S3 API/Keystone Integration
The operator should be able to decide, through a checkbox in Fuel, whether the S3 API/Keystone integration in Ceph RADOS Gateway is enabled.
The administrator should be informed about the trade-off associated with enabling the integration.
Problem description
Ceph RADOS Gateway offers multiple backends for client authentication for both the OpenStack Object Storage v1 API (aka Swift API) and the S3 API.
Unfortunately, request authentication in the S3 API is very different from its counterpart in OpenStack. Instead of presenting tokens, a client application may always access the object store with a frequently varying zero-knowledge proof. This provides extra security guarantees but, combined with the principle that Keystone cannot reveal the credentials it stores, also increases load and latency, because every S3 request results in a request to Keystone. This is an architectural limitation that cannot be addressed by introducing caching, as is done for the Swift API.
Thus, enabling the S3/Keystone integration in RadosGW is a decision associated with a fundamental trade-off and should be made after careful consideration. Nevertheless, the administrator should be able to turn on the integration through the graphical user interface.
Proposed changes
Enabling S3 API/Keystone integration requires changes in Ceph configuration files:
On controller side:
- Put rgw_s3_auth_use_keystone = True into the section of /etc/ceph/ceph.conf dedicated to RadosGW.
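As an added example (not part of this spec or of fuel-library), the following check reads a ceph.conf and reports, for each RadosGW section, whether the flag above is enabled, so an operator can verify what was actually deployed. The RadosGW section-name prefixes and the sample configuration are assumptions.

```python
"""Audit a ceph.conf for the S3 API/Keystone integration flag.

Added example, not part of the Fuel spec or fuel-library. Assumes the
usual INI layout of ceph.conf and that RadosGW sections are named
"client.radosgw.*" or "client.rgw.*" (an assumption; deployments differ).
"""
import configparser

# Boolean spellings Ceph accepts for option values.
TRUE_VALUES = {"true", "1", "yes", "on"}
FALSE_VALUES = {"false", "0", "no", "off"}

# Constructed sample configuration, not taken from a real deployment.
SAMPLE_CEPH_CONF = """
[global]
fsid = 00000000-0000-0000-0000-000000000000
auth_cluster_required = cephx

[client.radosgw.gateway]
rgw_keystone_url = http://keystone.example.invalid:35357
rgw_s3_auth_use_keystone = True
"""


def parse_bool(raw):
    """Normalise a Ceph boolean option; raise on unrecognised spellings."""
    value = raw.strip().lower()
    if value in TRUE_VALUES:
        return True
    if value in FALSE_VALUES:
        return False
    raise ValueError(f"not a Ceph boolean: {raw!r}")


def s3_keystone_status(text):
    """Return {section: enabled} for every RadosGW section in the config.

    Ceph treats spaces and underscores in option names interchangeably, so
    both spellings are looked up. A missing option means the Ceph default
    (disabled) applies.
    """
    conf = configparser.ConfigParser(interpolation=None, strict=False,
                                     inline_comment_prefixes=("#", ";"))
    conf.read_string(text)
    status = {}
    for section in conf.sections():
        if not section.startswith(("client.radosgw.", "client.rgw.")):
            continue
        raw = conf[section].get("rgw_s3_auth_use_keystone",
                                conf[section].get("rgw s3 auth use keystone", "false"))
        status[section] = parse_bool(raw)
    return status


if __name__ == "__main__":
    print(s3_keystone_status(SAMPLE_CEPH_CONF))
```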
Web UI
Interaction with the Web UI may be similar to the following scenario:
- Administrator navigates to the Storage section of the Settings tab.
- Administrator is presented with an option "Enable S3 API Authentication via Keystone" (or another appropriate one among the existing options) and a hint: "Please note that enabling this will increase the load on Keystone service. Please consult with documentation (link) and Mirantis Support on mitigating the risks related to load."
- If the user checks the option from step 2, the S3 API on RadosGW is configured for authentication via Keystone.
Nailgun
Nailgun-agent
None
Bootstrap
None
Data model
None
REST API
None
Orchestration
None
RPC Protocol
Only payload changes
Fuel Client
None
Plugins
None
Fuel Library
See the items in the Proposed changes section.
Alternatives
None
Upgrade impact
None
Security impact
Users will be able to authenticate requests made through the S3 API based solely on credentials stored and handled by Keystone.
Notifications impact
None
End user impact
None
Performance impact
Load on Keystone may be significantly increased. Latency of requests to the object store made through the S3 API will be increased.
Deployment impact
None
Developer impact
None
Infrastructure impact
None
Documentation impact
TBD
Implementation
Assignee(s)
TBD
Work Items
- Enable S3 API/Keystone integration in fuel-library (already done)
- UI changes
- Manual testing
Dependencies
None
Testing, QA
- Automated API/CLI test cases for configuring S3 authentication via Keystone.
Acceptance criteria
- Operator should be able to enable and disable the S3 API/Keystone integration in RadosGW through the Web UI.