Chapter 11. Managing Ceph Object Gateway using the dashboard
As a storage administrator, the Ceph Object Gateway functions of the dashboard allow you to manage and monitor the Ceph Object Gateway.
You can also create the Ceph Object Gateway services with Secure Sockets Layer (SSL) using the dashboard.
For example, monitoring functions allow you to view details about a gateway daemon such as its zone name, or performance graphs of GET and PUT rates. Management functions allow you to view, create, and edit both users and buckets.
Ceph Object Gateway functions are divided between user functions and bucket functions.
11.1. Manually adding Ceph object gateway login credentials to the dashboard
The Red Hat Ceph Storage Dashboard can manage the Ceph Object Gateway, also known as the RADOS Gateway, or RGW. When Ceph Object Gateway is deployed with cephadm, the Ceph Object Gateway credentials used by the dashboard are automatically configured. You can also manually force the Ceph object gateway credentials to the Ceph dashboard using the command-line interface.
Prerequisites
- A running Red Hat Ceph Storage cluster.
- Dashboard is installed.
- Ceph Object Gateway is installed.
Procedure
- Log into the Cephadm shell:
Example
[root@host01 ~]# cephadm shell
- Set up the credentials manually:
Example
[ceph: root@host01 /]# ceph dashboard set-rgw-credentials
This creates a Ceph Object Gateway user with UID dashboard for each realm in the system.
- Optional: If you have configured a custom admin resource in your Ceph Object Gateway admin API, you also have to set the admin resource:
Syntax
ceph dashboard set-rgw-api-admin-resource RGW_API_ADMIN_RESOURCE
Example
[ceph: root@host01 /]# ceph dashboard set-rgw-api-admin-resource admin
Option RGW_API_ADMIN_RESOURCE updated
- Optional: If you are using HTTPS with a self-signed certificate, disable certificate verification in the dashboard to avoid refused connections.
Refused connections can happen when the certificate is signed by an unknown Certificate Authority, or if the host name used does not match the host name in the certificate.
Syntax
ceph dashboard set-rgw-api-ssl-verify false
Example
[ceph: root@host01 /]# ceph dashboard set-rgw-api-ssl-verify False
Option RGW_API_SSL_VERIFY updated
- Optional: If the Object Gateway takes too long to process requests and the dashboard runs into timeouts, you can set the timeout value:
Syntax
ceph dashboard set-rest-requests-timeout _TIME_IN_SECONDS_
The default value is 45 seconds.
Example
[ceph: root@host01 /]# ceph dashboard set-rest-requests-timeout 240
11.2. Creating the Ceph Object Gateway services with SSL using the dashboard
After installing a Red Hat Ceph Storage cluster, you can create the Ceph Object Gateway service with SSL using two methods:
- Using the command-line interface.
- Using the dashboard.
Prerequisites
- A running Red Hat Ceph Storage cluster.
- Dashboard is installed.
- SSL key from Certificate Authority (CA).
Obtain the SSL certificate from a CA that matches the hostname of the gateway host. Red Hat recommends obtaining a certificate from a CA that has subject alternate name fields and a wildcard for use with S3-style subdomains.
Procedure
- From the dashboard navigation, go to Administration→Services.
- Click Create.
- Fill in the Create Service form.
  - Select rgw from the Type service list.
  - Enter the ID that is used in service_id.
  - Select SSL.
  - Click Choose File and upload the SSL certificate in .pem format.
Figure 11.1. Creating Ceph Object Gateway service
- Click Create Service.
- Check the Ceph Object Gateway service is up and running.
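The refused connections described in 11.1 and the certificate recommendation in this section both come down to whether the certificate's subject alternative names cover every name that clients use. The following added example (not part of the Red Hat documentation) checks that coverage for the gateway host and for S3-style bucket subdomains; the host names, bucket names, and certificate contents are constructed placeholders, and the certificate is given in the dict layout that Python's ssl.SSLSocket.getpeercert() returns.

```python
"""Check which client-facing names a gateway certificate's SAN list covers."""


def dns_sans(peercert):
    """DNS names from a dict shaped like ssl.SSLSocket.getpeercert() output."""
    return [value.lower() for kind, value in peercert.get("subjectAltName", ())
            if kind == "DNS"]


def san_matches(pattern, hostname):
    """RFC 6125-style match.

    A wildcard is honoured only as the entire left-most label, covers exactly
    one non-empty label, and needs at least two fixed labels after it.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and h[0] != "" and p[1:] == h[1:]
    return p == h


def coverage(peercert, gateway_host, bucket_names):
    """Map each name a client may connect to onto True (covered) or False."""
    sans = dns_sans(peercert)
    names = [gateway_host] + [f"{b}.{gateway_host}" for b in bucket_names]
    return {name: any(san_matches(s, name) for s in sans) for name in names}


# Constructed sample data: host names and bucket names are placeholders.
GATEWAY = "rgw.example.com"
BUCKETS = ["logs", "my.bucket"]
CERT_WITH_WILDCARD = {"subjectAltName": (("DNS", "rgw.example.com"),
                                         ("DNS", "*.rgw.example.com"))}
CERT_HOST_ONLY = {"subjectAltName": (("DNS", "rgw.example.com"),)}

if __name__ == "__main__":
    for label, cert in (("host + wildcard", CERT_WITH_WILDCARD),
                        ("host only", CERT_HOST_ONLY)):
        print(label)
        for name, ok in coverage(cert, GATEWAY, BUCKETS).items():
            print(f"  {'covered    ' if ok else 'NOT covered'}  {name}")
```

A dotted bucket name such as my.bucket adds a label, so a single wildcard entry does not cover it, and a wildcard entry alone does not cover the bare gateway host name.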
11.3. Configuring high availability for the Ceph Object Gateway on the dashboard
The ingress service provides a highly available endpoint for the Ceph Object Gateway. You can create and configure the ingress service using the Ceph Dashboard.
Prerequisites
- A running Red Hat Ceph Storage cluster.
- A minimum of two Ceph Object Gateway daemons running on different hosts.
- Dashboard is installed.
- A running rgw service.
Procedure
- From the dashboard navigation, go to Administration→Services.
- Click Create.
- In the Create Service form, select ingress service. Select backend service and edit the required parameters.
Figure 11.2. Creating ingress service
- Click Create Service.
A notification displays that the ingress service was created successfully.
11.4. Managing Ceph Object Gateway users on the dashboard
As a storage administrator, the Red Hat Ceph Storage Dashboard allows you to view and manage Ceph Object Gateway users.
Prerequisites
- A running Red Hat Ceph Storage cluster.
- Dashboard is installed.
- The Ceph Object Gateway is installed.
- Object gateway login credentials are added to the dashboard.
11.4.1. Creating Ceph object gateway users on the dashboard
You can create Ceph object gateway users on the Red Hat Ceph Storage once the credentials are set up using the CLI.
Prerequisites
- A running Red Hat Ceph Storage cluster.
- Dashboard is installed.
- The Ceph Object Gateway is installed.
- Object gateway login credentials are added to the dashboard.
Procedure
- From the dashboard navigation, go to Object→Users.
- On the Users tab, click Create.
- In the Create User form, set the following parameters:
  - Enter the User ID and Full name.
  - If required, edit the maximum number of buckets.
  - Optional: Fill in an Email address.
  - Optional: Select if the user is Suspended or a System user.
  - Optional: In the S3 key section, set a custom access key and secret key by clearing the Auto-generate key selection.
  - Optional: In the User quota section, select if the user quota is Enabled, Unlimited size, or has Unlimited objects. If there is a limited size, enter the maximum size. If there are limited objects, enter the maximum objects.
  - Optional: In the Bucket quota section, select if the bucket quota is Enabled, Unlimited size, or has Unlimited objects. If there is a limited size, enter the maximum size. If there are limited objects, enter the maximum objects.
- Click Create User.
Figure 11.3. Create Ceph object gateway user
A notification displays that the user was created successfully.
11.4.2. Adding roles to the Ceph Object Gateway users on the dashboard
You can add a role to a specific Ceph object gateway user on the Red Hat Ceph Storage dashboard.
Prerequisites
- Ceph Object Gateway is installed.
- Ceph Object gateway login credentials are added to the dashboard.
- Ceph Object gateway user is created.
Procedure
- Log in to the Dashboard.
- On the navigation bar, click Object Gateway.
- Click Roles.
- Select the user by clicking the relevant row.
- From Edit drop-down menu, select Create Role.
In the Create Role window, configure Role name, Path, and Assume Role Policy Document.
Figure 11.4. Create Ceph object gateway subuser
- Click Create Role.
11.4.3. Creating Ceph object gateway subusers on the dashboard
A subuser is associated with a user of the S3 interface. You can create a subuser for a specific Ceph object gateway user on the Red Hat Ceph Storage dashboard.
Prerequisites
- A running Red Hat Ceph Storage cluster.
- Dashboard is installed.
- The Ceph Object Gateway is installed.
- Object gateway login credentials are added to the dashboard.
- Object gateway user is created.
Procedure
- From the dashboard navigation, go to Object→Users.
- On the Users tab, select a user and click Edit.
- In the Edit User form, click Create Subuser.
- In the Create Subuser dialog, enter the username and select the appropriate permissions.
- Select the Auto-generate secret box and then click Create Subuser.
Figure 11.5. Create Ceph object gateway subuser
Note: By selecting Auto-generate-secret, the secret key for Object Gateway is generated automatically.
- In the Edit User form, click Edit user.
A notification displays that the user was updated successfully.
11.4.4. Editing Ceph object gateway users on the dashboard
You can edit Ceph object gateway users on the Red Hat Ceph Storage once the credentials are set up using the CLI.
Prerequisites
- A running Red Hat Ceph Storage cluster.
- Dashboard is installed.
- The Ceph Object Gateway is installed.
- Object gateway login credentials are added to the dashboard.
- A Ceph object gateway user is created.
Procedure
- From the dashboard navigation, go to Object→Users.
- On the Users tab, select the user row and click Edit.
- In the Edit User form, edit the required parameters and click Edit User.
Figure 11.6. Edit Ceph object gateway user
A notification displays that the user was updated successfully.
11.4.5. Deleting Ceph Object Gateway users on the dashboard
You can delete Ceph object gateway users on the Red Hat Ceph Storage once the credentials are set up using the CLI.
Prerequisites
- A running Red Hat Ceph Storage cluster.
- Dashboard is installed.
- The Ceph Object Gateway is installed.
- Object gateway login credentials are added to the dashboard.
- A Ceph object gateway user is created.
Procedure
- From the dashboard navigation, go to Object→Users.
- Select the Username to delete, and click Delete from the action drop-down.
- In the Delete user notification, select Yes, I am sure and click Delete User.
The user is removed from the Users table.
Figure 11.7. Delete Ceph object gateway user
11.5. Managing user accounts
User accounts provide authenticated identities for accessing Object Gateway resources. A user account can operate independently or be linked to an IAM account, where it inherits shared ownership, quotas, and centrally managed IAM policies.
11.5.1. Creating an account
Create an account to define a managed identity boundary and configure quotas, limits, and access controls for its users and buckets.
Prerequisites
Ensure that the following prerequisites are met:
- You have administrator access to the Red Hat Ceph Storage Dashboard.
- The account email address is unique.
- You have planned the quotas, resource modes, and identity limits for the account.
Procedure
- Go to Object > User management > Accounts > Create.
- Enter the required account information.
- Configure resource modes and limits, including maximum users, roles, groups, and access keys.
- Optional: Set the account-level quota.
- Optional: Set the bucket-level quota.
- Click Create Account.
Results
The account is created and appears in the Accounts list. All configured quotas, limits, and access settings are applied, and the account becomes available for linking with users.
After creating an account, the next step is to create an account user.
11.5.2. Editing a user account
Update a user account’s attributes, limits, or IAM policies.
Prerequisites
Before you begin, make sure that you have administrator permission to edit user accounts.
An IAM-linked user cannot be deleted. Only editable attributes and policies can be modified from the User page.
Procedure
- Go to Object > User management > Accounts > Edit.
- In the user list, open the ⋮ (three-dot menu) for the account list and account you want to modify.
- Select Edit and update the required identity details, limits, or managed policies.
- Save the changes.
Results
The user account is updated with the new configuration. The changes take effect immediately and are reflected in the User Details panel.
11.5.3. Deleting a user account
Delete a user account that is no longer required.
Prerequisites
Before you begin, make sure that you have the following prerequisites in place:
- The user does not own any buckets.
- You have administrator permission to delete user accounts.
Procedure
- Go to Object > User management > Accounts > Delete.
Note: An account cannot be deleted until all users linked to the account are deleted.
- In the user list, open the ⋮ (three-dot menu) for the user you want to delete.
- Select Delete and confirm the action.
Results
The user account is deleted from the system. All associated credentials are deleted, and the user no longer appears in the Users list.
11.5.4. Linking a bucket with an account
Link a bucket to an account so the bucket becomes part of the account’s ownership scope and follows the account’s quota, visibility, and policy rules.
Prerequisites
Before you begin, make sure that you have the following prerequisites in place:
- The bucket owner must be a user associated with an account.
- The user must have sufficient permissions, through a managed policy, to create or modify bucket ownership.
- Account membership is permanent. When a user is linked to an account, all of that user’s existing buckets are automatically reassigned to the account.
Procedure
Choose one of the following methods to associate a bucket with an account:
- Create a new bucket under a user who belongs to an account, and specify the account user as the owner.
- Edit an existing bucket created by a normal RGW user and update its ownership to an account user.
- In the bucket creation or edit form, select the account user from the owner list.
- Save the bucket configuration.
Results
The bucket is linked to the account and appears in the Buckets list with updated ownership. Account users can view and manage the bucket according to their assigned permissions, and the bucket now follows the account’s quota and policy settings.
11.5.5. Linking a user to an account
Associate a user with an account so the user inherits account-level quotas, policies, and resource ownership. Account membership is permanent. When a user is linked to an account, all of that user’s existing buckets are automatically reassigned to the account.
Prerequisites
Before you begin, make sure that you have the following prerequisites in place:
- At least one account must exist.
- Determine whether the user requires root-level access within the account.
- Ensure that the appropriate managed policies are available if the user requires predefined access permissions.
Procedure
- Go to Object > Users.
Choose one of the following ways to associate a user with an account:
- Create a new user and link it to an account during creation.
- Edit an existing user and link it to an account.
- In the Link Account field, select the account to associate it with the user.
- Optional: Select Account Root User if the user requires administrative privileges to manage other users or roles.
- Optional: Apply managed policies if the user requires predefined full-access or read-only permissions.
- Save the user configuration.
Results
The user is linked to the selected account and inherits the account’s quotas, ownership rules, and applicable IAM policies. If configured as a root account user, the user receives elevated management capabilities, which are indicated in the Users list.
11.6. Managing Ceph Object Gateway buckets on the dashboard
As a storage administrator, the Red Hat Ceph Storage Dashboard allows you to view and manage Ceph Object Gateway buckets.
Prerequisites
- A running Red Hat Ceph Storage cluster.
- Dashboard is installed.
- The Ceph Object Gateway is installed.
- At least one Ceph Object Gateway user is created.
- Object gateway login credentials are added to the dashboard.
11.6.1. Creating Ceph object gateway buckets on the dashboard
You can create Ceph object gateway buckets on the Red Hat Ceph Storage once the credentials are set up using the CLI.
Prerequisites
- A running Red Hat Ceph Storage cluster.
- Dashboard is installed.
- The Ceph Object Gateway is installed.
- Object gateway login credentials are added to the dashboard.
- Object gateway user is created and not suspended.
Procedure
- From the dashboard navigation, go to Object→Buckets.
- Click Create.
The Create Bucket form displays.
- Enter a Name for the bucket.
- Select an Owner. The owner is a user that is not suspended.
- Select a Placement target.
Important: A bucket’s placement target cannot be changed after creation.
- Optional: In the Locking section, select Enabled to enable locking for the bucket objects.
Important: Locking can only be enabled while creating a bucket and cannot be changed after creation.
  - Select the Mode, either Compliance or Governance.
  - In the Days field, select the default retention period that is applied to new objects placed in this bucket.
- Optional: In the Security section, select Security to encrypt objects in the bucket.
  - Set the configuration values for SSE-S3. Click the Encryption information icon and then Click here.
Note: When using SSE-S3 encryption type, Ceph manages the encryption keys that are stored in the vault by the user.
  - In the Update RGW Encryption Configurations dialog, ensure that SSE-S3 is selected as the Encryption Type.
  - Fill the other required information.
  - Click Submit.
Figure 11.8. Encrypt objects in the bucket
- In the Tags section, click Add to add bucket tags.
These tags are equivalent to the S3 PutBucketTagging. Enter the tag Key and tag Value to categorize your storage buckets.
- Set the bucket policies in the Policies section.
  - Enter the Bucket policy. Use the Policy generator or Policy examples buttons to help create the bucket policies, as needed. Enter or modify the policy in JSON format.
Use the following links from within the form to help create your bucket policy. These links open a new tab in your browser.
  - Policy generator is an external tool from AWS to generate a bucket policy. For more information, see AWS Policy Generator (https://awspolicygen.s3.amazonaws.com/policygen.html).
Note: You can use the policy generator with the S3 Bucket Policy type as a guideline for building your Ceph Object Gateway bucket policies.
  - Policy examples takes you to AWS documentation with examples of bucket policies.
For more information about managing bucket policies through the dashboard, see Managing Ceph Object Gateway bucket policies on the dashboard.
  - Set the Access Control Lists (ACL) grantee and permission information.
Table 11.1. ACL user options

| Permission | Bucket | Object |
| --- | --- | --- |
| READ | Grantee can list the objects in the bucket. | Grantee can read the object. |
| WRITE | Grantee can write or delete objects in the bucket. | N/A |
| FULL_CONTROL | Grantee has full permissions for object in the bucket. | Grantee can read or write to the object ACL. |

- Click Create bucket.
A notification displays that the bucket was created successfully.
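Added example, not part of the Red Hat documentation: a small Python check that can be run on a policy document, such as one produced by the policy generator, before it is entered in the Bucket policy field. It flags Allow statements that apply to every principal without a Condition and statements with wildcard actions; the sample policy, bucket name, and user ARN are constructed values, and the finding codes are this example's own.

```python
"""Lint a bucket policy document before entering it in the Bucket policy field."""
import json

READ_PREFIXES = ("s3:get", "s3:list")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_everyone(principal):
    """True for "Principal": "*" and for {"AWS": "*"} or {"AWS": ["*", ...]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def lint_bucket_policy(text):
    """Return [(sid, code)] findings; an empty list means nothing was flagged."""
    try:
        policy = json.loads(text)
    except json.JSONDecodeError:
        return [("-", "INVALID_JSON")]
    if not isinstance(policy, dict):
        return [("-", "NOT_A_POLICY_OBJECT")]
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if not isinstance(stmt, dict) or stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = stmt.get("Sid", f"statement[{index}]")
        actions = [str(a).lower() for a in _as_list(stmt.get("Action", []))]
        # Anything not provably read-only is reported as write-capable.
        read_only = bool(actions) and all(a.startswith(READ_PREFIXES) for a in actions)
        if _is_everyone(stmt.get("Principal")) and "Condition" not in stmt:
            findings.append((sid, "PUBLIC_READ" if read_only else "PUBLIC_WRITE"))
        if any(a in ("*", "s3:*") for a in actions):
            findings.append((sid, "WILDCARD_ACTION"))
    return findings


# Constructed sample policy: bucket name and user ARN are placeholders.
SAMPLE_POLICY = """
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "TeamWrite", "Effect": "Allow",
     "Principal": {"AWS": ["arn:aws:iam:::user/example-user"]},
     "Action": ["s3:PutObject", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "OpenAll", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-bucket",
                  "arn:aws:s3:::example-bucket/*"]}
  ]
}
"""

if __name__ == "__main__":
    for sid, code in lint_bucket_policy(SAMPLE_POLICY):
        print(f"{code:16} {sid}")
```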
11.6.2. Editing Ceph object gateway buckets on the dashboard
You can edit Ceph object gateway buckets on the Red Hat Ceph Storage once the credentials are set up using the CLI.
Prerequisites
- A running Red Hat Ceph Storage cluster.
- Dashboard is installed.
- The Ceph Object Gateway is installed.
- Object gateway login credentials are added to the dashboard.
- Object gateway user is created and not suspended.
- A Ceph Object Gateway bucket created.
Procedure
- From the dashboard navigation, go to Object>Buckets.
- On the navigation bar, click Object Gateway.
- Select the bucket row that needs to be updated, and click Edit. The Edit Bucket form displays.
- Optional: Enable Versioning if you want to enable versioning state for all the objects in an existing bucket.
  - To enable versioning, you must be the owner of the bucket.
  - If Locking is enabled during bucket creation, you cannot disable the versioning.
  - All objects added to the bucket will receive a unique version ID.
  - If the versioning state has not been set on a bucket, then the bucket will not have a versioning state.
- Optional: Select (Delete enabled) for Multi-Factor Authentication. Multi-Factor Authentication (MFA) ensures that users need to use a one-time password (OTP) when removing objects on certain buckets. Enter a value for Token Serial Number and Token PIN.
Note: The buckets must be configured with versioning and MFA enabled, which can be done through the S3 API.
- Optional: As needed, update the Tags and Policies. Updating the Policies includes updating the Bucket policy and Access Control Lists (ACL) grantee and permission information. For more information, see Creating Ceph object gateway buckets on the dashboard.
- Click Edit Bucket to save the changes. A notification displays that the bucket was updated successfully.
11.6.3. Deleting Ceph Object Gateway buckets on the dashboard
You can delete Ceph object gateway buckets on the Red Hat Ceph Storage once the credentials are set up using the CLI.
Prerequisites
- A running Red Hat Ceph Storage cluster.
- Dashboard is installed.
- The Ceph Object Gateway is installed.
- Object Gateway login credentials are added to the dashboard.
- Object Gateway user is created and not suspended.
- A Ceph Object Gateway bucket created.
Procedure
- From the dashboard navigation, go to Object→Buckets.
- Select the bucket to be deleted, and click Delete from the action drop-down.
- In the Delete Bucket notification, select Yes, I am sure and click Delete bucket.
Figure 11.9. Delete Ceph Object Gateway bucket
11.7. Managing notification destinations
Learn how notification destinations in Red Hat Ceph Storage Object Gateway define where S3 bucket event messages are delivered.
A notification destination represents an external endpoint that receives S3 bucket event messages. These destinations define how and where events are sent—for example, to HTTPS endpoints, Kafka topics, AMQP queues, or custom services. Notification destinations are created once and can be reused across multiple bucket notifications.
Why notification destinations are important
Notification destinations are used when downstream systems need to consume event data generated by bucket or object changes. Typical consumers include:
- Stream processing services
- Data ingestion pipelines
- Automation tools
- Audit and compliance systems
- Analytics applications
Key components of a notification destination
A notification destination includes the following components:
- Destination name: A unique identifier.
- Endpoint type: HTTPS, Kafka, AMQP, or other supported mechanisms.
- Endpoint details: URL, port, credentials, TLS settings, timeout, and retry configuration.
- Delivery format: How event data is packaged and transmitted.
- Associations: Bucket notifications that reference the destination.
How notification destinations fit into the event architecture
The following sequence explains how notification destinations participate in event routing:
- The administrator creates one or more notification destinations.
- Bucket notifications reference these destinations.
- The Object Gateway monitors bucket events.
- When an event occurs, the gateway identifies the mapped destination.
- The event is delivered to the configured endpoint.
Use cases
Notification destinations support scenarios such as:
- Sending new-object events to Kafka.
- Triggering workflows through HTTPS webhooks.
- Forwarding delete events to audit systems.
- Integrating with AMQP or message queues.
- Driving real-time data ingestion.
11.7.1. Creating a notification destination
Create a new notification destination to receive S3 event messages.
Prerequisites
Make sure that you have the following prerequisites in place:
- You have administrative permissions.
- You have the endpoint information, including URL, protocol, and authentication details.
Procedure
- Go to Object Gateway > Bucket notifications and select the Destinations tab.
- Click Create destination.
- Enter the destination details, including the name, endpoint type, and required configuration fields.
- Click Save.
- Verify that the destination appears in the list.
Results
A new notification destination is created and available for bucket notification mapping.
11.7.2. Editing a notification destination
Modify the configuration of an existing notification destination.
Prerequisites
Make sure that you have the following prerequisites in place:
- The destination is not used by critical or production bucket notifications.
- You have the updated endpoint or configuration details.
Procedure
- Go to Object Gateway > Bucket notifications and select the Destinations tab.
- Select the destination and click Edit.
- Update the required fields.
- Click Save.
- Verify that the updated details appear in the list.
Results
The notification destination is updated.
11.7.3. Listing notification destinations
Learn how to view the list of notification destinations.
Prerequisites
Before you begin, make sure that you have permission to view notification destinations.
Procedure
- In the Ceph Dashboard, select Object Gateway > Notification destinations.
- Click the Notification destinations tab.
- Review the list of configured notification destinations.
- Optional: Use the search or filters to refine the list.
Results
All configured notification destinations are displayed.
11.7.4. Deleting a notification destination
Delete a notification destination that is no longer required.
Prerequisites
Make sure that you have the following prerequisites in place:
- No active bucket notifications reference the destination.
- You have confirmed that deleting the destination will not impact downstream workflows.
Procedure
- Go to Object Gateway > Bucket notifications and select the Destinations tab.
- Select the destination that you want to delete.
- Click Delete.
- Confirm the deletion when prompted.
- Verify that the destination is removed from the list.
Results
The selected notification destination is deleted.