==============================
OpenStack `Barbican`_ can be used as a secure key management service for
-`Server-Side Encryption`_.
+:ref:`Server-Side Encryption <radosgw-encryption>`.
.. image:: ../images/rgw-encryption-barbican.png
Barbican depends on Keystone for authorization and access control of its keys.
-See `OpenStack Keystone Integration`_.
+See :ref:`OpenStack Keystone Integration <radosgw-keystone>`.
Create a Keystone user
======================
.. _Barbican: https://wiki.openstack.org/wiki/Barbican
-.. _Server-Side Encryption: ../encryption
-.. _OpenStack Keystone Integration: ../keystone
.. _Manage projects, users, and roles: https://docs.openstack.org/admin-guide/cli-manage-projects-users-and-roles.html#create-a-user
.. _How to Create a Secret: https://developer.openstack.org/api-guide/key-manager/secrets.html#how-to-create-a-secret
.. _SSE-KMS: http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingKMSEncryption.html
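Review bot: the two removed targets (``Server-Side Encryption`` and ``OpenStack Keystone Integration``) must have no remaining ``\`...\`_`` references elsewhere in barbican.rst, or Sphinx fails with an unknown-target error; the visible hunk converts only the two references near the top. The explicit-title form ``:ref:`Server-Side Encryption <radosgw-encryption>``` is the right choice here, since a bare ``:ref:`radosgw-encryption``` would render the target section's title ("Encryption") and change the displayed text. Both labels this file now points at (``radosgw-encryption``, ``radosgw-keystone``) are introduced in this same change, so the references resolve. The ``.. _Barbican:``, ``Manage projects...``, ``How to Create a Secret`` and ``SSE-KMS`` targets are still referenced and correctly kept.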
+.. _radosgw-compression:
+
===========
Compression
===========
The Ceph Object Gateway supports server-side compression of uploaded objects.
.. note:: The Reef release added a :ref:`feature_compress_encrypted` zonegroup
- feature to enable compression with `Server-Side Encryption`_.
+ feature to enable compression with :ref:`Server-Side Encryption <radosgw-encryption>`.
Supported compression plugins include the following:
}
.. note:: A ``default`` zone is created for you if you have not done any
- previous `Multisite Configuration`_.
+ previous :ref:`Multisite Configuration <multisite>`.
Statistics
The ``size_utilized`` and ``size_kb_utilized`` fields represent the total
size of compressed data, in bytes and kilobytes respectively.
-
-.. _`Server-Side Encryption`: ../encryption
-.. _`Multisite Configuration`: ../multisite
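Review bot: ``:ref:`Multisite Configuration <multisite>``` depends on a ``multisite`` label that this change does not add, unlike ``radosgw-compression``, ``radosgw-encryption`` and ``radosgw-keystone``, which are all introduced in this diff; confirm that ``.. _multisite:`` already exists above the title in multisite.rst, otherwise the build emits an undefined-label warning. Also, removing the trailing target block takes the blank line after the Statistics paragraph with it, so check that the file still ends with a single newline.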
Limitations
-----------
-- D3N will not cache objects compressed by `Rados Gateway Compression`_ (OSD level compression is supported).
-- D3N will not cache objects encrypted by `Rados Gateway Encryption`_.
+- D3N will not cache objects compressed by :ref:`RADOS Gateway Compression <radosgw-compression>` (OSD level compression is supported).
+- D3N will not cache objects encrypted by :ref:`RADOS Gateway Encryption <radosgw-encryption>`.
- D3N will be disabled if the ``rgw_max_chunk_size`` config variable value differs from the ``rgw_obj_stripe_size`` config variable value.
.. _MOC D3N (Datacenter-scale Data Delivery Network): https://massopen.cloud/research-and-development/cloud-research/d3n/
.. _Red Hat Research D3N Cache for Data Centers: https://research.redhat.com/blog/research_project/d3n-multilayer-cache/
-.. _Rados Gateway Compression: ../compression/
-.. _Rados Gateway Encryption: ../encryption/
.. _RGW Data cache and CDN: ../rgw-cache/
.. _Service Management - Mounting Files with Extra Container Arguments: ../cephadm/services/#mounting-files-with-extra-container-arguments
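Review bot: besides the switch to ``:ref:``, this hunk changes the visible link text from "Rados Gateway" to "RADOS Gateway"; that is the correct spelling, but it is a wording change bundled into a cross-reference fix and should be called out in the commit message. The remaining relative-path targets are left as they are: the cephadm link carries a ``#mounting-files-with-extra-container-arguments`` fragment and cannot become a ``:ref:`` without a label at that section, but ``.. _RGW Data cache and CDN: ../rgw-cache/`` is the same kind of fragile relative link this change removes elsewhere and could get a label and ``:ref:`` in the same pass.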
+.. _radosgw-encryption:
+
==========
Encryption
==========
+.. _radosgw-keystone:
+
=====================================
Integrating with OpenStack Keystone
=====================================
================
`KMIP`_ can be used as a secure key management service for
-`Server-Side Encryption`_ (SSE-KMS).
+:ref:`Server-Side Encryption <radosgw-encryption>` (SSE-KMS).
.. ditaa::
1. `IBM Security Guardium Key Lifecycle Manager (SKLM)`__. This is a well
supported commercial product.
-__ SKLM_
-
-2. PyKMIP_. This is a small python project, suitable for experimental
+2. `PyKMIP`_. This is a small python project, suitable for experimental
and testing use only.
+__ SKLM_
+
Using IBM SKLM
--------------
-IBM SKLM__ supports client authentication using certificates.
+IBM `SKLM`_ supports client authentication using certificates.
Certificates may either be self-signed certificates created,
for instance, using openssl, or certificates may be created
using SKLM. Ceph should then be configured (see below) to
This can be then upgraded to a registered client using the web
interface to complete the registration process.
-__ SKLM_
-
Find untrusted clients under ``Advanced Configuration``,
``Client Device Communication Certificates``. Select
``Modify SSL/KMIP Certificates for Clients``, then toggle the flag
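Review bot: moving ``__ SKLM_`` from between the two enumerated items to after item 2 fixes a real structural problem: a target at the list's indentation between ``1.`` and ``2.`` terminates the enumerated list, so ``2.`` started a second list (docutils reports a non-ordinal start value). After the change the file has exactly one anonymous reference (``SKLM)`__`` in item 1) and one anonymous target (``__ SKLM_``), which is what anonymous hyperlinks require; dropping the second ``__ SKLM_`` together with the ``IBM SKLM__`` to ``IBM `SKLM`_`` rewrite keeps that count balanced. Simpler still would be to make item 1 a named reference too, e.g. ``\`IBM Security Guardium Key Lifecycle Manager (SKLM) <SKLM_>\`_``, and delete the anonymous target entirely so the ordering constraint disappears.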
Using PyKMIP
------------
-PyKMIP_ has no special registration process, it simply
+`PyKMIP`_ has no special registration process, it simply
trusts the certificate. However, the certificate has to
be issued by a certificate authority that is trusted by
pykmip. PyKMIP also prefers that the certificate contain
pykmip-mybucketkey
-.. _Server-Side Encryption: ../encryption
.. _KMIP: http://www.oasis-open.org/committees/kmip/
.. _SKLM: https://www.ibm.com/products/ibm-security-key-lifecycle-manager
.. _PyKMIP: https://pykmip.readthedocs.io/en/latest/
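Review bot: ``PyKMIP_`` to ``\`PyKMIP\`_`` is a no-op for docutils (backquotes are only required when the reference name contains whitespace or punctuation), so these two edits are purely stylistic; fine to keep for consistency with ``\`KMIP\`_`` and ``\`SKLM\`_``, but they are not a fix. Removing ``.. _Server-Side Encryption: ../encryption`` is correct for the reference at the top of the file that now goes through ``:ref:``; check that no other ``\`Server-Side Encryption\`_`` use remains in kmip.rst.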
Storage Cluster.
For additional details on setting up a cluster, see `Ceph Object Gateway for
-Production <https://access.redhat.com/documentation/en-us/red_hat_ceph_storage/3/html/ceph_object_gateway_for_production/index/>`__.
+Production <https://access.redhat.com/documentation/en-us/red_hat_ceph_storage/3/html/ceph_object_gateway_for_production/index/>`_.
Functional Changes from Infernalis
==================================
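Review bot: changing the embedded-URI reference from anonymous (``__``) to named (``_``) registers "Ceph Object Gateway for Production" as a hyperlink target name in this document; if that phrase is used as a link elsewhere in the file with a different URL, docutils reports a duplicate target name. The anonymous form is the usual choice for a one-off external link and this change is not needed for the ``:ref:`` migration, so consider reverting this line to ``__`` unless the name is meant to be reused.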
OpenStack Keystone, it is possible to use Keystone as an authoritative
source for S3 API authentication. To do so, you must set:
-* the ``rgw keystone`` configuration options explained in :doc:`../keystone`,
+* the ``rgw keystone`` configuration options explained in :ref:`radosgw-keystone`,
* ``rgw s3 auth use keystone = true``.
In addition, a user wishing to use the S3 API must obtain an AWS-style
.. note:: Consider that most production radosgw deployments
authenticating against OpenStack Keystone are also set up
- for :doc:`../multitenancy`, for which special
+ for :ref:`rgw-multitenancy`, for which special
considerations apply with respect to S3 signed URLs and
public read ACLs.
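Review bot: ``:ref:`radosgw-keystone``` and ``:ref:`rgw-multitenancy``` are used without an explicit title, so they render the target section's title in place of the old ``:doc:`` document title; for ``radosgw-keystone`` that label is added in this change, but ``rgw-multitenancy`` is not introduced anywhere in this diff and must already exist above the title in multitenancy.rst or the build emits an undefined-label warning. The pre-existing ``rgw-`` prefix also differs from the ``radosgw-`` prefix used for every label added here; keep the new labels on one convention.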
===========================
HashiCorp `Vault`_ can be used as a secure key management service for
-`Server-Side Encryption`_ (SSE-KMS).
+:ref:`Server-Side Encryption <radosgw-encryption>` (SSE-KMS).
.. ditaa::
http://vaultserver:8200/v1/transit/mybucketkey
-.. _Server-Side Encryption: ../encryption
.. _Vault: https://www.vaultproject.io/docs/
.. _Token authentication method: https://www.vaultproject.io/docs/auth/token.html
.. _Vault agent: https://www.vaultproject.io/docs/agent/index.html
compress-encrypted
~~~~~~~~~~~~~~~~~~
-This feature enables support for combining `Server-Side Encryption`_ and
-`Compression`_ on the same object. Object data gets compressed before encryption.
+This feature enables support for combining :ref:`Server-Side Encryption <radosgw-encryption>` and
+:ref:`radosgw-compression` on the same object. Object data gets compressed before encryption.
Prior to Reef, multisite would not replicate such objects correctly, so all zones
must upgrade to Reef or later before enabling.
radosgw-admin zonegroup modify --rgw-zonegroup={zonegroup-name} --disable-feature={feature-name}
radosgw-admin period update --commit
-
-.. _`Server-Side Encryption`: ../encryption
-.. _`Compression`: ../compression
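Review bot: bare ``:ref:`radosgw-compression``` renders the Compression section title, which equals the old link text, so the rendered output is unchanged; the encryption reference correctly keeps the explicit ``<radosgw-encryption>`` form because the old text ("Server-Side Encryption") differs from that section's title ("Encryption"). The removed ``.. _`Compression`:`` and ``.. _`Server-Side Encryption`:`` targets used the backquoted target-name form, so a plain-text search for ``Compression`_`` may miss references written with backquotes; make sure no other reference in this file still relies on either target before the definitions go.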