From 1bdcedc6ce722f750ba748bfe76ede4b8dca0d87 Mon Sep 17 00:00:00 2001 From: Casey Bodley Date: Mon, 3 Jul 2023 14:59:51 -0400 Subject: [PATCH] doc/rgw: document compress-encrypted zonegroup feature flag Signed-off-by: Casey Bodley (cherry picked from commit d85011a7fc5d3df42a2c046ec7a43fe29f1db08f) --- doc/radosgw/compression.rst | 4 ++++ doc/radosgw/multisite.rst | 29 ++++++++++++++++++++++++----- 2 files changed, 28 insertions(+), 5 deletions(-) diff --git a/doc/radosgw/compression.rst b/doc/radosgw/compression.rst index 23655f1dce0ed..fba0681da9052 100644 --- a/doc/radosgw/compression.rst +++ b/doc/radosgw/compression.rst @@ -7,6 +7,9 @@ Compression The Ceph Object Gateway supports server-side compression of uploaded objects, using any of Ceph's existing compression plugins. +.. note:: The Reef release added a :ref:`feature_compress_encrypted` zonegroup + feature to enable compression with `Server-Side Encryption`_. + Configuration ============= @@ -84,4 +87,5 @@ The ``size_utilized`` and ``size_kb_utilized`` fields represent the total size of compressed data, in bytes and kilobytes respectively. +.. _`Server-Side Encryption`: ../encryption .. _`Multisite Configuration`: ../multisite diff --git a/doc/radosgw/multisite.rst b/doc/radosgw/multisite.rst index be4625dab18bd..a53c0794c93c3 100644 --- a/doc/radosgw/multisite.rst +++ b/doc/radosgw/multisite.rst @@ -1574,11 +1574,13 @@ On creation of new zones and zonegroups, all known features are supported/enable Supported Features ------------------ -+---------------------------+---------+----------+ -| Feature | Release | Default | -+===========================+=========+==========+ -| :ref:`feature_resharding` | Reef | Enabled | -+---------------------------+---------+----------+ ++-----------------------------------+---------+----------+ +| Feature | Release | Default | ++===================================+=========+==========+ +| :ref:`feature_resharding` | Reef | Enabled | ++-----------------------------------+---------+----------+ +| :ref:`feature_compress_encrypted` | Reef | Disabled | ++-----------------------------------+---------+----------+ .. _feature_resharding: @@ -1597,6 +1599,21 @@ of its RGWs and OSDs have upgraded. the Reef release. +.. _feature_compress_encrypted: + +compress-encrypted +~~~~~~~~~~~~~~~~~~ + +This feature enables support for combining `Server-Side Encryption`_ and +`Compression`_ on the same object. Object data gets compressed before encryption. +Prior to Reef, multisite would not replicate such objects correctly, so all zones +must upgrade to Reef or later before enabling. + +.. warning:: The compression ratio may leak information about the encrypted data, + and allow attackers to distinguish whether two same-sized objects might contain + the same data. Due to these security considerations, this feature is disabled + by default. + Commands -------- @@ -1644,3 +1661,5 @@ On any cluster in the realm: .. _`Pools`: ../pools .. _`Sync Policy Config`: ../multisite-sync-policy +.. _`Server-Side Encryption`: ../encryption +.. _`Compression`: ../compression -- 2.39.5