Use the CLI or the API to manage your accounts for S3 object access.
Before creating an account, after the S3 service instance is created, make sure that the directory
structure corresponding to the new account exists on the storage cluster with the appropriate user
ID and group ID.
On the storage cluster, you must have this directory and permissions set before it is passed to the
newBucketsPath parameter.
cd /<mount-point>/fs1
mkdir <create-user-dir>
chown -R uid:gid <preceding-dir-name>
As the IBM Storage Scale DAS administrator, you can get this directory
created by the storage cluster administrator with the appropriate user ID and group ID or you can
create it yourself. If you plan to use the newBucketsPath parameter, complete
this prerequisite step before creating user accounts.
Account directory in filesets: If you plan to use an account directory that is in a
fileset, the following considerations apply:
- You must change the ownership of the directory to the account user ID.
- If you have enabled SELinux on the storage cluster, you must set the SELinux context, because
the SELinux context inheritance breaks if the account directory is in a fileset.
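A pre-flight check for the prerequisite above, as an added example that is not part of the IBM documentation: it confirms that a directory intended for newBucketsPath is an absolute path, exists, and is owned by the account's uid:gid, because the path is not validated when the account is created. The function name check_new_buckets_path and its return codes are assumptions of this example, and it assumes GNU stat on the storage cluster node.

```shell
#!/bin/sh
# Added example (not IBM code): pre-flight check for a newBucketsPath value.
# Run it on the storage cluster before `mmdas account create`, because the
# path is not validated when the account is created.
# Assumes GNU coreutils stat (stat -c), as found on RHEL.
#
# Return codes (chosen for this example):
#   0 ok, 2 not an absolute path, 3 not an existing directory,
#   4 owner differs from the expected uid:gid

check_new_buckets_path() {
    cnbp_path=$1
    cnbp_uid=$2
    cnbp_gid=$3

    # newBucketsPath is a file system absolute path.
    case $cnbp_path in
        /*) ;;
        *)  echo "newBucketsPath must be absolute: $cnbp_path" >&2
            return 2 ;;
    esac

    # The directory must already exist on the storage cluster.
    if [ ! -d "$cnbp_path" ]; then
        echo "not an existing directory: $cnbp_path" >&2
        return 3
    fi

    # Ownership must match the --uid/--gid given to the account.
    cnbp_owner=$(stat -L -c '%u:%g' "$cnbp_path") || return 3
    if [ "$cnbp_owner" != "$cnbp_uid:$cnbp_gid" ]; then
        echo "owner is $cnbp_owner, expected $cnbp_uid:$cnbp_gid" >&2
        return 4
    fi

    # With SELinux enabled, show the context so it can be reviewed;
    # inheritance breaks for directories inside a fileset.
    if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled; then
        echo "SELinux context: $(stat -L -c '%C' "$cnbp_path")" >&2
    fi
    return 0
}

# Usage: sh check_path.sh /mnt/fs1/fset1/user1_buckets 888 777
if [ "$#" -eq 3 ]; then
    check_new_buckets_path "$1" "$2" "$3"
fi
```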
Use the following information to create, list, update, or delete your accounts for S3 object
access.
- Create an IBM Storage Scale DAS S3 object user account as follows:
- CLI
mmdas account create s3user --gid 777 --uid 888 --newBucketsPath "/mnt/fs1/fset1/user1_buckets"
In this command example, the following parameters are specified:
- --newBucketsPath: File system absolute path for creating new exports for the S3 user account
that you want to create.
Note: When you specify this parameter for creating an account, the specified path is not
validated. If the specified path is not valid, an error occurs when you try to create an export.
Administrators must specify the newBucketsPath to enable S3 accounts of end
users to create exports using the S3 IO path. If newBucketsPath is not
specified for an S3 account, by default, the S3 user cannot create new exports and gets the
AccessDenied error while trying to create an export using the S3 IO path.
- --uid: User ID that is associated with the S3 user account that you want to create.
- --gid: Group ID that is associated with the S3 user account that you want to create.
A sample output is as follows:
Account is created successfully. The secret and access keys are as follows.
Secret Key                                 Access Key
----------                                 -----------
q2F4l5tt8/8mFXt8YOroVrUPx80TW6dlrVYm/zGO   47al0MTOuj98WkgHWmti
- REST API
curl -k -X POST -H "Content-Type: application/json" -H "Authorization: Basic czMtYWRtaW46UGFzc3cwcmQ=" https://<ibm-spectrumscale_host>/scalemgmt/v2/das/accounts/ \
-d '{"name":"s3user","uid":5001,"gid":500,"newBucketsPath":"/mnt/fs1/fset1/s3user_bucket1"}'
A sample output is as follows:
{"access_key":"UTnMjG1MUTMyXug8U6aT","secret_key":"PfaJm8ueu+4NrlgF8HI4Y8HrpZOElVJg8kVb0Fp+"}
Note: The variable <ibm-spectrumscale_host> in the request URL must be replaced with the route
host. Obtain the route host by using the following command from a node that is configured to work
with the Red Hat OpenShift Container Platform (OCP) cluster:
oc get route ibm-spectrum-scale-gui -n <IBM Storage Scale namespace> -o json | jq .spec.host
For example,
oc get route ibm-spectrum-scale-gui -n ibm-spectrum-scale -o json | jq .spec.host
A sample output is as follows:
"ibm-spectrum-scale-gui-ibm-spectrum-scale.example.com"
- List the account information for IBM Storage Scale DAS S3 object user accounts as follows:
- CLI
mmdas account list
A sample output is as follows:
Name     UID  GID  New buckets path
----     ---  ---  -----------------
s3user1  888  777  /mnt/fs1/fset1/user1_buckets/s3user1_buckets
s3user2  679  629  /mnt/fs1/fset1/user1_buckets/s3user2_buckets
s3user3  478  128  /mnt/fs1/fset1/user1_buckets/s3user3_buckets
s3user4  471  127  /mnt/fs1/fset1/user1_buckets/s3user4_buckets
s3user5  431  124  /mnt/fs1/fset1/user1_buckets/s3user5_buckets
To list the detailed information for a specified S3 object user account in the JSON format, issue
the following command:
mmdas account list s3user1 -o json
A sample output is as follows:
{"name":"s3user1",
"uid":888,
"gid":777,
"new_buckets_path":"/mnt/fs1/fset1/user1_buckets/s3user1_buckets",
"access_key":"47al0MTOuj98WkgHWmti",
"secret_key":"q2F4l5tt8/8mFXt8YOroVrUPx80TW6dlrVYm/zGO"}
Note: The access key and the secret key that are associated with an S3 object user account are
only displayed in the output if you specify an account name with this command. If you specify
UserID:GroupID with this command, they are not displayed.
- REST API
curl -k -X GET -H "Authorization: Basic czMtYWRtaW46UGFzc3cwcmQ=" -H "accept: application/json" https://<ibm-spectrumscale_host>/scalemgmt/v2/das/accounts
A sample output is as follows:
[
{
"gid": 52,
"name": "s3user1",
"newBucketsPath": "/mnt/fs1/fset1/s3user1_bucket1",
"uid": 51
},
{
"gid": 101,
"name": "s3user2",
"newBucketsPath": "/mnt/fs1/fset1/s3user2_bucket1",
"uid": 1003
},
{
"gid": 101,
"name": "s3user3",
"newBucketsPath": "/mnt/fs1/fset1/s3user3_bucket1",
"uid": 1001
},
{
"gid": 101,
"name": "s3user4",
"newBucketsPath": "/mnt/fs1/fset1/s3user4_bucket1",
"uid": 1001
}
]
- Update the IBM Storage Scale DAS S3 object user account as follows:
- CLI
mmdas account update s3user2 --newBucketsPath "/mnt/fs1/fset1/sharedBuckets" --resetKeys
This command updates the bucket path and resets the access and secret keys. A sample output is as
follows:
Account is successfully updated
- REST API
curl -k -X POST -H "Content-Type: application/json" -H "Authorization: Basic czMtYWRtaW46UGFzc3cwcmQ=" https://<ibm-spectrumscale_host>/scalemgmt/v2/das/accounts/ \
-d '{"name":"s3user2", "newBucketsPath":"/mnt/fs1/fset1/sharedBuckets","resetKeys":true}'
- Delete an IBM Storage Scale DAS S3 object user account as follows:
Note: You can delete an account only if the exports (buckets) corresponding to the account are
deleted.
- CLI
mmdas account delete s3user1
A sample output is as follows:
Account is successfully deleted
- REST API
curl -k -X DELETE -H "Authorization: Basic czMtYWRtaW46UGFzc3cwcmQ=" https://<ibm-spectrumscale_host>/scalemgmt/v2/das/accounts/s3user1