Configuring MapR Object Store with S3-Compatible API

To configure the MapR Object Store with S3-Compatible API, add MapR Object Store tenants (users) and credentials to the tenants.json file and change the deployment mode in the minio.json file. After you update and save the files, restart the objectstore service.

Important: If a bucket does not have custom policies applied and mixed deployment mode is set, you must remove the policy file for the bucket and restart the objectstore service to avoid permissions issues any time you:
  • change the owner of the bucket
  • add new tenants that are also bucket owners
The bucket policy file is located in FS_PATH/.minio.sys/buckets/BUCKET_NAME/policy.json. To restart the objectstore service, see Restart the Object Store Service.

About Credentials

In the S3 world, credentials represent the application and not the identity of the end user. The application layer is responsible for end-user verification. The S3 administrator must assign S3 credentials for the application or set of applications and optionally, map those S3 credentials to a MapR identity.

As defined in the Amazon S3 documentation, the S3 REST API uses a “key” and “secret” (in a REST-like manner) as credentials to authenticate to the underlying object store and authorize access to data.

The MapR Object Store supports a multitenant scenario in which the S3 administrator can configure one or more credentials with the appropriate MapR-credential mapping. The S3 administrator can assign credentials to a user and map them to a MapR identity. Mapping them to a MapR identity is optional.

For an overview of tenants and multi-tenancy, see Multitenancy on MapR Filesystem.

Add Tenants and Credentials in the tenants.json File

The tenants.json file describes the tenants configuration. This file consists of a JSON object with two keys: credentials and tenants. The credentials key relates more to MapR Object Store authorization, whereas the tenants key relates to the users in the system.

The credentials key contains an array of objects with the following fields:
  • accessKey - S3 format access key
  • secretKey - S3 format secret key
  • tenant - Internal tenant name, used to link an access key to an operating system user
The tenants key contains an array of objects with the following fields:
  • uid - Operating system user ID for file impersonation
  • gid - Operating system group ID for file impersonation
  • name - Internal tenant name, used to link an access key to an operating system user

You add or update tenants (MapR Object Store users) and credentials in the /opt/mapr/objectstore-client/objectstore-client-<version>/conf/tenants.json file. The /opt/mapr/objectstore-client/objectstore-client-<version>/conf directory also contains a tenants-sample.json file that you can use for reference.

Example of a tenants.json configuration:
{
    "tenants": [
        {
            "name": "tenant1",
            "uid": 5001,
            "gid": 5001
        }
    ],

    "credentials": [
        {
            "accessKey": "accessKey1",
            "secretKey": "secretKey1",
            "tenant": "tenant1"
        }
    ]
}
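Because a credential whose tenant field names no entry in tenants, or two credentials sharing one accessKey, is only noticed when a request fails (or worse, succeeds for the wrong identity), it helps to check the file before restarting the service. The following validator is an added example, not code shipped with the MapR Object Store; it assumes only the two-key layout and field names shown above, and the sample document it checks is constructed here, with placeholder key values.

```python
import json

# Constructed sample tenants.json content (same shape as the page's example;
# accessKey/secretKey values are placeholders). The second credential points
# at an undefined tenant and the third reuses an access key, so both are
# reported by the validator.
SAMPLE_TENANTS_JSON = """
{
    "tenants": [
        {"name": "tenant1", "uid": 5001, "gid": 5001},
        {"name": "tenant2", "uid": 5002, "gid": 5002}
    ],
    "credentials": [
        {"accessKey": "accessKey1", "secretKey": "secretKey1", "tenant": "tenant1"},
        {"accessKey": "accessKey2", "secretKey": "secretKey2", "tenant": "tenant3"},
        {"accessKey": "accessKey1", "secretKey": "secretKey3", "tenant": "tenant2"}
    ]
}
"""

REQUIRED_TENANT_FIELDS = {"name", "uid", "gid"}
REQUIRED_CRED_FIELDS = {"accessKey", "secretKey", "tenant"}


def validate_tenants_config(text):
    """Return a list of problems found in a tenants.json document.

    Checks that both top-level keys exist and are arrays, that required
    fields are present, that uid/gid are non-negative integers, that tenant
    names and access keys are unique, and that every credential references
    a defined tenant. An empty list means every check passed.
    """
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]
    if not isinstance(cfg, dict):
        return ["top-level value must be a JSON object"]

    problems = []
    for key in ("tenants", "credentials"):
        if not isinstance(cfg.get(key), list):
            problems.append(f"missing or non-array key: {key}")
    if problems:
        return problems

    names = set()
    for i, t in enumerate(cfg["tenants"]):
        missing = REQUIRED_TENANT_FIELDS - set(t)
        if missing:
            problems.append(f"tenants[{i}] missing fields: {sorted(missing)}")
            continue
        for field in ("uid", "gid"):
            value = t[field]
            # bool is a subclass of int in Python, so reject it explicitly
            if isinstance(value, bool) or not isinstance(value, int) or value < 0:
                problems.append(f"tenants[{i}].{field} must be a non-negative integer")
        if t["name"] in names:
            problems.append(f"tenants[{i}] duplicate tenant name: {t['name']}")
        names.add(t["name"])

    seen_keys = set()
    for i, c in enumerate(cfg["credentials"]):
        missing = REQUIRED_CRED_FIELDS - set(c)
        if missing:
            problems.append(f"credentials[{i}] missing fields: {sorted(missing)}")
            continue
        if c["accessKey"] in seen_keys:
            problems.append(f"credentials[{i}] duplicate accessKey: {c['accessKey']}")
        seen_keys.add(c["accessKey"])
        if c["tenant"] not in names:
            problems.append(f"credentials[{i}] references undefined tenant: {c['tenant']}")
    return problems


def validate_tenants_file(path):
    """Validate a tenants.json file on disk (e.g. the conf/tenants.json path above)."""
    with open(path, encoding="utf-8") as fh:
        return validate_tenants_config(fh.read())


if __name__ == "__main__":
    for line in validate_tenants_config(SAMPLE_TENANTS_JSON) or ["OK"]:
        print(line)
```

Run it against the real file with validate_tenants_file("/opt/mapr/objectstore-client/objectstore-client-<version>/conf/tenants.json") before restarting the objectstore service. Since the file holds the secret keys in clear text, keep it readable only by the account that runs the service.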

Set the Deployment Mode (Authorization Type) in the minio.json File

The deployment mode sets the type of authorization being used. The default deployment mode is mixed. You can edit the deploymentMode parameter in the /opt/mapr/objectstore-client/objectstore-client-<version>/conf/minio.json file to change the deployment mode setting.

The MapR Object Store supports the following deployment modes:

Option 1: fs_only
Enforced by MapR File System file permissions only. The S3 bucket policy is disabled. Access is granted based on the bucket owner UID and GID, not read/write/execute permissions.
  • Configuration maps the application key or secret to a MapR ID.
  • S3 policy is not used and the policy check is skipped.
  • MapR file security validates the inbound mapped UID and GID to authorize read or write file permissions.

Option 2: mixed (the default setting)
Uses a mix of MapR File System and S3 bucket policy security enforcement.
  • Configuration maps the application key or secret to a MapR ID.
  • S3 bucket policy and MapR file security are enforced. Specifically, the two authorization models.
  • The access key is ignored and the filesystem permissions determine access.

Option 3: s3_only
Enforced by S3 bucket policy only.
  • No configuration maps the application key or secret to a MapR ID.
  • All the files in the file system are owned by the user that runs the MapR Object Store processes (typically the mapr user).
  • Access is controlled by the secret access key and the key ID.

Secure the Data

To prevent unauthorized access to data, secure the data based on the configured deployment mode:

  • For mixed mode, set folder permissions and upload the S3 policies.
  • For fs_only mode, set folder permissions to allow authorized users access to folders.
  • For s3_only mode, upload the S3 policies.

Set the Path to Mount the Filesystem

If you are using fs_only or mixed mode, set the path to mount the filesystem.

  • Server node - In the minio.json file, set the fsPath parameter to the filesystem mount path. By default, the path is set to /mapr/<clustername>/apps/s3/<nodename>. If you want to share existing folders with users, set the fsPath parameter to point to the directory with the folders that you want to share. All the folders in the directory (to which fsPath points) are accessible as buckets.
  • Edge node - If you completed the Edge Node Installation steps, you may have already set the path to mount the filesystem when you ran the objectstore configure.sh script with the --path parameter. No action is required.

For more information about deployment modes, see Using the MapR Object Store Authorization Model.
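The Important note at the top of this page and the Secure the Data section both tie what must be checked to the configured deployment mode: bucket owner UIDs must map to tenants in fs_only and mixed mode, a stale policy.json under FS_PATH/.minio.sys/buckets/BUCKET_NAME/ matters in mixed mode, and in s3_only mode the uploaded policy is the only enforcement. The audit below is an added example, not part of the MapR Object Store distribution. It assumes that deploymentMode and fsPath are top-level keys of minio.json (the page names the parameters but not their position in the file), that every directory directly under fsPath is a bucket (as the fsPath description states), and that the caller supplies the set of tenant UIDs from tenants.json. The minio.json text and bucket records it runs on are constructed here with placeholder paths.

```python
import json
import os
from dataclasses import dataclass

VALID_MODES = {"fs_only", "mixed", "s3_only"}

# Constructed minio.json fragment; CLUSTER_NAME and NODE_NAME are placeholders
# for the default path /mapr/<clustername>/apps/s3/<nodename>.
MINIO_SAMPLE = '{"deploymentMode": "mixed", "fsPath": "/mapr/CLUSTER_NAME/apps/s3/NODE_NAME"}'


@dataclass
class Bucket:
    name: str
    owner_uid: int
    has_policy: bool  # FS_PATH/.minio.sys/buckets/<name>/policy.json exists


# Constructed bucket records standing in for a scan of fsPath.
SAMPLE_BUCKETS = [
    Bucket("shared", 5001, True),    # owned by a tenant, policy file present
    Bucket("legacy", 1000, False),   # owner uid not mapped to any tenant
    Bucket("reports", 5002, False),  # owned by a tenant, no policy file
]
TENANT_UIDS = {5001, 5002}           # uids taken from tenants.json


def load_minio_settings(text):
    """Return (deploymentMode, fsPath) from minio.json text.

    Assumption: both are top-level keys. The page states mixed is the default,
    so a missing deploymentMode is treated as mixed.
    """
    cfg = json.loads(text)
    mode = cfg.get("deploymentMode", "mixed")
    if mode not in VALID_MODES:
        raise ValueError(f"unknown deploymentMode: {mode!r}")
    return mode, cfg.get("fsPath")


def scan_buckets(fs_path):
    """Build Bucket records from a real fsPath (every directory under it is a bucket)."""
    buckets = []
    for entry in sorted(os.listdir(fs_path)):
        full = os.path.join(fs_path, entry)
        if entry.startswith(".") or not os.path.isdir(full):
            continue  # skip .minio.sys and plain files
        policy = os.path.join(fs_path, ".minio.sys", "buckets", entry, "policy.json")
        buckets.append(Bucket(entry, os.stat(full).st_uid, os.path.exists(policy)))
    return buckets


def audit(mode, buckets, tenant_uids):
    """Return one finding per bucket condition that the configured mode makes relevant."""
    findings = []
    for b in buckets:
        # fs_only and mixed grant access through the mapped UID/GID, so an owner
        # that is not a tenant uid means no credential can reach the bucket as owner.
        if mode in ("fs_only", "mixed") and b.owner_uid not in tenant_uids:
            findings.append(f"{b.name}: owner uid {b.owner_uid} is not mapped to any tenant")
        # In mixed mode a policy file for a bucket without custom policies must be
        # removed (and the service restarted) after an owner change or new owner tenant.
        if mode == "mixed" and b.has_policy:
            findings.append(f"{b.name}: policy.json present; remove it and restart objectstore "
                            "if the owner changed and no custom policy is in use")
        # In fs_only mode the bucket policy is disabled, so the file is inert.
        if mode == "fs_only" and b.has_policy:
            findings.append(f"{b.name}: policy.json present but disabled in fs_only mode")
        # In s3_only mode the uploaded bucket policy is the only enforcement.
        if mode == "s3_only" and not b.has_policy:
            findings.append(f"{b.name}: no bucket policy uploaded; s3_only relies on it")
    return findings


if __name__ == "__main__":
    mode, fs_path = load_minio_settings(MINIO_SAMPLE)
    print(f"deploymentMode={mode} fsPath={fs_path}")
    for line in audit(mode, SAMPLE_BUCKETS, TENANT_UIDS) or ["no findings"]:
        print(line)
```

On a server node, replace SAMPLE_BUCKETS with scan_buckets(fs_path) after reading the real minio.json, and build TENANT_UIDS from the uid fields of tenants.json; run it before and after any owner change, then restart the objectstore service as described below.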

Restart the Object Store Service

Start, restart, or stop the MapR Object Store using the command appropriate for the node:

Server node
/opt/mapr/bin/maprcli node services -name objectstore -nodes <node_name> -action [ start | restart | stop ]

Edge node

sudo /opt/mapr/objectstore-client/objectstore-client-<version>/bin/objectstore.sh [ start | stop ]