From d72b27f2d1059a7be89e520f6ada9920eb3bf73c Mon Sep 17 00:00:00 2001
From: Scott Solkhon
Date: Tue, 13 Aug 2019 12:46:17 +0000
Subject: [PATCH] Add support for Swift S3 API
This feature is disabled by default, and can be enabled by setting 'enable_swift_s3api' to 'true' in globals.yml. Two middlewares are required for Swift S3 - s3api and s3token. Additionally, we need to configure the authtoken middleware to delay auth decisions to give s3token a chance to authorise requests using EC2 credentials.
Change-Id: Ib8e8e3a1c2ab383100f3c60ec58066e588d3b4db
---
 ansible/group_vars/all.yml | 1 +
 ansible/roles/swift/defaults/main.yml | 4 +++-
 .../roles/swift/templates/proxy-server.conf.j2 | 11 ++++++++++-
 doc/source/reference/storage/swift-guide.rst | 15 ++++++++++++---
 .../notes/swift-s3api-2b51917b169fff78.yaml | 4 ++++
 5 files changed, 30 insertions(+), 5 deletions(-)
 create mode 100644 releasenotes/notes/swift-s3api-2b51917b169fff78.yaml
diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml
index ca1d2971e2..97a249818d 100644
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@@ -617,6 +617,7 @@ enable_skydive: "no"
 enable_solum: "no"
 enable_storm: "{{ enable_monasca | bool }}"
 enable_swift: "no"
+enable_swift_s3api: "no"
 enable_tacker: "no"
 enable_telegraf: "no"
 enable_tempest: "no"
diff --git a/ansible/roles/swift/defaults/main.yml b/ansible/roles/swift/defaults/main.yml
index c79532c54d..dbc3daf316 100644
--- a/ansible/roles/swift/defaults/main.yml
+++ b/ansible/roles/swift/defaults/main.yml
@@ -64,7 +64,9 @@ swift_admin_tenant_name: "admin"
 swift_devices_mount_point: "/srv/node"
 swift_devices_match_mode: "strict"
 swift_devices_name: "KOLLA_SWIFT_DATA"
-swift_delay_auth_decision: "False"
+# For S3 API we need to defer the auth decision to allow s3api and s3token
+# middlewares to process requests using EC2 credentials.
+swift_delay_auth_decision: "{{ enable_swift_s3api | bool }}"
 # Boolean, true if there is a dedicated replication network.
 swift_has_replication_network: "{{ swift_storage_interface != swift_replication_interface }}"
diff --git a/ansible/roles/swift/templates/proxy-server.conf.j2 b/ansible/roles/swift/templates/proxy-server.conf.j2
index c842c556a8..3c002db0f6 100644
--- a/ansible/roles/swift/templates/proxy-server.conf.j2
+++ b/ansible/roles/swift/templates/proxy-server.conf.j2
@@ -10,7 +10,7 @@ log_level = {{ swift_log_level }}
 workers = {{ openstack_service_workers }}
 [pipeline:main]
-pipeline = catch_errors gatekeeper healthcheck cache container_sync bulk tempurl ratelimit authtoken keystoneauth container_quotas account_quotas slo dlo {% if enable_ceilometer | bool %}ceilometer {% endif %}proxy-server
+pipeline = catch_errors gatekeeper healthcheck cache container_sync bulk tempurl ratelimit authtoken {% if enable_swift_s3api | bool %}s3api s3token {% endif %}keystoneauth container_quotas account_quotas slo dlo {% if enable_ceilometer | bool %}ceilometer {% endif %}proxy-server
 [app:proxy-server]
 use = egg:swift#proxy
@@ -91,3 +91,12 @@ use = egg:swift#dlo
 [filter:versioned_writes]
 use = egg:swift#versioned_writes
 allow_versioned_writes = True
+
+{% if enable_swift_s3api | bool %}
+[filter:s3api]
+use = egg:swift#s3api
+
+[filter:s3token]
+use = egg:swift#s3token
+www_authenticate_uri = {{ keystone_internal_url }}/v3
+{% endif %}
diff --git a/doc/source/reference/storage/swift-guide.rst b/doc/source/reference/storage/swift-guide.rst
index 3b53783b75..6626e75012 100644
--- a/doc/source/reference/storage/swift-guide.rst
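Review bot: The new comment above `swift_delay_auth_decision` explains why the decision is deferred but not what that changes for the rest of the deployment: with the option on, authtoken stops rejecting requests that carry no valid token and passes them downstream, so rejection is left to keystoneauth and s3token. As far as I know this also lets container ACLs such as public read take effect for anonymous requests, which the previous hard-coded `"False"` prevented, so enabling the S3 API may change the exposure of existing Swift containers; please confirm. I would extend the comment with something like `# NOTE: authtoken then no longer rejects unauthenticated requests itself; keystoneauth makes the final decision, including for container ACLs.` and say the same in the release note. How the value is rendered into proxy-server.conf is outside this hunk.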
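Review bot: Placing `s3api s3token` after `authtoken` on the new `pipeline` line only works while authtoken defers its decision, yet the pipeline is switched by `enable_swift_s3api` and the deferral by the separately overridable `swift_delay_auth_decision`. An operator who has pinned `swift_delay_auth_decision` to false in their own variables and later enables the S3 API gets a pipeline in which authtoken rejects EC2-signed requests before s3token sees them; that fails closed, but nothing in the template explains it. A precheck asserting that the two settings agree would catch this, or at least a template comment such as `{# s3api and s3token sit after authtoken, so delay_auth_decision must be true #}`. The position of s3api relative to `bulk` and `slo` is also worth checking against the Swift documentation for the release being deployed, since this hunk does not show which order that release expects.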
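Review bot: In the new `[filter:s3token]` section the Keystone endpoint is passed as `www_authenticate_uri`, but as far as I know the s3token middleware shipped with Swift (`egg:swift#s3token`) reads `auth_uri`, while `www_authenticate_uri` is the option name used by keystonemiddleware. If that holds for the Swift release being deployed, s3token would have no Keystone URL to validate EC2 signatures against; please check that release's proxy-server.conf-sample and, if so, use `auth_uri = {{ keystone_internal_url }}/v3`. A short comment that signature validation requests go to `keystone_internal_url`, and therefore depend on that endpoint's TLS configuration being trusted by the proxy, would also help operators.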
+++ b/doc/source/reference/storage/swift-guide.rst
@@ -1,8 +1,8 @@
 .. _swift-guide:
-=============================
-Swift- Object storage service
-=============================
+==============================
+Swift - Object storage service
+==============================
 Overview
 ~~~~~~~~
@@ -266,3 +266,12 @@ A very basic smoke test:
 | Containers | 1 |
 | Objects | 1 |
 +------------+---------------------------------------+
+
+S3 API
+~~~~~~
+
+The Swift S3 API can be enabled by setting ``enable_swift_s3api`` to ``true``
+in ``globals.yml``. It is disabled by default. In order to use this API it is
+necessary to obtain EC2 credentials from Keystone. See the `Swift documentation
+`__
+for details.
diff --git a/releasenotes/notes/swift-s3api-2b51917b169fff78.yaml b/releasenotes/notes/swift-s3api-2b51917b169fff78.yaml
new file mode 100644
index 0000000000..ac9af5e097
--- /dev/null
+++ b/releasenotes/notes/swift-s3api-2b51917b169fff78.yaml
@@ -0,0 +1,4 @@
+---
+features:
+ - |
+ Adds support for the Swift S3 API, enabled via the ``enable_swift_s3api`` flag.