Red Hat Ceph Storage 2 Using Keystone to Authenticate Ceph Object Gateway Users

Similar documents
Red Hat Ceph Storage 3

Red Hat CloudForms 4.0

Red Hat Ceph Storage 3

Red Hat Developer Studio 12.0

Red Hat 3scale 2.3 Accounts

Red Hat 3Scale 2.0 Terminology

Red Hat OpenStack Platform 8 Configure firewall rules for Red Hat OpenStack Platform director

Red Hat CloudForms 4.1

Red Hat CloudForms 4.0

Red Hat CloudForms 4.5 Integration with AWS CloudFormation and OpenStack Heat

Red Hat OpenStack Platform 9 Introduction to the OpenStack Dashboard

Red Hat JBoss Developer Studio 11.1

Red Hat OpenStack Platform 13

Red Hat OpenStack Platform 13

.NET Core 2.0 Release Notes for Containers

Red Hat CloudForms 4.6

Red Hat Enterprise Linux OpenStack Platform 7 Fujitsu ETERNUS Back End Guide

Red Hat OpenStack Platform 13

Red Hat OpenStack Platform 10

Red Hat CloudForms 4.5

Red Hat Process Automation Manager 7.0 Managing and monitoring business processes in Business Central

Red Hat Process Automation Manager 7.0 Executing a business process in Business Central

Red Hat OpenStack Platform 13

Red Hat JBoss A-MQ 6.0

Red Hat Satellite 6.3

Red Hat Ceph Storage 3

Red Hat OpenStack Platform 11 Monitoring Tools Configuration Guide

Red Hat Application Migration Toolkit 4.0

Red Hat Quay 2.9 Deploy Red Hat Quay - Basic

Red Hat JBoss Data Virtualization 6.2 Using the Dashboard Builder. David Sage

Red Hat JBoss BRMS 6.0

Red Hat OpenStack Platform 12

Red Hat JBoss A-MQ 6.3

Red Hat OpenStack Platform 13

Red Hat Enterprise Virtualization 3.6

Red Hat CloudForms 4.6

Red Hat Application Migration Toolkit 4.2

Red Hat OpenStack Platform 10 CephFS Back End Guide for the Shared File System Service

Red Hat JBoss Fuse 6.1

Red Hat Virtualization 4.1 Hardware Considerations for Implementing SR-IOV

Red Hat Mobile Application Platform Hosted 3

Red Hat Virtualization 4.2

Red Hat Process Automation Manager 7.0 Planning a Red Hat Process Automation Manager installation

Red Hat OpenStack Platform 10 Product Guide

Red Hat AMQ 7.2 Introducing Red Hat AMQ 7

Red Hat Virtualization 4.0

Red Hat Development Suite 1.1 Installation Guide

Red Hat JBoss Enterprise Application Platform 7.1

Red Hat JBoss Data Grid 7.1 Feature Support Document

Red Hat Cloud Infrastructure 1.1

Red Hat Ceph Storage Release Notes

Red Hat JBoss Data Virtualization 6.3 Getting Started Guide

Red Hat CloudForms 4.6

Red Hat JBoss Fuse 6.1

Red Hat Enterprise Virtualization 3.6

Red Hat JBoss Enterprise Application Platform 7.2

Red Hat CloudForms 4.5 Introduction to the Self Service User Interface

Red Hat OpenShift Application Runtimes 1

Red Hat OpenStack Platform 14

Red Hat Cloud Suite 1.1

Red Hat JBoss Developer Studio Integration Stack 10.0 Installation Guide

Red Hat Enterprise Linux 7 Getting Started with Cockpit

Red Hat JBoss Enterprise Application Platform 7.0

Red Hat JBoss Enterprise Application Platform 7.2

3.6. How to Use the Reports and Data Warehouse Capabilities of Red Hat Enterprise Virtualization. Last Updated:

Red Hat Decision Manager 7.0 Designing a decision service using guided rules

Red Hat Decision Manager 7.0

Red Hat JBoss Developer Studio Integration Stack 9.0 Installation Guide

OpenShift Dedicated 3 Release Notes

Red Hat Decision Manager 7.0 Migrating from Red Hat JBoss BRMS 6.4 to Red Hat Decision Manager 7.0

Red Hat JBoss Data Grid 6.4

Red Hat JBoss Fuse 6.3

Red Hat Security Data API 1.0

Red Hat Enterprise Virtualization 3.6

Red Hat Enterprise Virtualization 3.6 Introduction to the User Portal

Red Hat OpenStack Platform 13

Red Hat OpenStack Platform 12

Red Hat JBoss Fuse 7.0-TP

Red Hat OpenStack Platform 13

Red Hat Fuse 7.2 Fuse Online Sample Integration Tutorials

Red Hat Mobile Application Platform Hosted 3

Red Hat Enterprise Linux Atomic Host 7 Getting Started with Cockpit

Red Hat Development Suite 2.1

JBoss Enterprise Application Platform 5

Red Hat Container Development Kit 3.0 Release Notes and Known Issues

Red Hat OpenStack Platform 10

Red Hat Network Satellite 5.4

Red Hat Developer Studio 12.9

Red Hat JBoss Data Virtualization 6.4 Quick Starts Guide

Red Hat CloudForms 4.6

Red Hat Fuse 7.1 Fuse Online Sample Integration Tutorials

Red Hat JBoss BRMS 6.1

Red Hat JBoss Middleware for OpenShift 3

Red Hat 3scale 2-saas

Red Hat Decision Manager 7.0 Migrating from Red Hat JBoss BRMS 6.4 to Red Hat Decision Manager 7.0

Red Hat CloudForms 4.0

Red Hat Virtualization 4.1 Product Guide

Red Hat JBoss Developer Studio Integration Stack 8.0

Red Hat JBoss BRMS 6.4

Red Hat Certified Cloud and Service Provider Certification 1.0

Transcription:

Red Hat Ceph Storage 2 Using Keystone to Authenticate Ceph Object Gateway Users Configuring OpenStack and Ceph Object Gateway to use Keystone for user authentication. Red Hat Ceph Storage Documentation Team

Red Hat Ceph Storage 2 Using Keystone to Authenticate Ceph Object Gateway Users Configuring OpenStack and Ceph Object Gateway to use Keystone for user authentication.

Legal Notice Copyright 2017 Red Hat, Inc. The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version. Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law. Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries. Linux is the registered trademark of Linus Torvalds in the United States and other countries. Java is a registered trademark of Oracle and/or its affiliates. XFS is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries. MySQL is a registered trademark of MySQL AB in the United States, the European Union and other countries. Node.js is an official trademark of Joyent. Red Hat Software Collections is not formally related to or endorsed by the official Joyent Node.js open source or commercial project. The OpenStack Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community. All other trademarks are the property of their respective owners. Abstract This document describes how to configure OpenStack and Ceph Object Gateway to use Keystone for user authentication.

Table of Contents Table of Contents. PREFACE............................................................................................ 3.. CHAPTER......... 1... CONFIGURING............. OPENSTACK.................................................................... 4. 1.1. CREATING THE SWIFT SERVICE 4 1.2. SETTING THE ENDPOINTS 4 1.3. VERIFYING THE SETTINGS 5. CHAPTER......... 2... CONFIGURING............. THE.... CEPH...... OBJECT........ GATEWAY.................................................. 7. 2.1. CONFIGURING SSL 7 2.2. CONFIGURING CIVETWEB 7 2.3. RESTARTING CIVETWEB 12 1

Red Hat Ceph Storage 2 Using Keystone to Authenticate Ceph Object Gateway Users 2

PREFACE PREFACE Organizations using OpenStack Keystone to authenticate users can integrate Keystone with the Ceph Object Gateway, which enables the gateway to accept a Keystone token, authenticate the user and create a corresponding Ceph Object Gateway user. When Keystone validates a token, the gateway considers the user authenticated. Benefits include: Managing Users with Keystone Automatic User Creation in the Ceph Object Gateway The Ceph Object Gateway will query Keystone periodically for a list of revoked tokens. 3

Red Hat Ceph Storage 2 Using Keystone to Authenticate Ceph Object Gateway Users CHAPTER 1. CONFIGURING OPENSTACK Before configuring the Ceph Object Gateway, configure Keystone so that the Swift service is enabled and pointing to the Ceph Object Gateway. 1.1. CREATING THE SWIFT SERVICE To use OpenStack to validate Swift users, first create the Swift service. # openstack service create --name=swift --description="swift Service" object-store Creating the service will echo the service settings. For example: Field Value description Swift Service enabled True id 37c4c0e79571404cb4644201a4a6e5ee name swift type object-store 1.2. SETTING THE ENDPOINTS After creating the Swift service, point it to a Ceph Object Gateway. Replace {region-name} with the name of the gateway s zone group name or region name. Replace the exemplary URLs with URLs appropriate for the Ceph Object Gateway. # openstack endpoint create --region {region-name} \ --publicurl "http://radosgw.example.com:8080/swift/v1" \ --adminurl "http://radosgw.example.com:8080/swift/v1" \ --internalurl "http://radosgw.example.com:8080/swift/v1" \ swift Setting the endpoints will echo the service endpoint settings. For example: 4

CHAPTER 1. CONFIGURING OPENSTACK Field Value adminurl http://radosgw.example.com:8080/swift/v1 id e4249d2b60e44743a67b5e5b38c18dd3 internalurl http://radosgw.example.com:8080/swift/v1 publicurl http://radosgw.example.com:8080/swift/v1 region us-west service_id 37c4c0e79571404cb4644201a4a6e5ee service_name swift service_type object-store 1.3. VERIFYING THE SETTINGS After creating the Swift service and setting the endpoints, show the endpoints to ensure that all the settings are correct. # openstack endpoint show object-store Showing the endpoints will echo the endpoints settings, and the service settings. For example: Field Value adminurl http://radosgw.example.com:8080/swift/v1 enabled True id e4249d2b60e44743a67b5e5b38c18dd3 5

Red Hat Ceph Storage 2 Using Keystone to Authenticate Ceph Object Gateway Users Field Value internalurl http://radosgw.example.com:8080/swift/v1 publicurl http://radosgw.example.com:8080/swift/v1 region us-west service_id 37c4c0e79571404cb4644201a4a6e5ee service_name swift service_type object-store 6

CHAPTER 2. CONFIGURING THE CEPH OBJECT GATEWAY CHAPTER 2. CONFIGURING THE CEPH OBJECT GATEWAY 2.1. CONFIGURING SSL Configuring the Ceph Object Gateway to work with Keystone requires converting the OpenSSL certificates that Keystone uses for creating the requests to the nss db format, for example: mkdir /var/ceph/nss openssl x509 -in /etc/keystone/ssl/certs/ca.pem -pubkey \ certutil -d /var/ceph/nss -A -n ca -t "TCu,Cu,Tuw" openssl x509 -in /etc/keystone/ssl/certs/signing_cert.pem -pubkey \ certutil -A -d /var/ceph/nss -n signing_cert -t "P,P,P" Openstack Keystone may also be terminated with a self-signed SSL certificate, in order for the Ceph Object Gateway to interact with Keystone. Either install Keystone s SSL certificate in the node running the Ceph Object Gateway, or alternatively set the value of the configurable rgw_keystone_verify_ssl setting to false. Setting rgw_keystone_verify_ssl to false means that the gateway won t attempt to verify the certificate. 2.2. CONFIGURING CIVETWEB To configure the Ceph Object Gateway to use Keystone, open the Ceph configuration file on the admin node and navigate to the [client.radosgw.{instance-name}], where {instancename} is the name of the Gateway instance to configure. For each gateway instance, set the rgw_s3_auth_use_keystone setting to true, and set the nss_db_path setting to the path where the NSS database is stored. Provide authentication credentials. It is possible to configure a Keystone service tenant, user and password for keystone for v2.0 version of the OpenStack Identity API, similar to the way system administrators tend to configure OpenStack services. Providing a username and password avoids providing the shared secret to the rgw_keystone_admin_token setting. Red Hat recommends disabling authentication by admin token in production environments. The service tenant credentials should have admin privileges. For more details refer to the User and Role Management documentation, which explains the process in detail. The requisite configuration options for are: rgw_keystone_admin_user = {keystone service tenant user name} rgw_keystone_admin_password = {keystone service tenant user password} rgw_keystone_admin_tenant = {keystone service tenant name} A Ceph Object Gateway user is mapped into a Keystone tenant. A Keystone user has different roles assigned to it on possibly more than a single tenant. When the Ceph Object Gateway gets the ticket, it looks at the tenant, and the user roles that are assigned to that ticket, and accepts/rejects the request according to the rgw_keystone_accepted_roles configurable. A typical configuration might have the following settings: [client.radosgw.gateway] rgw_keystone_url = {keystone server url:keystone server admin port} ##Authentication using an admin token. Not preferred. #rgw_keystone_admin_token = {keystone admin token} 7

Red Hat Ceph Storage 2 Using Keystone to Authenticate Ceph Object Gateway Users ##Authentication using username, password and tenant. Preferred. rgw_keystone_admin_user = {keystone service tenant user name} rgw_keystone_admin_password = {keystone service tenant user password} rgw_keystone_admin_tenant = {keystone service tenant name} rgw_keystone_accepted_roles = {accepted user roles} ## rgw_keystone_token_cache_size = {number of tokens to cache} rgw_keystone_revocation_interval = {number of seconds before checking revoked tickets} rgw_keystone_make_new_tenants = {true for private tenant for each new user} rgw_s3_auth_use_keystone = true nss_db_path = {path to nss db} Save the changes to the Ceph configuration file. Then, copy the updated Ceph configuration file to each Ceph node. For example: # scp /etc/ceph/ceph.conf <node-name>:/etc/ceph/ See below for a detailed description of the available Keystone integration configuration options: rgw_s3_auth_use_keystone If set to true, the Ceph Object Gateway will authenticate users using Keystone. Boolean false nss_db_path The path to the NSS database. rgw_keystone_url The URL for the administrative RESTful API on the Keystone server. 8

CHAPTER 2. CONFIGURING THE CEPH OBJECT GATEWAY rgw_keystone_admin_token The token or shared secret that is configured internally in Keystone for administrative requests. rgw_keystone_admin_user The keystone admin user name. rgw_keystone_admin_password The keystone admin user password. rgw_keystone_admin_tenant The Keystone admin user tenant for keystone v2.0. 9

Red Hat Ceph Storage 2 Using Keystone to Authenticate Ceph Object Gateway Users rgw_keystone_admin_project The Keystone admin user project for keystone v3. rgw_keystone_admin_domain The Keystone admin user domain. rgw_keystone_api_version The version of the Keystone API to use. Valid options are 2 or 3. Integer 2 rgw_keystone_accepted_roles The roles required to serve requests. "Member, admin" rgw_keystone_accepted_admin_roles 10

CHAPTER 2. CONFIGURING THE CEPH OBJECT GATEWAY The list of roles allowing a user to gain administrative privileges. rgw_keystone_token_cache_size The maximum number of entries in the Keystone token cache. Integer 10000 rgw_keystone_revocation_interval The number seconds between tokens revocation check. Integer 15 * 60 rgw_keystone_verify_ssl If true Ceph will try to verify Keystone s SSL certificate. Boolean true rgw_keystone_implicit_tenants Create new users in their own tenants of the same name. 11

Red Hat Ceph Storage 2 Using Keystone to Authenticate Ceph Object Gateway Users Boolean false 2.3. RESTARTING CIVETWEB Once you have saved the Ceph configuration file and distributed it to each Ceph node, restart the Ceph Object Gateway instances. Usage should be one of: # systemctl restart ceph-radosgw # systemctl restart ceph-radosgw@rgw.`hostname -s` 12

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback