rgw keystone admin token path = {path to keystone admin token} #preferred
rgw keystone accepted roles = {accepted user roles}
rgw keystone token cache size = {number of tokens to cache}
- rgw keystone revocation interval = {number of seconds before checking revoked tickets}
rgw keystone implicit tenants = {true for private tenant for each new user}
- nss db path = {path to nss db}
It is also possible to configure a Keystone service tenant, user & password for
-keystone (for v2.0 version of the OpenStack Identity API), similar to the way
+Keystone (for v2.0 version of the OpenStack Identity API), similar to the way
OpenStack services tend to be configured, this avoids the need for setting the
shared secret ``rgw keystone admin token`` in the configuration file, which is
recommended to be disabled in production environments. The service tenant
-credentials should have admin privileges, for more details refer the `Openstack
-keystone documentation`_, which explains the process in detail. The requisite
+credentials should have admin privileges, for more details refer the `OpenStack
+Keystone documentation`_, which explains the process in detail. The requisite
configuration options for are::
rgw keystone admin user = {keystone service tenant user name}
rgw keystone admin domain = {keystone admin domain name}
rgw keystone admin project = {keystone admin project name}
+For compatibility with previous versions of ceph, it is also
+possible to set ``rgw keystone implicit tenants`` to either
+``s3`` or ``swift``. This has the effect of splitting
+the identity space such that the indicated protocol will
+only use implicit tenants, and the other protocol will
+never use implicit tenants. Some older versions of ceph
+only supported implicit tenants with swift.
-Prior to Kilo
--------------
-
-Keystone itself needs to be configured to point to the Ceph Object Gateway as an
-object-storage endpoint::
-
- keystone service-create --name swift --type object-store
- keystone endpoint-create --service-id <id> --publicurl http://radosgw.example.com/swift/v1 \
- --internalurl http://radosgw.example.com/swift/v1 --adminurl http://radosgw.example.com/swift/v1
-
-
-As of Kilo
-----------
+Ocata (and later)
+-----------------
Keystone itself needs to be configured to point to the Ceph Object Gateway as an
object-storage endpoint::
endpoint URLs must be set to include the suffix
``/v1/AUTH_%(tenant_id)s`` (instead of just ``/v1``).
-The keystone URL is the Keystone admin RESTful API URL. The admin token is the
+The Keystone URL is the Keystone admin RESTful API URL. The admin token is the
token that is configured internally in Keystone for admin requests.
-The Ceph Object Gateway will query Keystone periodically for a list of revoked
-tokens. These requests are encoded and signed. Also, Keystone may be configured
-to provide self-signed tokens, which are also encoded and signed. The gateway
-needs to be able to decode and verify these signed messages, and the process
-requires that the gateway be set up appropriately. Currently, the Ceph Object
-Gateway will only be able to perform the procedure if it was compiled with
-``--with-nss``. Configuring the Ceph Object Gateway to work with Keystone also
-requires converting the OpenSSL certificates that Keystone uses for creating the
-requests to the nss db format, for example::
-
- mkdir /var/ceph/nss
+OpenStack Keystone may be terminated with a self signed ssl certificate, in
+order for radosgw to interact with Keystone in such a case, you could either
+install Keystone's ssl certificate in the node running radosgw. Alternatively
+radosgw could be made to not verify the ssl certificate at all (similar to
+OpenStack clients with a ``--insecure`` switch) by setting the value of the
+configurable ``rgw keystone verify ssl`` to false.
- openssl x509 -in /etc/keystone/ssl/certs/ca.pem -pubkey | \
- certutil -d /var/ceph/nss -A -n ca -t "TCu,Cu,Tuw"
- openssl x509 -in /etc/keystone/ssl/certs/signing_cert.pem -pubkey | \
- certutil -A -d /var/ceph/nss -n signing_cert -t "P,P,P"
+.. _OpenStack Keystone documentation: http://docs.openstack.org/developer/keystone/configuringservices.html#setting-up-projects-users-and-roles
+Cross Project(Tenant) Access
+----------------------------
-Openstack keystone may also be terminated with a self signed ssl certificate, in
-order for radosgw to interact with keystone in such a case, you could either
-install keystone's ssl certificate in the node running radosgw. Alternatively
-radosgw could be made to not verify the ssl certificate at all (similar to
-openstack clients with a ``--insecure`` switch) by setting the value of the
-configurable ``rgw keystone verify ssl`` to false.
+In order to let a project (earlier called a 'tenant') access buckets belonging to a different project, the following config option needs to be enabled::
+ rgw swift account in url = true
-.. _Openstack keystone documentation: http://docs.openstack.org/developer/keystone/configuringservices.html#setting-up-projects-users-and-roles
+The Keystone object-store endpoint must accordingly be configured to include the AUTH_%(project_id)s suffix::
+ openstack endpoint create --region RegionOne \
+ --publicurl "http://radosgw.example.com:8080/swift/v1/AUTH_$(project_id)s" \
+ --adminurl "http://radosgw.example.com:8080/swift/v1/AUTH_$(project_id)s" \
+ --internalurl "http://radosgw.example.com:8080/swift/v1/AUTH_$(project_id)s" \
+ swift
+ +--------------+--------------------------------------------------------------+
+ | Field | Value |
+ +--------------+--------------------------------------------------------------+
+ | adminurl | http://radosgw.example.com:8080/swift/v1/AUTH_$(project_id)s |
+ | id | e4249d2b60e44743a67b5e5b38c18dd3 |
+ | internalurl | http://radosgw.example.com:8080/swift/v1/AUTH_$(project_id)s |
+ | publicurl | http://radosgw.example.com:8080/swift/v1/AUTH_$(project_id)s |
+ | region | RegionOne |
+ | service_id | 37c4c0e79571404cb4644201a4a6e5ee |
+ | service_name | swift |
+ | service_type | object-store |
+ +--------------+--------------------------------------------------------------+
Keystone integration with the S3 API
------------------------------------