Ceph Object Gateway namespaces can now be exported over file-based
access protocols such as NFSv3 and NFSv4, alongside traditional HTTP access
protocols (S3 and Swift).
In particular, the Ceph Object Gateway can now be configured to
provide file-based access when embedded in the NFS-Ganesha NFS server.
librgw
======
The librgw.so shared library (Unix) provides a loadable interface to
Ceph Object Gateway services, and instantiates a full Ceph Object Gateway
instance on initialization.
In turn, librgw.so exports rgw_file, a stateful API for file-oriented
access to RGW buckets and objects. The API is general, but its design
is strongly influenced by the File System Abstraction Layer (FSAL) API
of NFS-Ganesha, for which it has been primarily designed.
A set of Python bindings is also provided.
Namespace Conventions
=====================
The implementation conforms to Amazon Web Services (AWS) hierarchical
namespace conventions which map UNIX-style path names onto S3 buckets
and objects.
The top level of the attached namespace consists of S3 buckets,
represented as NFS directories. Files and directories subordinate to
buckets are each represented as objects, following S3 prefix and
delimiter conventions, with '/' being the only supported path
delimiter [#]_.
For example, if an NFS client has mounted an RGW namespace at "/nfs",
then a file "/nfs/mybucket/www/index.html" in the NFS namespace
corresponds to an RGW object "www/index.html" in a bucket/container
"mybucket."
Although it is generally invisible to clients, the NFS namespace is
assembled through concatenation of the corresponding paths implied by
the objects in the namespace. Leaf objects, whether files or
directories, will always be materialized in an RGW object of the
corresponding key name, "<name>" if a file, "<name>/" if a directory.
Non-leaf directories (e.g., "www" above) might only be implied by
their appearance in the names of one or more leaf objects. Directories
created within NFS or directly operated on by an NFS client (e.g., via
an attribute-setting operation such as chown or chmod) always have a
leaf object representation used to store materialized attributes such
as Unix ownership and permissions.
Supported Operations
====================
The RGW NFS interface supports most operations on files and
directories, with the following restrictions:
- Links, including symlinks, are not supported
- NFS ACLs are not supported
+ Unix user and group ownership and permissions *are* supported
- Directories may not be moved/renamed
+ files may be moved between directories
- Only full, sequential *write* i/o is supported
+ i.e., write operations are constrained to be **uploads**
+ many typical i/o operations such as editing files in place will necessarily fail as they perform non-sequential stores
+ some file utilities *apparently* writing sequentially (e.g., some versions of GNU tar) may fail due to infrequent non-sequential stores
+ When mounting via NFS, sequential application i/o can generally be constrained to be written sequentially to the NFS server via a synchronous mount option (e.g. -osync in Linux)
+ NFS clients which cannot mount synchronously (e.g., MS Windows) will not be able to upload files
Security
========
The RGW NFS interface provides a hybrid security model with the
following characteristics:
- NFS protocol security is provided by the NFS-Ganesha server, as negotiated by the NFS server and clients
+ e.g., clients can by trusted (AUTH_SYS), or required to present Kerberos user credentials (RPCSEC_GSS)
+ RPCSEC_GSS wire security can be integrity only (krb5i) or integrity and privacy (encryption, krb5p)
+ various NFS-specific security and permission rules are available
* e.g., root-squashing
- a set of RGW/S3 security credentials (unknown to NFS) is associated with each RGW NFS mount (i.e., NFS-Ganesha EXPORT)
+ all RGW object operations performed via the NFS server will be performed by the RGW user associated with the credentials stored in the export being accessed (currently only RGW and RGW LDAP credentials are supported)
* additional RGW authentication types such as Keystone are not currently supported