1 ======================================
2 Ceph Object Gateway Config Reference
3 ======================================
5 The following settings may added to the Ceph configuration file (i.e., usually
6 ``ceph.conf``) under the ``[client.radosgw.{instance-name}]`` section. The
7 settings may contain default values. If you do not specify each setting in the
8 Ceph configuration file, the default value will be set automatically.
10 Configuration variables set under the ``[client.radosgw.{instance-name}]``
11 section will not apply to rgw or radosgw-admin commands without an instance-name
12 specified in the command. Thus variables meant to be applied to all RGW
13 instances or all radosgw-admin commands can be put into the ``[global]`` or the
14 ``[client]`` section to avoid specifying instance-name.
18 :Description: Configures the HTTP frontend(s). The configuration for multiple
19 frontends can be provided in a comma-delimited list. Each frontend
20 configuration may include a list of options separated by spaces,
21 where each option is in the form "key=value" or "key". See
22 `HTTP Frontends`_ for more on supported options.
25 :Default: ``beast port=7480``
29 :Description: Sets the location of the data files for Ceph Object Gateway.
31 :Default: ``/var/lib/ceph/radosgw/$cluster-$id``
36 :Description: Enables the specified APIs.
38 .. note:: Enabling the ``s3`` API is a requirement for
39 any radosgw instance that is meant to
40 participate in a `multi-site <../multisite>`_
43 :Default: ``s3, swift, swift_auth, admin`` All APIs.
48 :Description: Whether the Ceph Object Gateway cache is enabled.
53 ``rgw cache lru size``
55 :Description: The number of entries in the Ceph Object Gateway cache.
62 :Description: The socket path for the domain socket. ``FastCgiExternalServer``
63 uses this socket. If you do not specify a socket path, Ceph
64 Object Gateway will not run as an external server. The path you
65 specify here must be the same as the path specified in the
71 ``rgw fcgi socket backlog``
73 :Description: The socket backlog for fcgi.
79 :Description: The host for the Ceph Object Gateway instance. Can be an IP
80 address or a hostname.
88 :Description: Port the instance listens for requests. If not specified,
89 Ceph Object Gateway runs external FastCGI.
97 :Description: The DNS name of the served domain. See also the ``hostnames`` setting within regions.
104 :Description: The alternative value for the ``SCRIPT_URI`` if not set
113 :Description: The alternative value for the ``REQUEST_URI`` if not set
120 ``rgw print continue``
122 :Description: Enable ``100-continue`` if it is operational.
127 ``rgw remote addr param``
129 :Description: The remote address parameter. For example, the HTTP field
130 containing the remote address, or the ``X-Forwarded-For``
131 address if a reverse proxy is operational.
134 :Default: ``REMOTE_ADDR``
137 ``rgw op thread timeout``
139 :Description: The timeout in seconds for open threads.
144 ``rgw op thread suicide timeout``
146 :Description: The time ``timeout`` in seconds before a Ceph Object Gateway
147 process dies. Disabled if set to ``0``.
153 ``rgw thread pool size``
155 :Description: The size of the thread pool.
157 :Default: 100 threads.
160 ``rgw num control oids``
162 :Description: The number of notification objects used for cache synchronization
163 between different ``rgw`` instances.
171 :Description: The number of seconds before Ceph Object Gateway gives up on
178 ``rgw mime types file``
180 :Description: The path and location of the MIME types. Used for Swift
181 auto-detection of object types.
184 :Default: ``/etc/mime.types``
187 ``rgw s3 success create obj status``
189 :Description: The alternate success status response for ``create-obj``.
194 ``rgw resolve cname``
196 :Description: Whether ``rgw`` should use DNS CNAME record of the request
197 hostname field (if hostname is not equal to ``rgw dns name``).
203 ``rgw obj stripe size``
205 :Description: The size of an object stripe for Ceph Object Gateway objects.
206 See `Architecture`_ for details on striping.
209 :Default: ``4 << 20``
212 ``rgw extended http attrs``
214 :Description: Add new set of attributes that could be set on an entity
215 (user, bucket or object). These extra attributes can be set
216 through HTTP header fields when putting the entity or modifying
217 it using POST method. If set, these attributes will return as
218 HTTP fields when doing GET/HEAD on the entity.
222 :Example: "content_foo, content_bar, x-foo-bar"
225 ``rgw exit timeout secs``
227 :Description: Number of seconds to wait for a process before exiting
234 ``rgw get obj window size``
236 :Description: The window size in bytes for a single object request.
238 :Default: ``16 << 20``
241 ``rgw get obj max req size``
243 :Description: The maximum request size of a single get operation sent to the
244 Ceph Storage Cluster.
247 :Default: ``4 << 20``
250 ``rgw relaxed s3 bucket names``
252 :Description: Enables relaxed S3 bucket names rules for US region buckets.
257 ``rgw list buckets max chunk``
259 :Description: The maximum number of buckets to retrieve in a single operation
260 when listing user buckets.
266 ``rgw override bucket index max shards``
268 :Description: Represents the number of shards for the bucket index object,
269 a value of zero indicates there is no sharding. It is not
270 recommended to set a value too large (e.g. thousand) as it
271 increases the cost for bucket listing.
272 This variable should be set in the client or global sections
273 so that it is automatically applied to radosgw-admin commands.
279 ``rgw curl wait timeout ms``
281 :Description: The timeout in milliseconds for certain ``curl`` calls.
286 ``rgw copy obj progress``
288 :Description: Enables output of object progress during long copy operations.
293 ``rgw copy obj progress every bytes``
295 :Description: The minimum bytes between copy progress output.
297 :Default: ``1024 * 1024``
302 :Description: The entry point for an admin request URL.
307 ``rgw content length compat``
309 :Description: Enable compatibility handling of FCGI requests with both CONTENT_LENGTH AND HTTP_CONTENT_LENGTH set.
314 ``rgw bucket quota ttl``
316 :Description: The amount of time in seconds cached quota information is
317 trusted. After this timeout, the quota information will be
318 re-fetched from the cluster.
323 ``rgw user quota bucket sync interval``
325 :Description: The amount of time in seconds bucket quota information is
326 accumulated before syncing to the cluster. During this time,
327 other RGW instances will not see the changes in bucket quota
328 stats from operations on this instance.
333 ``rgw user quota sync interval``
335 :Description: The amount of time in seconds user quota information is
336 accumulated before syncing to the cluster. During this time,
337 other RGW instances will not see the changes in user quota stats
338 from operations on this instance.
343 ``rgw bucket default quota max objects``
345 :Description: Default max number of objects per bucket. Set on new users,
346 if no other quota is specified. Has no effect on existing users.
347 This variable should be set in the client or global sections
348 so that it is automatically applied to radosgw-admin commands.
353 ``rgw bucket default quota max size``
355 :Description: Default max capacity per bucket, in bytes. Set on new users,
356 if no other quota is specified. Has no effect on existing users.
361 ``rgw user default quota max objects``
363 :Description: Default max number of objects for a user. This includes all
364 objects in all buckets owned by the user. Set on new users,
365 if no other quota is specified. Has no effect on existing users.
370 ``rgw user default quota max size``
372 :Description: The value for user max size quota in bytes set on new users,
373 if no other quota is specified. Has no effect on existing users.
380 :Description: Verify SSL certificates while making requests.
385 Garbage Collection Settings
386 ===========================
388 The Ceph Object Gateway allocates storage for new objects immediately.
390 The Ceph Object Gateway purges the storage space used for deleted and overwritten
391 objects in the Ceph Storage cluster some time after the gateway deletes the
392 objects from the bucket index. The process of purging the deleted object data
393 from the Ceph Storage cluster is known as Garbage Collection or GC.
395 To view the queue of objects awaiting garbage collection, execute the following::
397 $ radosgw-admin gc list
399 Note: specify --include-all to list all entries, including unexpired
401 Garbage collection is a background activity that may
402 execute continuously or during times of low loads, depending upon how the
403 administrator configures the Ceph Object Gateway. By default, the Ceph Object
404 Gateway conducts GC operations continuously. Since GC operations are a normal
405 part of Ceph Object Gateway operations, especially with object delete
406 operations, objects eligible for garbage collection exist most of the time.
408 Some workloads may temporarily or permanently outpace the rate of garbage
409 collection activity. This is especially true of delete-heavy workloads, where
410 many objects get stored for a short period of time and then deleted. For these
411 types of workloads, administrators can increase the priority of garbage
412 collection operations relative to other operations with the following
413 configuration parameters.
418 :Description: The maximum number of objects that may be handled by
419 garbage collection in one garbage collection processing cycle.
420 Please do not change this value after the first deployment.
426 ``rgw gc obj min wait``
428 :Description: The minimum wait time before a deleted object may be removed
429 and handled by garbage collection processing.
432 :Default: ``2 * 3600``
435 ``rgw gc processor max time``
437 :Description: The maximum time between the beginning of two consecutive garbage
438 collection processing cycles.
444 ``rgw gc processor period``
446 :Description: The cycle time for garbage collection processing.
453 .. versionadded:: Jewel
455 You may include the following settings in your Ceph configuration
456 file under each ``[client.radosgw.{instance-name}]`` instance.
461 :Description: The name of the zone for the gateway instance. If no zone is
462 set, a cluster-wide default can be configured with the command
463 ``radosgw-admin zone default``.
470 :Description: The name of the zonegroup for the gateway instance. If no
471 zonegroup is set, a cluster-wide default can be configured with
472 the command ``radosgw-admin zonegroup default``.
479 :Description: The name of the realm for the gateway instance. If no realm is
480 set, a cluster-wide default can be configured with the command
481 ``radosgw-admin realm default``.
486 ``rgw run sync thread``
488 :Description: If there are other zones in the realm to sync from, spawn threads
489 to handle the sync of data and metadata.
494 ``rgw data log window``
496 :Description: The data log entries window in seconds.
501 ``rgw data log changes size``
503 :Description: The number of in-memory entries to hold for the data changes log.
508 ``rgw data log obj prefix``
510 :Description: The object name prefix for the data log.
512 :Default: ``data_log``
515 ``rgw data log num shards``
517 :Description: The number of shards (objects) on which to keep the
524 ``rgw md log max shards``
526 :Description: The maximum number of shards for the metadata log.
530 .. important:: The values of ``rgw data log num shards`` and
531 ``rgw md log max shards`` should not be changed after sync has
537 ``rgw s3 auth use ldap``
539 :Description: Should S3 authentication use LDAP.
547 ``rgw enforce swift acls``
549 :Description: Enforces the Swift Access Control List (ACL) settings.
554 ``rgw swift token expiration``
556 :Description: The time in seconds for expiring a Swift token.
558 :Default: ``24 * 3600``
563 :Description: The URL for the Ceph Object Gateway Swift API.
568 ``rgw swift url prefix``
570 :Description: The URL prefix for the Swift API, to distinguish it from
571 the S3 API endpoint. The default is ``swift``, which
572 makes the Swift API available at the URL
573 ``http://host:port/swift/v1`` (or
574 ``http://host:port/swift/v1/AUTH_%(tenant_id)s`` if
575 ``rgw swift account in url`` is enabled).
577 For compatibility, setting this configuration variable
578 to the empty string causes the default ``swift`` to be
579 used; if you do want an empty prefix, set this option to
582 .. warning:: If you set this option to ``/``, you must
583 disable the S3 API by modifying ``rgw
584 enable apis`` to exclude ``s3``. It is not
585 possible to operate radosgw with ``rgw
586 swift url prefix = /`` and simultaneously
587 support both the S3 and Swift APIs. If you
588 do need to support both APIs without
589 prefixes, deploy multiple radosgw instances
590 to listen on different hosts (or ports)
591 instead, enabling some for S3 and some for
594 :Example: "/swift-testing"
597 ``rgw swift auth url``
599 :Description: Default URL for verifying v1 auth tokens (if not using internal
606 ``rgw swift auth entry``
608 :Description: The entry point for a Swift auth URL.
613 ``rgw swift account in url``
615 :Description: Whether or not the Swift account name should be included
616 in the Swift API URL.
618 If set to ``false`` (the default), then the Swift API
619 will listen on a URL formed like
620 ``http://host:port/<rgw_swift_url_prefix>/v1``, and the
621 account name (commonly a Keystone project UUID if
622 radosgw is configured with `Keystone integration
623 <../keystone>`_) will be inferred from request
626 If set to ``true``, the Swift API URL will be
627 ``http://host:port/<rgw_swift_url_prefix>/v1/AUTH_<account_name>``
629 ``http://host:port/<rgw_swift_url_prefix>/v1/AUTH_<keystone_project_id>``)
630 instead, and the Keystone ``object-store`` endpoint must
631 accordingly be configured to include the
632 ``AUTH_%(tenant_id)s`` suffix.
634 You **must** set this option to ``true`` (and update the
635 Keystone service catalog) if you want radosgw to support
636 publicly-readable containers and `temporary URLs
637 <../swift/tempurl>`_.
642 ``rgw swift versioning enabled``
644 :Description: Enables the Object Versioning of OpenStack Object Storage API.
645 This allows clients to put the ``X-Versions-Location`` attribute
646 on containers that should be versioned. The attribute specifies
647 the name of container storing archived versions. It must be owned
648 by the same user that the versioned container due to access
649 control verification - ACLs are NOT taken into consideration.
650 Those containers cannot be versioned by the S3 object versioning
653 A slightly different attribute, ``X-History-Location``, which is also understood by
654 `OpenStack Swift <https://docs.openstack.org/swift/latest/api/object_versioning.html>`_
655 for handling ``DELETE`` operations, is currently not supported.
660 ``rgw trust forwarded https``
662 :Description: When a proxy in front of radosgw is used for ssl termination, radosgw
663 does not know whether incoming http connections are secure. Enable
664 this option to trust the ``Forwarded`` and ``X-Forwarded-Proto`` headers
665 sent by the proxy when determining whether the connection is secure.
666 This is required for some features, such as server side encryption.
676 ``rgw log nonexistent bucket``
678 :Description: Enables Ceph Object Gateway to log a request for a non-existent
685 ``rgw log object name``
687 :Description: The logging format for an object name. See manpage
688 :manpage:`date` for details about format specifiers.
691 :Default: ``%Y-%m-%d-%H-%i-%n``
694 ``rgw log object name utc``
696 :Description: Whether a logged object name includes a UTC time.
697 If ``false``, it uses the local time.
703 ``rgw usage max shards``
705 :Description: The maximum number of shards for usage logging.
710 ``rgw usage max user shards``
712 :Description: The maximum number of shards used for a single user's
719 ``rgw enable ops log``
721 :Description: Enable logging for each successful Ceph Object Gateway operation.
726 ``rgw enable usage log``
728 :Description: Enable the usage log.
733 ``rgw ops log rados``
735 :Description: Whether the operations log should be written to the
736 Ceph Storage Cluster backend.
742 ``rgw ops log socket path``
744 :Description: The Unix domain socket for writing operations logs.
749 ``rgw ops log data backlog``
751 :Description: The maximum data backlog data size for operations logs written
752 to a Unix domain socket.
755 :Default: ``5 << 20``
758 ``rgw usage log flush threshold``
760 :Description: The number of dirty merged entries in the usage log before
761 flushing synchronously.
767 ``rgw usage log tick interval``
769 :Description: Flush pending usage log data every ``n`` seconds.
774 ``rgw log http headers``
776 :Description: Comma-delimited list of HTTP headers to include with ops
777 log entries. Header names are case insensitive, and use
778 the full header name with words separated by underscores.
782 :Example: "http_x_forwarded_for, http_x_special_k"
785 ``rgw intent log object name``
787 :Description: The logging format for the intent log object name. See manpage
788 :manpage:`date` for details about format specifiers.
791 :Default: ``%Y-%m-%d-%i-%n``
794 ``rgw intent log object name utc``
796 :Description: Whether the intent log object name includes a UTC time.
797 If ``false``, it uses the local time.
810 :Description: The URL for the Keystone server.
815 ``rgw keystone api version``
817 :Description: The version (2 or 3) of OpenStack Identity API that should be
818 used for communication with the Keystone server.
823 ``rgw keystone admin domain``
825 :Description: The name of OpenStack domain with admin privilege when using
826 OpenStack Identity API v3.
831 ``rgw keystone admin project``
833 :Description: The name of OpenStack project with admin privilege when using
834 OpenStack Identity API v3. If left unspecified, value of
835 ``rgw keystone admin tenant`` will be used instead.
840 ``rgw keystone admin token``
842 :Description: The Keystone admin token (shared secret). In Ceph RadosGW
843 authentication with the admin token has priority over
844 authentication with the admin credentials
845 (``rgw keystone admin user``, ``rgw keystone admin password``,
846 ``rgw keystone admin tenant``, ``rgw keystone admin project``,
847 ``rgw keystone admin domain``). The Keystone admin token
848 has been deprecated, but can be used to integrate with
849 older environments. Prefer ``rgw keystone admin token path``
850 to avoid exposing the token.
854 ``rgw keystone admin token path``
856 :Description: Path to a file containing the Keystone admin token
857 (shared secret). In Ceph RadosGW authentication with
858 the admin token has priority over authentication with
859 the admin credentials
860 (``rgw keystone admin user``, ``rgw keystone admin password``,
861 ``rgw keystone admin tenant``, ``rgw keystone admin project``,
862 ``rgw keystone admin domain``).
863 The Keystone admin token has been deprecated, but can be
864 used to integrate with older environments.
868 ``rgw keystone admin tenant``
870 :Description: The name of OpenStack tenant with admin privilege (Service Tenant) when
871 using OpenStack Identity API v2
876 ``rgw keystone admin user``
878 :Description: The name of OpenStack user with admin privilege for Keystone
879 authentication (Service User) when OpenStack Identity API v2
884 ``rgw keystone admin password``
886 :Description: The password for OpenStack admin user when using OpenStack
887 Identity API v2. Prefer ``rgw keystone admin password path``
888 to avoid exposing the token.
892 ``rgw keystone admin password path``
894 :Description: Path to a file containing the password for OpenStack
895 admin user when using OpenStack Identity API v2.
900 ``rgw keystone accepted roles``
902 :Description: The roles requires to serve requests.
904 :Default: ``Member, admin``
907 ``rgw keystone token cache size``
909 :Description: The maximum number of entries in each Keystone token cache.
914 ``rgw keystone revocation interval``
916 :Description: The number of seconds between token revocation checks.
918 :Default: ``15 * 60``
921 ``rgw keystone verify ssl``
923 :Description: Verify SSL certificates while making token requests to keystone.
928 Server-side encryption Settings
929 ===============================
931 ``rgw crypt s3 kms backend``
933 :Description: Where the SSE-KMS encryption keys are stored. Supported KMS
934 systems are OpenStack Barbican (``barbican``, the default) and
935 HashiCorp Vault (``vault``).
945 :Description: The URL for the Barbican server.
949 ``rgw keystone barbican user``
951 :Description: The name of the OpenStack user with access to the `Barbican`_
952 secrets used for `Encryption`_.
956 ``rgw keystone barbican password``
958 :Description: The password associated with the `Barbican`_ user.
962 ``rgw keystone barbican tenant``
964 :Description: The name of the OpenStack tenant associated with the `Barbican`_
965 user when using OpenStack Identity API v2.
969 ``rgw keystone barbican project``
971 :Description: The name of the OpenStack project associated with the `Barbican`_
972 user when using OpenStack Identity API v3.
976 ``rgw keystone barbican domain``
978 :Description: The name of the OpenStack domain associated with the `Barbican`_
979 user when using OpenStack Identity API v3.
984 HashiCorp Vault Settings
985 ========================
987 ``rgw crypt vault auth``
989 :Description: Type of authentication method to be used. The only method
990 currently supported is ``token``.
994 ``rgw crypt vault token file``
996 :Description: If authentication method is ``token``, provide a path to the token
997 file, which should be readable only by Rados Gateway.
1001 ``rgw crypt vault addr``
1003 :Description: Vault server base address, e.g. ``http://vaultserver:8200``.
1007 ``rgw crypt vault prefix``
1009 :Description: The Vault secret URL prefix, which can be used to restrict access
1010 to a particular subset of the secret space, e.g. ``/v1/secret/data``.
1014 ``rgw crypt vault secret engine``
1016 :Description: Vault Secret Engine to be used to retrieve encryption keys: choose
1017 between kv-v2, transit.
1021 ``rgw crypt vault namespace``
1023 :Description: If set, Vault Namespace provides tenant isolation for teams and individuals
1024 on the same Vault Enterprise instance, e.g. ``acme/tenant1``
1032 .. versionadded:: Nautilus
1034 The ``civetweb`` frontend has a threading model that uses a thread per
1035 connection and hence automatically throttled by ``rgw thread pool size``
1036 configurable when it comes to accepting connections. The ``beast`` frontend is
1037 not restricted by the thread pool size when it comes to accepting new
1038 connections, so a scheduler abstraction is introduced in Nautilus release which
1039 for supporting ways for scheduling requests in the future.
1041 Currently the scheduler defaults to a throttler which throttles the active
1042 connections to a configured limit. QoS based on mClock is currently in an
1043 *experimental* phase and not recommended for production yet. Current
1044 implementation of *dmclock_client* op queue divides RGW Ops on admin, auth
1045 (swift auth, sts) metadata & data requests.
1048 ``rgw max concurrent requests``
1050 :Description: Maximum number of concurrent HTTP requests that the beast frontend
1051 will process. Tuning this can help to limit memory usage under
1057 ``rgw scheduler type``
1059 :Description: The type of RGW Scheduler to use. Valid values are throttler,
1060 dmclock. Currently defaults to throttler which throttles beast
1061 frontend requests. dmclock is *experimental* and will need the
1062 experimental flag set
1065 The options below are to tune the experimental dmclock scheduler. For some
1066 further reading on dmclock, see :ref:`dmclock-qos`. `op_class` for the flags below is
1067 one of admin, auth, metadata or data.
1069 ``rgw_dmclock_<op_class>_res``
1071 :Description: The mclock reservation for `op_class` requests
1075 ``rgw_dmclock_<op_class>_wgt``
1077 :Description: The mclock weight for `op_class` requests
1081 ``rgw_dmclock_<op_class>_lim``
1083 :Description: The mclock limit for `op_class` requests
1089 .. _Architecture: ../../architecture#data-striping
1090 .. _Pool Configuration: ../../rados/configuration/pool-pg-config-ref/
1091 .. _Cluster Pools: ../../rados/operations/pools
1092 .. _Rados cluster handles: ../../rados/api/librados-intro/#step-2-configuring-a-cluster-handle
1093 .. _Barbican: ../barbican
1094 .. _Encryption: ../encryption
1095 .. _HTTP Frontends: ../frontends