From 9dbdf71de04425473143bdf36412c5278830e993 Mon Sep 17 00:00:00 2001
From: Florian Haas
Date: Tue, 30 Oct 2018 11:37:42 +0100
Subject: [PATCH] Include Swift AUTH_%(tenant_id)s suffix in rgw Keystone endpoint

In order to make rgw a better drop-in replacement for Swift, this
patch does two things:

* Configure rgw to include the Swift account in its URL
* Update the Keystone catalog entry so that the rgw endpoints include
  the AUTH_%(tenant_id)s suffix (just like the os_swift role does)

Both of the above are necessary to make both public read ACLs and temp
URLs work with rgw, the way they do with native Swift.

In addition, the patch also:

* Removes the rgw_s3_auth_use_keystone config override, which is
  useless in the default configuration that does not enable the S3
  API.
* Enables rgw_keystone_implicit_tenants to properly enable Swift
  multi-tenancy in rgw.
  Reference: http://docs.ceph.com/docs/mimic/radosgw/multitenancy/
* Enables rgw_swift_versioning_enabled to support Swift's object
  versioning feature (and the default for the os_swift role's
  swift_allow_versions variable). A limitation applies here, which is
  that radosgw currently does support setting the X-Versions-Location
  header on a container, but does not understand X-History-Location.
* Adds documentation to the users guide, about using rgw as a Swift
  replacement.
* Adds a release note detailing possible upgrade issues, and the
  object versioning limitation.

Closes-Bug: #1800637
Change-Id: Iacd8f32f100f283ff590e063854d06b2c7c98cc2
---
 doc/source/user/ceph/swift.rst | 47 +++++++++++++++++++
 doc/source/user/index.rst | 1 +
 inventory/group_vars/all/ceph-rgw.yml | 6 +--
 inventory/group_vars/ceph-rgw.yml | 4 +-
 ...ph-rgw-swift-account-93350d92f0f33b20.yaml | 30 ++++++++++++
 5 files changed, 84 insertions(+), 4 deletions(-)
 create mode 100644 doc/source/user/ceph/swift.rst
 create mode 100644 releasenotes/notes/ceph-rgw-swift-account-93350d92f0f33b20.yaml
diff --git a/doc/source/user/ceph/swift.rst b/doc/source/user/ceph/swift.rst new file mode 100644 index 0000000000..703138cad5 --- /dev/null +++ b/doc/source/user/ceph/swift.rst 
@@ -0,0 +1,47 @@ +================================================ +Using radosgw as a drop-in replacement for Swift +================================================ + +OpenStack-Ansible gives you the option of deploying radosgw as a +drop-in replacement for native OpenStack Swift. + +In particular, the ``ceph-rgw-install.yml`` playbook (which includes +``ceph-rgw-keystone-setup.yml``) will deploy radosgw to any +``ceph-rgw`` hosts, and create a corresponding Keystone +``object-store`` service catalog entry. The service endpoints do +contain the ``AUTH_%(tenant_id)s`` prefix just like in native Swift, +so public read ACLs and temp URLs will work just like they do in +Swift. + +By default, OSA enables *only* the Swift API in radosgw. + + +Adding S3 API support +~~~~~~~~~~~~~~~~~~~~~ + +You may want to enable the default radosgw S3 API, in addition to the +Swift API. In order to do so, you need to override the +``ceph_conf_overrides_rgw`` variable in ``user_variables.yml``. Below +is an example configuration snippet: + +.. code-block:: yaml + + ceph_conf_overrides_rgw: + "client.rgw.{{ hostvars[inventory_hostname]['ansible_hostname'] }}": + # OpenStack integration with Keystone + rgw_keystone_url: "{{ keystone_service_adminuri }}" + rgw_keystone_api_version: 3 + rgw_keystone_admin_user: "{{ radosgw_admin_user }}" + rgw_keystone_admin_password: "{{ radosgw_admin_password }}" + rgw_keystone_admin_tenant: "{{ radosgw_admin_tenant }}" + rgw_keystone_admin_domain: default + rgw_keystone_accepted_roles: 'member, _member_, admin, swiftoperator' + rgw_keystone_implicit_tenants: 'true' + rgw_swift_account_in_url: true + rgw_swift_versioning_enabled: 'true' + # Add S3 support, in addition to Swift + rgw_enable_apis: 'swift, s3' + rgw_s3_auth_use_keystone: 'true' + +You may also want to add the ``rgw_dns_name`` option if you want to +enable bucket hostnames with the S3 API. diff --git a/doc/source/user/index.rst b/doc/source/user/index.rst index 1240ad3094..e7b2eafae0 100644 
--- a/doc/source/user/index.rst +++ b/doc/source/user/index.rst @@ -28,6 +28,7 @@ For in-depth technical information, see the limited-connectivity/index.rst l3pods/example.rst ceph/full-deploy.rst + ceph/swift.rst ceph/ceilometer.rst security/index.rst source-overrides/index.rst diff --git a/inventory/group_vars/all/ceph-rgw.yml b/inventory/group_vars/all/ceph-rgw.yml index 3d34703273..b093e5c4bc 100644 --- a/inventory/group_vars/all/ceph-rgw.yml +++ b/inventory/group_vars/all/ceph-rgw.yml @@ -13,8 +13,8 @@ radosgw_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default radosgw_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(radosgw_service_proto) }}" radosgw_service_internaluri_proto: "{{ openstack_service_internaluri_proto | default(radosgw_service_proto) }}" radosgw_service_publicuri: "{{ radosgw_service_publicuri_proto }}://{{ external_lb_vip_address }}:{{ radosgw_service_port }}" -radosgw_service_publicurl: "{{ radosgw_service_publicuri }}/swift/v1" +radosgw_service_publicurl: "{{ radosgw_service_publicuri }}/swift/v1/AUTH_%(tenant_id)s" radosgw_service_adminuri: "{{ radosgw_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ radosgw_service_port }}" -radosgw_service_adminurl: "{{ radosgw_service_adminuri }}/swift/v1" +radosgw_service_adminurl: "{{ radosgw_service_adminuri }}/swift/v1/AUTH_%(tenant_id)s" radosgw_service_internaluri: "{{ radosgw_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ radosgw_service_port }}" -radosgw_service_internalurl: "{{ radosgw_service_internaluri }}/swift/v1" +radosgw_service_internalurl: "{{ radosgw_service_internaluri }}/swift/v1/AUTH_%(tenant_id)s" diff --git a/inventory/group_vars/ceph-rgw.yml b/inventory/group_vars/ceph-rgw.yml index dfd46c948a..f7b7355d0b 100644 --- a/inventory/group_vars/ceph-rgw.yml +++ b/inventory/group_vars/ceph-rgw.yml 
@@ -9,5 +9,7 @@ ceph_conf_overrides_rgw: rgw_keystone_admin_tenant: "{{ radosgw_admin_tenant }}" rgw_keystone_admin_domain: default rgw_keystone_accepted_roles: 'member, _member_, admin, swiftoperator' - rgw_s3_auth_use_keystone: true + rgw_keystone_implicit_tenants: 'true' rgw_enable_apis: swift + rgw_swift_account_in_url: 'true' + rgw_swift_versioning_enabled: 'true' \ No newline at end of file diff --git a/releasenotes/notes/ceph-rgw-swift-account-93350d92f0f33b20.yaml b/releasenotes/notes/ceph-rgw-swift-account-93350d92f0f33b20.yaml new file mode 100644 index 0000000000..4f4a77bbd4 --- /dev/null +++ b/releasenotes/notes/ceph-rgw-swift-account-93350d92f0f33b20.yaml 
@@ -0,0 +1,30 @@ +--- +upgrade: + - > + The ``ceph-rgw`` playbooks now set ``rgw_swift_account_in_url = + true`` and update the corresponding Keystone service catalog entry + accordingly. Applications (such as monitoring scripts) that do + *not* rely on service catalog lookup must be updated with the new + endpoint URL that includes ``AUTH_%(tenant_id)s`` just like native + Swift does --- or, alternatively, should be updated to honor the + service catalog after all. + - > + The ``ceph-rgw`` playbooks now set ``rgw_swift_versioning_enabled = + true``, adding support for object versioning for the ``object-store`` + service. +fixes: + - > + The ``ceph-rgw`` playbooks now include the ``AUTH_%(tenant_id)s`` + suffix in the Keystone ``object-store`` endpoint. This aligns + radosgw's behavior with that of native Swift. It also enables + radosgw to support public read ACLs on containers, and temporary + URLs on objects, in the same way that Swift does + (`bug 1800637 `_). +issues: + - > + Although the ``ceph-rgw`` playbooks do enable Swift object + versioning, support in radosgw is currently limited to setting + ``X-Versions-Location`` on a container. ``X-History-Location``, + understood by native Swift, is currently not supported by radosgw + (although the feature is `pending + `_ upstream). \ No newline at end of file
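Review bot: In doc/source/user/ceph/swift.rst the second paragraph calls ``AUTH_%(tenant_id)s`` a "prefix", while the commit message and the release note both call it a suffix of the endpoint URL; use "suffix" here as well, since it matches the `/swift/v1/AUTH_%(tenant_id)s` URLs set in group_vars. In the YAML example of the same file, `rgw_swift_account_in_url: true` is a bare boolean while the neighbouring `rgw_keystone_implicit_tenants: 'true'` and `rgw_swift_versioning_enabled: 'true'` are quoted strings, and inventory/group_vars/ceph-rgw.yml ships it as `'true'`; quote it in the example so the documented override matches the shipped default.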
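Review bot: In inventory/group_vars/all/ceph-rgw.yml the literal `/swift/v1/AUTH_%(tenant_id)s` is now repeated in radosgw_service_publicurl, radosgw_service_adminurl and radosgw_service_internalurl, and nothing in the file says that `%(tenant_id)s` is intentionally left for Keystone to substitute rather than being a Jinja expression. Consider one variable for the path suffix that all three URLs reference, with a one-line comment on the placeholder, so the three catalog endpoints cannot drift apart and a later editor does not mistake the placeholder for a templating error.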
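Review bot: inventory/group_vars/ceph-rgw.yml still ends without a trailing newline after the new last line `rgw_swift_versioning_enabled: 'true'` (the hunk carries "\ No newline at end of file"); add one while touching the file. The three added options are written as quoted `'true'` where the removed `rgw_s3_auth_use_keystone: true` was a bare boolean, which is fine as long as it is applied consistently, so the unquoted value in the swift.rst example should follow this form.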
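Review bot: The upgrade section of releasenotes/notes/ceph-rgw-swift-account-93350d92f0f33b20.yaml covers rgw_swift_account_in_url and rgw_swift_versioning_enabled but has no entry for `rgw_keystone_implicit_tenants: 'true'` or for the removal of `rgw_s3_auth_use_keystone`, both of which this patch changes in the default ceph_conf_overrides_rgw. Add an upgrade entry for each that states whether existing deployments are affected, in particular how radosgw users and containers that already exist relate to the tenants created once implicit tenants are on, and that deployers who enable the S3 API must now set rgw_s3_auth_use_keystone themselves as the swift.rst example does. This new file also ends without a trailing newline.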