Capabilities
A large cloud object storage (COS) system needs several crucial capabilities to offer storage as a service (STaaS).
These capabilities give an object storage system the flexibility to be deployed as a private,
public or hybrid cloud solution.
- Support for millions of containers
- Support for millions of users
- Self-provisioning capability for service
- Support for billing users based on usage
- Isolation of objects between users and tenants
- Security for objects
- Ability to set quotas for tenants
- Ability to isolate issues to a tenant
- Ability to dynamically scale system and add capacity
Container Mode allows an IBM COS system to be deployed as a private, public or hybrid cloud with
capability across all these areas, to various degrees, to offer storage as a service. Without these
capabilities, a COS deployment for a cloud using the existing Vault Mode has the following constraints:
- A vault limit (see the IBM Manager Administration Guide), which also limits the number of user buckets
- No more than a few thousand user accounts
- No ability to offer a self-provisioning service with a special service user role
- No detailed billing information to support all billing models (e.g. request-based pricing)
Supporting a large number of containers and a large number of users, all using the system concurrently
while real-time data usage is tracked, requires additional focus on consistency and performance. To
address these areas, several enhancements to the current design were introduced as part of the feature
to achieve the following:
- Consistency of index and usage updates
- Fast listing
- Better handling of contention
Container Mode brings the following capabilities to each of the areas listed above in the IBM COS solution:
- Support for millions of containers
  - A new logical entity called a container is introduced on top of a vault (container vault). Containers are addressable externally via REST API requests; external requests cannot address or access vaults directly in Container Mode. The new entity has lower overhead for creation and deletion within the system, so containers can be created or deleted quickly (in the order of milliseconds). These containers are not visible on the Manager.
- Support for millions of users
  - All end-user accounts and credentials are now created and stored outside of the Manager, within the IBM COS system. This makes it possible to support millions of users without the limitations that come with the Manager. These users are not visible on the Manager. The account and credential data is stored in a private vault called a service vault.
- Self-provisioning capability for service
  - The IBM COS system now supports a new set of REST APIs on the Accesser appliance for storage account management and AWS credentials management. A self-service portal, or another application using a service role only, can use these APIs on a different port.
- Support for billing users based on usage
  - The IBM COS system now has detailed logging that includes account, container and usage information at the different levels. These logs are available to business support systems, which process them to create per-tenant bills.
- Isolation of objects between users and tenants
  - The IBM COS system supports isolation of objects between users and tenants.
- Security for objects
  - The IBM COS system now assigns an owner to every container and object. In addition, the system enforces ACL permissions across writes and reads (including more granular permissions). An enhanced ACL enforcement mode, enabled by default, is also available to more closely match the S3 ACL model.
- Ability to control usage programmatically
  - The IBM COS system continues to support hard and soft quotas at the vault level.
- Ability to isolate issues
  - The IBM COS system has more detailed logging and additional log files when the system is in Container Mode. The detailed logging helps isolate issues for a user or tenant in a large deployment.
- Ability to scale and grow as capacity has to expand
  - The IBM COS system continues to support system expansion as the need arises to grow the system and increase capacity.
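The owner-plus-ACL enforcement described under "Security for objects" can be made concrete with a small evaluator that follows the S3 ACL model (an owner per bucket and object, per-grantee grants, and the AllUsers and AuthenticatedUsers pseudo-groups). This is an added illustrative example, not IBM COS code, and it does not show how the product stores or evaluates ACLs internally. The account ids, bucket and object names, and the action-to-permission table are assumptions made for the demo; the one S3 nuance it deliberately reproduces is that object writes are governed by bucket WRITE, and that the bucket owner does not automatically get READ on an object someone else owns.

```python
"""Simplified S3-style ACL evaluator (illustrative model, not IBM COS code)."""
from dataclasses import dataclass, field
from enum import Enum


class Perm(str, Enum):
    READ = "READ"
    WRITE = "WRITE"
    READ_ACP = "READ_ACP"
    WRITE_ACP = "WRITE_ACP"
    FULL_CONTROL = "FULL_CONTROL"


# Pseudo-grantee groups, as in the S3 ACL model
ALL_USERS = "group:AllUsers"
AUTHENTICATED_USERS = "group:AuthenticatedUsers"
ANONYMOUS = None  # caller identity for unauthenticated requests


@dataclass
class Acl:
    owner: str
    grants: dict = field(default_factory=dict)  # grantee -> set of Perm

    def grant(self, grantee, perm):
        self.grants.setdefault(grantee, set()).add(perm)


# Which permission each request needs, and on which ACL (bucket or object).
# Object creation/deletion needs bucket WRITE: the S3 model has no object-level WRITE.
# The action names here are assumptions for the demo, not a product API list.
REQUIRED = {
    "ListObjects": ("bucket", Perm.READ),
    "PutObject": ("bucket", Perm.WRITE),
    "DeleteObject": ("bucket", Perm.WRITE),
    "GetBucketAcl": ("bucket", Perm.READ_ACP),
    "PutBucketAcl": ("bucket", Perm.WRITE_ACP),
    "GetObject": ("object", Perm.READ),
    "GetObjectAcl": ("object", Perm.READ_ACP),
    "PutObjectAcl": ("object", Perm.WRITE_ACP),
}


def has_permission(acl, caller, perm):
    """True if caller holds perm on acl, directly, via FULL_CONTROL, or via a group."""
    if caller is not None and caller == acl.owner:
        return True  # the owner always holds FULL_CONTROL in this model
    candidates = [ALL_USERS]  # anonymous callers only match AllUsers
    if caller is not None:
        candidates += [AUTHENTICATED_USERS, caller]
    for grantee in candidates:
        granted = acl.grants.get(grantee, set())
        if perm in granted or Perm.FULL_CONTROL in granted:
            return True
    return False


def authorize(action, caller, bucket_acl, object_acl=None):
    """Return True if caller may perform action. Unknown actions and missing ACLs deny (fail closed)."""
    if action not in REQUIRED:
        return False
    target, perm = REQUIRED[action]
    acl = bucket_acl if target == "bucket" else object_acl
    if acl is None:
        return False
    return has_permission(acl, caller, perm)


def build_sample_acls():
    """Constructed sample: a public-listable bucket owned by acct-alice, with acct-bob
    allowed to write into it, and an object bob uploaded that only acct-carol may read."""
    bucket = Acl(owner="acct-alice")
    bucket.grant(ALL_USERS, Perm.READ)        # anyone may list the bucket
    bucket.grant("acct-bob", Perm.WRITE)      # bob may create/delete objects
    obj = Acl(owner="acct-bob")               # bob owns what he uploaded
    obj.grant("acct-carol", Perm.READ)        # carol may read that object
    return bucket, obj


if __name__ == "__main__":
    bucket, obj = build_sample_acls()
    for action, caller in [("ListObjects", ANONYMOUS), ("GetObject", "acct-alice"),
                           ("GetObject", "acct-carol"), ("PutObject", ANONYMOUS),
                           ("PutBucketAcl", "acct-bob"), ("CopyObject", "acct-alice")]:
        print(f"{action:12} by {caller or 'anonymous':10} -> {authorize(action, caller, bucket, obj)}")
```

The two checks worth noticing are the fail-closed branches: an action missing from the table or a request for which no object ACL exists is denied rather than falling back to the bucket ACL, so a new request type cannot silently inherit broader rights.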
| Callout in STaaS architecture diagram | Purpose | IBM element | APIs |
|---|---|---|---|
| 1 - Container mode administration | To administer and monitor container mode | Manager | Create service vault, Enable container mode and service API, Manage service accounts, Manage container vaults |
| 2 - Storage account management | To manage storage accounts and associate them to tenants (enterprises and users) | Accesser | Create, List, Head, Modify, Delete storage accounts. List containers |
| 2 - AWS credentials management | To manage credentials that are associated with the storage accounts | Accesser | Create, List, Show, Delete, Update AWS credentials |
| 2 - Bucket management | For the service provider to manage containers on behalf of clients | Accesser | Create, retrieve, update bucket metadata, delete bucket |
| 3 - S3 API | For data IO and container/object management | Accesser | Read, Write, List, Delete, Head for containers and objects |
| 4 - Not supported | (future) | | |
| 4' - Not supported | (future) | | |