Ensures HyperStore is on version 7.2 with a minimum of 3 nodes for Object Lock.
Applies the Object Lock license and enables the feature via the CMC.
Instructions for installing the AWS Command Line Interface on a Linux system.
Steps to configure the AWS CLI with HyperStore credentials and endpoint.
Verify CLI setup and list existing buckets, confirming connectivity.
Command to create a new S3 bucket with Object Lock enabled.
Check if Object Lock is enabled on a specific bucket using the S3 API.
Set bucket Object Lock policy and default retention using a JSON configuration.
The Cloudian HyperStore is a scale-out object storage system designed for managing massive amounts of unstructured data. It functions as a Software Defined Storage (SDS) platform, capable of running on any standard x64 server platform. This design significantly reduces the cost of data center storage while offering limitless scalability, extreme availability, and unprecedented reliability. With native S3 compatibility, Cloudian HyperStore enables data centers to provide highly cost-effective on-premise unstructured data storage repositories. It is built on standard hardware that can span across the enterprise and extend into public cloud environments.
The HyperStore system is available as a standalone software solution or fully integrated with hardware as a Cloudian HyperStore appliance. It is designed for easy scaling to limitless capacities and supports multi-datacenter storage. A key feature is its fully automated data tiering to all major public clouds, including AWS, Azure, and Google Cloud Platform. The system fully supports S3 applications and offers flexible security options. Deployment models include on-premises storage, distributed storage, storage-as-a-service, and other hybrid combinations.
A significant usage feature introduced with the 7.2 release is the implementation of WORM (Write Once Read Many) protection for stored objects through support for the standard AWS S3 Object Lock functionality. To utilize Object Lock within HyperStore, a separate Object Lock license is required. Additionally, enabling the HyperStore Shell (HSH) and disabling the root account password on all HyperStore nodes are prerequisites. The system supports all standard AWS S3 API methods and headers associated with the S3 Object Lock feature. This allows third-party S3 client applications to enable Object Lock on new buckets during creation. Object Lock can only be enabled on newly created buckets, not existing ones. Enabling it automatically enables Versioning on the bucket, because Object Lock can only be used in combination with Versioning.
Enabling Object Lock on a bucket does not automatically lock objects; it only makes it possible to lock them. Users can optionally set a bucket default Object Lock configuration, which applies a Retention time period to all subsequently created objects. This default configuration specifies either Governance mode or Compliance mode. In Governance mode, privileged users can change the retention period or delete objects before their retention period ends. In Compliance mode, no user can change the retention period or delete objects. Object Lock attributes can also be set on individual objects, either during or after creation, overriding the bucket's default configuration. These per-object attributes can include Retention (in Governance or Compliance mode) and Legal Hold, which applies indefinitely until explicitly released and prevents deletion.
As of the 7.2 release, all users must use a third-party S3 client application that supports the standard S3 APIs for object locking, as the Cloudian Management Console (CMC) does not support setting up object locking on buckets or objects, nor can the HSH be used for this purpose. The guide specifically demonstrates using the AWS CLI for creating and configuring bucket-level Object Lock capabilities.
To enable Object Lock in HyperStore, several prerequisites must be met. First, the HyperStore system must be deployed or upgraded to version 7.2 on a minimum of three nodes. Second, a HyperStore license that supports the Object Lock feature must be applied. The "Object Lock License" field on the CMC Cluster Information page will indicate if it's "Enabled" or "Disabled." If disabled, Cloudian customer support must be contacted for an upgraded license key. Third, the HyperStore Shell (HSH) must be enabled. HSH is a new feature in the 7.2 release providing a secure command-line interface for management tasks. Finally, the root user account password must be disabled; once it has been disabled, assistance from Cloudian Support is required.
The process for enabling Object Lock involves applying the appropriate license file through the CMC Cluster Information page. After selecting and uploading the license file, the "Object Lock License" field should show "Enabled" after a few minutes, possibly requiring a manual browser refresh.
Enabling the HSH and disabling the root account password is a multi-step process. First, log into the Puppet Master node as the root user. Check if HSH is disabled using hsctl config get hsh.enabled. If it returns False, set hsh.enabled to true using hsctl config set hsh.enabled=true. Then, push the configuration change to the cluster with hsctl config apply hsh and confirm HSH is enabled. Once HSH is enabled, provision the default admin user by logging into the CMC as "admin" and changing the "admin" user's password, which creates a corresponding HSH user. This HSH user can then use SSH to log into any HyperStore node, with the prompt appearing as sa_admin@hyperstore1$. Typing help confirms access to the HyperStore shell.
To disable the root user password across all HyperStore nodes, log into the Puppet Master node as root, change to the staging directory (/opt/cloudian-staging/<version>), and launch the HyperStore installer (./cloudianInstall.sh). From the main menu, select "Advanced Configuration Options" (option 4), then "Disable the root password" (option m). Follow the prompts to complete the process. After exiting the installer, logging out and attempting to log back in as root with the old password should fail, confirming the password has been disabled. Subsequent logins should be performed as sa_admin or another HSH user.
For using Object Lock, a third-party S3 application like the AWS CLI is required. The AWS CLI can be deployed and configured on Linux systems (e.g., CentOS). Prerequisites for AWS CLI deployment include Python 2 (version 2.6.5+) or Python 3 (version 3.3+). The recommended installation method is using the bundled installer provided by AWS. This involves downloading the awscli-bundle.zip file using curl, unzipping it, and then running the installation script with sudo ./awscli-bundle/install -i /usr/local/aws -b /usr/local/bin/aws. The -b option allows all users to use the AWS CLI from any directory.
After installation, the AWS CLI needs to be configured to connect to a HyperStore user account using aws configure. This command prompts for four pieces of information: the S3 HyperStore user account access key ID, secret access key, region name, and output format (e.g., json, text, table). The access key ID and secret access key serve as credentials and can be generated within HyperStore Identity and Access Management (IAM) or found on the user credentials page in the CMC. The region name is defined during HyperStore installation and can be found on the CMC Cluster Information page or user credentials page. It's crucial that the S3 endpoint is resolvable by name, either through the /etc/hosts file or a DNS server, as IP addresses cannot be used.
Once configured, the AWS CLI can be used to manage buckets and objects with Object Lock enabled. Examples include listing existing buckets, creating a new bucket with Object Lock enabled (e.g., aws s3api create-bucket --bucket oblck01 --object-lock-enabled-for-bucket --endpoint-url=http://s3-reg01.cloudiantme.local), verifying Object Lock enablement (aws s3api get-object-lock-configuration --bucket oblck01 --endpoint-url=http://s3-reg01.cloudiantme.local), and setting Object Lock policies and default retention times using a JSON file (e.g., aws s3api put-object-lock-configuration --bucket b02 --object-lock-configuration file://object-lock-config-g-1day.json). The JSON file specifies the mode (e.g., GOVERNANCE) and retention period (e.g., 1 day). The Object Lock policy can then be viewed to verify correct application.
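The bucket default retention step described above, as an added example that is not part of the Cloudian guide: it generates the JSON policy (GOVERNANCE, 1 day), refuses a COMPLIANCE policy unless explicitly confirmed, then applies and re-reads it with the AWS CLI. The function names and the HS_ENDPOINT, HS_BUCKET and CONFIRM_COMPLIANCE variables are assumptions; the file name comes from the text above.

```shell
#!/bin/sh
# Added example; function and variable names are hypothetical.

# Write a bucket default Object Lock policy.
#   $1 = GOVERNANCE or COMPLIANCE, $2 = retention in days, $3 = output file
write_lock_config() {
    mode=$1; days=$2; out=$3
    case "$mode" in
        GOVERNANCE|COMPLIANCE) ;;
        *) echo "mode must be GOVERNANCE or COMPLIANCE" >&2; return 1 ;;
    esac
    case "$days" in
        ''|*[!0-9]*|0*) echo "days must be a positive integer" >&2; return 1 ;;
    esac
    cat > "$out" <<EOF
{
  "ObjectLockEnabled": "Enabled",
  "Rule": {
    "DefaultRetention": {
      "Mode": "$mode",
      "Days": $days
    }
  }
}
EOF
}

# Apply the policy to a bucket, then read it back to verify.
#   $1 = bucket, $2 = policy file, $3 = S3 endpoint URL
apply_lock_config() {
    # Objects written under a COMPLIANCE default cannot be deleted by any
    # user until retention expires, so require an explicit opt-in.
    if grep -q '"Mode": "COMPLIANCE"' "$2" &&
       [ "${CONFIRM_COMPLIANCE:-no}" != yes ]; then
        echo "refusing COMPLIANCE policy without CONFIRM_COMPLIANCE=yes" >&2
        return 2
    fi
    aws s3api put-object-lock-configuration --bucket "$1" \
        --object-lock-configuration "file://$2" --endpoint-url "$3" &&
    aws s3api get-object-lock-configuration --bucket "$1" --endpoint-url "$3"
}

# Contacts the cluster only when HS_ENDPOINT and HS_BUCKET are set.
if [ -n "${HS_ENDPOINT:-}" ] && [ -n "${HS_BUCKET:-}" ]; then
    write_lock_config GOVERNANCE 1 object-lock-config-g-1day.json &&
    apply_lock_config "$HS_BUCKET" object-lock-config-g-1day.json "$HS_ENDPOINT"
fi
```

With the values used in the text, the script would be run with HS_ENDPOINT=http://s3-reg01.cloudiantme.local and HS_BUCKET=oblck01 set in the environment.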
The Cloudian HyperStore's native S3 compatibility ensures seamless integration with any AWS S3 application that supports Object Lock. While Object Lock is a relatively new feature, Cloudian HyperStore aims to provide robust support for this functionality.