diff --git a/doc/source/user/ceph/swift.rst b/doc/source/user/ceph/swift.rst
new file mode 100644
index 0000000000..703138cad5
--- /dev/null
+++ b/doc/source/user/ceph/swift.rst
@@ -0,0 +1,47 @@
+================================================
+Using radosgw as a drop-in replacement for Swift
+================================================
+
+OpenStack-Ansible gives you the option of deploying radosgw as a
+drop-in replacement for native OpenStack Swift.
+
+In particular, the ``ceph-rgw-install.yml`` playbook (which includes
+``ceph-rgw-keystone-setup.yml``) will deploy radosgw to any
+``ceph-rgw`` hosts, and create a corresponding Keystone
+``object-store`` service catalog entry. The service endpoints do
+contain the ``AUTH_%(tenant_id)s`` prefix just like in native Swift,
+so public read ACLs and temp URLs will work just like they do in
+Swift.
+
+By default, OSA enables *only* the Swift API in radosgw.
+
+
+Adding S3 API support
+~~~~~~~~~~~~~~~~~~~~~
+
+You may want to enable the default radosgw S3 API, in addition to the
+Swift API. In order to do so, you need to override the
+``ceph_conf_overrides_rgw`` variable in ``user_variables.yml``. Below
+is an example configuration snippet:
+
+.. code-block:: yaml
+
+ ceph_conf_overrides_rgw:
+ "client.rgw.{{ hostvars[inventory_hostname]['ansible_hostname'] }}":
+ # OpenStack integration with Keystone
+ rgw_keystone_url: "{{ keystone_service_adminuri }}"
+ rgw_keystone_api_version: 3
+ rgw_keystone_admin_user: "{{ radosgw_admin_user }}"
+ rgw_keystone_admin_password: "{{ radosgw_admin_password }}"
+ rgw_keystone_admin_tenant: "{{ radosgw_admin_tenant }}"
+ rgw_keystone_admin_domain: default
+ rgw_keystone_accepted_roles: 'member, _member_, admin, swiftoperator'
+ rgw_keystone_implicit_tenants: 'true'
+ rgw_swift_account_in_url: true
+ rgw_swift_versioning_enabled: 'true'
+ # Add S3 support, in addition to Swift
+ rgw_enable_apis: 'swift, s3'
+ rgw_s3_auth_use_keystone: 'true'
+
+You may also want to add the ``rgw_dns_name`` option if you want to
+enable bucket hostnames with the S3 API.
diff --git a/doc/source/user/index.rst b/doc/source/user/index.rst
index 1240ad3094..e7b2eafae0 100644
--- a/doc/source/user/index.rst
+++ b/doc/source/user/index.rst
@@ -28,6 +28,7 @@ For in-depth technical information, see the
 limited-connectivity/index.rst
 l3pods/example.rst
 ceph/full-deploy.rst
+ ceph/swift.rst
 ceph/ceilometer.rst
 security/index.rst
 source-overrides/index.rst
diff --git a/inventory/group_vars/all/ceph-rgw.yml b/inventory/group_vars/all/ceph-rgw.yml
index 3d34703273..b093e5c4bc 100644
--- a/inventory/group_vars/all/ceph-rgw.yml
+++ b/inventory/group_vars/all/ceph-rgw.yml
@@ -13,8 +13,8 @@ radosgw_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default
 radosgw_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(radosgw_service_proto) }}"
 radosgw_service_internaluri_proto: "{{ openstack_service_internaluri_proto | default(radosgw_service_proto) }}"
 radosgw_service_publicuri: "{{ radosgw_service_publicuri_proto }}://{{ external_lb_vip_address }}:{{ radosgw_service_port }}"
-radosgw_service_publicurl: "{{ radosgw_service_publicuri }}/swift/v1"
+radosgw_service_publicurl: "{{ radosgw_service_publicuri }}/swift/v1/AUTH_%(tenant_id)s"
 radosgw_service_adminuri: "{{ radosgw_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ radosgw_service_port }}"
-radosgw_service_adminurl: "{{ radosgw_service_adminuri }}/swift/v1"
+radosgw_service_adminurl: "{{ radosgw_service_adminuri }}/swift/v1/AUTH_%(tenant_id)s"
 radosgw_service_internaluri: "{{ radosgw_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ radosgw_service_port }}"
-radosgw_service_internalurl: "{{ radosgw_service_internaluri }}/swift/v1"
+radosgw_service_internalurl: "{{ radosgw_service_internaluri }}/swift/v1/AUTH_%(tenant_id)s"
diff --git a/inventory/group_vars/ceph-rgw.yml b/inventory/group_vars/ceph-rgw.yml
index dfd46c948a..f7b7355d0b 100644
--- a/inventory/group_vars/ceph-rgw.yml
+++ b/inventory/group_vars/ceph-rgw.yml
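Review bot: In inventory/group_vars/all/ceph-rgw.yml the three `radosgw_service_*url` values now end in `/swift/v1/AUTH_%(tenant_id)s`, but nothing at the definitions says that this suffix depends on radosgw running with `rgw_swift_account_in_url` enabled, which is set in a different file (inventory/group_vars/ceph-rgw.yml) inside `ceph_conf_overrides_rgw`. An operator who replaces `ceph_conf_overrides_rgw` in user_variables.yml, as the new swift.rst page invites for S3, and leaves that key out would end up with a service catalog advertising account-scoped URLs to a gateway that presumably does not parse the account segment. I would add a comment above `radosgw_service_publicurl` such as `# AUTH_%(tenant_id)s requires rgw_swift_account_in_url: 'true' in ceph_conf_overrides_rgw (group_vars/ceph-rgw.yml); keep the two in step.` It is also worth noting there that `%(tenant_id)s` is a Keystone endpoint placeholder and is not expanded by Jinja.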
@@ -9,5 +9,7 @@ ceph_conf_overrides_rgw:
 rgw_keystone_admin_tenant: "{{ radosgw_admin_tenant }}"
 rgw_keystone_admin_domain: default
 rgw_keystone_accepted_roles: 'member, _member_, admin, swiftoperator'
- rgw_s3_auth_use_keystone: true
+ rgw_keystone_implicit_tenants: 'true'
 rgw_enable_apis: swift
+ rgw_swift_account_in_url: 'true'
+ rgw_swift_versioning_enabled: 'true'
\ No newline at end of file
diff --git a/releasenotes/notes/ceph-rgw-swift-account-93350d92f0f33b20.yaml b/releasenotes/notes/ceph-rgw-swift-account-93350d92f0f33b20.yaml
new file mode 100644
index 0000000000..4f4a77bbd4
--- /dev/null
+++ b/releasenotes/notes/ceph-rgw-swift-account-93350d92f0f33b20.yaml
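Review bot: In inventory/group_vars/ceph-rgw.yml, turning on `rgw_swift_account_in_url: 'true'` and `rgw_keystone_implicit_tenants: 'true'` by default changes who can reach existing data on an upgraded deployment, and the keys carry no comment saying so. Per the release note in this commit, account-in-URL is what makes public read ACLs and temp URLs work, so containers that already carry a public read ACL that had no effect before would presumably become anonymously readable after the upgrade; operators should audit container ACLs first. `rgw_keystone_implicit_tenants` is not mentioned in the release note's upgrade section at all, although it maps each Keystone project to its own radosgw tenant and, as far as I know, does not migrate users and buckets created under the previous global namespace. I would add comments above the keys, e.g. `# Needed for anonymous access (public read ACLs, temp URLs); audit existing container ACLs before enabling on upgrade` and `# Per-project rgw tenants; buckets created before this was enabled are not migrated - verify before upgrading`. The file also still ends without a trailing newline.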
@@ -0,0 +1,30 @@
+---
+upgrade:
+ - >
+ The ``ceph-rgw`` playbooks now set ``rgw_swift_account_in_url =
+ true`` and update the corresponding Keystone service catalog entry
+ accordingly. Applications (such as monitoring scripts) that do
+ *not* rely on service catalog lookup must be updated with the new
+ endpoint URL that includes ``AUTH_%(tenant_id)s`` just like native
+ Swift does --- or, alternatively, should be updated to honor the
+ service catalog after all.
+ - >
+ The ``ceph-rgw`` playbooks now set ``rgw_swift_versioning_enabled =
+ true``, adding support for object versioning for the ``object-store``
+ service.
+fixes:
+ - >
+ The ``ceph-rgw`` playbooks now include the ``AUTH_%(tenant_id)s``
+ suffix in the Keystone ``object-store`` endpoint. This aligns
+ radosgw's behavior with that of native Swift. It also enables
+ radosgw to support public read ACLs on containers, and temporary
+ URLs on objects, in the same way that Swift does
+ (`bug 1800637 `_).
+issues:
+ - >
+ Although the ``ceph-rgw`` playbooks do enable Swift object
+ versioning, support in radosgw is currently limited to setting
+ ``X-Versions-Location`` on a container. ``X-History-Location``,
+ understood by native Swift, is currently not supported by radosgw
+ (although the feature is `pending
+ `_ upstream).
\ No newline at end of file