Include Swift AUTH_%(tenant_id)s suffix in rgw Keystone endpoint

In order to make rgw a better drop-in replacement for Swift, this
patch does two things:

* Configure rgw to include the Swift account in its URL
* Update the Keystone catalog entry so that the rgw endpoints
  include the AUTH_%(tenant_id)s suffix (just like the os_swift
  role does)

Both of the above are necessary to make both public read ACLs
and temp URLs work with rgw, the way they do with native Swift.

In addition, the patch also:

* Removes the rgw_s3_auth_use_keystone config override, which
  is useless in the default configuration that does not enable
  the S3 API.
* Enables rgw_keystone_implicit_tenants to properly enable Swift
  multi-tenancy in rgw. Reference:
* Enables rgw_swift_versioning_enabled to support Swift's object
  versioning feature (and the default for the os_swift role's
  swift_allow_versions variable). A limitation applies here,
  which is that radosgw currently does support setting the
  X-Versions-Location header on a container, but does not
  understand X-History-Location.
* Adds documentation to the users guide, about using rgw as a
  Swift replacement.
* Adds a release note detailing possible upgrade issues,
  and the object versioning limitation.

Closes-Bug: #1800637

Change-Id: Iacd8f32f100f283ff590e063854d06b2c7c98cc2
Florian Haas 2018-10-30 11:37:42 +01:00 committed by Jesse Pretorius (odyssey4me)
parent 89b5b43883
commit 9dbdf71de0
5 changed files with 84 additions and 4 deletions

View File

@ -0,0 +1,47 @@
Using radosgw as a drop-in replacement for Swift
OpenStack-Ansible gives you the option of deploying radosgw as a
drop-in replacement for native OpenStack Swift.
In particular, the ``ceph-rgw-install.yml`` playbook (which includes
``ceph-rgw-keystone-setup.yml``) will deploy radosgw to any
``ceph-rgw`` hosts, and create a corresponding Keystone
``object-store`` service catalog entry. The service endpoints do
contain the ``AUTH_%(tenant_id)s`` prefix just like in native Swift,
so public read ACLs and temp URLs will work just like they do in
By default, OSA enables *only* the Swift API in radosgw.
Adding S3 API support
You may want to enable the default radosgw S3 API, in addition to the
Swift API. In order to do so, you need to override the
``ceph_conf_overrides_rgw`` variable in ``user_variables.yml``. Below
is an example configuration snippet:
.. code-block:: yaml
"client.rgw.{{ hostvars[inventory_hostname]['ansible_hostname'] }}":
# OpenStack integration with Keystone
rgw_keystone_url: "{{ keystone_service_adminuri }}"
rgw_keystone_api_version: 3
rgw_keystone_admin_user: "{{ radosgw_admin_user }}"
rgw_keystone_admin_password: "{{ radosgw_admin_password }}"
rgw_keystone_admin_tenant: "{{ radosgw_admin_tenant }}"
rgw_keystone_admin_domain: default
rgw_keystone_accepted_roles: 'member, _member_, admin, swiftoperator'
rgw_keystone_implicit_tenants: 'true'
rgw_swift_account_in_url: true
rgw_swift_versioning_enabled: 'true'
# Add S3 support, in addition to Swift
rgw_enable_apis: 'swift, s3'
rgw_s3_auth_use_keystone: 'true'
You may also want to add the ``rgw_dns_name`` option if you want to
enable bucket hostnames with the S3 API.

View File

@ -28,6 +28,7 @@ For in-depth technical information, see the

View File

@ -13,8 +13,8 @@ radosgw_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default
radosgw_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(radosgw_service_proto) }}"
radosgw_service_internaluri_proto: "{{ openstack_service_internaluri_proto | default(radosgw_service_proto) }}"
radosgw_service_publicuri: "{{ radosgw_service_publicuri_proto }}://{{ external_lb_vip_address }}:{{ radosgw_service_port }}"
radosgw_service_publicurl: "{{ radosgw_service_publicuri }}/swift/v1"
radosgw_service_publicurl: "{{ radosgw_service_publicuri }}/swift/v1/AUTH_%(tenant_id)s"
radosgw_service_adminuri: "{{ radosgw_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ radosgw_service_port }}"
radosgw_service_adminurl: "{{ radosgw_service_adminuri }}/swift/v1"
radosgw_service_adminurl: "{{ radosgw_service_adminuri }}/swift/v1/AUTH_%(tenant_id)s"
radosgw_service_internaluri: "{{ radosgw_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ radosgw_service_port }}"
radosgw_service_internalurl: "{{ radosgw_service_internaluri }}/swift/v1"
radosgw_service_internalurl: "{{ radosgw_service_internaluri }}/swift/v1/AUTH_%(tenant_id)s"

View File

@ -9,5 +9,7 @@ ceph_conf_overrides_rgw:
rgw_keystone_admin_tenant: "{{ radosgw_admin_tenant }}"
rgw_keystone_admin_domain: default
rgw_keystone_accepted_roles: 'member, _member_, admin, swiftoperator'
rgw_s3_auth_use_keystone: true
rgw_keystone_implicit_tenants: 'true'
rgw_enable_apis: swift
rgw_swift_account_in_url: 'true'
rgw_swift_versioning_enabled: 'true'

View File

@ -0,0 +1,30 @@
- >
The ``ceph-rgw`` playbooks now set ``rgw_swift_account_in_url =
true`` and update the corresponding Keystone service catalog entry
accordingly. Applications (such as monitoring scripts) that do
*not* rely on service catalog lookup must be updated with the new
endpoint URL that includes ``AUTH_%(tenant_id)s`` just like native
Swift does --- or, alternatively, should be updated to honor the
service catalog after all.
- >
The ``ceph-rgw`` playbooks now set ``rgw_swift_versioning_enabled =
true``, adding support for object versioning for the ``object-store``
- >
The ``ceph-rgw`` playbooks now include the ``AUTH_%(tenant_id)s``
suffix in the Keystone ``object-store`` endpoint. This aligns
radosgw's behavior with that of native Swift. It also enables
radosgw to support public read ACLs on containers, and temporary
URLs on objects, in the same way that Swift does
(`bug 1800637 <>`_).
- >
Although the ``ceph-rgw`` playbooks do enable Swift object
versioning, support in radosgw is currently limited to setting
``X-Versions-Location`` on a container. ``X-History-Location``,
understood by native Swift, is currently not supported by radosgw
(although the feature is `pending
<>`_ upstream).