From: Florian Haas Date: Mon, 12 Nov 2018 12:49:15 +0000 (+0100) Subject: Improve OpenStack integration and multitenancy docs for radosgw X-Git-Tag: v14.1.0~583^2 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=refs%2Fpull%2F25056%2Fhead;p=ceph.git Improve OpenStack integration and multitenancy docs for radosgw Add explanatory information on: * "rgw swift account in url" (including the Swift account in the Swift API url and Keystone endpoint) * "rgw swift versioning enabled" (enabling Swift object versioning) * "rgw s3 auth use keystone" (enabling S3 authentication against Keystone) * "rgw keystone implicit tenants" (multi-tenancy via Keystone, including its implications for the Swift and S3 APIs) Fixes: http://tracker.ceph.com/issues/36765 Signed-off-by: Florian Haas --- diff --git a/doc/radosgw/config-ref.rst b/doc/radosgw/config-ref.rst index 3e95100772d0..44256462d94d 100644 --- a/doc/radosgw/config-ref.rst +++ b/doc/radosgw/config-ref.rst @@ -34,6 +34,11 @@ instances or all radosgw-admin commands can be put into the ``[global]`` or the ``rgw enable apis`` :Description: Enables the specified APIs. + + .. note:: Enabling the ``s3`` API is a requirement for + any radosgw instance that is meant to + participate in a `multi-site <../multisite>`_ + configuration. :Type: String :Default: ``s3, swift, swift_auth, admin`` All APIs. @@ -534,14 +539,29 @@ Swift Settings ``rgw swift url prefix`` -:Description: The URL prefix for the Swift StorageURL that goes in front of - the "/v1" part. This allows to run several Gateway instances - on the same host. For compatibility, setting this configuration - variable to empty causes the default "/swift" to be used. - Use explicit prefix "/" to start StorageURL at the root. - WARNING: setting this option to "/" will NOT work if S3 API is - enabled. From the other side disabling S3 will make impossible - to deploy RadosGW in the multi-site configuration! +:Description: The URL prefix for the Swift API, to distinguish it from + the S3 API endpoint. The default is ``swift``, which + makes the Swift API available at the URL + ``http://host:port/swift/v1`` (or + ``http://host:port/swift/v1/AUTH_%(tenant_id)s`` if + ``rgw swift account in url`` is enabled). + + For compatibility, setting this configuration variable + to the empty string causes the default ``swift`` to be + used; if you do want an empty prefix, set this option to + ``/``. + + .. warning:: If you set this option to ``/``, you must + disable the S3 API by modifying ``rgw + enable apis`` to exclude ``s3``. It is not + possible to operate radosgw with ``rgw + swift url prefix = /`` and simultaneously + support both the S3 and Swift APIs. If you + do need to support both APIs without + prefixes, deploy multiple radosgw instances + to listen on different hosts (or ports) + instead, enabling some for S3 and some for + Swift. :Default: ``swift`` :Example: "/swift-testing" @@ -562,6 +582,35 @@ Swift Settings :Default: ``auth`` +``rgw swift account in url`` + +:Description: Whether or not the Swift account name should be included + in the Swift API URL. + + If set to ``false`` (the default), then the Swift API + will listen on a URL formed like + ``http://host:port//v1``, and the + account name (commonly a Keystone project UUID if + radosgw is configured with `Keystone integration + <../keystone>`_) will be inferred from request + headers. + + If set to ``true``, the Swift API URL will be + ``http://host:port//v1/AUTH_`` + (or + ``http://host:port//v1/AUTH_``) + instead, and the Keystone ``object-store`` endpoint must + accordingly be configured to include the + ``AUTH_%(tenant_id)s`` suffix. + + You **must** set this option to ``true`` (and update the + Keystone service catalog) if you want radosgw to support + publicly-readable containers and `temporary URLs + <../swift/tempurl>`_. +:Type: Boolean +:Default: ``false`` + + ``rgw swift versioning enabled`` :Description: Enables the Object Versioning of OpenStack Object Storage API. @@ -572,6 +621,13 @@ Swift Settings control verification - ACLs are NOT taken into consideration. Those containers cannot be versioned by the S3 object versioning mechanism. + + The ``X-History-Location`` attribute, also understood by + OpenStack Swift for handling ``DELETE`` operations + `slightly differently + `_ + from ``X-Versions-Location``, is currently not + supported. :Type: Boolean :Default: ``false`` diff --git a/doc/radosgw/keystone.rst b/doc/radosgw/keystone.rst index db283e04cbf9..a476237eaf78 100644 --- a/doc/radosgw/keystone.rst +++ b/doc/radosgw/keystone.rst @@ -19,7 +19,6 @@ The following configuration options are available for Keystone integration:: rgw keystone token cache size = {number of tokens to cache} rgw keystone revocation interval = {number of seconds before checking revoked tickets} rgw keystone implicit tenants = {true for private tenant for each new user} - rgw s3 auth use keystone = true nss db path = {path to nss db} It is also possible to configure a Keystone service tenant, user & password for @@ -113,6 +112,10 @@ object-storage endpoint:: | service_type | object-store | +--------------+------------------------------------------+ +.. note:: If your radosgw ``ceph.conf`` sets the configuration option + ``rgw swift account in url = true``, your ``object-store`` + endpoint URLs must be set to include the suffix + ``/v1/AUTH_%(tenant_id)s`` (instead of just ``/v1``). The keystone URL is the Keystone admin RESTful API URL. The admin token is the token that is configured internally in Keystone for admin requests. @@ -145,3 +148,12 @@ configurable ``rgw keystone verify ssl`` to false. .. _Openstack keystone documentation: http://docs.openstack.org/developer/keystone/configuringservices.html#setting-up-projects-users-and-roles + + +Keystone integration with the S3 API +------------------------------------ + +It is possible to use Keystone for authentication even when using the +S3 API (with AWS-like access and secret keys), if the ``rgw s3 auth +use keystone`` option is set. For details, see +:doc:`s3/authentication`. diff --git a/doc/radosgw/multitenancy.rst b/doc/radosgw/multitenancy.rst index b1bc5b096c85..4719a5e580d9 100644 --- a/doc/radosgw/multitenancy.rst +++ b/doc/radosgw/multitenancy.rst @@ -84,6 +84,38 @@ that are not already valid in bucket names. Using a period creates an ambiguous syntax. Therefore, the bucket-in-URL-path format has to be used. +Due to the fact that the native S3 API does not deal with +multi-tenancy and radosgw's implementation does, things get a bit +involved when dealing with signed URLs and public read ACLs. + +* A **signed URL** does contain the ``AWSAccessKeyId`` query + parameters, from which radosgw is able to discern the correct user + and tenant owning the bucket. In other words, an application + generating signed URLs should be able to take just the un-prefixed + bucket name, and produce a signed URL that itself contains the + bucket name without the tenant prefix. However, it is *possible* to + include the prefix if you so choose. + + Thus, accessing a signed URL of an object ``bar`` in a container + ``foo`` belonging to the tenant ``7188e165c0ae4424ac68ae2e89a05c50`` + would be possible either via + ``http://:/foo/bar?AWSAccessKeyId=b200fb6634c547199e436a0f93c0c46e&Expires=1542890806&Signature=eok6CYQC%2FDwmQQmqvY5jTg6ehXU%3D``, + or via + ``http://:/7188e165c0ae4424ac68ae2e89a05c50:foo/bar?AWSAccessKeyId=b200fb6634c547199e436a0f93c0c46e&Expires=1542890806&Signature=eok6CYQC%2FDwmQQmqvY5jTg6ehXU%3D``, + depending on whether or not the tenant prefix was passed in on + signature generation. + +* A bucket with a **public read ACL** is meant to be read by an HTTP + client *without* including any query parameters that would allow + radosgw to discern tenants. Thus, publicly readable objects must + always be accessed using the bucket name with the tenant prefix. + + Thus, if you set a public read ACL on an object ``bar`` in a + container ``foo`` belonging to the tenant + ``7188e165c0ae4424ac68ae2e89a05c50``, you would need to access that + object via the public URL + ``http://:/7188e165c0ae4424ac68ae2e89a05c50:foo/bar``. + Swift with built-in authenticator --------------------------------- @@ -92,9 +124,33 @@ TBD -- not in test_multen.py yet Swift with Keystone ------------------- -TBD -- don't forget to explain the function of - rgw keystone implicit tenants = true - in commit e9259486decab52a362443d3fd3dec33b0ec654f +In the default configuration, although native Swift has inherent +multi-tenancy, radosgw does not enable multi-tenancy for the Swift +API. This is to ensure that a setup with legacy buckets --- that is, +buckets that were created before radosgw supported multitenancy ---, +those buckets retain their dual-API capability to be queried and +modified using either S3 or Swift. + +If you want to enable multitenancy for Swift, particularly if your +users only ever authenticate against OpenStack Keystone, you should +enable Keystone-based multitenancy with the following ``ceph.conf`` +configuration option:: + + rgw keystone implicit tenants = true + +Once you enable this option, any newly connecting user (whether they +are using the Swift API, or Keystone-authenticated S3) will prompt +radosgw to create a user named ``$`` is a Keystone tenant (project) UUID --- for example, +``7188e165c0ae4424ac68ae2e89a05c50$7188e165c0ae4424ac68ae2e89a05c50``. + +Whenever that user then creates an Swift container, radosgw internally +translates the given container name into +``/``, such as +``7188e165c0ae4424ac68ae2e89a05c50/foo``. This ensures that if there +are two or more different tenants all creating a container named +``foo``, radosgw is able to transparently discern them by their tenant +prefix. Notes and known issues ---------------------- @@ -102,6 +158,3 @@ Notes and known issues Just to be clear, it is not possible to create buckets in other tenants at present. The owner of newly created bucket is extracted from authentication information. - -This document needs examples of administration of Keystone users. -The keystone.rst may need to be updated. diff --git a/doc/radosgw/s3/authentication.rst b/doc/radosgw/s3/authentication.rst index 7d1f1288c5a5..c88f69f738ba 100644 --- a/doc/radosgw/s3/authentication.rst +++ b/doc/radosgw/s3/authentication.rst @@ -49,6 +49,41 @@ To normalize the header into canonical form: Replace the ``{hash-of-header-and-secret}`` with the base-64 encoded HMAC string. +Authentication against OpenStack Keystone +----------------------------------------- + +In a radosgw instance that is configured with authentication against +OpenStack Keystone, it is possible to use Keystone as an authoritative +source for S3 API authentication. To do so, you must set: + +* the ``rgw keystone`` configuration options explained in :doc:`../keystone`, +* ``rgw s3 auth use keystone = true``. + +In addition, a user wishing to use the S3 API must obtain an AWS-style +access key and secret key. They can do so with the ``openstack ec2 +credentials create`` command:: + + $ openstack --os-interface public ec2 credentials create + +------------+---------------------------------------------------------------------------------------------------------------------------------------------+ + | Field | Value | + +------------+---------------------------------------------------------------------------------------------------------------------------------------------+ + | access | c921676aaabbccdeadbeef7e8b0eeb2c | + | links | {u'self': u'https://auth.example.com:5000/v3/users/7ecbebaffeabbddeadbeefa23267ccbb24/credentials/OS-EC2/c921676aaabbccdeadbeef7e8b0eeb2c'} | + | project_id | 5ed51981aab4679851adeadbeef6ebf7 | + | secret | ******************************** | + | trust_id | None | + | user_id | 7ecbebaffeabbddeadbeefa23267cc24 | + +------------+---------------------------------------------------------------------------------------------------------------------------------------------+ + +The thus-generated access and secret key can then be used for S3 API +access to radosgw. + +.. note:: Consider that most production radosgw deployments + authenticating against OpenStack Keystone are also set up + for :doc:`../multitenancy`, for which special + considerations apply with respect to S3 signed URLs and + public read ACLs. + Access Control Lists (ACLs) --------------------------- diff --git a/doc/radosgw/swift.rst b/doc/radosgw/swift.rst index 89208e32c0fd..2cb2dde672e2 100644 --- a/doc/radosgw/swift.rst +++ b/doc/radosgw/swift.rst @@ -67,7 +67,9 @@ The following table describes the support status for current Swift functional fe +---------------------------------+-----------------+----------------------------------------+ | **Expiring Objects** | Supported | | +---------------------------------+-----------------+----------------------------------------+ -| **Object Versioning** | Supported | | +| **Temporary URLs** | Partial Support | No support for container-level keys | ++---------------------------------+-----------------+----------------------------------------+ +| **Object Versioning** | Partial Support | No support for ``X-History-Location`` | +---------------------------------+-----------------+----------------------------------------+ | **CORS** | Not Supported | | +---------------------------------+-----------------+----------------------------------------+ diff --git a/doc/radosgw/swift/containerops.rst b/doc/radosgw/swift/containerops.rst index f97429579d76..17ef4658b723 100644 --- a/doc/radosgw/swift/containerops.rst +++ b/doc/radosgw/swift/containerops.rst @@ -201,6 +201,15 @@ settings, which effectively enables all users to either read from or write to the container. Setting ``*`` makes the container public. That is it enables anonymous users to either read from or write to the container. +.. note:: If you are planning to expose public read ACL functionality + for the Swift API, it is strongly recommended to include the + Swift account name in the endpoint definition, so as to most + closely emulate the behavior of native OpenStack Swift. To + do so, set the ``ceph.conf`` configuration option ``rgw + swift account in url = true``, and update your Keystone + endpoint to the URL suffix ``/v1/AUTH_%(tenant_id)s`` + (instead of just ``/v1``). + Syntax ~~~~~~ @@ -257,6 +266,52 @@ Request Headers :Required: No +Enable Object Versioning for a Container +======================================== + +To enable object versioning a container, make a ``POST`` request with +the API version, account, and container name. You must have write +permissions on the container to add or update metadata. + +.. note:: Object versioning support is not enabled in radosgw by + default; you must set ``rgw swift versioning enabled = + true`` in ``ceph.conf`` to enable this feature. + +Syntax +~~~~~~ + +:: + + POST /{api version}/{account}/{container} HTTP/1.1 + Host: {fqdn} + X-Auth-Token: {auth-token} + X-Versions-Location: {archive-container} + +Request Headers +~~~~~~~~~~~~~~~ + +``X-Versions-Location`` + +:Description: The name of a container (the "archive container") that + will be used to store versions of the objects in the + container that the ``POST`` request is made on (the + "current container"). The archive container need not + exist at the time it is being referenced, but once + ``X-Versions-Location`` is set on the current container, + and object versioning is thus enabled, the archive + container must exist before any further objects are + updated or deleted in the current container. + + .. note:: ``X-Versions-Location`` is the only + versioning-related header that radosgw + interprets. ``X-History-Location``, supported + by native OpenStack Swift, is currently not + supported by radosgw. +:Type: String +:Required: No (if this header is passed with an empty value, object + versioning on the current container is disabled, but the + archive container continues to exist.) + Delete a Container ================== diff --git a/doc/radosgw/swift/tempurl.rst b/doc/radosgw/swift/tempurl.rst index 517e5c35dbf7..79b392de6226 100644 --- a/doc/radosgw/swift/tempurl.rst +++ b/doc/radosgw/swift/tempurl.rst @@ -10,14 +10,32 @@ initially the value of `X-Account-Meta-Temp-URL-Key` and optionally functionality relies on a HMAC-SHA1 signature against these secret keys. +.. note:: If you are planning to expose Temp URL functionality for the + Swift API, it is strongly recommended to include the Swift + account name in the endpoint definition, so as to most + closely emulate the behavior of native OpenStack Swift. To + do so, set the ``ceph.conf`` configuration option ``rgw + swift account in url = true``, and update your Keystone + endpoint to the URL suffix ``/v1/AUTH_%(tenant_id)s`` + (instead of just ``/v1``). + + POST Temp-URL Keys ================== -A ``POST`` request to the swift account with the required Key will set -the secret temp url key for the account against which temporary url +A ``POST`` request to the Swift account with the required key will set +the secret temp URL key for the account, against which temporary URL access can be provided to accounts. Up to two keys are supported, and signatures are checked against both the keys, if present, so that keys -can be rotated without invalidating the temporary urls. +can be rotated without invalidating the temporary URLs. + +.. note:: Native OpenStack Swift also supports the option to set + temporary URL keys at the container level, issuing a + ``POST`` or ``PUT`` request against a container that sets + ``X-Container-Meta-Temp-URL-Key`` or + ``X-Container-Meta-Temp-URL-Key-2``. This functionality is + not supported in radosgw; temporary URL keys can only be set + and used at the account level. Syntax ~~~~~~