From: Casey Bodley <cbodley@redhat.com>
Date: Mon, 3 Jul 2023 18:59:51 +0000 (-0400)
Subject: doc/rgw: document compress-encrypted zonegroup feature flag
X-Git-Tag: v18.1.3~40^2~1
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=1bdcedc6ce722f750ba748bfe76ede4b8dca0d87;p=ceph.git

doc/rgw: document compress-encrypted zonegroup feature flag

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit d85011a7fc5d3df42a2c046ec7a43fe29f1db08f)
---

diff --git a/doc/radosgw/compression.rst b/doc/radosgw/compression.rst
index 23655f1dce0e..fba0681da905 100644
--- a/doc/radosgw/compression.rst
+++ b/doc/radosgw/compression.rst
@@ -7,6 +7,9 @@ Compression
 The Ceph Object Gateway supports server-side compression of uploaded objects,
 using any of Ceph's existing compression plugins.
 
+.. note:: The Reef release added a :ref:`feature_compress_encrypted` zonegroup
+   feature to enable compression with `Server-Side Encryption`_.
+
 
 Configuration
 =============
@@ -84,4 +87,5 @@ The ``size_utilized`` and ``size_kb_utilized`` fields represent the total
 size of compressed data, in bytes and kilobytes respectively.
 
 
+.. _`Server-Side Encryption`: ../encryption
 .. _`Multisite Configuration`: ../multisite
diff --git a/doc/radosgw/multisite.rst b/doc/radosgw/multisite.rst
index be4625dab18b..a53c0794c93c 100644
--- a/doc/radosgw/multisite.rst
+++ b/doc/radosgw/multisite.rst
@@ -1574,11 +1574,13 @@ On creation of new zones and zonegroups, all known features are supported/enable
 Supported Features
 ------------------
 
-+---------------------------+---------+----------+
-| Feature                   | Release | Default  |
-+===========================+=========+==========+
-| :ref:`feature_resharding` | Reef    | Enabled  |
-+---------------------------+---------+----------+
++-----------------------------------+---------+----------+
+| Feature                           | Release | Default  |
++===================================+=========+==========+
+| :ref:`feature_resharding`         | Reef    | Enabled  |
++-----------------------------------+---------+----------+
+| :ref:`feature_compress_encrypted` | Reef    | Disabled |
++-----------------------------------+---------+----------+
 
 .. _feature_resharding:
 
@@ -1597,6 +1599,21 @@ of its RGWs and OSDs have upgraded.
    the Reef release.
 
 
+.. _feature_compress_encrypted:
+
+compress-encrypted
+~~~~~~~~~~~~~~~~~~
+
+This feature enables support for combining `Server-Side Encryption`_ and
+`Compression`_ on the same object. Object data gets compressed before encryption.
+Prior to Reef, multisite would not replicate such objects correctly, so all zones
+must upgrade to Reef or later before enabling.
+
+.. warning:: The compression ratio may leak information about the encrypted data,
+   and allow attackers to distinguish whether two same-sized objects might contain
+   the same data. Due to these security considerations, this feature is disabled
+   by default.
+
 Commands
 --------
 
@@ -1644,3 +1661,5 @@ On any cluster in the realm:
 
 .. _`Pools`: ../pools
 .. _`Sync Policy Config`: ../multisite-sync-policy
+.. _`Server-Side Encryption`: ../encryption
+.. _`Compression`: ../compression