Application Concepts

The Gateway offers developers an integration platform that adds many valuable features to the native Swarm storage API. These features include:

  • A multi-tenant framework that provides several levels of control and delegation

  • Choice of two object storage APIs: SCSP and S3

  • A service provisioning and management API

Object Storage APIs

Gateway provides developers the freedom to choose between the Swarm Storage SCSP object storage protocol and the Amazon S3 object storage protocol. Gateway allows both of these protocols to share the back-end Swarm cluster and even the same content. Additionally, Gateway provides enhancements to both object storage protocols that allow for geographically distributed, multi-tenant storage clouds.

S3 and SCSP are the Storage APIs offered through the Gateway. Developers accustomed to Amazon S3 development can continue to use their existing tools, libraries, and experience and immediately begin using Swarm in their existing environment. The Swarm SCSP object storage protocol offers advantages over Amazon S3 in the areas of content protection controls, time-based content policies, metadata searching capabilities, and an additional object type: unnamed objects.

Multi-Tenant Framework

Swarm provides multi-tenant separation of content through scopes formally defined within the storage system. Gateway builds upon that foundation to give developers a proven framework for organizing and managing a cloud storage system. Gateway defines the following scopes.

Info

While Swarm defines the role of owner, role-based access control (RBAC) definitions can be created with varying degrees of sophistication, as required by the organization, using Gateway's access control policies. The “admins” role is a common role for the Cluster, Tenant, Domain, and Bucket scopes; it is optional and hard-coded into the system. These roles are assumed to be in use in the system.

  • Root Scope: The root scope exists on the Gateway servers' file systems as the configuration information necessary to bootstrap the cloud storage system. It contains the top-level definition of the identity management system and the overall access control policy for the entire cluster. Gateway system administrators manage the resources at this level through standard Linux administration tools.

  • Cluster Scope: The cluster scope is the top-level control point within the object storage system. The cluster administrators operating in this scope are the super users within the cloud storage system and have the ability to create and access all content within the system. Through the Content Portal or using management API calls, they create lower-level scopes, such as tenants and storage domains, and they can delegate management duties for those lower-level scopes to less privileged users.

  • Tenant Scope: The tenant scope is a formalized concept that exists within Gateway and not within Swarm. A tenant is a hierarchy that owns one or more storage domains. Each tenant scope can define a separate identity management system so users and groups within them are separated from those in other tenants. The tenant administrators have the ability to create and access storage domains on behalf of the tenant and they can delegate management duties for the storage domains they create. The tenant scope does not store end-user data; it is a meta store for information about the tenant, users, and storage domains.

  • Domain Scope: The domain scope is directly tied to a Swarm storage domain and is where end-user data is kept. The SCSP and S3 storage protocols create and use data within the domain scope. While the domain scope can inherit user and group identity information from its tenant, it also has the ability to define its own identity management system. The domain administrators can create and access all content within the storage domain. They can optionally delegate control of storage buckets to individual users or groups.

  • Bucket Scope: The bucket scope is directly tied to a bucket that exists within the Swarm storage domain. While access control policies can be defined for every bucket, there is no option for an identity management system definition at the bucket scope. All buckets within a domain share the domain's identity management system definition.

  • IDM: Identity management system connection information is stored within IDSYS objects and they are the source of user and group information and the authentication system.

  • Access Policy: The Policy objects contain the rules for access control to content within the system. This includes control of all operations through the Storage API and the Management API. Policies are associated with every scope within the storage system.
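The scope hierarchy above determines which identity management system (IDSYS) applies to a given bucket or domain: a domain may inherit its tenant's IDSYS or define its own, and a bucket never defines one. The following model is an added illustration, not Gateway's own code; the Scope class, resolve_idsys() helper, and the sample scope names and IDSYS labels are assumptions constructed for the example.

```python
"""Illustrative model of the Gateway scope hierarchy described above.
This is added example code, not Gateway's own implementation: the class
name, the resolve_idsys() helper and the sample values are assumptions."""
from dataclasses import dataclass
from typing import Optional

@dataclass
class Scope:
    name: str
    kind: str                      # root, cluster, tenant, domain or bucket
    parent: Optional["Scope"] = None
    idsys: Optional[str] = None    # identity management definition, if any
    policy: Optional[str] = None   # access control policy (every scope has one)

    def __post_init__(self):
        # The bucket scope cannot carry its own IDSYS definition; it always
        # shares the identity management system of its domain.
        if self.kind == "bucket" and self.idsys is not None:
            raise ValueError("bucket scope cannot define an IDSYS")

def resolve_idsys(scope: Scope) -> Optional[str]:
    """Walk up the hierarchy until a scope with an IDSYS definition is found.
    bucket -> domain -> tenant -> cluster -> root mirrors the inheritance the
    page describes: a domain may inherit from its tenant or define its own."""
    current = scope
    while current is not None:
        if current.idsys is not None:
            return current.idsys
        current = current.parent
    return None

def build_example() -> dict:
    # Constructed sample hierarchy: one tenant, two domains, two buckets.
    root = Scope("root", "root", idsys="root-ldap", policy="root-policy")
    cluster = Scope("cluster", "cluster", parent=root, policy="cluster-policy")
    tenant_a = Scope("tenant-a", "tenant", parent=cluster, idsys="tenant-a-ad", policy="a-policy")
    dom_inherit = Scope("inherit.example", "domain", parent=tenant_a, policy="dom1-policy")
    dom_own = Scope("own.example", "domain", parent=tenant_a, idsys="dom-own-idsys", policy="dom2-policy")
    bucket1 = Scope("photos", "bucket", parent=dom_inherit, policy="bucket-policy")
    bucket2 = Scope("logs", "bucket", parent=dom_own, policy="bucket-policy")
    return {
        "cluster": resolve_idsys(cluster),
        "inherit.example": resolve_idsys(dom_inherit),
        "own.example": resolve_idsys(dom_own),
        "photos": resolve_idsys(bucket1),
        "logs": resolve_idsys(bucket2),
    }
```

Running build_example() shows the cluster falling back to the root IDSYS, the inheriting domain and its bucket using the tenant's IDSYS, and the other domain and its bucket using the domain-level definition.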

Management API

Separate from the Storage API for end-user content, the Gateway implements a storage management API as an integration point for cloud management platforms and developers who need to automate the provisioning and management of the cloud storage system.

© DataCore Software Corporation. · https://www.datacore.com · All rights reserved.