此内容没有您所选择的语言版本。
Chapter 3. Object Gateway Swift Application Programming Interface (API)
Ceph supports a RESTful API that is compatible with the basic data access model of the Swift API.
The following table describes the support status for current Swift functional features:
| Feature | Status | Remarks |
|---|---|---|
| Supported | ||
| Get Account Metadata | Supported | No custom metadata |
| Supported | Supports a subset of Swift ACLs | |
| Supported | ||
| Supported | ||
| Supported | ||
| Get Container Metadata | Supported | |
| Supported | ||
| Delete Container Metadata | Supported | |
| Supported | ||
| Static Website | Not Supported | |
| Supported | ||
| Supported | ||
| Create Large Object | Supported | |
| Supported | ||
| Supported | ||
| Supported | ||
| Supported | ||
| Supported | ||
| Supported | ||
| Expiring Objects | Supported | |
| Object Versioning | Not Supported | |
| CORS | Not Supported |
3.1. Authentication
Swift API requests that require authentication must contain an X-Storage-Token authentication token in the request header. The token can be retrieved from Ceph Object Gateway, or from another authenticator. To obtain a token from Ceph Object Gateway, you must create a user.
Syntax
# radosgw-admin user create --uid="<user_name>" --display-name="<display_name>"
Example
# radosgw-admin user create --uid="swift1" --display-name="First Swift User"
3.1.1. Authentication GET
To authenticate a user, make a request containing an X-Auth-User and a X-Auth-Key in the header.
Syntax
GET /auth HTTP/1.1 Host: swift.radosgwhost.com X-Auth-User: johndoe X-Auth-Key: R7UUOLFDI2ZI9PRCQ53K
| Name | Description | Type | Required |
|---|---|---|---|
|
| The key Ceph Object Gateway username to authenticate. | String | Yes |
|
| The key associated to a Ceph Object Gateway username. | String | Yes |
The response from the server should include an X-Auth-Token value. The response might also contain a X-Storage-Url that provides the <api_version>/<account> prefix that is specified in other requests throughout the API documentation.
| Name | Description | Type |
|---|---|---|
|
|
The authorization token for the | String |
|
|
The URL and | String |
Example Response
HTTP/1.1 204 No Content Date: Mon, 16 Jul 2012 11:05:33 GMT Server: swift X-Storage-Url: https://swift.radosgwhost.com/v1/ACCT-12345 X-Storage-Token: UOlCCC8TahFKlWuv9DB09TWHF0nDjpPElha0kAa Content-Length: 0 Content-Type: text/plain; charset=UTF-8
3.2. Service Operations
To retrieve data about our Swift-compatible service, you can execute GET requests using the X-Storage-Url value retrieved during authentication.
3.2.1. List Containers
A GET request that specifies the API version and the account will return a list of containers for a particular user account. Since the request returns a particular user’s containers, the request requires an authentication token. The request cannot be made anonymously.
Syntax
GET /<api_version>/<account> HTTP/1.1 Host: <Fully_Qualified_Domain_Name> X-Auth-Token: <auth_token>
| Name | Description | Type | Required | Valid Values |
|---|---|---|---|---|
|
| Limits the number of results to the specified value. | Integer | No | N/A |
|
| Defines the format of the result. | String | No |
|
|
| Returns a list of results greater than the marker value. | String | No | N/A |
The response contains a list of containers, or returns with an HTTP 204 response code
| Name | Description | Type |
|---|---|---|
|
| A list for account information. | Container |
|
| The list of containers. | Container |
|
| The name of a container. | String |
|
| The size of the container. | Integer |
3.3. Container Operations
A container is a mechanism for storing data objects. An account can have many containers, but container names must be unique. This API enables a client to create a container, set access controls and metadata, retrieve a container’s contents, and delete a container. Since this API makes requests related to information in a particular user’s account, all requests in this API must be authenticated unless a container’s access control is deliberately made publicly accessible, that is, allows anonymous requests.
The Amazon S3 API uses the term 'bucket' to describe a data container. When you hear someone refer to a 'bucket' within the Swift API, the term 'bucket' might be construed as the equivalent of the term 'container.'
One facet of object storage is that it does not support hierarchical paths or directories. Instead, it supports one level consisting of one or more containers, where each container might have objects. The RADOS Gateway’s Swift-compatible API supports the notion of 'pseudo-hierarchical containers', which is a means of using object naming to emulate a container, or directory hierarchy without actually implementing one in the storage system. You can name objects with pseudo-hierarchical names, for example, photos/buildings/empire-state.jpg, but container names cannot contain a forward slash (/) character.
When uploading large objects to versioned Swift containers, use the --leave-segments option with the python-swiftclient utility. Not using --leave-segments overwrites the manifest file. Consequently, an existing object is overwritten, which leads to data loss.
3.3.1. Container Operations with Multi Tenancy
When a client application accesses containers, it always operates with credentials of a particular user. In Red Hat Ceph Storage 3, every user belongs to a tenant. See Multi Tenancy for additional details. Consequently, every container operation has an implicit tenant in its context if no tenant is specified explicitly. Thus multi tenancy is completely backward compatible with previous releases, as long as the referred containers and referring user belong to the same tenant.
Extensions employed to specify an explicit tenant differ according to the protocol and authentication system used.
A colon character separates tenant and container, thus a sample URL would be:
Example
https://rgw.domain.com/tenant:container
By contrast, in a create_container() method, simply separate the tenant and container in the container method itself:
Example
create_container("tenant:container")
3.3.2. Create a Container
To create a new container, make a PUT request with the API version, account, and the name of the new container. The container name must be unique, must not contain a forward-slash (/) character, and should be less than 256 bytes. You can include access control headers and metadata headers in the request. You can also include a storage policy identifying a key for a set of placement pools, for example, execute radosgw-admin zone get to see a list of available keys under placement_pools. A storage policy enables you to specify a special set of pools for the container, for example, SSD-based storage. The operation is idempotent; that is, if you make a request to create a container that already exists, it will return with a HTTP 202 return code, but will not create another container.
Syntax
PUT /<api_version>/<account>/<tenant>:<container> HTTP/1.1 Host: <Fully_Qualified_Domain_Name> X-Auth-Token: <auth_token> X-Container-Read: <comma_separated_uids> X-Container-Write: <comma_separated_uids> X-Container-Meta-<key>: <value> X-Storage-Policy: <placement_pools_key>
| Name | Description | Type | Required |
|---|---|---|---|
|
| The user IDs with read permissions for the container. | Comma-separated string values of user IDs. | No |
|
| The user IDs with write permissions for the container. | Comma-separated string values of user IDs. | No |
|
| A user-defined meta data key that takes an arbitrary string value. | String | No |
|
|
The key that identifies the storage policy under | String | No |
If a container with the same name already exists, and the user is the container owner then the operation will succeed. Otherwise the operation will fail.
| Name | Description | Status Code |
|---|---|---|
|
| The container already exists under a different user’s ownership. |
|
3.3.3. List a Container’s Objects
To list the objects within a container, make a GET request with the with the API version, account, and the name of the container. You can specify query parameters to filter the full list, or leave out the parameters to return a list of the first 10,000 object names stored in the container.
Syntax
GET /<api_version>/<tenant>:<container> HTTP/1.1 Host: <Fully_Qualified_Domain_Name> X-Auth-Token: <auth_token>
| Name | Description | Type | Valid Values | Required |
|---|---|---|---|---|
|
| Defines the format of the result. | String |
| No |
|
| Limits the result set to objects beginning with the specified prefix. | String | N/A | No |
|
| Returns a list of results greater than the marker value. | String | N/A | No |
|
| Limits the number of results to the specified value. | Integer | 0 - 10,000 | No |
|
| The delimiter between the prefix and the rest of the object name. | String | N/A | No |
|
| The pseudo-hierarchical path of the objects. | String | N/A | No |
| Name | Description | Type |
|---|---|---|
|
| The container. | Container |
|
| An object within the container. | Container |
|
| The name of an object within the container. | String |
|
| A hash code of the object’s contents. | String |
|
| The last time the object’s contents were modified. | Date |
|
| The type of content within the object. | String |
3.3.4. Update a Container’s Access Control Lists (ACLs)
When a user creates a container, the user has read and write access to the container by default. To allow other users to read a container’s contents or write to a container, you must specifically enable the user. You can also specify * in the X-Container-Read or X-Container-Write settings, which effectively enables all users to either read from or write to the container. Setting * makes the container public. That is it enables anonymous users to either read from or write to the container.
Syntax
POST /<api_version>/<account>/<tenant>:<container> HTTP/1.1 Host: <Fully_Qualified_Domain_Name> X-Auth-Token: <auth_token> X-Container-Read: * X-Container-Write: <uid1>, <uid2>, <uid3>
| Name | Description | Type | Required |
|---|---|---|---|
|
| The user IDs with read permissions for the container. | Comma-separated string values of user IDs. | No |
|
| The user IDs with write permissions for the container. | Comma-separated string values of user IDs. | No |
3.3.5. Add/Update Container Metadata
To add metadata to a container, make a POST request with the API version, account, and container name. You must have write permissions on the container to add or update metadata.
Syntax
POST /<api_version>/<account>/<tenant>:<container> HTTP/1.1 Host: <Fully_Qualified_Domain_Name> X-Auth-Token: <auth_token> X-Container-Meta-Color: red X-Container-Meta-Taste: salty
| Name | Description | Type | Required |
|---|---|---|---|
|
| A user-defined meta data key that takes an arbitrary string value. | String | No |
3.3.6. Delete a Container
To delete a container, make a DELETE request with the API version, account, and the name of the container. The container must be empty. If you’d like to check if the container is empty, execute a HEAD request against the container. Once you’ve successfully removed the container, you’ll be able to reuse the container name.
Syntax
DELETE /<api version>/<account>/<tenant>:<container> HTTP/1.1 Host: <Fully_Qualified_Domain_Name> X-Auth-Token: <auth-token>
| Name | Description | Status Code |
|---|---|---|
|
| The container was removed. |
|
3.4. Object Operations
An object is a container for storing data and metadata. A container might have many objects, but the object names must be unique. This API enables a client to create an object, set access controls and metadata, retrieve an object’s data and metadata, and delete an object. Since this API makes requests related to information in a particular user’s account, all requests in this API must be authenticated unless the container or object’s access control is deliberately made publicly accessible, that is, allows anonymous requests.
3.4.1. Create/Update an Object
To create a new object, make a PUT request with the API version, account, container name and the name of the new object. You must have write permission on the container to create or update an object. The object name must be unique within the container. The PUT request is not idempotent, so if you do not use a unique name, the request will update the object. However, you can use pseudo-hierarchical syntax in the object name to distinguish it from another object of the same name if it is under a different pseudo-hierarchical directory. You can include access control headers and metadata headers in the request.
Syntax
PUT /<api_version>/<account>/<tenant>:<container>/<object> HTTP/1.1 Host: <Fully_Qualified_Domain_Name> X-Auth-Token: <auth_token>
| Name | Description | Type | Required | Valid Values |
|---|---|---|---|---|
|
| An MD5 hash of the object’s contents. Recommended. | String | No | N/A |
|
| The type of content the object contains. | String | No | N/A |
|
| Indicates whether the object is part of a larger aggregate object. | String | No |
|
3.4.2. Copy an Object
Copying an object allows you to make a server-side copy of an object, so that you don’t have to download it and upload it under another container/name. To copy the contents of one object to another object, you can make either a PUT request or a COPY request with the API version, account, and the container name. For a PUT request, use the destination container and object name in the request, and the source container and object in the request header. For a Copy request, use the source container and object in the request, and the destination container and object in the request header. You must have write permission on the container to copy an object. The destination object name must be unique within the container. The request is not idempotent, so if you do not use a unique name, the request will update the destination object. However, you can use pseudo-hierarchical syntax in the object name to distinguish the destination object from the source object of the same name if it is under a different pseudo-hierarchical directory. You can include access control headers and metadata headers in the request.
Syntax
PUT /<api_version>/<account>/<tenant>:<dest_container>/<dest_object> HTTP/1.1 X-Copy-From: <tenant>:<source_container>/<source_object> Host: <Fully_Qualified_Domain_Name> X-Auth-Token: <auth_token>
or alternatively:
Syntax
COPY /<api_version>/<account>/<tenant>:<source_container>/<source_object> HTTP/1.1 Destination: <tenant>:<dest_container>/<dest_object>
| Name | Description | Type | Required |
|---|---|---|---|
|
|
Used with a | String |
Yes, if using |
|
|
Used with a | String |
Yes, if using |
|
|
Only copies if modified since the date/time of the source object’s | Date | No |
|
|
Only copies if not modified since the date/time of the source object’s | Date | No |
|
| Copies only if the ETag in the request matches the source object’s ETag. | ETag. | No |
|
| Copies only if the ETag in the request does not match the source object’s ETag. | ETag. | No |
3.4.3. Delete an Object
To delete an object, make a DELETE request with the API version, account, container and object name. You must have write permissions on the container to delete an object within it. Once you’ve successfully deleted the object, you’ll be able to reuse the object name.
Syntax
DELETE /<api_version>/<account>/<tenant>:<container>/<object> HTTP/1.1 Host: <Fully_Qualified_Domain_Name> X-Auth-Token: <auth_token>
3.4.4. Get an Object
To retrieve an object, make a GET request with the API version, account, container and object name. You must have read permissions on the container to retrieve an object within it.
Syntax
GET /<api version>/<account>/<tenant>:<container>/<object> HTTP/1.1 Host: <Fully_Qualified_Domain_Name> X-Auth-Token: <auth-token>
| Name | Description | Type | Required |
|---|---|---|---|
|
| To retrieve a subset of an object’s contents, you can specify a byte range. | Date | No |
|
|
Only copies if modified since the date/time of the source object’s | Date | No |
|
|
Only copies if not modified since the date/time of the source object’s | Date | No |
|
| Copies only if the ETag in the request matches the source object’s ETag. | ETag. | No |
|
| Copies only if the ETag in the request does not match the source object’s ETag. | ETag. | No |
| Name | Description |
|---|---|
|
| The range of the subset of object contents. Returned only if the range header field was specified in the request. |
3.4.5. Get Object Metadata
To retrieve an object’s metadata, make a HEAD request with the API version, account, container and object name. You must have read permissions on the container to retrieve metadata from an object within the container. This request returns the same header information as the request for the object itself, but it does not return the object’s data.
Syntax
HEAD /<api_version>/<account>/<tenant>:<container>/<object> HTTP/1.1 Host: <Fully_Qualified_Domain_Name> X-Auth-Token: <auth_token>
3.4.6. Add/Update Object Metadata
To add metadata to an object, make a POST request with the API version, account, container and object name. You must have write permissions on the parent container to add or update metadata.
Syntax
POST /<api_version>/<account>/<tenant>:<container>/<object> HTTP/1.1 Host: <Fully_Qualified_Domain_Name> X-Auth-Token: <auth_token>
| Name | Description | Type | Required |
|---|---|---|---|
|
| A user-defined meta data key that takes an arbitrary string value. | String | No |
3.5. Temp URL Operations
To allow temporary access, for example GET requests, to objects without the need to share credentials, temp url functionality is supported by swift endpoint of radosgw. For this functionality, initially the value of X-Account-Meta-Temp-URL-Key and optionally X-Account-Meta-Temp-URL-Key-2 should be set. The Temp URL functionality relies on a HMAC-SHA1 signature against these secret keys.
3.5.1. POST Temp-URL Keys
A POST request to the swift account with the required Key will set the secret temp url key for the account against which temporary url access can be provided to accounts. Up to two keys are supported, and signatures are checked against both the keys, if present, so that keys can be rotated without invalidating the temporary urls.
Syntax
POST /<api_version>/<account> HTTP/1.1 Host: <Fully_Qualified_Domain_Name> X-Auth-Token: <auth_token>
| Name | Description | Type | Required |
|---|---|---|---|
|
| A user-defined key that takes an arbitrary string value. | String | Yes |
|
| A user-defined key that takes an arbitrary string value. | String | No |
3.5.2. GET Temp-URL Objects
Temporary URL uses a cryptographic HMAC-SHA1 signature, which includes the following elements:
- The value of the Request method, "GET" for instance
- The expiry time, in format of seconds since the epoch, that is, Unix time
- The request path starting from "v1" onwards
The above items are normalized with newlines appended between them, and a HMAC is generated using the SHA-1 hashing algorithm against one of the Temp URL Keys posted earlier.
A sample python script to demonstrate the above is given below:
Example
import hmac
from hashlib import sha1
from time import time
method = 'GET'
host = 'https://objectstore.example.com'
duration_in_seconds = 300 # Duration for which the url is valid
expires = int(time() + duration_in_seconds)
path = '/v1/your-bucket/your-object'
key = 'secret'
hmac_body = '%s\n%s\n%s' % (method, expires, path)
hmac_body = hmac.new(key, hmac_body, sha1).hexdigest()
sig = hmac.new(key, hmac_body, sha1).hexdigest()
rest_uri = "{host}{path}?temp_url_sig={sig}&temp_url_expires={expires}".format(
host=host, path=path, sig=sig, expires=expires)
print rest_uri
Example Output
https://objectstore.example.com/v1/your-bucket/your-object?temp_url_sig=ff4657876227fc6025f04fcf1e82818266d022c6&temp_url_expires=1423200992
3.6. Swift API Limitations
The following limitations should be used with caution. There are implications related to your hardware selections, so you should always discuss these requirements with your Red Hat account team.
- Maximum object size when using Swift API: 5GB
- Maximum metadata size when using Swift API: There is no defined limit on the total size of user metadata that can be applied to an object, but a single HTTP request is limited to 16,000.
