
What caps mean for rgw users

2025-03-01 Update From: SLTechnology News&Howtos

Shulou(Shulou.com) 05/31

This article explains what caps refer to for rgw users, analyzed from a practical point of view. I hope you get something out of it.

The following command adds all caps to a user. A user holding a cap can operate not only on their own buckets and objects but also on other users and their resources, acting as an administrator.

    radosgw-admin caps add --uid=admin --caps="users=*;buckets=*;metadata=*;usage=*;zone=*"

* stands for read and write

You can grant different caps to different users as follows, but granting any caps to ordinary users is not recommended.

testcaps1 user:

    radosgw-admin caps add --uid=testcaps1 --caps="users=*"

testcaps2 user:

    radosgw-admin caps add --uid=testcaps2 --caps="buckets=*"

testcaps3 user:

    radosgw-admin caps add --uid=testcaps3 --caps="metadata=*"

testcaps4 user:

    radosgw-admin caps add --uid=testcaps4 --caps="usage=*"

testcaps5 user:

    radosgw-admin caps add --uid=testcaps5 --caps="zone=*"

Compare with the documentation at http://docs.ceph.com/docs/jewel/radosgw/adminops/

cap is usage=read

Users with usage=read can call the usage interface of the admin REST API to view usage statistics.

So only testcaps4 can.

    GET /admin/usage?format=json&start=2016-07-26%2013:00:00&show-entries=True&show-summary=True HTTP/1.1
    Host: yuliyangdebugweb68.tunnel.qydev.com
    User-Agent: python-requests/2.10.0
    Accept: */*
    Accept-Encoding: gzip, deflate
    Authorization: AWS testcaps4:Hk5gPweXZKBNraDK8/1XvHv8Umw=
    Connection: keep-alive
    Date: Tue, 26 Jul 2016 05:51:21 GMT

    HTTP/1.1 200 OK
    Content-Length: 27
    Connection: Keep-Alive
    Date: Tue, 26 Jul 2016 05:48:50 GMT
    X-Amz-Request-Id: tx000000000000000000145-005796f9c2-a8f9f-default

    {"entries": [], "summary": []}

Other users do not have access to usage statistics.

    GET /admin/usage?format=json&start=2016-07-26%2013:00:00&show-entries=True&show-summary=True HTTP/1.1
    Host: yuliyangdebugweb68.tunnel.qydev.com
    User-Agent: python-requests/2.10.0
    Accept: */*
    Accept-Encoding: gzip, deflate
    Authorization: AWS testcaps5:fJZkl8WezcmVz9/aekKsjbq0DrE=
    Connection: keep-alive
    Date: Tue, 26 Jul 2016 05:51:15 GMT

    HTTP/1.1 403 Forbidden
    Content-Length: 119
    Accept-Ranges: bytes
    Connection: Keep-Alive
    Content-Type: application/json
    Date: Tue, 26 Jul 2016 05:48:44 GMT
    X-Amz-Request-Id: tx000000000000000000144-005796f9bc-a8f9f-default

    {"Code": "AccessDenied", "RequestId": "tx000000000000000000144-005796f9bc-a8f9f-default", "HostId": "a8f9f-default-default"}

cap is usage=write

Users with this cap can delete usage statistics.

    DELETE /{admin}/usage?format=json HTTP/1.1

cap is users=read

Users with this cap can obtain user information: display_name, user_id, suspended, max_buckets, subusers, keys, swift_keys, caps, and quota information.

    GET /{admin}/user?format=json HTTP/1.1

cap is users=write

Users with this cap can create, modify, or delete other users or subusers, add or delete a user's caps, create, delete, or modify keys, and modify quotas.

    PUT /{admin}/user?format=json HTTP/1.1
    Host: {fqdn}

    PUT /{admin}/user?caps&format=json HTTP/1.1
    Host: {fqdn}

cap is buckets=read

Users with this cap can get bucket information, objects, or the ACL of a bucket.

    GET /{admin}/bucket?format=json HTTP/1.1
    Host: {fqdn}

    GET /{admin}/bucket?policy&format=json HTTP/1.1
    Host: {fqdn}

cap is buckets=write

Users with this cap can check the bucket index, delete, unlink, or link buckets, and delete objects (regardless of whether the bucket or object belongs to the user or not).

    GET /{admin}/bucket?index&format=json HTTP/1.1
    Host: {fqdn}

    DELETE /{admin}/bucket?format=json HTTP/1.1
    Host: {fqdn}

    POST /{admin}/bucket?format=json HTTP/1.1
    Host: {fqdn}

    PUT /{admin}/bucket?format=json HTTP/1.1
    Host: {fqdn}

    DELETE /{admin}/bucket?object&format=json HTTP/1.1
    Host: {fqdn}

cap is metadata=read

Users with this cap can read the metadata of users and buckets.

    radosgw-admin metadata get user:admin
    {"key": "user:admin", "ver": {"tag": "_cz1Iiuv69GdQbVsCAoagBik", "ver": 15}, "mtime": "2016-07-25 0414334Z", "data": {"user_id": "admin", "display_name": "admin", "email": "admin@cmss.com", "suspended": 0, "max_buckets": 1000, "auid": 0, "subusers": [{"id": "admin:swift", "permissions": "full-control"}], "keys": [{"user": "admin", "access_key": "F3ZKGR2Q6M8QJA5AVBAB", "secret_key": "sQzliizcmlSJg1BL6nOpL41hYRvg7dLXTxFtOZb2"}, {"user": "admin", "access_key": "H3085SM4LQUT5IVNC39D", "secret_key": "2z3Bw09EDyhtO11rH7DyZBioyaHozZDM4mZCOi9r"}, {"user": "admin:yuliyangtests3002", "access_key": "VCFIBX41YJQ9U4NB9F6A", "secret_key": "GoUcvNUe52KoZJux24V2mMFkkaN1Bh2TGdTOkxUD"}, {"user": "admin", "access_key": "admin", "secret_key": "admin"}, {"user": "admin:admin-subuser3", "access_key": "admin-subuser3", "secret_key": "admin-subuser3"}, {"user": "admin:admin-subuser4", "access_key": "admin-subuser4", "secret_key": "admin-subuser4"}], "swift_keys": [{"user": "admin:swift", "secret_key": "FlC7XZuiLjdTjSC1wZ9S2KnIlccrQkSGm0P0vHvl"}, {"user": "admin:yuliyangswift1", "secret_key": "make s for Russia"}], "caps": [{"type": "buckets", "perm": "*"}, {"type": "metadata", "perm": "*"}, {"type": "usage", "perm": "*"}, {"type": "users", "perm": "*"}, {"type": "zone", "perm": "*"}], "op_mask": "read, write, delete", "default_placement": "", "placement_tags": [], "bucket_quota": {"enabled": false, "max_size_kb": -1, "max_objects": -1}, "user_quota": {"enabled": false, "max_size_kb": -1, "max_objects": -1}, "temp_url_keys": [], "attrs": [{"key": "user.rgw.idtag", "val": ""}, {"key": "user.rgw.manifest", "val": ""}]}}

    radosgw-admin metadata get bucket:bababa
    {"key": "bucket:bababa", "ver": {"tag": "_8KAo6w6VPo5fhGtzTvxwRaE", "ver": 1}, "mtime": "2016-07-24 23:43:19.214419Z", "data": {"bucket": {"name": "bababa", "pool": "default.rgw.buckets.data", "data_extra_pool": "default.rgw.buckets.non-ec", "index_pool": "default.rgw.buckets.index", "marker": "b74b128b-eac1-4f3a-a5ca-60536d190664.694099.2", "bucket_id": "b74b128b-eac1-4f3a-a5ca-60536d190664.694099.2"}, "owner": "date2", "creation_time": "0.000000", "linked": "true", "has_bucket_info": "false"}}

Metadata of user

    GET /admin/metadata/user?format=json&key=admin HTTP/1.1
    Host: yuliyangdebugweb68.tunnel.qydev.com
    User-Agent: python-requests/2.10.0
    Accept: */*
    Accept-Encoding: gzip, deflate
    Authorization: AWS testcaps3:qSnsnWOB9hljBBZz+wumQKm/qfM=
    Connection: keep-alive
    Date: Wed, 27 Jul 2016 02:17:35 GMT

    HTTP/1.1 200 OK
    Content-Length: 1497
    Connection: Keep-Alive
    Content-Type: application/json
    Date: Wed, 27 Jul 2016 02:15:02 GMT
    X-Amz-Request-Id: tx00000000000000000033e-0057981926-a8f9f-default

    {"key": "user:admin", "ver": {"tag": "_cz1Iiuv69GdQbVsCAoagBik", "ver": 15}, "mtime": "2016-07-25 0414 334Z", "data": {"user_id": "admin", "display_name": "admin", "email": "admin@cmss.com", "suspended": 0, "max_buckets": 1000, "auid": 0, "subusers": [{"id": "admin:swift", "permissions": "full-control"}], "keys": [{"user": "admin", "access_key": "F3ZKGR2Q6M8QJA5AVBAB", "secret_key": "sQzliizcmlSJg1BL6nOpL41hYRvg7dLXTxFtOZb2"}, {"user": "admin", "access_key": "H3085SM4LQUT5IVNC39D", "secret_key": "2z3Bw09EDyhtO11rH7DyZBioyaHozZDM4mZCOi9r"}, {"user": "admin:yuliyangtests3002", "access_key": "VCFIBX41YJQ9U4NB9F6A", "secret_key": "GoUcvNUe52KoZJux24V2mMFkkaN1Bh2TGdTOkxUD"}, {"user": "admin", "access_key": "admin", "secret_key": "admin"}, {"user": "admin:admin-subuser3", "access_key": "admin-subuser3", "secret_key": "admin-subuser3"}, {"user": "admin:admin-subuser4", "access_key": "admin-subuser4", "secret_key": "admin-subuser4"}], "swift_keys": [{"user": "admin:swift", "secret_key": "FlC7XZuiLjdTjSC1wZ9S2KnIlccrQkSGm0P0vHvl"}, {"user": "admin:yuliyangswift1", "secret_key": "do s for Russia"}], "caps": [{"type": "buckets", "perm": "*"}, {"type": "metadata", "perm": "*"}, {"type": "usage", "perm": "*"}, {"type": "users", "perm": "*"}, {"type": "zone", "perm": "*"}], "op_mask": "read, write, delete", "default_placement": "", "placement_tags": [], "bucket_quota": {"enabled": false, "max_size_kb": -1, "max_objects": -1}, "user_quota": {"enabled": false, "max_size_kb": -1, "max_objects": -1}, "temp_url_keys": [], "attrs": [{"key": "user.rgw.idtag", "val": ""}, {"key": "user.rgw.manifest", "val": ""}]}}

Metadata of bucket

    GET /admin/metadata/bucket?format=json&key=bababa HTTP/1.1
    Host: yuliyangdebugweb68.tunnel.qydev.com
    User-Agent: python-requests/2.10.0
    Accept: */*
    Accept-Encoding: gzip, deflate
    Authorization: AWS testcaps3:YrRXMsS6SRDJ2QeGSGyT+UBNkNU=
    Connection: keep-alive
    Date: Wed, 27 Jul 2016 02:38:33 GMT

    HTTP/1.1 200 OK
    Content-Length: 470
    Connection: Keep-Alive
    Content-Type: application/json
    Date: Wed, 27 Jul 2016 02:35:59 GMT
    X-Amz-Request-Id: tx000000000000000000343-0057981e0f-a8f9f-default

    {"key": "bucket:bababa", "ver": {"tag": "_8KAo6w6VPo5fhGtzTvxwRaE", "ver": 1}, "mtime": "2016-07-24 23:43:19.214419Z", "data": {"bucket": {"name": "bababa", "pool": "default.rgw.buckets.data", "data_extra_pool": "default.rgw.buckets.non-ec", "index_pool": "default.rgw.buckets.index", "marker": "b74b128b-eac1-4f3a-a5ca-60536d190664.694099.2", "bucket_id": "b74b128b-eac1-4f3a-a5ca-60536d190664.694099.2"}, "owner": "date2", "creation_time": "0.000000", "linked": "true", "has_bucket_info": "false"}}

cap is metadata=write

Users with this cap can set the metadata of users and buckets.

    $ radosgw-admin metadata put bucket.instance:widodh:default.20111.1 < bucket.json

    PUT /admin/metadata/bucket?key=bababa HTTP/1.1
    Host: yuliyangdebugweb68.tunnel.qydev.com
    User-Agent: python-requests/2.10.0
    Content-Length: 454
    Accept: */*
    Accept-Encoding: gzip, deflate
    Authorization: AWS testcaps3:6EjaVjvYDQlOpFA4qK1wnazXy4A=
    Connection: keep-alive
    Content-Type: application/json
    Date: Wed, 27 Jul 2016 02:45:39 GMT

    {"key":"bucket:bababa","ver":{"tag":"_8KAo6w6VPo5fhGtzTvxwRaE","ver":1},"mtime":"2016-07-24 23:43:19.214419Z","data":{"bucket":{"name":"bababa","pool":"yuliyang","data_extra_pool":"default.rgw.buckets.non-ec","index_pool":"default.rgw.buckets.index","marker":"b74b128b-eac1-4f3a-a5ca-60536d190664.694099.2","bucket_id":"b74b128b-eac1-4f3a-a5ca-60536d190664.694099.2"},"owner":"date2","creation_time":"0.000000","linked":"true","has_bucket_info":"false"}}

    [root@ceph03 ~]# radosgw-admin metadata get bucket:bababa
    {
        "key": "bucket:bababa",
        "ver": { "tag": "_8KAo6w6VPo5fhGtzTvxwRaE", "ver": 1 },
        "mtime": "2016-07-24 23:43:19.214419Z",
        "data": {
            "bucket": {
                "name": "bababa",
                "pool": "yuliyang",
                "data_extra_pool": "default.rgw.buckets.non-ec",
                "index_pool": "default.rgw.buckets.index",
                "marker": "b74b128b-eac1-4f3a-a5ca-60536d190664.694099.2",
                "bucket_id": "b74b128b-eac1-4f3a-a5ca-60536d190664.694099.2"
            },
            "owner": "date2",
            "creation_time": "0.000000",
            "linked": "true",
            "has_bucket_info": "false"
        }
    }

cap is zone=read

Users with this cap can get zone information through the ADMIN REST API.

Get zone:

    [root@ceph03 ~]# radosgw-admin zone get --rgw-zone=default
    {
        "id": "b74b128b-eac1-4f3a-a5ca-60536d190664",
        "name": "default",
        "domain_root": "default.rgw.data.root",
        "control_pool": "default.rgw.control",
        "gc_pool": "default.rgw.gc",
        "log_pool": "default.rgw.log",
        "intent_log_pool": "default.rgw.intent-log",
        "usage_log_pool": "default.rgw.usage",
        "user_keys_pool": "default.rgw.users.keys",
        "user_email_pool": "default.rgw.users.email",
        "user_swift_pool": "default.rgw.users.swift",
        "user_uid_pool": "default.rgw.users.uid",
        "system_key": { "access_key": "", "secret_key": "" },
        "placement_pools": [
            {
                "key": "default-placement",
                "val": {
                    "index_pool": "default.rgw.buckets.index",
                    "data_pool": "default.rgw.buckets.data",
                    "data_extra_pool": "default.rgw.buckets.non-ec",
                    "index_type": 0
                }
            }
        ],
        "metadata_heap": "default.rgw.meta",
        "realm_id": ""
    }

Get zonegroup:

    [root@node1 ~]# radosgw-admin zonegroup-map get --rgw-zonegroup=de
    {
        "zonegroups": [
            {
                "key": "b47af7c7-e2d8-4b62-8966-b5b6de0bddc3",
                "val": {
                    "id": "b47af7c7-e2d8-4b62-8966-b5b6de0bddc3",
                    "name": "de",
                    "api_name": "de",
                    "is_master": "true",
                    "endpoints": [ "http:\/\/192.168.10.10:7480" ],
                    "hostnames": [],
                    "hostnames_s3website": [],
                    "master_zone": "426f76bd-bb22-4098-b064-ae28b8357bb0",
                    "zones": [
                        {
                            "id": "426f76bd-bb22-4098-b064-ae28b8357bb0",
                            "name": "nue",
                            "endpoints": [],
                            "log_meta": "true",
                            "log_data": "false",
                            "bucket_index_max_shards": 0,
                            "read_only": "false"
                        }
                    ],
                    "placement_targets": [ { "name": "default-placement", "tags": [] } ],
                    "default_placement": "default-placement",
                    "realm_id": "f1574551-03e7-4739-a136-9670c62b46c1"
                }
            }
        ],
        "master_zonegroup": "b47af7c7-e2d8-4b62-8966-b5b6de0bddc3",
        "bucket_quota": { "enabled": false, "max_size_kb": -1, "max_objects": -1 },
        "user_quota": { "enabled": false, "max_size_kb": -1, "max_objects": -1 }
    }

+++++++++++++++++++++++++++++++ Request URL ++++++++++++++++++++++++++++++++

URL for getting the zonegroup:

    < GET /admin/config HTTP/1.1
    < Host: 192.168.10.10:7480
    < Connection: keep-alive
    < Accept-Encoding: gzip, deflate
    < Accept: */*
    < User-Agent: python-requests/2.10.0
    < date: Wed, 27 Jul 2016 07:30:10 GMT
    < Authorization: AWS admin:i1P7+FvmhMBlQ/gaUDtwe4QZ424=
    <
    > HTTP/1.1 200 OK
    > x-amz-request-id: tx000000000000000000005-00579862e5-d7d96-nue
    > Content-Length: 803
    > Date: Wed, 27 Jul 07:29:41 GMT
    > Connection: Keep-Alive
    >
    {"regions": [{"key": "b47af7c7-e2d8-4b62-8966-b5b6de0bddc3", "val": {"id": "b47af7c7-e2d8-4b62-8966-b5b6de0bddc3", "name": "de", "api_name": "de", "is_master": "true", "endpoints": ["http:\/\/192.168.10.10:7480"], "hostnames": [], "hostnames_s3website": [], "master_zone": "426f76bd-bb22-4098-b064-ae28b8357bb0", "zones": [{"id": "426f76bd-bb22-4098-b064-ae28b8357bb0", "name": "nue", "endpoints": [], "log_meta": "true", "log_data": "false", "bucket_index_max_shards": 0, "read_only": "false"}], "placement_targets": [{"name": "default-placement", "tags": []}], "default_placement": "default-placement", "realm_id": "f1574551-03e7-4739-a136-9670c62b46c1"}}], "master_region": "b47af7c7-e2d8-4b62-8966-b5b6de0bddc3", "bucket_quota": {"enabled": false, "max_size_kb": -1, "max_objects": -1}, "user_quota": {"enabled": false, "max_size_kb": -1, "max_objects": -1}}

cap is zone=write

Users with this cap can modify zone-related information.

    PUT /admin/config HTTP/1.1

The body content is in JSON format.

Note: zone information can be modified through the ADMIN REST API to bind a bucket to a pool, instead of using the command line to bind the bucket and pool.
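As an added example (not part of the original article and not Ceph's own code), the following Python script audits user records in the JSON shape printed above by radosgw-admin metadata get user:<uid> and lists every admin cap held by a user outside an allow-list, together with what the article says that cap permits. The function names, the allow-list and the sample records are constructed for illustration.

```python
import json

# What each cap unlocks in the admin REST API, as described in this article.
CAP_GRANTS = {
    ("usage", "read"): "view usage statistics",
    ("usage", "write"): "delete usage statistics",
    ("users", "read"): "read user info, keys, caps and quotas",
    ("users", "write"): "create/modify/delete users, keys, caps and quotas",
    ("buckets", "read"): "read any bucket's info, objects and ACL",
    ("buckets", "write"): "delete/link/unlink any bucket, delete any object",
    ("metadata", "read"): "read user and bucket metadata (secret keys included)",
    ("metadata", "write"): "set user and bucket metadata",
    ("zone", "read"): "read zone information",
    ("zone", "write"): "modify zone information",
}

def expand_perm(perm):
    """Turn a perm string into a set of access levels; '*' is read and write."""
    perm = perm.strip()
    if perm == "*":
        return {"read", "write"}
    return {perm} if perm in ("read", "write") else set()

def audit_user(record, allowed_admins=frozenset()):
    """Return (uid, cap, what_it_permits) for each cap of a non-allow-listed user."""
    data = record.get("data", record)  # 'metadata get' wraps the user in "data"
    uid = data["user_id"]
    if uid in allowed_admins:
        return []
    findings = []
    for cap in data.get("caps", []):
        for access in sorted(expand_perm(cap["perm"])):
            what = CAP_GRANTS.get((cap["type"], access), "unknown cap type")
            findings.append((uid, f'{cap["type"]}={access}', what))
    return findings

# Constructed sample records (not taken from a real cluster).
SAMPLE = json.loads('''[
  {"key": "user:admin", "data": {"user_id": "admin", "caps": [{"type": "users", "perm": "*"}]}},
  {"key": "user:testcaps4", "data": {"user_id": "testcaps4", "caps": [{"type": "usage", "perm": "*"}]}},
  {"user_id": "testcaps1", "caps": [{"type": "users", "perm": "read"}]},
  {"user_id": "plainuser", "caps": []}
]''')

def audit_all(records, allowed_admins=frozenset({"admin"})):
    """Audit a list of user records and return all findings in input order."""
    return [f for r in records for f in audit_user(r, allowed_admins)]

if __name__ == "__main__":
    for uid, cap, what in audit_all(SAMPLE):
        print(f"{uid}: {cap} -> {what}")
```

Any finding for a user that is not a designated administrator corresponds to the article's advice not to open caps for ordinary users.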

That is what caps on rgw users refer to. If you have had similar questions, the analysis above may help.
