=====================================
Integrating with OpenStack Keystone
=====================================

It is possible to integrate the Ceph Object Gateway with Keystone, the OpenStack
identity service. This sets up the gateway to accept Keystone as the users
authority. A user that Keystone authorizes to access the gateway will also be
automatically created on the Ceph Object Gateway (if it didn't exist beforehand). A
token that Keystone validates will be considered as valid by the gateway.

The following configuration options are available for Keystone integration::

    [client.radosgw.gateway]
    rgw keystone api version = {keystone api version}
    rgw keystone url = {keystone server url:keystone server admin port}
    rgw keystone admin token = {keystone admin token}
    rgw keystone accepted roles = {accepted user roles}
    rgw keystone token cache size = {number of tokens to cache}
    rgw keystone revocation interval = {number of seconds before checking revoked tickets}
    rgw keystone implicit tenants = {true for private tenant for each new user}
    rgw s3 auth use keystone = true
    nss db path = {path to nss db}

It is also possible to configure a Keystone service tenant, user and password for
Keystone (for the v2.0 version of the OpenStack Identity API), similar to the way
OpenStack services tend to be configured. This avoids the need to set the
shared secret ``rgw keystone admin token`` in the configuration file; use of the
admin token is recommended to be disabled in production environments. The service
tenant credentials should have admin privileges; for more details, refer to the
`Openstack keystone documentation`_, which explains the process in detail. The
requisite configuration options are::

    rgw keystone admin user = {keystone service tenant user name}
    rgw keystone admin password = {keystone service tenant user password}
    rgw keystone admin tenant = {keystone service tenant name}


A Ceph Object Gateway user is mapped into a Keystone ``tenant``. A Keystone user
has different roles assigned to it on possibly more than a single tenant. When
the Ceph Object Gateway gets the ticket, it looks at the tenant and the user
roles that are assigned to that ticket, and accepts or rejects the request
according to the ``rgw keystone accepted roles`` configurable.

For a v3 version of the OpenStack Identity API you should replace
``rgw keystone admin tenant`` with::

    rgw keystone admin domain = {keystone admin domain name}
    rgw keystone admin project = {keystone admin project name}

For compatibility with previous versions of Ceph, it is also
possible to set ``rgw keystone implicit tenants`` to either
``s3`` or ``swift``. This has the effect of splitting
the identity space such that the indicated protocol will
only use implicit tenants, and the other protocol will
never use implicit tenants. Some older versions of Ceph
only supported implicit tenants with Swift.
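The tenant and role check described above, and the per-protocol meaning of ``rgw keystone implicit tenants``, as an added Python model (this is an illustration written for this page, not radosgw's own code). It reduces a constructed Keystone v2.0 token validation response to the tenant and roles bound to the ticket, accepts the request only if one of those roles is in ``rgw keystone accepted roles``, rejects an unscoped token that carries no tenant, and interprets ``true``/``false``/``s3``/``swift`` for one protocol. The sample responses and the ``tenant$user`` spelling in ``rgw_user_for`` are assumptions for the illustration.

```python
"""Model of the Keystone acceptance decision for the Ceph Object Gateway.

Added example, not Ceph's own code. The token layout follows the Keystone
v2.0 token validation response; the gateway user naming in rgw_user_for is
illustrative only.
"""
import json

# Constructed sample: a token scoped to the tenant "demo" with two roles.
SCOPED_TOKEN = json.dumps({
    "access": {
        "token": {"id": "tok-example", "expires": "2038-01-01T00:00:00Z",
                  "tenant": {"id": "a1b2c3", "name": "demo"}},
        "user": {"id": "u-42", "name": "alice",
                 "roles": [{"name": "Member"}, {"name": "_member_"}]},
    }
})

# Constructed sample: an unscoped token, i.e. no tenant to map the user into.
UNSCOPED_TOKEN = json.dumps({
    "access": {
        "token": {"id": "tok-unscoped", "expires": "2038-01-01T00:00:00Z"},
        "user": {"id": "u-42", "name": "alice", "roles": [{"name": "Member"}]},
    }
})


def parse_accepted_roles(setting):
    """``rgw keystone accepted roles`` is a comma-separated list of role names."""
    return {r.strip() for r in setting.split(",") if r.strip()}


def authorize(token_body, accepted_roles_setting):
    """Return (accepted, reason) for a token Keystone has already validated.

    As the page describes: look at the tenant and the roles bound to the
    ticket, and accept only if at least one role is in the accepted list.
    """
    access = json.loads(token_body).get("access", {})
    tenant = access.get("token", {}).get("tenant")
    if tenant is None:
        # Edge case: unscoped tokens carry no tenant, so there is nothing to
        # map the gateway user into; reject rather than guess.
        return False, "token is not scoped to a tenant"
    roles = {r["name"] for r in access.get("user", {}).get("roles", [])}
    accepted = parse_accepted_roles(accepted_roles_setting)
    matched = roles & accepted
    if not matched:
        return False, "roles %s do not match accepted roles %s" % (
            sorted(roles), sorted(accepted))
    return True, "tenant %s accepted via role %s" % (
        tenant["name"], sorted(matched)[0])


def uses_implicit_tenants(setting, protocol):
    """Interpret ``rgw keystone implicit tenants`` for one protocol.

    ``true``/``false`` apply to both protocols; ``s3`` or ``swift`` turns
    implicit tenants on for that protocol only and off for the other.
    """
    value = setting.strip().lower()
    if value in ("true", "yes", "1"):
        return True
    if value in ("false", "no", "0"):
        return False
    if value in ("s3", "swift"):
        return value == protocol
    raise ValueError("unrecognised rgw keystone implicit tenants value: %r" % setting)


def rgw_user_for(token_body, implicit):
    """Illustrative gateway user name for a Keystone identity (assumption).

    The gateway user is mapped to the Keystone tenant; with implicit tenants
    that user is additionally placed in a private tenant of its own, written
    here in radosgw's ``tenant$user`` spelling.
    """
    tenant_id = json.loads(token_body)["access"]["token"]["tenant"]["id"]
    return "%s$%s" % (tenant_id, tenant_id) if implicit else tenant_id


if __name__ == "__main__":
    print(authorize(SCOPED_TOKEN, "Member, admin"))
    print(authorize(SCOPED_TOKEN, "admin"))
    print(authorize(UNSCOPED_TOKEN, "Member"))
    for setting in ("true", "false", "s3", "swift"):
        print(setting, {p: uses_implicit_tenants(setting, p) for p in ("s3", "swift")})
```

Running the block prints the accept/reject reason for each constructed token and the per-protocol table for the four settings; the point to take from it is that the role match is the only gate once Keystone has validated the token, so the accepted-roles list should be kept as narrow as the deployment allows.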

Prior to Kilo
-------------

Keystone itself needs to be configured to point to the Ceph Object Gateway as an
object-storage endpoint::

    keystone service-create --name swift --type object-store
    keystone endpoint-create --service-id <id> --publicurl http://radosgw.example.com/swift/v1 \
        --internalurl http://radosgw.example.com/swift/v1 --adminurl http://radosgw.example.com/swift/v1


As of Kilo
----------

Keystone itself needs to be configured to point to the Ceph Object Gateway as an
object-storage endpoint::

    openstack service create --name=swift \
                             --description="Swift Service" \
                             object-store
    +-------------+----------------------------------+
    | Field       | Value                            |
    +-------------+----------------------------------+
    | description | Swift Service                    |
    | enabled     | True                             |
    | id          | 37c4c0e79571404cb4644201a4a6e5ee |
    | name        | swift                            |
    | type        | object-store                     |
    +-------------+----------------------------------+

    openstack endpoint create --region RegionOne \
           --publicurl   "http://radosgw.example.com:8080/swift/v1" \
           --adminurl    "http://radosgw.example.com:8080/swift/v1" \
           --internalurl "http://radosgw.example.com:8080/swift/v1" \
           swift
    +--------------+------------------------------------------+
    | Field        | Value                                    |
    +--------------+------------------------------------------+
    | adminurl     | http://radosgw.example.com:8080/swift/v1 |
    | id           | e4249d2b60e44743a67b5e5b38c18dd3         |
    | internalurl  | http://radosgw.example.com:8080/swift/v1 |
    | publicurl    | http://radosgw.example.com:8080/swift/v1 |
    | region       | RegionOne                                |
    | service_id   | 37c4c0e79571404cb4644201a4a6e5ee         |
    | service_name | swift                                    |
    | service_type | object-store                             |
    +--------------+------------------------------------------+

    $ openstack endpoint show object-store
    +--------------+------------------------------------------+
    | Field        | Value                                    |
    +--------------+------------------------------------------+
    | adminurl     | http://radosgw.example.com:8080/swift/v1 |
    | enabled      | True                                     |
    | id           | e4249d2b60e44743a67b5e5b38c18dd3         |
    | internalurl  | http://radosgw.example.com:8080/swift/v1 |
    | publicurl    | http://radosgw.example.com:8080/swift/v1 |
    | region       | RegionOne                                |
    | service_id   | 37c4c0e79571404cb4644201a4a6e5ee         |
    | service_name | swift                                    |
    | service_type | object-store                             |
    +--------------+------------------------------------------+


The keystone URL is the Keystone admin RESTful API URL. The admin token is the
token that is configured internally in Keystone for admin requests.

The Ceph Object Gateway will query Keystone periodically for a list of revoked
tokens. These requests are encoded and signed. Also, Keystone may be configured
to provide self-signed tokens, which are also encoded and signed. The gateway
needs to be able to decode and verify these signed messages, and the process
requires that the gateway be set up appropriately. Currently, the Ceph Object
Gateway will only be able to perform the procedure if it was compiled with
``--with-nss``. Configuring the Ceph Object Gateway to work with Keystone also
requires converting the OpenSSL certificates that Keystone uses for creating the
requests to the NSS db format, for example::

    mkdir /var/ceph/nss

    openssl x509 -in /etc/keystone/ssl/certs/ca.pem -pubkey | \
        certutil -d /var/ceph/nss -A -n ca -t "TCu,Cu,Tuw"
    openssl x509 -in /etc/keystone/ssl/certs/signing_cert.pem -pubkey | \
        certutil -A -d /var/ceph/nss -n signing_cert -t "P,P,P"



OpenStack Keystone may also be terminated with a self-signed SSL certificate. In
order for radosgw to interact with Keystone in such a case, you can either
install Keystone's SSL certificate on the node running radosgw, or make radosgw
not verify the SSL certificate at all (similar to OpenStack clients with an
``--insecure`` switch) by setting the value of the configurable
``rgw keystone verify ssl`` to false.
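What the two choices above mean at the TLS layer, as an added Python illustration (not radosgw's code, which is C++): the function builds the client-side SSL context a Keystone request would use from the ``rgw keystone verify ssl`` setting, and an optional CA bundle path stands in for installing Keystone's certificate on the radosgw node. The ``ca_bundle`` parameter and the boolean parsing are assumptions for the example; the ``false`` branch is exactly the ``--insecure`` behaviour, with no chain validation and no hostname check.

```python
"""Added example: the TLS consequences of ``rgw keystone verify ssl``.

Not Ceph's own code. Verification on (the default) plus a CA bundle that
contains Keystone's self-signed certificate is the setting that keeps the
token validation channel authenticated; verification off is the insecure
alternative the page mentions.
"""
import ssl


def parse_bool(setting):
    """Parse a ceph.conf style boolean (assumed forms: true/false, yes/no, 1/0)."""
    value = setting.strip().lower()
    if value in ("true", "yes", "1"):
        return True
    if value in ("false", "no", "0"):
        return False
    raise ValueError("not a boolean setting: %r" % setting)


def keystone_ssl_context(verify_ssl_setting="true", ca_bundle=None):
    """Build the SSL context a client would use towards the Keystone URL.

    ca_bundle (assumption for this illustration) is the path of a PEM file
    holding Keystone's certificate; None falls back to the system trust store.
    """
    if not parse_bool(verify_ssl_setting):
        # ``rgw keystone verify ssl = false``: no chain validation, no hostname
        # check. check_hostname must be cleared before verify_mode is relaxed.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    # Default: validate the chain and the hostname. Installing Keystone's
    # self-signed certificate (here: passing it as cafile) makes the handshake
    # succeed without giving up either check.
    return ssl.create_default_context(cafile=ca_bundle)


def describe(ctx):
    """Summarise which checks a context actually performs."""
    return {
        "verifies_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
    }


if __name__ == "__main__":
    print("verify ssl = true :", describe(keystone_ssl_context("true")))
    print("verify ssl = false:", describe(keystone_ssl_context("false")))
```

Run as a script it prints the two summaries side by side; the ``false`` row shows both checks off, which is why installing the certificate is the preferable fix for a self-signed Keystone endpoint.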


.. _Openstack keystone documentation: http://docs.openstack.org/developer/keystone/configuringservices.html#setting-up-projects-users-and-roles