]> git.proxmox.com Git - ceph.git/blob - ceph/doc/radosgw/keystone.rst
projects / ceph.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
update sources to 12.2.7
[ceph.git] / ceph / doc / radosgw / keystone.rst
1 =====================================
2 Integrating with OpenStack Keystone
3 =====================================
4
5 It is possible to integrate the Ceph Object Gateway with Keystone, the OpenStack
6 identity service. This sets up the gateway to accept Keystone as the users
7 authority. A user that Keystone authorizes to access the gateway will also be
8 automatically created on the Ceph Object Gateway (if didn't exist beforehand). A
9 token that Keystone validates will be considered as valid by the gateway.
10
11 The following configuration options are available for Keystone integration::
12
13 [client.radosgw.gateway]
14 rgw keystone api version = {keystone api version}
15 rgw keystone url = {keystone server url:keystone server admin port}
16 rgw keystone admin token = {keystone admin token}
17 rgw keystone accepted roles = {accepted user roles}
18 rgw keystone token cache size = {number of tokens to cache}
19 rgw keystone revocation interval = {number of seconds before checking revoked tickets}
20 rgw keystone implicit tenants = {true for private tenant for each new user}
21 rgw s3 auth use keystone = true
22 nss db path = {path to nss db}
23
24 It is also possible to configure a Keystone service tenant, user & password for
25 keystone (for v2.0 version of the OpenStack Identity API), similar to the way
26 OpenStack services tend to be configured, this avoids the need for setting the
27 shared secret ``rgw keystone admin token`` in the configuration file, which is
28 recommended to be disabled in production environments. The service tenant
29 credentials should have admin privileges, for more details refer the `Openstack
30 keystone documentation`_, which explains the process in detail. The requisite
31 configuration options for are::
32
33 rgw keystone admin user = {keystone service tenant user name}
34 rgw keystone admin password = {keystone service tenant user password}
35 rgw keystone admin tenant = {keystone service tenant name}
36
37
38 A Ceph Object Gateway user is mapped into a Keystone ``tenant``. A Keystone user
39 has different roles assigned to it on possibly more than a single tenant. When
40 the Ceph Object Gateway gets the ticket, it looks at the tenant, and the user
41 roles that are assigned to that ticket, and accepts/rejects the request
42 according to the ``rgw keystone accepted roles`` configurable.
43
44 For a v3 version of the OpenStack Identity API you should replace
45 ``rgw keystone admin tenant`` with::
46
47 rgw keystone admin domain = {keystone admin domain name}
48 rgw keystone admin project = {keystone admin project name}
49
50 For compatibility with previous versions of ceph, it is also
51 possible to set ``rgw keystone implicit tenants`` to either
52 ``s3`` or ``swift``. This has the effect of splitting
53 the identity space such that the indicated protocol will
54 only use implicit tenants, and the other protocol will
55 never use implicit tenants. Some older versions of ceph
56 only supported implicit tenants with swift.
57
58 Prior to Kilo
59 -------------
60
61 Keystone itself needs to be configured to point to the Ceph Object Gateway as an
62 object-storage endpoint::
63
64 keystone service-create --name swift --type object-store
65 keystone endpoint-create --service-id <id> --publicurl http://radosgw.example.com/swift/v1 \
66 --internalurl http://radosgw.example.com/swift/v1 --adminurl http://radosgw.example.com/swift/v1
67
68
69 As of Kilo
70 ----------
71
72 Keystone itself needs to be configured to point to the Ceph Object Gateway as an
73 object-storage endpoint::
74
75 openstack service create --name=swift \
76 --description="Swift Service" \
77 object-store
78 +-------------+----------------------------------+
79 | Field | Value |
80 +-------------+----------------------------------+
81 | description | Swift Service |
82 | enabled | True |
83 | id | 37c4c0e79571404cb4644201a4a6e5ee |
84 | name | swift |
85 | type | object-store |
86 +-------------+----------------------------------+
87
88 openstack endpoint create --region RegionOne \
89 --publicurl "http://radosgw.example.com:8080/swift/v1" \
90 --adminurl "http://radosgw.example.com:8080/swift/v1" \
91 --internalurl "http://radosgw.example.com:8080/swift/v1" \
92 swift
93 +--------------+------------------------------------------+
94 | Field | Value |
95 +--------------+------------------------------------------+
96 | adminurl | http://radosgw.example.com:8080/swift/v1 |
97 | id | e4249d2b60e44743a67b5e5b38c18dd3 |
98 | internalurl | http://radosgw.example.com:8080/swift/v1 |
99 | publicurl | http://radosgw.example.com:8080/swift/v1 |
100 | region | RegionOne |
101 | service_id | 37c4c0e79571404cb4644201a4a6e5ee |
102 | service_name | swift |
103 | service_type | object-store |
104 +--------------+------------------------------------------+
105
106 $ openstack endpoint show object-store
107 +--------------+------------------------------------------+
108 | Field | Value |
109 +--------------+------------------------------------------+
110 | adminurl | http://radosgw.example.com:8080/swift/v1 |
111 | enabled | True |
112 | id | e4249d2b60e44743a67b5e5b38c18dd3 |
113 | internalurl | http://radosgw.example.com:8080/swift/v1 |
114 | publicurl | http://radosgw.example.com:8080/swift/v1 |
115 | region | RegionOne |
116 | service_id | 37c4c0e79571404cb4644201a4a6e5ee |
117 | service_name | swift |
118 | service_type | object-store |
119 +--------------+------------------------------------------+
120
121
122 The keystone URL is the Keystone admin RESTful API URL. The admin token is the
123 token that is configured internally in Keystone for admin requests.
124
125 The Ceph Object Gateway will query Keystone periodically for a list of revoked
126 tokens. These requests are encoded and signed. Also, Keystone may be configured
127 to provide self-signed tokens, which are also encoded and signed. The gateway
128 needs to be able to decode and verify these signed messages, and the process
129 requires that the gateway be set up appropriately. Currently, the Ceph Object
130 Gateway will only be able to perform the procedure if it was compiled with
131 ``--with-nss``. Configuring the Ceph Object Gateway to work with Keystone also
132 requires converting the OpenSSL certificates that Keystone uses for creating the
133 requests to the nss db format, for example::
134
135 mkdir /var/ceph/nss
136
137 openssl x509 -in /etc/keystone/ssl/certs/ca.pem -pubkey | \
138 certutil -d /var/ceph/nss -A -n ca -t "TCu,Cu,Tuw"
139 openssl x509 -in /etc/keystone/ssl/certs/signing_cert.pem -pubkey | \
140 certutil -A -d /var/ceph/nss -n signing_cert -t "P,P,P"
141
142
143
144 Openstack keystone may also be terminated with a self signed ssl certificate, in
145 order for radosgw to interact with keystone in such a case, you could either
146 install keystone's ssl certificate in the node running radosgw. Alternatively
147 radosgw could be made to not verify the ssl certificate at all (similar to
148 openstack clients with a ``--insecure`` switch) by setting the value of the
149 configurable ``rgw keystone verify ssl`` to false.
150
151
152 .. _Openstack keystone documentation: http://docs.openstack.org/developer/keystone/configuringservices.html#setting-up-projects-users-and-roles
Ceph