Integrating with OpenStack Keystone

It is possible to integrate the Ceph Object Gateway with Keystone, the OpenStack identity service. This sets up the gateway to accept Keystone as the users authority. A user that Keystone authorizes to access the gateway will also be automatically created on the Ceph Object Gateway (if it didn't exist beforehand). A token that Keystone validates will be considered as valid by the gateway.

The following configuration options are available for Keystone integration:

    [client.radosgw.gateway]
    rgw keystone url = {keystone server url:keystone server admin port}
    rgw keystone admin token = {keystone admin token}
    rgw keystone accepted roles = {accepted user roles}
    rgw keystone token cache size = {number of tokens to cache}
    rgw keystone revocation interval = {number of seconds before checking revoked tickets}
    rgw s3 auth use keystone = true
    nss db path = {path to nss db}

A Ceph Object Gateway user is mapped into a Keystone tenant. A Keystone user has different roles assigned to it on possibly more than a single tenant. When the Ceph Object Gateway gets the ticket, it looks at the tenant, and the user roles that are assigned to that ticket, and accepts/rejects the request according to the rgw keystone accepted roles configurable.
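The accept/reject rule just described, together with the token cache and revocation interval options listed above, modelled as an added Python example. This is not Ceph code: the layout of the token validation response, the comma-separated form of the accepted-roles value, exact (case-sensitive) role matching, and the use of the tenant id as the gateway-side user name are assumptions made for illustration.

```python
import json
from collections import OrderedDict

# Constructed sample shaped like a Keystone v2 token-validation response
# (assumption: this field layout is used for illustration only).
SAMPLE_VALIDATION = json.dumps({
    "access": {
        "token": {"id": "tok-0001", "tenant": {"id": "tenant-demo-id", "name": "demo"}},
        "user": {"id": "u-42", "name": "alice",
                 "roles": [{"name": "Member"}, {"name": "swift-user"}]},
    }
})


def parse_accepted_roles(value):
    """Split a comma-separated 'rgw keystone accepted roles' value into a set."""
    return {r.strip() for r in value.split(",") if r.strip()}


def decide(validation_json, accepted_roles):
    """Apply the rule: the ticket must be scoped to a tenant and carry at least one
    role from the accepted set. Returns (accepted, local_user, reason).
    local_user is derived from the tenant id (assumption; the page only says the
    gateway user maps to a tenant). Role names are compared exactly."""
    access = json.loads(validation_json)["access"]
    tenant = access["token"].get("tenant")
    if tenant is None:
        return False, None, "unscoped token: no tenant"
    roles = {r["name"] for r in access["user"].get("roles", [])}
    matched = roles & set(accepted_roles)
    if not matched:
        return False, None, "no accepted role in %s" % sorted(roles)
    return True, tenant["id"], "matched %s" % sorted(matched)


class TokenCache:
    """Bounded LRU cache keyed by token id, mirroring 'rgw keystone token cache size'."""

    def __init__(self, max_size):
        self.max_size = max_size
        self._entries = OrderedDict()

    def put(self, token_id, decision):
        self._entries[token_id] = decision
        self._entries.move_to_end(token_id)
        while len(self._entries) > self.max_size:
            self._entries.popitem(last=False)   # evict the least recently used entry

    def get(self, token_id):
        if token_id not in self._entries:
            return None
        self._entries.move_to_end(token_id)
        return self._entries[token_id]

    def drop(self, token_id):
        self._entries.pop(token_id, None)


class RevocationList:
    """Set of revoked token ids, re-fetched no more often than
    'rgw keystone revocation interval' seconds."""

    def __init__(self, interval_seconds, fetch):
        self.interval = interval_seconds
        self.fetch = fetch            # callable returning the current revoked ids
        self.revoked = set()
        self.last_refresh = None

    def refresh_if_due(self, now):
        if self.last_refresh is None or now - self.last_refresh >= self.interval:
            self.revoked = set(self.fetch())
            self.last_refresh = now
            return True
        return False

    def is_revoked(self, token_id):
        return token_id in self.revoked


def authorize(validation_json, accepted_roles, cache, revocations, now):
    """Full path: refresh the revocation list when due, reject revoked tokens (and
    purge them from the cache), otherwise serve a cached decision or evaluate and
    cache a new one."""
    revocations.refresh_if_due(now)
    token_id = json.loads(validation_json)["access"]["token"]["id"]
    if revocations.is_revoked(token_id):
        cache.drop(token_id)
        return False, None, "token revoked"
    cached = cache.get(token_id)
    if cached is not None:
        return cached
    result = decide(validation_json, accepted_roles)
    cache.put(token_id, result)
    return result
```

The important property to notice is that a cached "accept" decision survives until the next revocation fetch, so a long revocation interval lengthens the window in which a revoked token is still honoured; the interval is a trade-off between load on Keystone and how quickly revocation takes effect.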

Prior to Kilo

Keystone itself needs to be configured to point to the Ceph Object Gateway as an object-storage endpoint:

    keystone service-create --name swift --type object-store
    keystone endpoint-create --service-id <id> \
        --publicurl http://radosgw.example.com/swift/v1 \
        --internalurl http://radosgw.example.com/swift/v1 \
        --adminurl http://radosgw.example.com/swift/v1

As of Kilo

Keystone itself needs to be configured to point to the Ceph Object Gateway as an object-storage endpoint:

    openstack service create --name=swift \
                             --description="Swift Service" \
                             object-store
    +-------------+----------------------------------+
    | Field       | Value                            |
    +-------------+----------------------------------+
    | description | Swift Service                    |
    | enabled     | True                             |
    | id          | 37c4c0e79571404cb4644201a4a6e5ee |
    | name        | swift                            |
    | type        | object-store                     |
    +-------------+----------------------------------+

    openstack endpoint create --region RegionOne \
           --publicurl   "http://radosgw.example.com:8080/swift/v1" \
           --adminurl    "http://radosgw.example.com:8080/swift/v1" \
           --internalurl "http://radosgw.example.com:8080/swift/v1" \
           swift
    +--------------+------------------------------------------+
    | Field        | Value                                    |
    +--------------+------------------------------------------+
    | adminurl     | http://radosgw.example.com:8080/swift/v1 |
    | id           | e4249d2b60e44743a67b5e5b38c18dd3         |
    | internalurl  | http://radosgw.example.com:8080/swift/v1 |
    | publicurl    | http://radosgw.example.com:8080/swift/v1 |
    | region       | RegionOne                                |
    | service_id   | 37c4c0e79571404cb4644201a4a6e5ee         |
    | service_name | swift                                    |
    | service_type | object-store                             |
    +--------------+------------------------------------------+

    $ openstack endpoint show object-store
    +--------------+------------------------------------------+
    | Field        | Value                                    |
    +--------------+------------------------------------------+
    | adminurl     | http://radosgw.example.com:8080/swift/v1 |
    | enabled      | True                                     |
    | id           | e4249d2b60e44743a67b5e5b38c18dd3         |
    | internalurl  | http://radosgw.example.com:8080/swift/v1 |
    | publicurl    | http://radosgw.example.com:8080/swift/v1 |
    | region       | RegionOne                                |
    | service_id   | 37c4c0e79571404cb4644201a4a6e5ee         |
    | service_name | swift                                    |
    | service_type | object-store                             |
    +--------------+------------------------------------------+

The keystone URL is the Keystone admin RESTful API URL. The admin token is the token that is configured internally in Keystone for admin requests.

The Ceph Object Gateway will query Keystone periodically for a list of revoked tokens. These requests are encoded and signed. Also, Keystone may be configured to provide self-signed tokens, which are also encoded and signed. The gateway needs to be able to decode and verify these signed messages, and the process requires that the gateway be set up appropriately. Currently, the Ceph Object Gateway will only be able to perform the procedure if it was compiled with --with-nss. Configuring the Ceph Object Gateway to work with Keystone also requires converting the OpenSSL certificates that Keystone uses for creating the requests to the nss db format, for example:

    mkdir /var/ceph/nss

    openssl x509 -in /etc/keystone/ssl/certs/ca.pem -pubkey | \
        certutil -d /var/ceph/nss -A -n ca -t "TCu,Cu,Tuw"
    openssl x509 -in /etc/keystone/ssl/certs/signing_cert.pem -pubkey | \
        certutil -A -d /var/ceph/nss -n signing_cert -t "P,P,P"