CloudBerry Explorer with IBM Spectrum Scale

Steps to enable CloudBerry explorer to use Object Storage from IBM Spectrum Scale

Prerequisite:
IBM Spectrum Scale 4.2.2 with Object service enabled.
CloudBerry Explorer for Openstack Storage – Build-1.6.2.63

  1. Verify that IBM Spectrum Scale Object storage is enabled by running the following commands
    [root@c1n3 ~]# mmces service list
    Enabled services: OBJ
    OBJ is running

    [root@c1n3 ~]# mmuserauth service list --data-access-method object
    OBJECT access configuration : LOCAL
    PARAMETERS               VALUES
    -------------------------------------------------
    ENABLE_KS_SSL            false
    ENABLE_KS_CASIGNING      false
    KS_ADMIN_USER            none

  2. Configure CloudBerry Explorer with IBM Spectrum Scale Object Storage
    (this step is shown as a series of screenshots in the original post)
  3. List/create/upload containers and objects using the Swift client
    [root@c1n3 ~]# swift list
    myFirstContainerFromCloudBerry

    [root@c1n3 ~]# swift post containerFromWwiftClient

    [root@c1n3 ~]# swift list
    containerFromWwiftClient
    myFirstContainerFromCloudBerry

    [root@c1n3 ~]# swift upload myFirstContainerFromCloudBerry anaconda-ks.cfg
    anaconda-ks.cfg

  4. View objects/containers from CloudBerry Explorer
    (shown as a screenshot in the original post)

 

“These are my personal views and do not necessarily reflect that of my employer”

Configuring IBM Spectrum Scale Object with SSL enabled External Keystone server

Prerequisite:

  • IBM Spectrum Scale 4.2.1.x
  • SSL-enabled Keystone server.
  • A swift user with a valid password that has the 'admin' role in the 'service' tenant of the 'default' domain on the external Keystone server

Endpoints on the external Keystone server will look like this:

[root@externalKeystone ~]# openstack endpoint list
+----------------------------------+-----------+--------------+--------------+---------+-----------+-----------------------------------------+
| ID                               | Region    | Service Name | Service Type | Enabled | Interface | URL                                     |
+----------------------------------+-----------+--------------+--------------+---------+-----------+-----------------------------------------+
| 78cd570651f34b848890687c4f1578a9 | None      | keystone     | identity     | True    | public    | https://cesip:5000/                     |
| ff82aa833eec42b7a345a1c029b74959 | None      | keystone     | identity     | True    | internal  | https://cesip:35357/                    |
| 692c4bb6c4a14ece9f810ba4fc1944f1 | None      | keystone     | identity     | True    | admin     | https://cesip:35357/                    |
| 52b559474c03454eaef67af14a3c4afe | RegionOne | swift        | object-store | True    | public    | http://c1ces:8080/v1/AUTH_%(tenant_id)s |
| ed14c1c50f3242a0aed61b9ccdfc8c4d | RegionOne | swift        | object-store | True    | internal  | http://c1ces:8080/v1/AUTH_%(tenant_id)s |
| f26a242b71b34128abf87cbc1e8937aa | RegionOne | swift        | object-store | True    | admin     | http://c1ces:8080                       |
+----------------------------------+-----------+--------------+--------------+---------+-----------+-----------------------------------------+

 

On IBM Spectrum Scale, Object will already be configured.
Remove the current Object authentication and ID mapping using the following commands.

[root@c1n3 ~]# mmuserauth service remove --data-access-method object
mmuserauth service remove: Command successfully completed

[root@c1n3 ~]# mmuserauth service remove --data-access-method object --idmapdelete
mmuserauth service remove: Command successfully completed

Copy the CA certificate used on the external Keystone server to the protocol node of IBM Spectrum Scale at the following location.

[root@c1n3 ~]# ls /var/mmfs/tmp/ks_ext_cacert.pem
/var/mmfs/tmp/ks_ext_cacert.pem

Run the mmuserauth command on the protocol node where the CA certificate was copied.

[root@c1n3 ~]# mmuserauth service create --data-access-method object --type userdefined --ks-swift-user swift --ks-swift-pwd passw0rd --ks-ext-endpoint https://cesip:5000/v3 --enable-ks-ssl
mmcesobjcrbase: Validating execution environment.
mmcesobjcrbase: Validating Keystone environment.
mmcesobjcrbase: Configuration complete.
Object authentication configuration completed successfully.

Note: The external Keystone server must be reachable from the protocol nodes using the hostname for which the external Keystone SSL certificate was issued. The hostname in the Keystone endpoints must also match the hostname used when creating the SSL certificate.

IBM Spectrum Scale Object is now configured with the SSL-enabled external Keystone server.

The ~/openrc file on the protocol node will be updated with the details of the external Keystone.

[root@c1n3 ~]# cat openrc
export OS_AUTH_URL="https://cesip:5000/v3"
export OS_CACERT="/etc/swift/ks_ext_cacert.pem"
export OS_IDENTITY_API_VERSION=3
export OS_AUTH_VERSION=3
export OS_USERNAME="admin"
export OS_PASSWORD=""
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_PROJECT_DOMAIN_NAME=Default

Update ~/openrc with a valid username and password from the external Keystone server.

[root@c1n3 ~]# source ~/openrc

Verify that IBM Spectrum Scale Object is working with the external Keystone server.

[root@c1n3 ~]# swift stat
Account: AUTH_0557d5eb51294e48b1c5041c684b4f66
Containers: 0
Objects: 0
Bytes: 0
Content-Type: text/plain; charset=utf-8
Keep-Alive: timeout=5, max=100
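An added check for the openrc step above (my own example, not code from the original post or from IBM's tooling): it parses ~/openrc as rendered here and reports anything that would make `swift stat` fail against the SSL-enabled Keystone. `cert_hostnames` is an assumed input, the names the external Keystone's server certificate was issued for.

```python
import re
from urllib.parse import urlsplit

# Constructed sample modelled on the ~/openrc shown above: the blog's smart quotes, the
# unclosed quote on OS_AUTH_URL and the empty OS_PASSWORD are all kept on purpose.
SAMPLE_OPENRC = """
export OS_AUTH_URL=”https://cesip:5000/v3
export OS_CACERT=”/etc/swift/ks_ext_cacert.pem”
export OS_IDENTITY_API_VERSION=3
export OS_AUTH_VERSION=3
export OS_USERNAME=”admin”
export OS_PASSWORD=””
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_PROJECT_DOMAIN_NAME=Default
"""
QUOTES = str.maketrans({"\u201c": '"', "\u201d": '"', "\u2018": "'", "\u2019": "'"})

def parse_openrc(text):
    """Return {VAR: value} from 'export VAR=value' lines, tolerating smart/unbalanced quotes."""
    env = {}
    for line in text.translate(QUOTES).splitlines():
        m = re.match(r"\s*export\s+(\w+)=(.*)$", line)
        if m:
            env[m.group(1)] = m.group(2).strip().strip("\"'")
    return env

def check_openrc(env, cert_hostnames):
    """List what would make `source ~/openrc; swift stat` fail against an SSL Keystone; [] is good."""
    problems = []
    url = urlsplit(env.get("OS_AUTH_URL", ""))
    if url.scheme != "https":
        problems.append("OS_AUTH_URL must use https when Keystone was registered with --enable-ks-ssl")
    if not url.path.rstrip("/").endswith("/v3"):
        problems.append("OS_AUTH_URL should end with /v3 to match OS_IDENTITY_API_VERSION=3")
    if url.scheme == "https" and not env.get("OS_CACERT"):
        problems.append("OS_CACERT must point at the CA certificate copied from the Keystone server")
    # The endpoint hostname must be one the server certificate was issued for (see the note above).
    if url.hostname and url.hostname not in cert_hostnames:
        problems.append(f"host {url.hostname!r} is not among the certificate names {sorted(cert_hostnames)}")
    for var in ("OS_USERNAME", "OS_PASSWORD", "OS_PROJECT_NAME"):
        if not env.get(var):
            problems.append(f"{var} is empty; fill in a valid account from the external Keystone")
    return problems
```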


Running Openstack-Keystone under Apache

  1. Install the Keystone and Apache (httpd) packages
    [root@deepaknode1 ~]# yum install openstack-keystone openstack-utils openldap-clients python-openstackclient httpd mod_wsgi -y
  2. Copy keystone.py into the httpd configuration
    [root@deepaknode1 ~]# mkdir /var/www/cgi-bin/keystone

    [root@deepaknode1 ~]# cp /usr/lib/python2.7/site-packages/keystone/httpd/keystone.py /var/www/cgi-bin/keystone/admin

    [root@deepaknode1 ~]# cp /usr/lib/python2.7/site-packages/keystone/httpd/keystone.py /var/www/cgi-bin/keystone/main

  3. Create /etc/httpd/conf.d/wsgi-keystone.conf with the following content
    [root@deepaknode1 ~]# cat /etc/httpd/conf.d/wsgi-keystone.conf
    WSGISocketPrefix /var/run/wsgi
    SetEnv APACHE_RUN_USER keystone
    SetEnv APACHE_RUN_GROUP keystone
    Listen 5000
    <VirtualHost *:5000>
    WSGIDaemonProcess keystone-public user=keystone group=keystone display-name=keystone-public
    WSGIProcessGroup keystone-public
    WSGIImportScript /var/www/cgi-bin/keystone/main process-group=keystone-public application-group=%{GLOBAL}
    WSGIScriptAlias / /var/www/cgi-bin/keystone/main
    ErrorLog /var/log/keystone/httpd-error.log
    LogLevel info
    CustomLog /var/log/keystone/httpd-access.log combined
    LimitRequestBody 16384
    </VirtualHost>

    Listen 35357
    <VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin user=keystone group=keystone display-name=keystone-admin
    WSGIProcessGroup keystone-admin
    WSGIImportScript /var/www/cgi-bin/keystone/main process-group=keystone-admin application-group=%{GLOBAL}
    WSGIScriptAlias / /var/www/cgi-bin/keystone/admin
    ErrorLog /var/log/keystone/httpd-error.log
    LogLevel info
    CustomLog /var/log/keystone/httpd-access.log combined
    LimitRequestBody 16384
    </VirtualHost>

  4. Start the httpd service. Make sure the openstack-keystone service is not running.
    [root@deepaknode1 ~]# service httpd start
    [root@deepaknode3 ~]# service httpd status
    Redirecting to /bin/systemctl status httpd.service
    …..
    Main PID: 16430 (httpd)
    CGroup: /system.slice/httpd.service
    ├─14749 keystone-public -DFOREGROUND
    ├─14750 keystone-admin -DFOREGROUND
    ├─14755 /usr/sbin/httpd -DFOREGROUND
    ├─14756 /usr/sbin/httpd -DFOREGROUND
    ├─14757 /usr/sbin/httpd -DFOREGROUND
  5. Continue with the remaining OpenStack Keystone configuration (database setup, user/project/role/service/endpoint creation).
    Refer to https://deepakrghuge.wordpress.com/2015/10/06/configure-openstack-keystone-for-ibm-spectrum-scale-object-storage/ for the remaining setup. Just make sure to use httpd.service to start/stop the Keystone service instead of openstack-keystone.service.


Setting up Openstack Keystone with Kerberos

Prerequisite:
– Kerberos server (MIT Kerberos)
– Keystone server with Apache (Red Hat 7.*)

1. On Kerberos Server

Add/create a new principal for the Keystone service with the Kerberos server hostname.

[root@krbserver ~]# kadmin.local
Authenticating as principal root/admin@PUNE-KDC.COM with password.
kadmin.local: addprinc -randkey HTTP/spectrumscale1
kadmin.local: ktadd -k /tmp/http.keytab HTTP/spectrumscale1

Copy /tmp/http.keytab to the Keystone server as /etc/httpd/conf/httpd.keytab

2. On Keystone Server

  1. Install the Apache Kerberos module
    [root@KeystoneServer ~]# yum install mod_auth_kerb -y

  2. Update wsgi-keystone.conf with the Kerberos configuration
    [root@KeystoneServer ~]# cat /etc/httpd/conf.d/wsgi-keystone.conf
    LoadModule auth_kerb_module modules/mod_auth_kerb.so
    WSGISocketPrefix /var/run/wsgi
    SetEnv APACHE_RUN_USER keystone
    SetEnv APACHE_RUN_GROUP keystone
    <VirtualHost *:5000>
    WSGIDaemonProcess keystone-public user=keystone group=keystone display-name=keystone-public
    WSGIProcessGroup keystone-public
    WSGIImportScript /var/www/cgi-bin/keystone/main process-group=keystone-public application-group=%{GLOBAL}
    WSGIScriptAlias /krb "/var/www/cgi-bin/keystone/main"
    WSGIScriptAlias / "/var/www/cgi-bin/keystone/main"
    <Location "/krb/v3/auth/tokens">
    LogLevel debug
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate on
    KrbMethodK5Passwd off
    KrbServiceName HTTP/spectrumscale1
    KrbAuthRealms PUNE-KDC.COM
    Krb5KeyTab /etc/httpd/conf/httpd.keytab
    KrbLocalUserMapping on
    require valid-user
    </Location>
    ErrorLog /var/log/keystone/httpd-error.log
    LogLevel info
    CustomLog /var/log/keystone/httpd-access.log combined
    LimitRequestBody 16384
    </VirtualHost>

    Listen 35357

    <VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin user=keystone group=keystone display-name=keystone-admin
    WSGIProcessGroup keystone-admin
    WSGIImportScript /var/www/cgi-bin/keystone/main process-group=keystone-admin application-group=%{GLOBAL}
    WSGIScriptAlias /krb "/var/www/cgi-bin/keystone/admin"
    WSGIScriptAlias / "/var/www/cgi-bin/keystone/admin"
    <Location "/krb/v3/auth/tokens">
    LogLevel debug
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate on
    KrbMethodK5Passwd off
    KrbServiceName HTTP/spectrumscale1
    KrbAuthRealms PUNE-KDC.COM
    Krb5KeyTab /etc/httpd/conf/httpd.keytab
    KrbLocalUserMapping on
    require valid-user
    </Location>
    ErrorLog /var/log/keystone/httpd-error.log
    LogLevel info
    CustomLog /var/log/keystone/httpd-access.log combined
    LimitRequestBody 16384
    </VirtualHost>

  3. Install the Kerberos client package
    yum install krb5-workstation -y

  4. Configure the Kerberos client (as per your environment)
    [root@KeystoneServer ~]# cat /etc/krb5.conf
    [logging]

    [libdefaults]

    default_realm = PUNE-KDC.COM
    [realms]
    PUNE-KDC.COM = {
    kdc = krbserver.in.ibm.com:88
    admin_server = krbserver.in.ibm.com:749

    }
    [domain_realm]
    in.ibm.com = PUNE-KDC.COM
    .in.ibm.com = PUNE-KDC.COM

  5. Get a Kerberos ticket for the user
    [root@KeystoneServer ~]# kinit userrw
    Password for userrw@PUNE-KDC.COM:
    [root@KeystoneServer ~]# klist
    Ticket cache: KEYRING:persistent:0:0
    Default principal: userrw@PUNE-KDC.COM
    Valid starting       Expires              Service principal
    2016-02-26T12:17:28  2016-02-27T11:45:15  krbtgt/PUNE-KDC.COM@PUNE-KDC.COM
        renew until 2016-02-26T12:17:28

  6. Curl request for a Keystone token without a username and password
    [root@KeystoneServer ~]# curl -i -H "Content-Type:application/json" --negotiate -u : -d '{ "auth": { "identity": { "methods": []}, "scope": { "project": { "domain": { "name": "Default" }, "name": "admin" } } } }' -X POST http://SpectrumScale1:5000/krb/v3/auth/tokens
    HTTP/1.1 401 Unauthorized
    Date: Tue, 01 Mar 2016 07:35:52 GMT
    Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips mod_auth_kerb/5.4 PHP/5.4.16 mod_wsgi/3.4 Python/2.7.5
    WWW-Authenticate: Negotiate
    Content-Length: 381
    Content-Type: text/html; charset=iso-8859-1
    HTTP/1.1 201 Created
    Date: Tue, 01 Mar 2016 07:35:52 GMT
    Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips mod_auth_kerb/5.4 PHP/5.4.16 mod_wsgi/3.4 Python/2.7.5
    X-Subject-Token: MIIHuQYJKoZIhvcNAQcCoIIHVqXmOQZM5KBfGnHhW3FMJW7nXDAELZ0X2s2WO9e6w==
    Vary: X-Auth-Token
    x-openstack-request-id: req-d6738e8b-b9b6-42e7-a615-ae03c8eb563e
    WWW-Authenticate: Negotiate YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvwFfLUoOfh04
    …………
    …………
    3Tg5Ts8goQatVJ5JEnCYqkXIo8Yk5vYB7BWto2FRhDKzcAp75Qqciv6DgT8gnc6
    Content-Length: 1634
    Content-Type: application/json
    {"token": {"methods": [], "roles": [{"id": "e23776346ab747f4bddf7f056b8d62c9", "name": "admin"}], "expires_at": "2016-03-31T07:35:52.528404Z", "project": {"domain": {"id": "default", "name": "Default"}, "id": "bb86db4204e84b4b857241a0b23a62fb", "name": "admin"}, "catalog": [{"endpoints": [{"region_id": null, "url": "http://SpectrumScale1:35357/", "region": null, "interface": "admin", "id": "1bd1b57b2cb14e74b5864261588a1e57"}, {"region_id": null, "url": "http://SpectrumScale1:35357/", "region": null, "interface": "internal", "id": "43472eb0474d469c90d85a4dc7c6058d"}, {"region_id": null, "url": "http://SpectrumScale1:5000/", "region": null, "interface": "public", "id": "6a9c87ec04f3480eb254568b60b8db07"}], "type": "identity", "id": "7a22d7f78b224843811ef0708431eb46", "name": "keystone"}], "extras": {}, "user": {"domain": {"id": "default", "name": "Default"}, "id": "userrw", "name": "userrw"}, "audit_ids": ["rcLqPQp5T6y9hKu12Tle2g"], "issued_at": "2016-03-01T07:35:52.528436Z"}}
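An added lint (example code, not from the original post) for the wsgi-keystone.conf shown in this section and in the "Running Openstack-Keystone under Apache" section above: it parses the vhost file and flags a WSGI daemon that does not run as the keystone user, or a Kerberos-protected Location that is not Negotiate-only. SAMPLE_CONF is a constructed excerpt seeded with both problems.

```python
# Constructed excerpt modelled on this page's wsgi-keystone.conf (smart quotes kept as the blog
# rendered them); the daemon user and KrbMethodK5Passwd are deliberately wrong so the lint fires.
SAMPLE_CONF = """
<VirtualHost *:5000>
WSGIDaemonProcess keystone-public user=apache group=apache
<Location “/krb/v3/auth/tokens”>
AuthType Kerberos
KrbMethodNegotiate on
KrbMethodK5Passwd on
Krb5KeyTab /etc/httpd/conf/httpd.keytab
require valid-user
</Location>
LimitRequestBody 16384
</VirtualHost>
"""
QUOTES = str.maketrans({"\u201c": '"', "\u201d": '"'})

def parse_apache(text):
    """Line-based parse of <Section arg> ... </Section> blocks into nested nodes."""
    root = {"tag": "root", "arg": "", "directives": [], "children": []}
    stack = [root]
    for line in (raw.strip() for raw in text.translate(QUOTES).splitlines() if raw.strip() and not raw.lstrip().startswith("#")):
        if line.startswith("</"):
            stack.pop()  # close the current section
        elif line.startswith("<"):
            tag, _, arg = line[1:-1].partition(" ")
            node = {"tag": tag, "arg": arg.strip().strip('"'), "directives": [], "children": []}
            stack[-1]["children"].append(node)
            stack.append(node)
        else:
            name, _, args = line.partition(" ")
            stack[-1]["directives"].append((name.lower(), args.strip()))
    return root

def directive(node, name):
    """Value of the first directive `name` (case-insensitive) in node, else None."""
    return next((a for n, a in node["directives"] if n == name.lower()), None)

def lint_keystone_vhosts(text):
    """Return findings for every VirtualHost and Kerberos-protected Location; [] means clean."""
    findings = []
    for vh in (c for c in parse_apache(text)["children"] if c["tag"] == "VirtualHost"):
        proc = directive(vh, "WSGIDaemonProcess") or ""
        if "user=keystone" not in proc or "group=keystone" not in proc:
            findings.append(f"{vh['arg']}: WSGIDaemonProcess must run as user=keystone group=keystone")
        for loc in (c for c in vh["children"] if c["tag"] == "Location" and directive(c, "AuthType") == "Kerberos"):
            # Negotiate only: K5Passwd off keeps Apache from accepting a Basic-auth password fallback
            for name, want in (("KrbMethodNegotiate", "on"), ("KrbMethodK5Passwd", "off"), ("require", "valid-user")):
                if (directive(loc, name) or "").lower() != want:
                    findings.append(f"{vh['arg']} {loc['arg']}: expected '{name} {want}'")
    return findings
```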
