Starting with Gateway 7.3 and Content UI 7.3, the System domain gives legacy SCSP clients access to unnamed objects stored outside of all storage domains. The System domain lets unnamed and untenanted objects in a cluster take advantage of Swarm's modern features, such as metadata searching. It also provides better access control policy management and integration via the UI.
System domain vs. Default domain
The System domain is not the same as a default domain. For more information on the Default domain, see Guidelines for managing Domains.
With the System domain, the choices for connecting legacy SCSP clients with the storage are:
direct network connection to all object storage nodes,
through legacy SCSPproxy package, or
through gateway running in legacy mode.
Direct network connection and SCSPproxy with legacy application clients:
continue to work in existing deployment without code modifications
can use legacy HTTP digest auth/auth mechanism with storage nodes
storage-in-use metering is tracked by gateway
bandwidth metering is not tracked by gateway
no audit log tracking by gateway
can interfere with tenanted content within storage domains – depends on specific application
Legacy application clients connecting through gateway:
continue to work without changing application code logic (except legacy auth/auth)
cannot use legacy HTTP digest auth/auth mechanism
storage-in-use and bandwidth metering is tracked by gateway
audit logging for all access
access control using gateway's policy mechanism
assured isolation from content within other storage domains
API and UI
The System domain is considered a child of the System tenant and is represented as a domain called "System" within the System tenant, both in the UI listing and in the Management API ("_system"). Metrics for the System domain roll up into the System tenant, together with metrics for all untenanted domains.
Buckets cannot be created in the System domain, but it presents the Content IDs pseudo-bucket. Upload to Content IDs the same way as to any other domain.
The System domain also supports Collections.
Setting Up Access Permissions
The System domain has no owner and no one can be assigned to be the owner, so there is no default access policy for it. System domain management only allows setting IDSYS and policy-based access. Access to content in the System domain must be granted through the root and/or System domain-specific policies.
No user is able to perform SCSP operations with content in the System domain if no policy is added and no root policy exists granting access to the System domain.
Authentication tokens are not supported for the System domain in the UI.
Configuring a Gateway as a System Domain-only Gateway (Legacy Mode)
Gateway can be configured to work in one of the following modes:
Normal mode with tenanted named and unnamed objects
Legacy mode with unnamed untenanted objects only (new with v7.3)
This is configured using the following setting. The default value is 'false' and the gateway runs in normal mode if unset.
[gateway]
legacyOnlyMode = true/false
Legacy mode allows configuring a gateway as a System domain-only gateway for use by legacy SCSP clients, so that unnamed objects in the System domain can be accessed. When operating in this mode, Gateway disregards the domain a client specifies and communicates solely with the System domain in the back-end storage cluster.
Content UI is only available through normal mode gateways and attempting to use the UI through a legacy-only mode gateway returns the following message in a browser:
This gateway is running in legacy mode. UI requests are not supported.
Attempting to use modern clients using tenanted objects within storage domains or named objects within buckets with a gateway configured in legacy mode is a misconfiguration. These clients need to use a separate gateway configured for normal mode operations.
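A deployment check for the mode rules above, as an added example that is not part of the original documentation or the product's own tooling. It reads the [gateway] legacyOnlyMode setting from configuration text and flags clients routed to the wrong kind of gateway; the client kinds, gateway names and inventory layout are assumptions made for illustration.

```python
import configparser

def gateway_mode(cfg_text):
    """Classify gateway configuration text as 'legacy' or 'normal' mode."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(cfg_text)
    # Unset means normal mode: the documented default is 'false'.
    legacy = cp.getboolean("gateway", "legacyOnlyMode", fallback=False)
    return "legacy" if legacy else "normal"

def audit(gateways, clients):
    """gateways: {name: cfg_text}; clients: [(name, kind, path)].
    kind is 'legacy-scsp', 'modern' or 'content-ui' (labels invented here);
    path is a gateway name, 'direct' or 'scspproxy'."""
    modes = {name: gateway_mode(text) for name, text in gateways.items()}
    findings = []
    for name, kind, path in clients:
        if path in ("direct", "scspproxy"):
            # These paths are not covered by gateway audit logs or bandwidth metering.
            findings.append((name, "INFO",
                             "no gateway audit log or bandwidth metering on this path"))
        elif path not in modes:
            findings.append((name, "ERROR", f"unknown gateway {path!r}"))
        elif modes[path] == "legacy" and kind != "legacy-scsp":
            # Tenanted or named-object clients and the Content UI need a normal-mode gateway.
            findings.append((name, "ERROR",
                             f"{kind} client on legacy-mode gateway {path!r}"))
    return modes, findings

# Constructed sample inventory; every name here is illustrative.
GATEWAYS = {
    "gw-legacy": "[gateway]\nlegacyOnlyMode = true\n",
    "gw-main": "[gateway]\n",  # key unset, so normal mode
}
CLIENTS = [
    ("archive-app", "legacy-scsp", "gw-legacy"),
    ("portal", "content-ui", "gw-legacy"),
    ("s3-sync", "modern", "gw-main"),
    ("old-batch", "legacy-scsp", "direct"),
]

if __name__ == "__main__":
    modes, findings = audit(GATEWAYS, CLIENTS)
    print(modes)
    for client, level, message in findings:
        print(f"{level:5} {client}: {message}")
```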