Complete the necessary setup in Ceph object storage (S3-compatible).
Procedure
To create a user in Ceph, run the following command:
radosgw-admin user create --uid=user_id --display-name=user_name
The command creates a user in Ceph with the given user_id and user_name. The output of the command contains the access key and secret key, which are needed during the setup in Commvault.
To back up and restore Ceph buckets and data, you need an STS assume role attached to the user created in the previous step. To create an STS assume role, run the following command:
radosgw-admin role create --role-name=<role name> --path=/commvault/ --assume-role-policy-doc=\{\"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Allow\",\"Principal\":\{\"AWS\":\[\"arn:aws:iam:::user/user_id\"\]\},\"Action\":\[\"sts:AssumeRole\"\]\}\]\}
Output:
{
"RoleId": "2638ac34-1a71-4ca2-bdad-bcc1caaa88c0",
"RoleName": "role_name",
"Path": "/commvault/",
"Arn": "arn:aws:iam:::role/commvault/role_name",
"CreateDate": "2022-03-22T14:06:40.656Z",
"MaxSessionDuration": 3600,
"AssumeRolePolicyDocument": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam:::user/myrestore1\"]},\"Action\":[\"sts:AssumeRole\"]}]}"
}
The ARN value in the output is needed during the setup in Commvault.
To provide permissions to the user, you must attach a policy to the STS assume role.
To create a policy, use the following syntax, where role_name is the role to which the policy gets attached:
radosgw-admin role-policy put --role-name=role_name --policy-name=policy_name --policy-doc=\{\"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Allow\",\"Action\":\[<list of permissions>\],\"Resource\":\"arn:aws:s3:::*\"\}\]\}
To create a policy to back up the Ceph buckets, run the following command:
radosgw-admin role-policy put --role-name=backup_role_name --policy-name=backup_policy_name --policy-doc=\{\"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Allow\",\"Action\":\[\"s3:ListBucket\",\"s3:ListAllMyBuckets\",\"s3:GetObject\",\"s3:ListBucketMultipartUploads\",\"s3:GetObjectAcl\",\"s3:GetBucketAcl\",\"s3:GetBucketPolicy\",\"s3:GetBucketTagging\",\"s3:GetObjectTagging\",\"s3:GetAccelerateConfiguration\",\"s3:GetBucketCORS\",\"s3:GetBucketLocation\",\"s3:GetBucketLogging\",\"s3:GetBucketNotification\",\"s3:GetBucketRequestPayment\",\"s3:GetBucketVersioning\",\"s3:GetBucketWebsite\",\"s3:GetLifecycleConfiguration\"\],\"Resource\":\"arn:aws:s3:::*\"\}\]\}
To create a policy to restore the Ceph buckets and data, run the following command:
radosgw-admin role-policy put --role-name=restore_role_name --policy-name=restore_policy_name --policy-doc=\{\"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Allow\",\"Action\":\[\"s3:CreateBucket\",\"s3:DeleteObject\",\"s3:PutObjectAcl\",\"s3:PutObjectTagging\",\"s3:PutObject\",\"s3:ListBucket\",\"s3:ListAllMyBuckets\",\"s3:GetObject\",\"s3:GetObjectAcl\",\"s3:ListBucketMultipartUploads\",\"s3:PutBucketAcl\",\"s3:PutBucketTagging\",\"s3:PutBucketPolicy\"\],\"Resource\":\"arn:aws:s3:::*\"\}\]\}
After the policy is attached to the role, the access key and secret key of the user, and the ARN from the role will be available.
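The hand-escaped policy documents above are easy to mistype, so the following added example (not Commvault or Ceph code) builds the same trust and permission policies as JSON, checks that the backup role allows no write actions, and emits a shell-quoted role-policy put command. Classifying write actions by the s3:Put, s3:Create and s3:Delete prefixes is an assumption made for this example; the role and policy names are the placeholders used on this page.

```python
import json
import shlex

# Verbs that change or remove data; a backup-only role should allow none.
WRITE_PREFIXES = ("s3:Put", "s3:Create", "s3:Delete")

# Backup action list as given in the backup command on this page.
BACKUP_ACTIONS = [
    "s3:ListBucket", "s3:ListAllMyBuckets", "s3:GetObject",
    "s3:ListBucketMultipartUploads", "s3:GetObjectAcl", "s3:GetBucketAcl",
    "s3:GetBucketPolicy", "s3:GetBucketTagging", "s3:GetObjectTagging",
    "s3:GetAccelerateConfiguration", "s3:GetBucketCORS",
    "s3:GetBucketLocation", "s3:GetBucketLogging", "s3:GetBucketNotification",
    "s3:GetBucketRequestPayment", "s3:GetBucketVersioning",
    "s3:GetBucketWebsite", "s3:GetLifecycleConfiguration",
]

def trust_policy(user_id):
    """Trust policy that lets exactly one RGW user assume the role."""
    if not user_id or any(c.isspace() for c in user_id):
        raise ValueError("user_id must be non-empty and contain no whitespace")
    arn = "arn:aws:iam:::user/" + user_id
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": [arn]},
        "Action": ["sts:AssumeRole"]}]}

def permission_policy(actions, resource="arn:aws:s3:::*"):
    """Permission policy in the shape the page passes to role-policy put."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": list(actions), "Resource": resource}]}

def write_actions(policy):
    """Return every allowed action that can modify or delete data."""
    return [a for s in policy["Statement"] if s.get("Effect") == "Allow"
            for a in s["Action"] if a.startswith(WRITE_PREFIXES)]

def role_policy_cmd(role_name, policy_name, policy):
    """Build the role-policy put command with the JSON quoted for the shell."""
    doc = json.dumps(policy, separators=(",", ":"))
    return shlex.join(["radosgw-admin", "role-policy", "put",
                       "--role-name=" + role_name,
                       "--policy-name=" + policy_name, "--policy-doc=" + doc])

if __name__ == "__main__":
    backup = permission_policy(BACKUP_ACTIONS)
    if write_actions(backup):
        raise SystemExit("backup policy allows writes: %s" % write_actions(backup))
    print(role_policy_cmd("backup_role_name", "backup_policy_name", backup))
```

Because the whole --policy-doc argument is wrapped in single quotes by shlex, none of the braces, brackets or double quotes need backslashes.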