2.2. 管理身份验证请求
Amazon 的 S3 服务使用访问密钥和请求标头的哈希和 secret 密钥来验证请求。它有提供经过身份验证的请求的好处,特别是进行大型上传,而无需 SSL 开销。
S3 API 的大部分用例都涉及使用开源 S3 客户端,如 Amazon SDK for Java 或 Python Boto 的 AmazonS3Client。这些库不支持 Ceph 对象网关管理员 API。您可以使用子类并扩展这些库来支持 Ceph Admin API。或者,您可以创建唯一的网关客户端。
创建 execute () 方法
本节中的 CephAdminAPI 示例类演示了如何创建能够获取请求参数的 execute() 方法,验证请求,调用 Ceph Admin API 并收到响应。
CephAdminAPI 类示例不被支持,不适用于商业用途。它只用于演示目的。
调用 Ceph 对象网关
client code 包含对 Ceph 对象网关的五个调用,以演示 CRUD 操作:
- 创建用户
- 获取用户
- 修改用户
- 创建子用户
- 删除用户
要使用此示例,请获取 httpcomponents-client-4.5.3 Apache HTTP 组件。您可以在此处下载该文件:http://hc.apache.org/downloads.cgi。然后解压缩 tar 文件,进入其 lib 目录,并将内容复制到 JAVA_HOME 目录的 /jre/lib/ext 目录中,或自定义 classpath。
当您检查 CephAdminAPI 类示例时,请注意 execute() 采用 HTTP 方法、请求路径、可选的子资源、null(如果未指定),以及参数映射。要使用子资源(如 subuser 和 key )执行,您需要在 execute () 方法中指定子资源作为参数。
示例方法:
- 构建 URI。
- 构建 HTTP 标头字符串。
-
实例化 HTTP 请求,如
PUT、POST、GET、DELETE。 -
在 HTTP 标头字符串和请求标头中添加
Date标头。 -
在 HTTP 请求标头中添加
Authorization标头。 - 实例化 HTTP 客户端,并传递实例化的 HTTP 请求。
- 发出请求。
- 返回响应。
构建标头字符串
构建标头字符串是涉及 Amazon 的 S3 身份验证过程的过程的一部分。具体来说,示例方法如下:
-
添加请求类型,如
PUT、POST、GET和DELETE。 - 添加日期。
- 添加 requestPath。
请求类型应该为大写,没有前导或尾随空格。如果没有修剪空格,身份验证将失败。日期需要 以 GMT 表示,否则身份验证将失败。
exemplary 方法没有任何其他标头。Amazon S3 身份验证流程按 x-amz 标头顺序排序。因此,如果您要添加 x-amz 标头,确保以字典顺序添加它们。
构建了标头字符串后,下一步是实例化 HTTP 请求并传递 URI。exemplary 方法使用 PUT 来创建用户和子用户,GET 获取用户,POST 用于修改用户和 DELETE 删除用户。
实例化了一个请求后,添加 Date 标头后跟 Authorization 标头。Amazon 的 S3 身份验证使用标准 Authorization 标头,且结构如下:
Authorization: AWS ACCESS_KEY:HASH_OF_HEADER_AND_SECRET
CephAdminAPI 示例类具有 base64Sha1Hmac () 方法,它使用标头字符串和 admin 用户的 secret 密钥,并将 SHA1 HMAC 返回为 base-64 编码字符串。每个 execute() 调用都将调用同一行代码来构建 Authorization 标头:
httpRequest.addHeader("Authorization", "AWS " + this.getAccessKey() + ":" + base64Sha1Hmac(headerString.toString(), this.getSecretKey()));
以下 CephAdminAPI 示例类要求您将访问密钥、secret 密钥和端点传递给构造器。类提供在运行时更改它们的访问者方法。
示例
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.time.OffsetDateTime;
import java.time.format.DateTimeFormatter;
import java.time.ZoneId;
import org.apache.http.HttpEntity;
import org.apache.http.NameValuePair;
import org.apache.http.Header;
import org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpRequestBase;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.client.methods.HttpPut;
import org.apache.http.client.methods.HttpDelete;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.message.BasicNameValuePair;
import org.apache.http.util.EntityUtils;
import org.apache.http.client.utils.URIBuilder;
import java.util.Base64;
import java.util.Base64.Encoder;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import javax.crypto.spec.SecretKeySpec;
import javax.crypto.Mac;
import java.util.Map;
import java.util.Iterator;
import java.util.Set;
import java.util.Map.Entry;
public class CephAdminAPI {
/*
* Each call must specify an access key, secret key, endpoint and format.
*/
String accessKey;
String secretKey;
String endpoint;
String scheme = "http"; //http only.
int port = 80;
/*
* A constructor that takes an access key, secret key, endpoint and format.
*/
public CephAdminAPI(String accessKey, String secretKey, String endpoint){
this.accessKey = accessKey;
this.secretKey = secretKey;
this.endpoint = endpoint;
}
/*
* Accessor methods for access key, secret key, endpoint and format.
*/
public String getEndpoint(){
return this.endpoint;
}
public void setEndpoint(String endpoint){
this.endpoint = endpoint;
}
public String getAccessKey(){
return this.accessKey;
}
public void setAccessKey(String accessKey){
this.accessKey = accessKey;
}
public String getSecretKey(){
return this.secretKey;
}
public void setSecretKey(String secretKey){
this.secretKey = secretKey;
}
/*
* Takes an HTTP Method, a resource and a map of arguments and
* returns a CloseableHTTPResponse.
*/
public CloseableHttpResponse execute(String HTTPMethod, String resource,
String subresource, Map arguments) {
String httpMethod = HTTPMethod;
String requestPath = resource;
StringBuffer request = new StringBuffer();
StringBuffer headerString = new StringBuffer();
HttpRequestBase httpRequest;
CloseableHttpClient httpclient;
URI uri;
CloseableHttpResponse httpResponse = null;
try {
uri = new URIBuilder()
.setScheme(this.scheme)
.setHost(this.getEndpoint())
.setPath(requestPath)
.setPort(this.port)
.build();
if (subresource != null){
uri = new URIBuilder(uri)
.setCustomQuery(subresource)
.build();
}
for (Iterator iter = arguments.entrySet().iterator();
iter.hasNext();) {
Entry entry = (Entry)iter.next();
uri = new URIBuilder(uri)
.setParameter(entry.getKey().toString(),
entry.getValue().toString())
.build();
}
request.append(uri);
headerString.append(HTTPMethod.toUpperCase().trim() + "\n\n\n");
OffsetDateTime dateTime = OffsetDateTime.now(ZoneId.of("GMT"));
DateTimeFormatter formatter = DateTimeFormatter.RFC_1123_DATE_TIME;
String date = dateTime.format(formatter);
headerString.append(date + "\n");
headerString.append(requestPath);
if (HTTPMethod.equalsIgnoreCase("PUT")){
httpRequest = new HttpPut(uri);
} else if (HTTPMethod.equalsIgnoreCase("POST")){
httpRequest = new HttpPost(uri);
} else if (HTTPMethod.equalsIgnoreCase("GET")){
httpRequest = new HttpGet(uri);
} else if (HTTPMethod.equalsIgnoreCase("DELETE")){
httpRequest = new HttpDelete(uri);
} else {
System.err.println("The HTTP Method must be PUT,
POST, GET or DELETE.");
throw new IOException();
}
httpRequest.addHeader("Date", date);
httpRequest.addHeader("Authorization", "AWS " + this.getAccessKey()
+ ":" + base64Sha1Hmac(headerString.toString(),
this.getSecretKey()));
httpclient = HttpClients.createDefault();
httpResponse = httpclient.execute(httpRequest);
} catch (URISyntaxException e){
System.err.println("The URI is not formatted properly.");
e.printStackTrace();
} catch (IOException e){
System.err.println("There was an error making the request.");
e.printStackTrace();
}
return httpResponse;
}
/*
* Takes a uri and a secret key and returns a base64-encoded
* SHA-1 HMAC.
*/
public String base64Sha1Hmac(String uri, String secretKey) {
try {
byte[] keyBytes = secretKey.getBytes("UTF-8");
SecretKeySpec signingKey = new SecretKeySpec(keyBytes, "HmacSHA1");
Mac mac = Mac.getInstance("HmacSHA1");
mac.init(signingKey);
byte[] rawHmac = mac.doFinal(uri.getBytes("UTF-8"));
Encoder base64 = Base64.getEncoder();
return base64.encodeToString(rawHmac);
} catch (Exception e) {
throw new RuntimeException(e);
}
}
}
后续 CephAdminAPIClient 示例演示了如何实例化 CephAdminAPI 类、构建请求参数映射,并使用 execute () 方法来创建、获取、更新和删除用户。
示例
import java.io.IOException;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.HttpEntity;
import org.apache.http.util.EntityUtils;
import java.util.*;
public class CephAdminAPIClient {
public static void main (String[] args){
CephAdminAPI adminApi = new CephAdminAPI ("FFC6ZQ6EMIF64194158N",
"Xac39eCAhlTGcCAUreuwe1ZuH5oVQFa51lbEMVoT",
"ceph-client");
/*
* Create a user
*/
Map requestArgs = new HashMap();
requestArgs.put("access", "usage=read, write; users=read, write");
requestArgs.put("display-name", "New User");
requestArgs.put("email", "new-user@email.com");
requestArgs.put("format", "json");
requestArgs.put("uid", "new-user");
CloseableHttpResponse response =
adminApi.execute("PUT", "/admin/user", null, requestArgs);
System.out.println(response.getStatusLine());
HttpEntity entity = response.getEntity();
try {
System.out.println("\nResponse Content is: "
+ EntityUtils.toString(entity, "UTF-8") + "\n");
response.close();
} catch (IOException e){
System.err.println ("Encountered an I/O exception.");
e.printStackTrace();
}
/*
* Get a user
*/
requestArgs = new HashMap();
requestArgs.put("format", "json");
requestArgs.put("uid", "new-user");
response = adminApi.execute("GET", "/admin/user", null, requestArgs);
System.out.println(response.getStatusLine());
entity = response.getEntity();
try {
System.out.println("\nResponse Content is: "
+ EntityUtils.toString(entity, "UTF-8") + "\n");
response.close();
} catch (IOException e){
System.err.println ("Encountered an I/O exception.");
e.printStackTrace();
}
/*
* Modify a user
*/
requestArgs = new HashMap();
requestArgs.put("display-name", "John Doe");
requestArgs.put("email", "johndoe@email.com");
requestArgs.put("format", "json");
requestArgs.put("uid", "new-user");
requestArgs.put("max-buckets", "100");
response = adminApi.execute("POST", "/admin/user", null, requestArgs);
System.out.println(response.getStatusLine());
entity = response.getEntity();
try {
System.out.println("\nResponse Content is: "
+ EntityUtils.toString(entity, "UTF-8") + "\n");
response.close();
} catch (IOException e){
System.err.println ("Encountered an I/O exception.");
e.printStackTrace();
}
/*
* Create a subuser
*/
requestArgs = new HashMap();
requestArgs.put("format", "json");
requestArgs.put("uid", "new-user");
requestArgs.put("subuser", "foobar");
response = adminApi.execute("PUT", "/admin/user", "subuser", requestArgs);
System.out.println(response.getStatusLine());
entity = response.getEntity();
try {
System.out.println("\nResponse Content is: "
+ EntityUtils.toString(entity, "UTF-8") + "\n");
response.close();
} catch (IOException e){
System.err.println ("Encountered an I/O exception.");
e.printStackTrace();
}
/*
* Delete a user
*/
requestArgs = new HashMap();
requestArgs.put("format", "json");
requestArgs.put("uid", "new-user");
response = adminApi.execute("DELETE", "/admin/user", null, requestArgs);
System.out.println(response.getStatusLine());
entity = response.getEntity();
try {
System.out.println("\nResponse Content is: "
+ EntityUtils.toString(entity, "UTF-8") + "\n");
response.close();
} catch (IOException e){
System.err.println ("Encountered an I/O exception.");
e.printStackTrace();
}
}
}
其它资源
- 如需了解更多详细信息,请参阅 Red Hat Ceph Storage Developer Guide 中的 S3 身份验证 部分。
- 有关 Amazon S3 身份验证流程的更广泛的解释,请参阅 Amazon Simple Storage Service 文档中的 Signing and Authenticating REST Requests 部分。
