1.3. 管理身份验证请求
Amazon 的 S3 服务使用访问密钥和请求标头的哈希和 secret 密钥来验证请求。它有提供经过身份验证的请求(特别是大型上传)的好处,而没有 SSL 开销。
S3 API 的大部分用例都涉及使用开源 S3 客户端,如 Amazon SDK 中用于 Java 或 Python Boto 的 AmazonS3Client。这些库不支持 Ceph 对象网关管理员 API。您可以子类和扩展这些库来支持 Ceph Admin API。或者,您可以创建唯一的网关客户端。
创建 execute() 方法
本节中的 CephAdminAPI 示例类演示了如何创建 执行() 方法,获取请求参数,对请求进行身份验证,调用 Ceph Admin API 并接收响应。
CephAdminAPI 类示例不受支持或用于商业用途。它只用于演示目的。
调用 Ceph 对象网关
客户端代码 包含对 Ceph 对象网关的五个调用,以演示 CRUD 操作:
- 创建用户
- 获取用户
- 修改用户
- 创建子用户
- 删除用户
要使用此示例,请获取 httpcomponents-client-4.5.3 Apache HTTP 组件。您可以在此处下载该文件:http://hc.apache.org/downloads.cgi。然后解压缩 tar 文件,导航到其 lib 目录,并将内容复制到 JAVA_HOME 目录或自定义类路径的 /jre/lib/ext 目录中。
当您检查 CephAdminAPI 类示例时,请注意 execute() 采用 HTTP 方法、请求路径、可选的子资源、null(如果未指定),以及参数映射。若要使用 subresources 执行,例如 subuser、和 key,您需要在 execute() 方法中指定子资源作为参数。
示例方法:
- 构建 URI。
- 构建 HTTP 标头字符串。
-
实例化 HTTP 请求,如
PUT、POST、GET、DELETE。 -
在 HTTP 标头字符串和请求标头中添加
Date标头。 -
在 HTTP 请求标头中添加
Authorization标头。 - 实例化 HTTP 客户端,并传递实例化的 HTTP 请求。
- 发出请求。
- 返回响应。
构建标头字符串
构建标头字符串是涉及 Amazon 的 S3 身份验证过程的过程的一部分。具体来说,示例方法如下:
-
添加请求类型,如
PUT、POST、GET和DELETE。 - 添加日期。
- 添加 requestPath。
请求类型应该是大写的,没有前导或尾随空格。如果您不修剪空格,身份验证将失败。日期需要 以 GMT 表示,否则身份验证将失败。
exemplary 方法没有任何其他标头。Amazon S3 身份验证流程按 x-amz 标头顺序排序。因此,如果您要添加 x-amz 标头,确保以字典顺序添加它们。
构建了标头字符串后,下一步是实例化 HTTP 请求并传递 URI。考试卷方法使用 PUT 来创建用户和子用户,GET 用于获取用户,POST 用于修改用户和 DELETE 以删除用户。
实例化了一个请求后,添加 Date 标头后跟 Authorization 标头。Amazon 的 S3 身份验证使用标准 Authorization 标头,且结构如下:
Authorization: AWS ACCESS_KEY:HASH_OF_HEADER_AND_SECRET
CephAdminAPI 示例类具有一个 base64Sha1Hmac() 方法,它采用 admin 用户的标头字符串和 secret 密钥,并将 SHA1 HMAC 作为 base-64 编码字符串返回。每个 execute() 调用都将调用同一行代码来构建 Authorization 标头:
httpRequest.addHeader("Authorization", "AWS " + this.getAccessKey() + ":" + base64Sha1Hmac(headerString.toString(), this.getSecretKey()));
以下 CephAdminAPI 示例类要求您将访问密钥、secret 密钥和端点传递给构造器。class 提供在运行时更改它们的访问器方法。
示例
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.time.OffsetDateTime;
import java.time.format.DateTimeFormatter;
import java.time.ZoneId;
import org.apache.http.HttpEntity;
import org.apache.http.NameValuePair;
import org.apache.http.Header;
import org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpRequestBase;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.client.methods.HttpPut;
import org.apache.http.client.methods.HttpDelete;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.message.BasicNameValuePair;
import org.apache.http.util.EntityUtils;
import org.apache.http.client.utils.URIBuilder;
import java.util.Base64;
import java.util.Base64.Encoder;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import javax.crypto.spec.SecretKeySpec;
import javax.crypto.Mac;
import java.util.Map;
import java.util.Iterator;
import java.util.Set;
import java.util.Map.Entry;
public class CephAdminAPI {
/*
* Each call must specify an access key, secret key, endpoint and format.
*/
String accessKey;
String secretKey;
String endpoint;
String scheme = "http"; //http only.
int port = 80;
/*
* A constructor that takes an access key, secret key, endpoint and format.
*/
public CephAdminAPI(String accessKey, String secretKey, String endpoint){
this.accessKey = accessKey;
this.secretKey = secretKey;
this.endpoint = endpoint;
}
/*
* Accessor methods for access key, secret key, endpoint and format.
*/
public String getEndpoint(){
return this.endpoint;
}
public void setEndpoint(String endpoint){
this.endpoint = endpoint;
}
public String getAccessKey(){
return this.accessKey;
}
public void setAccessKey(String accessKey){
this.accessKey = accessKey;
}
public String getSecretKey(){
return this.secretKey;
}
public void setSecretKey(String secretKey){
this.secretKey = secretKey;
}
/*
* Takes an HTTP Method, a resource and a map of arguments and
* returns a CloseableHTTPResponse.
*/
public CloseableHttpResponse execute(String HTTPMethod, String resource,
String subresource, Map arguments) {
String httpMethod = HTTPMethod;
String requestPath = resource;
StringBuffer request = new StringBuffer();
StringBuffer headerString = new StringBuffer();
HttpRequestBase httpRequest;
CloseableHttpClient httpclient;
URI uri;
CloseableHttpResponse httpResponse = null;
try {
uri = new URIBuilder()
.setScheme(this.scheme)
.setHost(this.getEndpoint())
.setPath(requestPath)
.setPort(this.port)
.build();
if (subresource != null){
uri = new URIBuilder(uri)
.setCustomQuery(subresource)
.build();
}
for (Iterator iter = arguments.entrySet().iterator();
iter.hasNext();) {
Entry entry = (Entry)iter.next();
uri = new URIBuilder(uri)
.setParameter(entry.getKey().toString(),
entry.getValue().toString())
.build();
}
request.append(uri);
headerString.append(HTTPMethod.toUpperCase().trim() + "\n\n\n");
OffsetDateTime dateTime = OffsetDateTime.now(ZoneId.of("GMT"));
DateTimeFormatter formatter = DateTimeFormatter.RFC_1123_DATE_TIME;
String date = dateTime.format(formatter);
headerString.append(date + "\n");
headerString.append(requestPath);
if (HTTPMethod.equalsIgnoreCase("PUT")){
httpRequest = new HttpPut(uri);
} else if (HTTPMethod.equalsIgnoreCase("POST")){
httpRequest = new HttpPost(uri);
} else if (HTTPMethod.equalsIgnoreCase("GET")){
httpRequest = new HttpGet(uri);
} else if (HTTPMethod.equalsIgnoreCase("DELETE")){
httpRequest = new HttpDelete(uri);
} else {
System.err.println("The HTTP Method must be PUT,
POST, GET or DELETE.");
throw new IOException();
}
httpRequest.addHeader("Date", date);
httpRequest.addHeader("Authorization", "AWS " + this.getAccessKey()
+ ":" + base64Sha1Hmac(headerString.toString(),
this.getSecretKey()));
httpclient = HttpClients.createDefault();
httpResponse = httpclient.execute(httpRequest);
} catch (URISyntaxException e){
System.err.println("The URI is not formatted properly.");
e.printStackTrace();
} catch (IOException e){
System.err.println("There was an error making the request.");
e.printStackTrace();
}
return httpResponse;
}
/*
* Takes a uri and a secret key and returns a base64-encoded
* SHA-1 HMAC.
*/
public String base64Sha1Hmac(String uri, String secretKey) {
try {
byte[] keyBytes = secretKey.getBytes("UTF-8");
SecretKeySpec signingKey = new SecretKeySpec(keyBytes, "HmacSHA1");
Mac mac = Mac.getInstance("HmacSHA1");
mac.init(signingKey);
byte[] rawHmac = mac.doFinal(uri.getBytes("UTF-8"));
Encoder base64 = Base64.getEncoder();
return base64.encodeToString(rawHmac);
} catch (Exception e) {
throw new RuntimeException(e);
}
}
}
后续 CephAdminAPIClient 示例演示如何实例化 CephAdminAPI 类,构建请求参数映射,并使用 execute() 方法创建、获取、更新和删除用户。
示例
import java.io.IOException;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.HttpEntity;
import org.apache.http.util.EntityUtils;
import java.util.*;
public class CephAdminAPIClient {
public static void main (String[] args){
CephAdminAPI adminApi = new CephAdminAPI ("FFC6ZQ6EMIF64194158N",
"Xac39eCAhlTGcCAUreuwe1ZuH5oVQFa51lbEMVoT",
"ceph-client");
/*
* Create a user
*/
Map requestArgs = new HashMap();
requestArgs.put("access", "usage=read, write; users=read, write");
requestArgs.put("display-name", "New User");
requestArgs.put("email", "new-user@email.com");
requestArgs.put("format", "json");
requestArgs.put("uid", "new-user");
CloseableHttpResponse response =
adminApi.execute("PUT", "/admin/user", null, requestArgs);
System.out.println(response.getStatusLine());
HttpEntity entity = response.getEntity();
try {
System.out.println("\nResponse Content is: "
+ EntityUtils.toString(entity, "UTF-8") + "\n");
response.close();
} catch (IOException e){
System.err.println ("Encountered an I/O exception.");
e.printStackTrace();
}
/*
* Get a user
*/
requestArgs = new HashMap();
requestArgs.put("format", "json");
requestArgs.put("uid", "new-user");
response = adminApi.execute("GET", "/admin/user", null, requestArgs);
System.out.println(response.getStatusLine());
entity = response.getEntity();
try {
System.out.println("\nResponse Content is: "
+ EntityUtils.toString(entity, "UTF-8") + "\n");
response.close();
} catch (IOException e){
System.err.println ("Encountered an I/O exception.");
e.printStackTrace();
}
/*
* Modify a user
*/
requestArgs = new HashMap();
requestArgs.put("display-name", "John Doe");
requestArgs.put("email", "johndoe@email.com");
requestArgs.put("format", "json");
requestArgs.put("uid", "new-user");
requestArgs.put("max-buckets", "100");
response = adminApi.execute("POST", "/admin/user", null, requestArgs);
System.out.println(response.getStatusLine());
entity = response.getEntity();
try {
System.out.println("\nResponse Content is: "
+ EntityUtils.toString(entity, "UTF-8") + "\n");
response.close();
} catch (IOException e){
System.err.println ("Encountered an I/O exception.");
e.printStackTrace();
}
/*
* Create a subuser
*/
requestArgs = new HashMap();
requestArgs.put("format", "json");
requestArgs.put("uid", "new-user");
requestArgs.put("subuser", "foobar");
response = adminApi.execute("PUT", "/admin/user", "subuser", requestArgs);
System.out.println(response.getStatusLine());
entity = response.getEntity();
try {
System.out.println("\nResponse Content is: "
+ EntityUtils.toString(entity, "UTF-8") + "\n");
response.close();
} catch (IOException e){
System.err.println ("Encountered an I/O exception.");
e.printStackTrace();
}
/*
* Delete a user
*/
requestArgs = new HashMap();
requestArgs.put("format", "json");
requestArgs.put("uid", "new-user");
response = adminApi.execute("DELETE", "/admin/user", null, requestArgs);
System.out.println(response.getStatusLine());
entity = response.getEntity();
try {
System.out.println("\nResponse Content is: "
+ EntityUtils.toString(entity, "UTF-8") + "\n");
response.close();
} catch (IOException e){
System.err.println ("Encountered an I/O exception.");
e.printStackTrace();
}
}
}
其它资源
- 如需了解更多详细信息,请参阅 Red Hat Ceph Storage Developer Guide 中的 S3 身份验证部分。
- 有关 Amazon S3 身份验证流程的更广泛的解释,请参阅 Amazon Simple Storage Service 文档中的 Signing and Authenticating REST Requests 部分。
