Versions
Ceph version: 12.2.10 (Luminous)
OpenStack version: N (Newton)
Barbican version: 3.0.0
RGW integration with Keystone
http://docs.ceph.com/docs/master/radosgw/keystone/
http://docs.ceph.com/docs/master/radosgw/s3/authentication/
Notes on the Ceph documentation:
1. "A user that Keystone authorizes to access the gateway will also be automatically created on the Ceph Object Gateway (if didn't exist beforehand)." That is: a request that passes Keystone authentication creates the matching RGW user on first use if it does not exist yet. The tests below confirm this; the auto-created RGW user's id is the Keystone project id, and the user is never removed automatically.
2. "A Ceph Object Gateway user is mapped into a Keystone tenant. A Keystone user has different roles assigned to it on possibly more than a single tenant. When the Ceph Object Gateway gets the ticket, it looks at the tenant, and the user roles that are assigned to that ticket, and accepts/rejects the request according to the rgw keystone accepted roles configurable." That is: one RGW user corresponds to one Keystone tenant (project), not to one Keystone user. A Keystone user can hold different roles in different projects; RGW looks at the project the token is scoped to and at the roles on that project, and accepts the request only if at least one of those roles is listed in rgw_keystone_accepted_roles in ceph.conf. rgw_keystone_accepted_roles therefore decides which roles are allowed in, not which role a Ceph user "has"; every Keystone user holding an accepted role in a project acts as that project's RGW user.
3. "In order to let a project (earlier called a 'tenant') access buckets belonging to a different project, rgw_swift_account_in_url needs to be enabled." That is: cross-project bucket access through the Swift API requires the account (project) to be part of the URL, so rgw_swift_account_in_url must be true in that case; if each RGW user only ever touches its own project's buckets it can stay false.
4. For the S3 API to use AWS-style access key and secret key pairs, create EC2 credentials in Keystone with `openstack --os-interface public ec2 credentials create`; the generated access/secret pair can then be used against RGW's S3 API (this also needs rgw_s3_auth_use_keystone enabled, see the ceph.conf section).
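To make notes 1 and 2 concrete, here is a small model of the decision RGW takes once Keystone has validated a token. This is an added example written for these notes, not RGW's code: it applies the rule quoted above (accept only if a role on the token's project is in rgw_keystone_accepted_roles; the RGW user id is the project id, which the "OpenStack credentials" and "Permission control" tests further down confirm) to constructed token payloads. The user-id layout used for rgw_keystone_implicit_tenants ("<project id>$<project id>") and the handling of rgw_keystone_accepted_admin_roles are assumptions, not something this page verified.

```python
"""Model of RGW's accept/reject and user-mapping decision for a Keystone token.

Added example for these notes, not RGW source. Token payloads below are
constructed; the "<project>$<project>" naming for implicit tenants and the
admin-role handling are assumptions.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RgwIdentity:
    uid: str        # RGW user the request acts as
    tenant: str     # RGW tenant; empty unless rgw_keystone_implicit_tenants is on
    is_admin: bool  # a role matched rgw_keystone_accepted_admin_roles (assumption)


def parse_role_list(value: str) -> set:
    """Turn a ceph.conf value such as "Member, admin" into a set of role names."""
    return {r.strip() for r in value.split(",") if r.strip()}


def map_keystone_token(token: dict, accepted_roles: str,
                       accepted_admin_roles: str = "",
                       implicit_tenants: bool = False) -> Optional[RgwIdentity]:
    """Return the RGW identity for a validated, project-scoped token, or None to reject.

    `token` mimics the relevant part of a Keystone v3 token body:
    {"user": {"id": ...}, "project": {"id": ...}, "roles": [{"name": ...}, ...]}.
    The Keystone user id is deliberately ignored: RGW keys the account on the project.
    """
    roles = {r["name"] for r in token.get("roles", [])}
    if not roles & parse_role_list(accepted_roles):
        return None  # no accepted role on this project: request rejected
    project_id = token["project"]["id"]
    is_admin = bool(roles & parse_role_list(accepted_admin_roles))
    if implicit_tenants:
        # assumption: each project becomes its own RGW tenant, user id "<tenant>$<id>"
        return RgwIdentity(uid=f"{project_id}${project_id}", tenant=project_id, is_admin=is_admin)
    return RgwIdentity(uid=project_id, tenant="", is_admin=is_admin)


# Constructed tokens for the lab users of these notes (ids are made up).
ACCEPTED_ROLES = "admin,user,_normal_user_,_member_"   # value from the example ceph.conf
PROJECT_HAJ = "4f7a0c2e9b1d4e8f9c3a6b5d2e1f0a9b"

TOKEN_HAJ = {"user": {"id": "u-haj"}, "project": {"id": PROJECT_HAJ},
             "roles": [{"name": "user"}]}
TOKEN_HAJ_1 = {"user": {"id": "u-haj-1"}, "project": {"id": PROJECT_HAJ},
               "roles": [{"name": "user"}]}
TOKEN_READER = {"user": {"id": "u-reader"}, "project": {"id": PROJECT_HAJ},
                "roles": [{"name": "reader"}]}   # role not in rgw_keystone_accepted_roles


def same_rgw_user(token_a: dict, token_b: dict) -> bool:
    """True when two tokens would act as the same RGW user (same project)."""
    a = map_keystone_token(token_a, ACCEPTED_ROLES)
    b = map_keystone_token(token_b, ACCEPTED_ROLES)
    return a is not None and b is not None and a.uid == b.uid


if __name__ == "__main__":
    print(map_keystone_token(TOKEN_HAJ, ACCEPTED_ROLES))
    print(same_rgw_user(TOKEN_HAJ, TOKEN_HAJ_1))            # haj and haj-1 share one RGW user
    print(map_keystone_token(TOKEN_READER, ACCEPTED_ROLES))  # None: rejected
```

The same_rgw_user check mirrors the "same project / different user" result at the end of these notes: haj and haj-1 collapse onto one RGW user, so there is no per-user isolation inside a project through this mapping, and a role name that is not in rgw_keystone_accepted_roles gets the request rejected even though Keystone issued the token.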
ceph.conf configuration
rgw_keystone_verify_ssl = # only matters when rgw_keystone_url is https; false disables certificate verification, so RGW would accept any certificate. Set it to false only when no TLS is deployed between RGW and Keystone (a test setup); keep it true in production.
rgw_s3_auth_use_keystone = True # default false; required for S3 requests to be validated against Keystone EC2 credentials
rgw_keystone_api_version = 2
rgw_keystone_url = ${keystone server url}:${keystone admin port}
rgw_keystone_accepted_admin_roles = # unclear whether this needs to be set; empty by default
rgw_keystone_accepted_roles = Member, admin
rgw_keystone_token_cache_size = 10000 # number of tokens to cache
rgw_keystone_implicit_tenants = True/False # true creates each new user in its own private tenant
rgw_swift_account_in_url = true # set according to the case described above; default false
rgw_keystone_admin_token =
Putting rgw_keystone_admin_token in ceph.conf exposes a long-lived Keystone admin token and is not recommended for production; use the settings below instead:
rgw_keystone_admin_user =
rgw_keystone_admin_password =
rgw_keystone_admin_tenant =
With Keystone v3, replace rgw_keystone_admin_tenant with:
rgw_keystone_admin_domain =
rgw_keystone_admin_project =
Either way a Keystone credential ends up in ceph.conf on the RGW host, so keep that file readable only by root and the ceph user, and prefer a dedicated service account that holds just the role Keystone's policy requires for token validation over the cloud admin account.
Example (lab values; the password here is a test value):
rgw_keystone_verify_ssl = false
rgw_s3_auth_use_keystone = True
rgw_keystone_api_version = 3
rgw_keystone_url =http://100.75.0.19:35357
rgw_keystone_accepted_roles = admin,user,_normal_user_,_member_
rgw_keystone_token_cache_size = 10000
rgw_keystone_implicit_tenants = false
rgw_swift_account_in_url = false
rgw_keystone_admin_user = admin
rgw_keystone_admin_password = rh123456
rgw_keystone_admin_domain = default
rgw_keystone_admin_project = admin
Keystone configuration
1. Create the service:
openstack service create --name=swift --description="Swift Service" object-store
2. Create the endpoints (these point at RGW's Swift API on port 8080; the S3 tests below talk to RGW directly on port 7480 and do not go through a Keystone endpoint):
openstack endpoint create --region RegionOne swift public http://100.75.0.19:8080/swift/v1
openstack endpoint create --region RegionOne swift admin http://100.75.0.19:8080/swift/v1
openstack endpoint create --region RegionOne swift internal http://100.75.0.19:8080/swift/v1
Errors
Restart the rgw service and restart Keystone (systemctl restart httpd.service).
RGW logs the error:
ERROR: keystone revocation processing returned error r=-22
Keystone logs the error:
Signing error: Unable to load certificate - ensure you have configured PKI with "keystone-manage pki_setup"
Bug: http://tracker.ceph.com/issues/22312
Checked /etc/keystone/keystone.conf: the token provider in use is fernet.
Set provider=pki and restarted Keystone: the test still failed.
Ran keystone-manage pki_setup --keystone-user keystone --keystone-group keystone
Restarted Keystone: the test still failed.
Restored provider=fernet in keystone.conf,
set rgw_keystone_token_cache_size = 0 in ceph.conf,
restarted rgw and Keystone: the test passed.
Is pki_setup needed? Apparently not. The Keystone message comes from the signed token revocation list endpoint, which only exists for PKI tokens; RGW polls that endpoint periodically (rgw_keystone_revocation_interval, not tried here) to invalidate entries of its token cache, and with fernet tokens the call fails and RGW logs r=-22. Disabling the token cache stopped the error in this test. The cost is that without a cache every S3 request is validated with Keystone again, i.e. one Keystone round trip per request.
Tests
RGW keys
1. Test with an RGW user created before the Keystone integration (RGW-native access/secret keys), reading the bucket:
import boto
import boto.s3.connection

# RGW-native keys created with radosgw-admin before the Keystone integration
access_key = "haj-1-ak"
secret_key = "haj-1-sk"
bucket_name = "haj-1-b-1"

# boto (v2) signs with AWS signature version 2, which is what RGW's
# AWSv2ExternalAuthStrategy and LocalEngine validate
conn = boto.connect_s3(
    aws_access_key_id=access_key,
    aws_secret_access_key=secret_key,
    host='100.75.0.21',
    port=7480,
    is_secure=False,  # plain HTTP to RGW
    calling_format=boto.s3.connection.OrdinaryCallingFormat())  # path-style URLs
bucket = conn.get_bucket(bucket_name)
2. The RGW log shows the authentication sequence for this request: S3AnonymousEngine rejects (the request carries credentials), then AWSv2ExternalAuthStrategy (Keystone) rejects, and finally LocalEngine accepts using the RGW-native keys.
3. The Keystone log shows a warning: no credential matching the access key was found. So with rgw_s3_auth_use_keystone enabled, every request signed with RGW-native keys is first sent to Keystone for validation and only then falls back to RGW's own user database; each such request costs a Keystone round trip and leaves a warning in the Keystone log.
OpenStack credentials
1. Create an OpenStack project and user:
openstack project create --domain default --description "haj project" haj
openstack user create --domain default --password-prompt haj
Bind them with a role that is listed in rgw_keystone_accepted_roles: openstack role add --project haj --user haj user
2. Create EC2 credentials for the user:
openstack ec2 credentials create --project haj --user haj
3. Create a bucket with the generated access/secret pair:
import boto
import boto.s3.connection

# access/secret pair returned by `openstack ec2 credentials create`
access_key = "e2dd89eb439b44d091eeecbb40926ab4"
secret_key = "6d6d2fb104de4d778563869dd27ac644"
bucket_name = "haj-b-1"

conn = boto.connect_s3(
    aws_access_key_id=access_key,
    aws_secret_access_key=secret_key,
    host='100.75.0.21',
    port=7480,
    is_secure=False,  # plain HTTP to RGW
    calling_format=boto.s3.connection.OrdinaryCallingFormat())  # path-style URLs
conn.create_bucket(bucket_name)
4. Inspect the result with the Ceph tooling (radosgw-admin bucket list / user info): the bucket exists, and a user was created automatically whose RGW user id equals the OpenStack project id of the EC2 credential. The "type" field in the user info tells a Keystone-created user from an RGW-created one.
5. The RGW log shows the authentication sequence: S3AnonymousEngine rejects, then AWSv2ExternalAuthStrategy accepts (Keystone validated the signature).
6. The Keystone log shows a warning: the v2 EC2 authentication method is deprecated as of Mitaka; the v3 Credential authentication offers the same function. The warning concerns the authentication call Keystone serves for RGW, not how the credential was created: it appears just the same for credentials created with the v3 command
openstack credential create --type ec2 --project haj haj '{"access": "haj-haj-ak","secret":"haj-haj-sk","trust_id": null}'
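What the AWSv2ExternalAuthStrategy step in the two log traces above exchanges with Keystone, and why RGW can validate a request whose secret it never sees. This is an added example for these notes, not RGW or Keystone code: it builds the AWS signature v2 StringToSign the way boto does for the requests above, signs it, and then plays the Keystone side (look up the secret by access key, recompute HMAC-SHA1 over the StringToSign, compare) followed by the engine order seen in the RGW log. The s3tokens request body follows the Keystone S3 token extension as I know it (access key, base64 StringToSign, signature); treat the exact field names as an assumption. The Date header, the project id and the two credential tables are constructed; the access/secret pairs are the lab keys used in the tests above.

```python
"""AWS signature v2 validation through Keystone, as RGW's external auth engine does it.

Added example for these notes, not RGW or Keystone source. Keys are the lab
keys used in the tests above; the date, project id and the "Keystone" and
"RGW local" credential tables are constructed. The s3tokens body layout is an
assumption about the wire format.
"""
import base64
import hashlib
import hmac
from typing import Optional, Tuple


def string_to_sign(verb: str, path: str, date: str, content_md5: str = "",
                   content_type: str = "", amz_headers: Optional[dict] = None) -> str:
    """AWS signature v2 StringToSign for a path-style request.

    Sub-resources (?acl, ?location, ...) are not handled here.
    """
    amz = sorted((k.lower().strip(), v.strip()) for k, v in (amz_headers or {}).items())
    canonical_amz = "".join(f"{k}:{v}\n" for k, v in amz)
    return f"{verb}\n{content_md5}\n{content_type}\n{date}\n{canonical_amz}{path}"


def sign_v2(secret: str, sts: str) -> str:
    """Signature = base64(HMAC-SHA1(secret, StringToSign)); boto sends it in
    the header Authorization: AWS <access>:<signature>."""
    mac = hmac.new(secret.encode(), sts.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def s3tokens_body(access: str, sts: str, signature: str) -> dict:
    """Body RGW posts to Keystone (POST .../v3/s3tokens). Only the access key, the
    StringToSign and the client's signature travel; the secret stays in Keystone."""
    return {"credentials": {"access": access,
                            "token": base64.b64encode(sts.encode()).decode(),
                            "signature": signature}}


# Keystone side (constructed): what `openstack ec2 credentials create` stored.
KEYSTONE_EC2 = {
    "e2dd89eb439b44d091eeecbb40926ab4": {"secret": "6d6d2fb104de4d778563869dd27ac644",
                                         "project_id": "4f7a0c2e9b1d4e8f9c3a6b5d2e1f0a9b"},
}
# RGW side (constructed): the RGW-native user from the first test.
RGW_LOCAL_USERS = {"haj-1-ak": {"secret": "haj-1-sk", "uid": "haj-1"}}


def keystone_validate(body: dict) -> Optional[str]:
    """Keystone's check: return the credential's project id, or None when the access
    key is unknown (the "credential not found" warning) or the MAC does not match."""
    creds = body["credentials"]
    entry = KEYSTONE_EC2.get(creds["access"])
    if entry is None:
        return None
    sts = base64.b64decode(creds["token"]).decode()
    if not hmac.compare_digest(sign_v2(entry["secret"], sts), creds["signature"]):
        return None
    return entry["project_id"]


def rgw_authenticate(access: Optional[str], sts: str, signature: str) -> Optional[Tuple[str, str]]:
    """Engine order seen in the RGW log: anonymous, then Keystone, then local keys.
    Returns (engine, identity) or None when every engine rejects."""
    if access is None:                       # S3AnonymousEngine: no Authorization header
        return ("S3AnonymousEngine", "anonymous")
    project = keystone_validate(s3tokens_body(access, sts, signature))
    if project is not None:                  # AWSv2ExternalAuthStrategy: RGW user id = project id
        return ("AWSv2ExternalAuthStrategy", project)
    user = RGW_LOCAL_USERS.get(access)       # LocalEngine: keys from radosgw-admin
    if user and hmac.compare_digest(sign_v2(user["secret"], sts), signature):
        return ("LocalEngine", user["uid"])
    return None


DATE = "Tue, 08 Jan 2019 03:00:00 GMT"     # constructed Date header


def create_bucket_request(access: str, secret: str, bucket: str) -> Tuple[str, str, str]:
    """Signed PUT /<bucket>/ as in the bucket-creation test above."""
    sts = string_to_sign("PUT", f"/{bucket}/", DATE)
    return access, sts, sign_v2(secret, sts)


if __name__ == "__main__":
    print(rgw_authenticate(*create_bucket_request("e2dd89eb439b44d091eeecbb40926ab4",
                                                  "6d6d2fb104de4d778563869dd27ac644", "haj-b-1")))
    print(rgw_authenticate(*create_bucket_request("haj-1-ak", "haj-1-sk", "haj-1-b-1")))
```

The first call reproduces the "OpenStack credentials" trace (Keystone accepts, the identity is the project id), the second the "RGW keys" trace (Keystone has no such access key, LocalEngine accepts). Note that RGW's external engine only ever forwards the StringToSign and signature, so a Keystone outage or an unknown access key degrades to the local check rather than leaking the secret, and a tampered request (different path or date) changes the StringToSign and fails the MAC on whichever side holds the secret.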
Permission control
Same project / same user:
1. Create a second EC2 credential for the OpenStack user haj (same command as step 2 of the OpenStack credentials section).
2. openstack credential list shows two credentials of type ec2 under haj.
3. The new credential can access every bucket of the corresponding RGW user.
Same project / different user:
1. Create a new user haj-1 in project haj and bind it with the same role:
openstack role add --project haj --user haj-1 user
2. Create an EC2 credential for user haj-1.
3. The new credential can likewise access every bucket of the corresponding RGW user.
Conclusion: the RGW user is the Keystone project, so any EC2 credential of any Keystone user holding an accepted role in that project acts as the same RGW user and has full access to all of its buckets; per-user isolation inside one project is not available through this mapping.
Other tests:
1. After deleting the bucket created with the EC2 credential, the corresponding RGW user has no buckets left; the RGW user is not deleted automatically.