ceph/doc/radosgw/rgw-cache.rst

   1 ==========================
   2 RGW Data caching and CDN
   3 ==========================
   4
   5 .. versionadded:: Octopus
   6
   7 .. contents::
   8
   9 This feature adds to RGW the ability to securely cache objects and offload the workload from the cluster, using Nginx.
  10 After an object is accessed the first time it will be stored in the Nginx directory.
  11 When data is already cached, it need not be fetched from RGW. A permission check will be made against RGW to ensure the requesting user has access.
  12 This feature is based on some Nginx modules, ngx_http_auth_request_module, https://github.com/kaltura/nginx-aws-auth-module, Openresty for lua capabilities.
  13 Currently this feature only works for GET requests and it will cache only AWSv4 requests (only s3 requests).
  14 The feature introduces 2 new APIs: Auth and Cache.
  15
  16 New APIs
  17 -------------------------
  18
  19 There are 2 new apis for this feature:
  20
  21 Auth API - The cache uses this to validate that an user can access the cached data
  22
  23 Cache API - Adds the ability to override securely Range header, that way Nginx can use it is own smart cache on top of S3:
  24 https://www.nginx.com/blog/smart-efficient-byte-range-caching-nginx/
  25 Using this API gives the ability to read ahead objects when clients asking a specific range from the object.
  26 On subsequent accesses to the cached object, Nginx will satisfy requests for already-cached ranges from cache. Uncached ranges will be read from RGW (and cached).
  27
  28 Auth API
  29 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  30
  31 This API Validates a specific authenticated access being made to the cache, using RGW's knowledge of the client credentials and stored access policy.
  32 Returns success if the encapsulated request would be granted.
  33
  34 Cache API
  35 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  36
  37 This API is meant to allow changing signed Range headers using a privileged user, cache user.
  38
  39 Creating cache user
  40
  41 ::
  42
  43 $ radosgw-admin user create --uid=<uid for cache user> --display-name="cache user" --caps="amz-cache=read"
  44
  45 This user can send to the RGW the Cache API header ``X-Amz-Cache``, this header contains the headers from the original request(before changing the Range header).
  46 It means that ``X-Amz-Cache`` built from several headers.
  47 The headers that are building the ``X-Amz-Cache`` header are separated by char with ascii code 177 and the header name and value are separated by char ascii code 178.
  48 The RGW will check that the cache user is an authorized user and if it is a cache user,
  49 if yes it will use the ``X-Amz-Cache`` to revalidate that the user have permissions, using the headers from the X-Amz-Cache.
  50 During this flow the RGW will override the Range header.
  51
  52
  53 Using Nginx with RGW
  54 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  55
  56 Download the source of Openresty:
  57
  58 ::
  59
  60 $ wget https://openresty.org/download/openresty-1.15.8.3.tar.gz
  61
  62 git clone the aws auth nginx module:
  63
  64 ::
  65
  66 $ git clone https://github.com/kaltura/nginx-aws-auth-module
  67
  68 untar the openresty package:
  69
  70 ::
  71
  72 $ tar xvzf openresty-1.15.8.3.tar.gz
  73 $ cd openresty-1.15.8.3
  74
  75 Compile openresty, Make sure that you have pcre lib and openssl lib:
  76
  77 ::
  78
  79 $ sudo yum install pcre-devel openssl-devel gcc curl zlib-devel nginx
  80 $ ./configure --add-module=<the nginx-aws-auth-module dir> --with-http_auth_request_module --with-http_slice_module --conf-path=/etc/nginx/nginx.conf
  81 $ gmake -j $(nproc)
  82 $ sudo gmake install
  83 $ sudo ln -sf /usr/local/openresty/bin/openresty /usr/bin/nginx
  84
  85 Put in-place your nginx configuration files and edit them according to your environment:
  86
  87 All nginx conf files are under: https://github.com/ceph/ceph/tree/master/examples/rgw-cache
  88
  89 nginx.conf should go to /etc/nginx/nginx.conf
  90
  91 nginx-lua-file.lua should go to /etc/nginx/nginx-lua-file.lua
  92
  93 nginx-default.conf should go to /etc/nginx/conf.d/nginx-default.conf
  94
  95 The parameters that are most likely to require adjustment according to the environment are located in the file nginx-default.conf
  96
  97 Modify the example values of *proxy_cache_path* and *max_size* at:
  98
  99 `proxy_cache_path /data/cache levels=2:2:2 keys_zone=mycache:999m max_size=20G inactive=1d use_temp_path=off;`
 100
 101 And modify the example *server* values to point to the RGWs URIs:
 102
 103 `server rgw1:8000 max_fails=2 fail_timeout=5s;`
 104
 105 `server rgw2:8000 max_fails=2 fail_timeout=5s;`
 106
 107 `server rgw3:8000 max_fails=2 fail_timeout=5s;`
 108
 109 It is important to substitute the access key and secret key located in the nginx.conf with those belong to the user with the amz-cache caps
 110
 111 It is possible to use nginx slicing which is a better method for streaming purposes.
 112
 113 For using slice you should use nginx-slicing.conf and not nginx-default.conf
 114
 115 Further information about nginx slicing:
 116
 117 https://docs.nginx.com/nginx/admin-guide/content-cache/content-caching/#byte-range-caching
 118
 119
 120 If you do not want to use the prefetch caching, It is possible to replace nginx-default.conf with nginx-noprefetch.conf
 121 Using noprefetch means that if the client is sending range request of 0-4095 and then 0-4096 Nginx will cache those requests separately, So it will need to fetch those requests twice.
 122
 123
 124 Run nginx(openresty):
 125 ::
 126
 127 $ sudo systemctl restart nginx