastModified']}\n";
}
?>

Save the file and exit the editor.

Run the file:

php -f list_bucket_content.php

The output will look something like this:

hello.txt    12    Fri, 22 Jan 2016 15:54:52 GMT

Deleting an empty bucket

Create a new file:

vim del_empty_bucket.php

Paste the following contents into the file:

<?php

include 'conn.php';

$client->deleteBucket(array('Bucket' => 'my-new-bucket3'));
?>

Save the file and exit the editor.

Run the file:
```
php -f del_empty_bucket.php | echo $?
```
If the bucket is successfully deleted, the command will return 0 as output.
Note
Edit the create_bucket.php file to create empty buckets like my-new-bucket4, my-new-bucket5, and so on, and then edit the del_empty_bucket.php file accordingly before trying to delete empty buckets.

Deleting a non-empty bucket (forcefully)

Deleting a non-empty bucket is not currently supported in php 2 and newer versions of aws-sdk.

Deleting an object

Create a new file:

vim delete_object.php

Paste the following contents into the file:

<?php

include 'conn.php';

$client->deleteObject(array(
    'Bucket' => 'my-new-bucket3',
    'Key'    => 'hello.txt',
));
?>

Save the file and exit the editor.

Run the file:
```
php -f delete_object.php
```
This will delete the object hello.txt.

2.4.5. Configuring and using STS Lite with Keystone (Technology Preview)

The Amazon Secure Token Service (STS) and S3 APIs co-exist in the same namespace. The STS options can be configured in conjunction with the Keystone options.

Note

Both S3 and STS APIs can be accessed using the same endpoint in Ceph Object Gateway.

Prerequisites

Red Hat Ceph Storage 3.2 or higher.
A running Ceph Object Gateway.
Installation of the Boto Python module, version 3 or higher.

Procedure

Open and edit the group_vars/rgws.yml file with the following options:

rgw_sts_key = $STS_KEY_FOR_ENCRYPTING_SESSION_TOKEN
rgw_s3_auth_use_sts = true

Rerun the Ansible playbook:

[user@admin ceph-ansible]$ ansible-playbook site.yml --limit rgws

Generate the EC2 credentials:

Example

$ openstack ec2 credentials create
+------------+--------------------------------------------------------+
| Field      | Value                                                  |
+------------+--------------------------------------------------------+
| access     | b924dfc87d454d15896691182fdeb0ef                       |
| links      | {u'self': u'http://192.168.0.15/identity/v3/users/     |
|            | 40a7140e424f493d8165abc652dc731c/credentials/          |
|            | OS-EC2/b924dfc87d454d15896691182fdeb0ef'}              |
| project_id | c703801dccaf4a0aaa39bec8c481e25a                       |
| secret     | 6a2142613c504c42a94ba2b82147dc28                       |
| trust_id   | None                                                   |
| user_id    | 40a7140e424f493d8165abc652dc731c                       |
+------------+--------------------------------------------------------+

Use the generated credentials to get back a set of temporary security credentials using GetSessionToken API.

Example

import boto3

access_key = b924dfc87d454d15896691182fdeb0ef
secret_key = 6a2142613c504c42a94ba2b82147dc28

client = boto3.client('sts',
aws_access_key_id=access_key,
aws_secret_access_key=secret_key,
endpoint_url=https://www.example.com/rgw,
region_name='',
)

response = client.get_session_token(
    DurationSeconds=43200
)

Obtaining the temporary credentials can be used for making S3 calls:

Example

    s3client = boto3.client('s3',
      aws_access_key_id = response['Credentials']['AccessKeyId'],
      aws_secret_access_key = response['Credentials']['SecretAccessKey'],
      aws_session_token = response['Credentials']['SessionToken'],
      endpoint_url=https://www.example.com/s3,
      region_name='')

    bucket = s3client.create_bucket(Bucket='my-new-shiny-bucket')
    response = s3client.list_buckets()
    for bucket in response["Buckets"]:
        print "{name}\t{created}".format(
                    name = bucket['Name'],
                    created = bucket['CreationDate'],
    )

Create a new S3Access role and configure a policy.

Assign a user with administrative CAPS:

radosgw-admin caps add --uid="$USER" --caps="roles=*"

Example

[user@client]$ radosgw-admin caps add --uid="gwadmin" --caps="roles=*"

Create the S3Access role:

radosgw-admin role create --role-name=$ROLE_NAME --path=$PATH --assume-role-policy-doc=$TRUST_POLICY_DOC

Example

[user@client]$ radosgw-admin role create --role-name=S3Access --path=/application_abc/component_xyz/ --assume-role-policy-doc=\{\"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Allow\",\"Principal\":\{\"AWS\":\[\"arn:aws:iam:::user/TESTER\"\]\},\"Action\":\[\"sts:AssumeRole\"\]\}\]\}

Attach a permission policy to the S3Access role:

radosgw-admin role-policy put --role-name=$ROLE_NAME --policy-name=$POLICY_NAME --policy-doc=$PERMISSION_POLICY_DOC

Example

[user@client]$ radosgw-admin role-policy put --role-name=S3Access --policy-name=Policy --policy-doc=\{\"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Allow\",\"Action\":\[\"s3:*\"\],\"Resource\":\"arn:aws:s3:::example_bucket\"\}\]\}

Now another user can assume the role of the gwadmin user. For example, the gwuser user can assume the permissions of the gwadmin user.

Make a note of the assuming user’s access_key and secret_key values.

Example

[user@client]$ radosgw-admin user info --uid=gwuser | grep -A1 access_key

Use the AssumeRole API call, providing the access_key and secret_key values from the assuming user:

Example

import boto3

access_key = 11BS02LGFB6AL6H1ADMW
secret_key = vzCEkuryfn060dfee4fgQPqFrncKEIkh3ZcdOANY

client = boto3.client('sts',
aws_access_key_id=access_key,
aws_secret_access_key=secret_key,
endpoint_url=https://www.example.com/rgw,
region_name='',
)

response = client.assume_role(
RoleArn='arn:aws:iam:::role/application_abc/component_xyz/S3Access',
RoleSessionName='Bob',
DurationSeconds=3600
)

Important

The AssumeRole API requires the S3Access role.

Additional Resources

See the Test S3 Access section in the Red Hat Ceph Storage Object Gateway Guide for more information on installing the Boto Python module.
See the Create a User section in the Red Hat Ceph Storage Object Gateway Guide for more information.

2.4.6. Working around the limitations of using STS Lite with Keystone (Technology Preview)

A limitation with Keystone is that it does not supports STS requests. Another limitation is the payload hash is not included with the request. To work around these two limitations the Boto authentication code must be modified.

Prerequisites

Red Hat Ceph Storage 3.2 or higher.
A running Ceph Object Gateway.
Installation of Boto Python module, version 3 or higher.

Procedure

Open and edit Boto’s auth.py file.

Add the following four lines to the code block:

class SigV4Auth(BaseSigner):
  """
  Sign a request with Signature V4.
  """
  REQUIRES_REGION = True

  def __init__(self, credentials, service_name, region_name):
      self.credentials = credentials
      # We initialize these value here so the unit tests can have
      # valid values.  But these will get overriden in ``add_auth``
      # later for real requests.
      self._region_name = region_name
      if service_name == 'sts': 1
          self._service_name = 's3' 2
      else: 3
          self._service_name = service_name 4

Add the following two lines to the code block:

def _modify_request_before_signing(self, request):
        if 'Authorization' in request.headers:
            del request.headers['Authorization']
        self._set_necessary_date_headers(request)
        if self.credentials.token:
            if 'X-Amz-Security-Token' in request.headers:
                del request.headers['X-Amz-Security-Token']
            request.headers['X-Amz-Security-Token'] = self.credentials.token

        if not request.context.get('payload_signing_enabled', True):
            if 'X-Amz-Content-SHA256' in request.headers:
                del request.headers['X-Amz-Content-SHA256']
            request.headers['X-Amz-Content-SHA256'] = UNSIGNED_PAYLOAD 1
        else: 2
            request.headers['X-Amz-Content-SHA256'] = self.payload(request)

Additional Resources

See the Test S3 Access section in the Red Hat Ceph Storage Object Gateway Guide for more information on installing the Boto Python module.

2.5. Common Operations

2.5.1. Bucket and Host Name

There are two different modes of accessing the buckets. The first, and preferred method identifies the bucket as the top-level directory in the URI.

Example

GET /mybucket HTTP/1.1
Host: cname.domain.com

The second method identifies the bucket via a virtual bucket host name.

Example

GET / HTTP/1.1
Host: mybucket.cname.domain.com

Tip

Red Hat prefers the first method, because the second method requires expensive domain certification and DNS wild cards.

2.5.2. Common Request Headers

The following table lists the valid common request headers and their descriptions.

Table 2.4. Request Headers
Request Header	Description
`CONTENT_LENGTH`	Length of the request body.
`DATE`	Request time and date (in UTC).
`HOST`	The name of the host server.
`AUTHORIZATION`	Authorization token.

2.5.3. Common Response Status

The following table lists the valid common HTTP response status and its corresponding code.

Table 2.5. Response Status
HTTP Status	Response Code
`100`	Continue
`200`	Success
`201`	Created
`202`	Accepted
`204`	NoContent
`206`	Partial content
`304`	NotModified
`400`	InvalidArgument
`400`	InvalidDigest
`400`	BadDigest
`400`	InvalidBucketName
`400`	InvalidObjectName
`400`	UnresolvableGrantByEmailAddress
`400`	InvalidPart
`400`	InvalidPartOrder
`400`	RequestTimeout
`400`	EntityTooLarge
`403`	AccessDenied
`403`	UserSuspended
`403`	RequestTimeTooSkewed
`404`	NoSuchKey
`404`	NoSuchBucket
`404`	NoSuchUpload
`405`	MethodNotAllowed
`408`	RequestTimeout
`409`	BucketAlreadyExists
`409`	BucketNotEmpty
`411`	MissingContentLength
`412`	PreconditionFailed
`416`	InvalidRange
`422`	UnprocessableEntity
`500`	InternalError

2.6. Service Operations

2.6.1. List Buckets

GET / returns a list of buckets created by the user making the request. GET / only returns buckets created by an authenticated user. You cannot make an anonymous request.

Syntax

GET / HTTP/1.1
Host: cname.domain.com

Authorization: AWS <access_key>:<hash_of_header_and_secret>

Table 2.6. Response Entities
Name	Type	Description
`Buckets`	Container	Container for list of buckets.
`Bucket`	Container	Container for bucket information.
`Name`	String	Bucket name.
`CreationDate`	Date	UTC time when the bucket was created.
`ListAllMyBucketsResult`	Container	A container for the result.
`Owner`	Container	A container for the bucket owner’s `ID` and `DisplayName`.
`ID`	String	The bucket owner’s ID.
`DisplayName`	String	The bucket owner’s display name.

Name	Type	Description
`prefix`	String	Only returns objects that contain the specified prefix.
`delimiter`	String	The delimiter between the prefix and the rest of the object name.
`marker`	String	A beginning index for the list of objects returned.
`max-keys`	Integer	The maximum number of keys to return. Default is 1000.

Name	Type	Description
`ListBucketResult`	Entity	The container for the list of objects.
`Name`	String	The name of the bucket whose contents will be returned.
`Prefix`	String	A prefix for the object keys.
`Marker`	String	A beginning index for the list of objects returned.
`MaxKeys`	Integer	The maximum number of keys returned.
`Delimiter`	String	If set, objects with the same prefix will appear in the `CommonPrefixes` list.
`IsTruncated`	Boolean	If `true`, only a subset of the bucket’s contents were returned.
`CommonPrefixes`	Container	If multiple objects contain the same prefix, they will appear in this list.

Name	Type	Description
`Contents`	Object	A container for the object.
`Key`	String	The object’s key.
`LastModified`	Date	The object’s last-modified date/time.
`ETag`	String	An MD-5 hash of the object. (entity tag)
`Size`	Integer	The object’s size.
`StorageClass`	String	Should always return `STANDARD`.

Name	Type	Description
`VersioningConfiguration`	container	A container for the request.
`Status`	String	Sets the versioning state of the bucket. Valid Values: Suspended/Enabled

Name	Type	Description
`AccessControlPolicy`	Container	A container for the response.
`AccessControlList`	Container	A container for the ACL information.
`Owner`	Container	A container for the bucket owner’s `ID` and `DisplayName`.
`ID`	String	The bucket owner’s ID.
`DisplayName`	String	The bucket owner’s display name.
`Grant`	Container	A container for `Grantee` and `Permission`.
`Grantee`	Container	A container for the `DisplayName` and `ID` of the user receiving a grant of permission.
`Permission`	String	The permission given to the `Grantee` bucket.

Name	Type	Description
`prefix`	String	Returns in-progress uploads whose keys contains the specified prefix.
`delimiter`	String	The delimiter between the prefix and the rest of the object name.
`key-marker`	String	The beginning marker for the list of uploads.
`max-keys`	Integer	The maximum number of in-progress uploads. The default is 1000.
`version-id-marker`	String	Specifies the object version to begin the list.

Name	Type	Description
`KeyMarker`	String	The key marker specified by the `key-marker` request parameter (if any).
`NextKeyMarker`	String	The key marker to use in a subsequent request if `IsTruncated` is `true`.
`NextUploadIdMarker`	String	The upload ID marker to use in a subsequent request if `IsTruncated` is `true`.
`IsTruncated`	Boolean	If `true`, only a subset of the bucket’s upload contents were returned.
`Size`	Integer	The size of the uploaded part.
`DisplayName`	String	The owners’s display name.
`ID`	String	The owners’s ID.
`Owner`	Container	A container for the `ID` and `DisplayName` of the user who owns the object.
`StorageClass`	String	The method used to store the resulting object. `STANDARD` or `REDUCED_REDUNDANCY`
`Version`	Container	Container for the version information.
`versionId`	String	Version ID of an object.
`versionIdMarker`	String	The last version of the key in a truncated response.

Name	Type	Description
`ListMultipartUploadsResult`	Container	A container for the results.
`ListMultipartUploadsResult.Prefix`	String	The prefix specified by the `prefix` request parameter (if any).
`Bucket`	String	The bucket that will receive the bucket contents.
`KeyMarker`	String	The key marker specified by the `key-marker` request parameter (if any).
`UploadIdMarker`	String	The marker specified by the `upload-id-marker` request parameter (if any).
`NextKeyMarker`	String	The key marker to use in a subsequent request if `IsTruncated` is `true`.
`NextUploadIdMarker`	String	The upload ID marker to use in a subsequent request if `IsTruncated` is `true`.
`MaxUploads`	Integer	The max uploads specified by the `max-uploads` request parameter.
`Delimiter`	String	If set, objects with the same prefix will appear in the `CommonPrefixes` list.
`IsTruncated`	Boolean	If `true`, only a subset of the bucket’s upload contents were returned.
`Upload`	Container	A container for `Key`, `UploadId`, `InitiatorOwner`, `StorageClass`, and `Initiated` elements.
`Key`	String	The key of the object once the multipart upload is complete.
`UploadId`	String	The `ID` that identifies the multipart upload.
`Initiator`	Container	Contains the `ID` and `DisplayName` of the user who initiated the upload.
`DisplayName`	String	The initiator’s display name.
`ID`	String	The initiator’s ID.
`Owner`	Container	A container for the `ID` and `DisplayName` of the user who owns the uploaded object.
`StorageClass`	String	The method used to store the resulting object. `STANDARD` or `REDUCED_REDUNDANCY`
`Initiated`	Date	The date and time the user initiated the upload.
`CommonPrefixes`	Container	If multiple objects contain the same prefix, they will appear in this list.
`CommonPrefixes.Prefix`	String	The substring of the key after the prefix as defined by the `prefix` request parameter.

Name	Type	Description
`Payer`	Enum	Specifies who pays for the download and request fees.
`RequestPaymentConfiguration`	Container	A container for `Payer`.

Name	Description	Valid Values	Required
content-md5	A base64 encoded MD-5 hash of the message.	A string. No defaults or constraints.	No
content-type	A standard MIME type.	Any MIME type. Default: `binary/octet-stream`	No
x-amz-meta-<…>	User metadata. Stored with the object.	A string up to 8kb. No defaults.	No
x-amz-acl	A canned ACL.	`private`, `public-read`, `public-read-write`, `authenticated-read`	No

Table 2.27. Request Headers
Name	Description	Valid Values	Required
range	The range of the object to retrieve.	Range: bytes=beginbyte-endbyte	No
if-modified-since	Gets only if modified since the timestamp.	Timestamp	No
if-unmodified-since	Gets only if not modified since the timestamp.	Timestamp	No
if-match	Gets only if object ETag matches ETag.	Entity Tag	No
if-none-match	Gets only if object ETag matches ETag.	Entity Tag	No

Table 2.29. Request Headers
Name	Description	Valid Values	Required
range	The range of the object to retrieve.	Range: bytes=beginbyte-endbyte	No
if-modified-since	Gets only if modified since the timestamp.	Timestamp	No
if-unmodified-since	Gets only if not modified since the timestamp.	Timestamp	No
if-match	Gets only if object ETag matches ETag.	Entity Tag	No
if-none-match	Gets only if object ETag matches ETag.	Entity Tag	No

Name	Description	Valid Values	Required
x-amz-copy-source	The source bucket name + object name.	<bucket>/<object>	Yes
x-amz-acl	A canned ACL.	`private`, `public-read`, `public-read-write`, `authenticated-read`	No
x-amz-copy-if-modified-since	Copies only if modified since the timestamp.	Timestamp	No
x-amz-copy-if-unmodified-since	Copies only if unmodified since the timestamp.	Timestamp	No
x-amz-copy-if-match	Copies only if object ETag matches ETag.	Entity Tag	No
x-amz-copy-if-none-match	Copies only if object ETag doesn’t match.	Entity Tag	No

Name	Type	Description
CopyObjectResult	Container	A container for the response elements.
LastModified	Date	The last modified date of the source object.
Etag	String	The ETag of the new object.

Name	Description
Content-Range	Data range, will only be returned if the range header field was specified in the request
x-amz-version-id	Returns the version ID or null.

Name	Description	Valid Values	Required
`content-md5`	A base64 encoded MD-5 hash of the message.	A string. No defaults or constraints.	No
`content-type`	A standard MIME type.	Any MIME type. Default: `binary/octet-stream`	No
`x-amz-meta-<…>`	User metadata. Stored with the object.	A string up to 8kb. No defaults.	No
`x-amz-acl`	A canned ACL.	`private`, `public-read`, `public-read-write`, `authenticated-read`	No

Name	Type	Description
`InitiatedMultipartUploadsResult`	Container	A container for the results.
`Bucket`	String	The bucket that will receive the object contents.
`Key`	String	The key specified by the `key` request parameter (if any).
`UploadId`	String	The ID specified by the `upload-id` request parameter identifying the multipart upload (if any).

Name	Type	Description	Required
`CompleteMultipartUpload`	Container	A container consisting of one or more parts.	Yes
`Part`	Container	A container for the `PartNumber` and `ETag`.	Yes
`PartNumber`	Integer	The identifier of the part.	Yes
`ETag`	String	The part’s entity tag.	Yes

Name	Type	Description
`CompleteMultipartUploadResult`	Container	A container for the response.
`Location`	URI	The resource identifier (path) of the new object.
`Bucket`	String	The name of the bucket that contains the new object.
`Key`	String	The object’s key.
`ETag`	String	The entity tag of the new object.

Name	Description	Valid Values	Required
`x-amz-copy-source`	The source bucket name and object name.	<bucket>/<object>	Yes
`x-amz-copy-source-range`	The range of bytes to copy from the source object.	Range: `bytes=first-last`, where the first and last are the zero-based byte offsets to copy. For example, `bytes=0-9` indicates that you want to copy the first ten bytes of the source.	No

Name	Type	Description
`CopyPartResult`	Container	A container for all response elements.
`ETag`	String	Returns the ETag of the new part.
`LastModified`	String	Returns the date the part was last modified.

이 콘텐츠는 선택한 언어로 제공되지 않습니다.

Chapter 2. Object Gateway S3 Application Programming Interface (API)

2.1. S3 API Server-side Encryption

2.2. Bucket Policies

2.3. Authentication and Access Control Lists

2.3.1. Authentication

2.3.2. Access Control Lists (ACLs)

2.3.3. Authentication using the STS Lite API (Technology Preview)

2.4. Accessing the Gateway

2.4.1. Prerequisites

2.4.2. Ruby AWS::S3 Examples (aws-s3 gem)

2.4.3. Ruby AWS::SDK Examples (aws-sdk gem ~>2)

2.4.4. PHP S3 Examples

2.4.5. Configuring and using STS Lite with Keystone (Technology Preview)

2.4.6. Working around the limitations of using STS Lite with Keystone (Technology Preview)

2.5. Common Operations

2.5.1. Bucket and Host Name

2.5.2. Common Request Headers

2.5.3. Common Response Status

2.6. Service Operations

2.6.1. List Buckets

2.7. Bucket Operations

2.7.1. Bucket Operations with Multi Tenancy

2.7.2. Bucket Lifecycle

2.7.3. Head Bucket

2.7.4. PUT Bucket

2.7.5. Put Bucket Lifecycle

2.7.6. DELETE Bucket

2.7.7. Delete Bucket Lifecycle

2.7.8. GET Bucket

2.7.9. Get Bucket Lifecycle

2.7.10. Get Bucket Location

2.7.11. Get Bucket Versioning

2.7.12. PUT Bucket Versioning

2.7.13. Get Bucket ACLs

2.7.14. PUT Bucket ACLs

2.7.15. GET Bucket cors

2.7.16. PUT Bucket cors

2.7.17. DELETE Bucket cors

2.7.18. List Bucket Object Versions

2.7.19. List Bucket Multipart Uploads

2.7.20. PUT Bucket Request Payment

2.7.21. GET Bucket Request Payment

2.8. Object Operations

2.8.1. PUT Object

2.8.2. Copy Object

2.8.3. POST Object

2.8.4. OPTIONS Object

2.8.5. Delete Multiple Objects

2.8.6. Remove Object

2.8.7. Get Object

2.8.8. Get Object Information

2.8.9. Get Object ACL

2.8.10. Set Object ACL

2.8.11. Initiate Multipart Upload

2.8.12. Multipart Upload Part

2.8.13. List Multipart Upload Parts

2.8.14. Complete Multipart Upload

2.8.15. Abort Multipart Upload

2.8.16. Copy Multipart Upload

2.9. Hadoop S3A Interoperability

2.10. S3 Limitations

자세한 정보

평가판, 구매 및 판매

커뮤니티

Red Hat 문서 정보

보다 포괄적 수용을 위한 오픈 소스 용어 교체

Red Hat 소개

Red Hat legal and privacy links

Red Hat legal and privacy links