Add support for Swift S3 API

This feature is disabled by default, and can be enabled by setting
'enable_swift_s3api' to 'true' in globals.yml.

Two middlewares are required for Swift S3 - s3api and s3token. Additionally, we
need to configure the authtoken middleware to delay auth decisions to give
s3token a chance to authorise requests using EC2 credentials.

Change-Id: Ib8e8e3a1c2ab383100f3c60ec58066e588d3b4db
Scott Solkhon 2019-08-13 12:46:17 +00:00
parent 41e634e204
commit d72b27f2d1
5 changed files with 30 additions and 5 deletions


@ -617,6 +617,7 @@ enable_skydive: "no"
enable_solum: "no" enable_solum: "no"
enable_storm: "{{ enable_monasca | bool }}" enable_storm: "{{ enable_monasca | bool }}"
enable_swift: "no" enable_swift: "no"
enable_swift_s3api: "no"
enable_tacker: "no" enable_tacker: "no"
enable_telegraf: "no" enable_telegraf: "no"
enable_tempest: "no" enable_tempest: "no"


@ -64,7 +64,9 @@ swift_admin_tenant_name: "admin"
swift_devices_mount_point: "/srv/node" swift_devices_mount_point: "/srv/node"
swift_devices_match_mode: "strict" swift_devices_match_mode: "strict"
swift_devices_name: "KOLLA_SWIFT_DATA" swift_devices_name: "KOLLA_SWIFT_DATA"
swift_delay_auth_decision: "False" # For S3 API we need to defer the auth decision to allow s3api and s3token
# middlewares to process requests using EC2 credentials.
swift_delay_auth_decision: "{{ enable_swift_s3api | bool }}"
# Boolean, true if there is a dedicated replication network. # Boolean, true if there is a dedicated replication network.
swift_has_replication_network: "{{ swift_storage_interface != swift_replication_interface }}" swift_has_replication_network: "{{ swift_storage_interface != swift_replication_interface }}"
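Review bot: The new comment on `swift_delay_auth_decision` says why the decision is deferred but not what that changes for enforcement. With it true, authtoken forwards requests that carry a missing or invalid token instead of rejecting them, so denying unauthenticated requests rests on the middleware placed after it (keystoneauth in this role's pipeline). I would extend the comment with `# With this enabled authtoken no longer rejects bad tokens itself; keystoneauth must stay in the pipeline.` The variable also stays independently overridable, so setting it to false while `enable_swift_s3api` is on would presumably make authtoken reject S3-signed requests before s3token sees them; a precheck asserting the two agree would catch that.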


@ -10,7 +10,7 @@ log_level = {{ swift_log_level }}
workers = {{ openstack_service_workers }} workers = {{ openstack_service_workers }}
[pipeline:main] [pipeline:main]
pipeline = catch_errors gatekeeper healthcheck cache container_sync bulk tempurl ratelimit authtoken keystoneauth container_quotas account_quotas slo dlo {% if enable_ceilometer | bool %}ceilometer {% endif %}proxy-server pipeline = catch_errors gatekeeper healthcheck cache container_sync bulk tempurl ratelimit authtoken {% if enable_swift_s3api | bool %}s3api s3token {% endif %}keystoneauth container_quotas account_quotas slo dlo {% if enable_ceilometer | bool %}ceilometer {% endif %}proxy-server
[app:proxy-server] [app:proxy-server]
use = egg:swift#proxy use = egg:swift#proxy
@ -91,3 +91,12 @@ use = egg:swift#dlo
[filter:versioned_writes] [filter:versioned_writes]
use = egg:swift#versioned_writes use = egg:swift#versioned_writes
allow_versioned_writes = True allow_versioned_writes = True
{% if enable_swift_s3api | bool %}
[filter:s3api]
use = egg:swift#s3api
[filter:s3token]
use = egg:swift#s3token
www_authenticate_uri = {{ keystone_internal_url }}/v3
{% endif %}
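Review bot: The pipeline line inserts `s3api s3token` after `bulk tempurl ratelimit`, so those filters see S3 requests before s3api has translated them. The ratelimit filter would then presumably not apply its account and container limits to S3-style paths, and the example pipeline in Swift's s3api documentation appears to list bulk after s3api, so the placement is worth confirming against it. The `[filter:s3token]` section sets only `www_authenticate_uri`; nothing visible here configures how the Keystone certificate is verified when `keystone_internal_url` is HTTPS, which should be checked for deployments with TLS on internal endpoints. A template comment above the pipeline such as `{# keep s3api s3token between authtoken and keystoneauth; keystoneauth denies what authtoken now lets through #}` would record the ordering constraint.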


@ -1,8 +1,8 @@
.. _swift-guide: .. _swift-guide:
============================= ==============================
Swift- Object storage service Swift - Object storage service
============================= ==============================
Overview Overview
~~~~~~~~ ~~~~~~~~
@ -266,3 +266,12 @@ A very basic smoke test:
| Containers | 1 | | Containers | 1 |
| Objects | 1 | | Objects | 1 |
+------------+---------------------------------------+ +------------+---------------------------------------+
S3 API
~~~~~~
The Swift S3 API can be enabled by setting ``enable_swift_s3api`` to ``true``
in ``globals.yml``. It is disabled by default. In order to use this API it is
necessary to obtain EC2 credentials from Keystone. See the `Swift documentation
<https://docs.openstack.org/swift/latest/middleware.html#module-swift.common.middleware.s3api.s3api>`__
for details.


@ -0,0 +1,4 @@
---
features:
- |
Adds support for the Swift S3 API, enabled via the ``enable_swift_s3api`` flag.