Configuring tenant accounts and connections
Configuring StorageGRID to accept connections from client applications requires creating one or more tenant accounts and setting up the connections.
Creating and configuring S3 tenant accounts
An S3 tenant account is required before S3 API clients can store and retrieve objects on StorageGRID. Each tenant account has its own account ID, groups and users, and containers and objects.
S3 tenant accounts are created by a StorageGRID grid administrator using the Grid Manager or the Grid Management API. When creating an S3 tenant account, the grid administrator specifies the following information:
-
Display name for the tenant (the tenant's account ID is assigned automatically and cannot be changed).
-
Whether the tenant account is allowed to use platform services. If the use of platform services is allowed, the grid must be configured to support their use.
-
Optionally, a storage quota for the tenant account—the maximum number of gigabytes, terabytes, or petabytes available for the tenant's objects. A tenant's storage quota represents a logical amount (object size), not a physical amount (size on disk).
-
If identity federation is enabled for the StorageGRID system, which federated group has Root Access permission to configure the tenant account.
-
If single sign-on (SSO) is not in use for the StorageGRID system, whether the tenant account will use its own identity source or share the grid's identity source, and the initial password for the tenant's local root user.
After an S3 tenant account is created, tenant users can access the Tenant Manager to perform tasks such as the following:
-
Set up identity federation (unless the identity source is shared with the grid), and create local groups and users
-
Manage S3 access keys
-
Create and manage S3 buckets, including buckets that have S3 Object Lock enabled
-
Use platform services (if enabled)
-
Monitor storage usage
S3 tenant users can create and manage S3 buckets with the Tenant Manager, but they must have S3 access keys and use the S3 REST API to ingest and manage objects. |
How client connections can be configured
A grid administrator makes configuration choices that affect how S3 clients connect to StorageGRID to store and retrieve data. The specific information you need to make a connection depends upon the configuration that was chosen.
Client applications can store or retrieve objects by connecting to any of the following:
-
The Load Balancer service on Admin Nodes or Gateway Nodes, or optionally, the virtual IP address of a high availability (HA) group of Admin Nodes or Gateway Nodes
-
The CLB service on Gateway Nodes, or optionally, the virtual IP address of a high availability group of Gateway Nodes
The CLB service is deprecated. Clients configured before the StorageGRID 11.3 release can continue to use the CLB service on Gateway Nodes. All other client applications that depend on StorageGRID to provide load balancing should connect using the Load Balancer service. -
Storage Nodes, with or without an external load balancer
When configuring StorageGRID, a grid administrator can use the Grid Manager or the Grid Management API to perform the following steps, all of which are optional:
-
Configure endpoints for the Load Balancer service.
You must configure endpoints to use the Load Balancer service. The Load Balancer service on Admin Nodes or Gateway Nodes distributes incoming network connections from client applications to Storage Nodes. When creating a load balancer endpoint, the StorageGRID administrator specifies a port number, whether the endpoint accepts HTTP or HTTPS connections, the type of client (S3 or Swift) that will use the endpoint, and the certificate to be used for HTTPS connections (if applicable).
-
Configure Untrusted Client Networks.
If a StorageGRID administrator configures a node's Client Network to be untrusted, the node only accepts inbound connections on the Client Network on ports that are explicitly configured as load balancer endpoints.
-
Configure high availability groups.
If an administrator creates an HA group, the network interfaces of multiple Admin Nodes or Gateway Nodes are placed into an active-backup configuration. Client connections are made using the virtual IP address of the HA group.
For more information about each option, see the instructions for administering StorageGRID.
Summary: IP addresses and ports for client connections
Client applications connect to StorageGRID using the IP address of a grid node and the port number of a service on that node. If high availability (HA) groups are configured, client applications can connect using the virtual IP address of the HA group.
Information required to make client connections
The table summarizes the different ways that clients can connect to StorageGRID and the IP addresses and ports that are used for each type of connection. Contact your StorageGRID administrator for more information, or see the instructions for administering StorageGRID for a description of how to find this information in the Grid Manager.
Where connection is made | Service that client connects to | IP address | Port |
---|---|---|---|
HA group |
Load Balancer |
Virtual IP address of an HA group |
|
HA group |
CLB Note: The CLB service is deprecated. |
Virtual IP address of an HA group |
Default S3 ports:
|
Admin Node |
Load Balancer |
IP address of the Admin Node |
|
Gateway Node |
Load Balancer |
IP address of the Gateway Node |
|
Gateway Node |
CLB Note: The CLB service is deprecated. |
IP address of the Gateway Node Note: By default, HTTP ports for CLB and LDR are not enabled. |
Default S3 ports:
|
Storage Node |
LDR |
IP address of Storage Node |
Default S3 ports:
|
Example
To connect an S3 client to the Load Balancer endpoint of an HA group of Gateway Nodes, use a URL structured as shown below:
-
https://VIP-of-HA-group:_LB-endpoint-port_
For example, if the virtual IP address of the HA group is 192.0.2.5 and the port number of an S3 Load Balancer endpoint is 10443, then an S3 client could use the following URL to connect to StorageGRID:
It is possible to configure a DNS name for the IP address that clients use to connect to StorageGRID. Contact your local network administrator.
Deciding to use HTTPS or HTTP connections
When client connections are made using a Load Balancer endpoint, connections must be made using the protocol (HTTP or HTTPS) that was specified for that endpoint. To use HTTP for client connections to Storage Nodes or to the CLB service on Gateway Nodes, you must enable its use.
By default, when client applications connect to Storage Nodes or the CLB service on Gateway Nodes, they must use encrypted HTTPS for all connections. Optionally, you can enable less-secure HTTP connections by selecting the Enable HTTP Connection grid option in the Grid Manager. For example, a client application might use HTTP when testing the connection to a Storage Node in a non-production environment.
Be careful when enabling HTTP for a production grid since requests will be sent unencrypted. |
The CLB service is deprecated. |
If the Enable HTTP Connection option is selected, clients must use different ports for HTTP than they use for HTTPS. See the instructions for administering StorageGRID.
Endpoint domain names for S3 requests
Before you can use S3 domain names for client requests, a StorageGRID administrator must configure the system to accept connections that use S3 domain names in S3 path-style and S3 virtual hosted-style requests.
To enable you to use S3 virtual hosted style-requests, a grid administrator must perform the following tasks:
-
Use the Grid Manager to add the S3 endpoint domain names to the StorageGRID system.
-
Ensure that the certificate the client uses for HTTPS connections to StorageGRID is signed for all domain names that the client requires.
For example, if the endpoint is
s3.company.com
, the grid administrator must ensure that the certificate used for HTTPS connections includes thes3.company.com
endpoint and the endpoint's wildcard Subject Alternative Name (SAN):*.s3.company.com
. -
Configure the DNS server used by the client to include DNS records that match the endpoint domain names, including any required wildcard records.
If the client connects using the Load Balancer service, the certificate that the grid administrator configures is the certificate for the load balancer endpoint that the client uses.
Each load balancer endpoint has its own certificate, and each endpoint can be configured to recognize different endpoint domain names. |
If the client connects Storage Nodes or to the CLB service on Gateway Nodes, the certificate that the grid administrator configures is the single custom server certificate used for the grid.
The CLB service is deprecated. |
See the instructions for administering StorageGRID for more information.
After these steps have been completed, you can use virtual hosted-style requests (for example, bucket.s3.company.com
).
Testing your S3 REST API configuration
You can use the Amazon Web Services Command Line Interface (AWS CLI) to test your connection to the system and to verify that you can read and write objects to the system.
-
You must have downloaded and installed the AWS CLI from aws.amazon.com/cli.
-
You must have created an S3 tenant account in the StorageGRID system.
-
Configure the Amazon Web Services settings to use the account you created in the StorageGRID system:
-
Enter configuration mode:
aws configure
-
Enter the AWS Access Key ID for the account you created.
-
Enter the AWS Secret Access key for the account you created.
-
Enter the default region to use, for example, us-east-1.
-
Enter the default output format to use, or press Enter to select JSON.
-
-
Create a bucket.
aws s3api --endpoint-url https://10.96.101.17:10443 --no-verify-ssl create-bucket --bucket testbucket
If the bucket is created successfully, the location of the bucket is returned, as seen in the following example:
"Location": "/testbucket"
-
Upload an object.
aws s3api --endpoint-url https://10.96.101.17:10443 --no-verify-ssl put-object --bucket testbucket --key s3.pdf --body C:\s3-test\upload\s3.pdf
If the object is uploaded successfully, an Etag is returned which is a hash of the object data.
-
List the contents of the bucket to verify that the object was uploaded.
aws s3api --endpoint-url https://10.96.101.17:10443 --no-verify-ssl list-objects --bucket testbucket
-
Delete the object.
aws s3api --endpoint-url https://10.96.101.17:10443 --no-verify-ssl delete-object --bucket testbucket --key s3.pdf
-
Delete the bucket.
aws s3api --endpoint-url https://10.96.101.17:10443 --no-verify-ssl delete-bucket --bucket testbucket