doc/rgw: document compress-encrypted zonegroup feature flag

Signed-off-by: Casey Bodley <cbodley@redhat.com>

diff --git a/doc/radosgw/compression.rst b/doc/radosgw/compression.rst
index 23655f1dce0eda7abe73a442f5880912ee4685d3..fba0681da9052dd6cbff6fa45706c60c0213c48e 100644 (file)
--- a/doc/radosgw/compression.rst
+++ b/doc/radosgw/compression.rst
@@ -7,6 +7,9 @@ Compression
 The Ceph Object Gateway supports server-side compression of uploaded objects,
 using any of Ceph's existing compression plugins.
 
+.. note:: The Reef release added a :ref:`feature_compress_encrypted` zonegroup
+   feature to enable compression with `Server-Side Encryption`_.
+
 
 Configuration
 =============
@@ -84,4 +87,5 @@ The ``size_utilized`` and ``size_kb_utilized`` fields represent the total
 size of compressed data, in bytes and kilobytes respectively.
 
 
+.. _`Server-Side Encryption`: ../encryption
 .. _`Multisite Configuration`: ../multisite

diff --git a/doc/radosgw/multisite.rst b/doc/radosgw/multisite.rst
index 459db811cc4380eb4aa1087752bcbe5aa95f6ffb..626f18df18512d71c1dea40bcd58a69674978ce9 100644 (file)
--- a/doc/radosgw/multisite.rst
+++ b/doc/radosgw/multisite.rst
@@ -1595,11 +1595,13 @@ On creation of new zones and zonegroups, all known features are supported/enable
 Supported Features
 ------------------
 
-+---------------------------+---------+----------+
-| Feature                   | Release | Default  |
-+===========================+=========+==========+
-| :ref:`feature_resharding` | Reef    | Enabled  |
-+---------------------------+---------+----------+
++-----------------------------------+---------+----------+
+| Feature                           | Release | Default  |
++===================================+=========+==========+
+| :ref:`feature_resharding`         | Reef    | Enabled  |
++-----------------------------------+---------+----------+
+| :ref:`feature_compress_encrypted` | Reef    | Disabled |
++-----------------------------------+---------+----------+
 
 .. _feature_resharding:
 
@@ -1618,6 +1620,21 @@ of its RGWs and OSDs have upgraded.
    the Reef release.
 
 
+.. _feature_compress_encrypted:
+
+compress-encrypted
+~~~~~~~~~~~~~~~~~~
+
+This feature enables support for combining `Server-Side Encryption`_ and
+`Compression`_ on the same object. Object data gets compressed before encryption.
+Prior to Reef, multisite would not replicate such objects correctly, so all zones
+must upgrade to Reef or later before enabling.
+
+.. warning:: The compression ratio may leak information about the encrypted data,
+   and allow attackers to distinguish whether two same-sized objects might contain
+   the same data. Due to these security considerations, this feature is disabled
+   by default.
+
 Commands
 --------
 
@@ -1665,3 +1682,5 @@ On any cluster in the realm:
 
 .. _`Pools`: ../pools
 .. _`Sync Policy Config`: ../multisite-sync-policy
+.. _`Server-Side Encryption`: ../encryption
+.. _`Compression`: ../compression