Integrating with OpenStack Keystone

Integrating with OpenStack Keystone

It is possible to integrate the Ceph Object Gateway with Keystone, the OpenStackidentity service. This sets up the gateway to accept Keystone as the usersauthority. A user that Keystone authorizes to access the gateway will also beautomatically created on the Ceph Object Gateway (if didn’t exist beforehand). Atoken that Keystone validates will be considered as valid by the gateway.

The following configuration options are available for Keystone integration:

[client.radosgw.gateway]
rgw keystone api version = {keystone api version}
rgw keystone url = {keystone server url:keystone server admin port}
rgw keystone admin token = {keystone admin token}
rgw keystone admin token path = {path to keystone admin token} #preferred
rgw keystone accepted roles = {accepted user roles}
rgw keystone token cache size = {number of tokens to cache}
rgw keystone implicit tenants = {true for private tenant for each new user}

It is also possible to configure a Keystone service tenant, user & password forKeystone (for v2.0 version of the OpenStack Identity API), similar to the wayOpenStack services tend to be configured, this avoids the need for setting theshared secret rgw keystone admin token in the configuration file, which isrecommended to be disabled in production environments. The service tenantcredentials should have admin privileges, for more details refer the OpenStackKeystone documentation, which explains the process in detail. The requisiteconfiguration options for are:

rgw keystone admin user = {keystone service tenant user name}
rgw keystone admin password = {keystone service tenant user password}
rgw keystone admin password = {keystone service tenant user password path} # preferred
rgw keystone admin tenant = {keystone service tenant name}

A Ceph Object Gateway user is mapped into a Keystone tenant. A Keystone userhas different roles assigned to it on possibly more than a single tenant. Whenthe Ceph Object Gateway gets the ticket, it looks at the tenant, and the userroles that are assigned to that ticket, and accepts/rejects the requestaccording to the rgw keystone accepted roles configurable.

For a v3 version of the OpenStack Identity API you should replacergw keystone admin tenant with:

rgw keystone admin domain = {keystone admin domain name}
rgw keystone admin project = {keystone admin project name}

For compatibility with previous versions of ceph, it is alsopossible to set rgw keystone implicit tenants to eithers3 or swift. This has the effect of splittingthe identity space such that the indicated protocol willonly use implicit tenants, and the other protocol willnever use implicit tenants. Some older versions of cephonly supported implicit tenants with swift.

Ocata (and later)

Keystone itself needs to be configured to point to the Ceph Object Gateway as anobject-storage endpoint:

openstack service create --name=swift \
                         --description="Swift Service" \
                         object-store
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Swift Service                    |
| enabled     | True                             |
| id          | 37c4c0e79571404cb4644201a4a6e5ee |
| name        | swift                            |
| type        | object-store                     |
+-------------+----------------------------------+
 
openstack endpoint create --region RegionOne \
     --publicurl   "http://radosgw.example.com:8080/swift/v1" \
     --adminurl    "http://radosgw.example.com:8080/swift/v1" \
     --internalurl "http://radosgw.example.com:8080/swift/v1" \
     swift
+--------------+------------------------------------------+
| Field        | Value                                    |
+--------------+------------------------------------------+
| adminurl     | http://radosgw.example.com:8080/swift/v1 |
| id           | e4249d2b60e44743a67b5e5b38c18dd3         |
| internalurl  | http://radosgw.example.com:8080/swift/v1 |
| publicurl    | http://radosgw.example.com:8080/swift/v1 |
| region       | RegionOne                                |
| service_id   | 37c4c0e79571404cb4644201a4a6e5ee         |
| service_name | swift                                    |
| service_type | object-store                             |
+--------------+------------------------------------------+
 
$ openstack endpoint show object-store
+--------------+------------------------------------------+
| Field        | Value                                    |
+--------------+------------------------------------------+
| adminurl     | http://radosgw.example.com:8080/swift/v1 |
| enabled      | True                                     |
| id           | e4249d2b60e44743a67b5e5b38c18dd3         |
| internalurl  | http://radosgw.example.com:8080/swift/v1 |
| publicurl    | http://radosgw.example.com:8080/swift/v1 |
| region       | RegionOne                                |
| service_id   | 37c4c0e79571404cb4644201a4a6e5ee         |
| service_name | swift                                    |
| service_type | object-store                             |
+--------------+------------------------------------------+

Note

If your radosgw ceph.conf sets the configuration optionrgw swift account in url = true, your object-storeendpoint URLs must be set to include the suffix/v1/AUTH_%(tenant_id)s (instead of just /v1).

The Keystone URL is the Keystone admin RESTful API URL. The admin token is thetoken that is configured internally in Keystone for admin requests.

OpenStack Keystone may be terminated with a self signed ssl certificate, inorder for radosgw to interact with Keystone in such a case, you could eitherinstall Keystone’s ssl certificate in the node running radosgw. Alternativelyradosgw could be made to not verify the ssl certificate at all (similar toOpenStack clients with a —insecure switch) by setting the value of theconfigurable rgw keystone verify ssl to false.

Cross Project(Tenant) Access

In order to let a project (earlier called a ‘tenant’) access buckets belonging to a different project, the following config option needs to be enabled:

rgw swift account in url = true

The Keystone object-store endpoint must accordingly be configured to include the AUTH_%(project_id)s suffix:

 openstack endpoint create --region RegionOne \
     --publicurl   "http://radosgw.example.com:8080/swift/v1/AUTH_$(project_id)s" \
     --adminurl    "http://radosgw.example.com:8080/swift/v1/AUTH_$(project_id)s" \
     --internalurl "http://radosgw.example.com:8080/swift/v1/AUTH_$(project_id)s" \
     swift
+--------------+--------------------------------------------------------------+
| Field        | Value                                                        |
+--------------+--------------------------------------------------------------+
| adminurl     | http://radosgw.example.com:8080/swift/v1/AUTH_$(project_id)s |
| id           | e4249d2b60e44743a67b5e5b38c18dd3                             |
| internalurl  | http://radosgw.example.com:8080/swift/v1/AUTH_$(project_id)s |
| publicurl    | http://radosgw.example.com:8080/swift/v1/AUTH_$(project_id)s |
| region       | RegionOne                                                    |
| service_id   | 37c4c0e79571404cb4644201a4a6e5ee                             |
| service_name | swift                                                        |
| service_type | object-store                                                 |
+--------------+--------------------------------------------------------------+

Keystone integration with the S3 API

It is possible to use Keystone for authentication even when using theS3 API (with AWS-like access and secret keys), if the rgw s3 authuse keystone option is set. For details, seeAuthentication and ACLs.

OpenStack Keystone Integration

Integrating with OpenStack Keystone

Ocata (and later)

Cross Project(Tenant) Access

Keystone integration with the S3 API