]> git.proxmox.com Git - ceph.git/blobdiff - ceph/doc/radosgw/s3/authentication.rst
projects / ceph.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
update sources to ceph Nautilus 14.2.1
[ceph.git] / ceph / doc / radosgw / s3 / authentication.rst
diff --git a/ceph/doc/radosgw/s3/authentication.rst b/ceph/doc/radosgw/s3/authentication.rst
index 3cdacc495dfbbb526046bd6527be31b235422c00..10143290d3c77092c5448d3095f9def3832cb4ec 100644 (file)
--- a/ceph/doc/radosgw/s3/authentication.rst
+++ b/ceph/doc/radosgw/s3/authentication.rst
@@ -49,6 +49,41 @@ To normalize the header into canonical form:
 
 Replace the ``{hash-of-header-and-secret}`` with the base-64 encoded HMAC string.
 
+Authentication against OpenStack Keystone
+-----------------------------------------
+
+In a radosgw instance that is configured with authentication against
+OpenStack Keystone, it is possible to use Keystone as an authoritative
+source for S3 API authentication. To do so, you must set:
+
+* the ``rgw keystone`` configuration options explained in :doc:`../keystone`,
+* ``rgw s3 auth use keystone = true``.
+
+In addition, a user wishing to use the S3 API must obtain an AWS-style
+access key and secret key. They can do so with the ``openstack ec2
+credentials create`` command::
+
+  $ openstack --os-interface public ec2 credentials create
+  +------------+---------------------------------------------------------------------------------------------------------------------------------------------+
+  | Field      | Value                                                                                                                                       |
+  +------------+---------------------------------------------------------------------------------------------------------------------------------------------+
+  | access     | c921676aaabbccdeadbeef7e8b0eeb2c                                                                                                            |
+  | links      | {u'self': u'https://auth.example.com:5000/v3/users/7ecbebaffeabbddeadbeefa23267ccbb24/credentials/OS-EC2/c921676aaabbccdeadbeef7e8b0eeb2c'} |
+  | project_id | 5ed51981aab4679851adeadbeef6ebf7                                                                                                            |
+  | secret     | ********************************                                                                                                            |
+  | trust_id   | None                                                                                                                                        |
+  | user_id    | 7ecbebaffeabbddeadbeefa23267cc24                                                                                                            |
+  +------------+---------------------------------------------------------------------------------------------------------------------------------------------+
+
+The thus-generated access and secret key can then be used for S3 API
+access to radosgw.
+
+.. note:: Consider that most production radosgw deployments
+          authenticating against OpenStack Keystone are also set up
+          for :doc:`../multitenancy`, for which special
+          considerations apply with respect to S3 signed URLs and
+          public read ACLs.
+
 Access Control Lists (ACLs)
 ---------------------------
 
@@ -193,4 +228,4 @@ policies rather than S3 ACLs when possible.
 
 
 .. _RFC 2104: http://www.ietf.org/rfc/rfc2104.txt
-.. _HMAC: http://en.wikipedia.org/wiki/HMAC
+.. _HMAC: https://en.wikipedia.org/wiki/HMAC
Ceph