Merge "Include Swift AUTH_%(tenant_id)s suffix in rgw Keystone endpoint"

2018-12-01 14:18:54 +00:00 · 2018-12-01 14:18:54 +00:00 · 7257084366
commit 7257084366
parent fc9a2d03dc 9dbdf71de0
5 changed files with 84 additions and 4 deletions
--- a/doc/source/user/ceph/swift.rst
+++ b/doc/source/user/ceph/swift.rst
@ -0,0 +1,47 @@
+================================================
+Using radosgw as a drop-in replacement for Swift
+================================================
+
+OpenStack-Ansible gives you the option of deploying radosgw as a
+drop-in replacement for native OpenStack Swift.
+
+In particular, the ``ceph-rgw-install.yml`` playbook (which includes
+``ceph-rgw-keystone-setup.yml``) will deploy radosgw to any
+``ceph-rgw`` hosts, and create a corresponding Keystone
+``object-store`` service catalog entry. The service endpoints do
+contain the ``AUTH_%(tenant_id)s`` prefix just like in native Swift,
+so public read ACLs and temp URLs will work just like they do in
+Swift.
+
+By default, OSA enables *only* the Swift API in radosgw.
+
+
+Adding S3 API support
+~~~~~~~~~~~~~~~~~~~~~
+
+You may want to enable the default radosgw S3 API, in addition to the
+Swift API. In order to do so, you need to override the
+``ceph_conf_overrides_rgw`` variable in ``user_variables.yml``. Below
+is an example configuration snippet:
+
+.. code-block:: yaml
+
+    ceph_conf_overrides_rgw:
+      "client.rgw.{{ hostvars[inventory_hostname]['ansible_hostname'] }}":
+        # OpenStack integration with Keystone
+        rgw_keystone_url: "{{ keystone_service_adminuri }}"
+        rgw_keystone_api_version: 3
+        rgw_keystone_admin_user: "{{ radosgw_admin_user }}"
+        rgw_keystone_admin_password: "{{ radosgw_admin_password }}"
+        rgw_keystone_admin_tenant: "{{ radosgw_admin_tenant }}"
+        rgw_keystone_admin_domain: default
+        rgw_keystone_accepted_roles: 'member, _member_, admin, swiftoperator'
+        rgw_keystone_implicit_tenants: 'true'
+        rgw_swift_account_in_url: true
+        rgw_swift_versioning_enabled: 'true'
+        # Add S3 support, in addition to Swift
+        rgw_enable_apis: 'swift, s3'
+        rgw_s3_auth_use_keystone: 'true'
+
+You may also want to add the ``rgw_dns_name`` option if you want to
+enable bucket hostnames with the S3 API.
--- a/doc/source/user/index.rst
+++ b/doc/source/user/index.rst
@ -28,6 +28,7 @@ For in-depth technical information, see the
   limited-connectivity/index.rst
   l3pods/example.rst
   ceph/full-deploy.rst
+   ceph/swift.rst
   ceph/ceilometer.rst
   security/index.rst
   source-overrides/index.rst
--- a/inventory/group_vars/all/ceph-rgw.yml
+++ b/inventory/group_vars/all/ceph-rgw.yml
@ -13,8 +13,8 @@ radosgw_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default
 radosgw_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(radosgw_service_proto) }}"
 radosgw_service_internaluri_proto: "{{ openstack_service_internaluri_proto | default(radosgw_service_proto) }}"
 radosgw_service_publicuri: "{{ radosgw_service_publicuri_proto }}://{{ external_lb_vip_address }}:{{ radosgw_service_port }}"
-radosgw_service_publicurl: "{{ radosgw_service_publicuri }}/swift/v1"
+radosgw_service_publicurl: "{{ radosgw_service_publicuri }}/swift/v1/AUTH_%(tenant_id)s"
 radosgw_service_adminuri: "{{ radosgw_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ radosgw_service_port }}"
-radosgw_service_adminurl: "{{ radosgw_service_adminuri }}/swift/v1"
+radosgw_service_adminurl: "{{ radosgw_service_adminuri }}/swift/v1/AUTH_%(tenant_id)s"
 radosgw_service_internaluri: "{{ radosgw_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ radosgw_service_port }}"
-radosgw_service_internalurl: "{{ radosgw_service_internaluri }}/swift/v1"
+radosgw_service_internalurl: "{{ radosgw_service_internaluri }}/swift/v1/AUTH_%(tenant_id)s"
--- a/inventory/group_vars/ceph-rgw.yml
+++ b/inventory/group_vars/ceph-rgw.yml
@ -9,5 +9,7 @@ ceph_conf_overrides_rgw:
    rgw_keystone_admin_tenant: "{{ radosgw_admin_tenant }}"
    rgw_keystone_admin_domain: default
    rgw_keystone_accepted_roles: 'member, _member_, admin, swiftoperator'
-    rgw_s3_auth_use_keystone: true
+    rgw_keystone_implicit_tenants: 'true'
    rgw_enable_apis: swift
+    rgw_swift_account_in_url: 'true'
+    rgw_swift_versioning_enabled: 'true'
--- a/releasenotes/notes/ceph-rgw-swift-account-93350d92f0f33b20.yaml
+++ b/releasenotes/notes/ceph-rgw-swift-account-93350d92f0f33b20.yaml
@ -0,0 +1,30 @@
+---
+upgrade:
+  - >
+    The ``ceph-rgw`` playbooks now set ``rgw_swift_account_in_url =
+    true`` and update the corresponding Keystone service catalog entry
+    accordingly. Applications (such as monitoring scripts) that do
+    *not* rely on service catalog lookup must be updated with the new
+    endpoint URL that includes ``AUTH_%(tenant_id)s`` just like native
+    Swift does --- or, alternatively, should be updated to honor the
+    service catalog after all.
+  - >
+    The ``ceph-rgw`` playbooks now set ``rgw_swift_versioning_enabled =
+    true``, adding support for object versioning for the ``object-store``
+    service.
+fixes:
+  - >
+    The ``ceph-rgw`` playbooks now include the ``AUTH_%(tenant_id)s``
+    suffix in the Keystone ``object-store`` endpoint. This aligns
+    radosgw's behavior with that of native Swift. It also enables
+    radosgw to support public read ACLs on containers, and temporary
+    URLs on objects, in the same way that Swift does
+    (`bug 1800637 <https://bugs.launchpad.net/openstack-ansible/+bug/1800637>`_).
+issues:
+  - >
+    Although the ``ceph-rgw`` playbooks do enable Swift object
+    versioning, support in radosgw is currently limited to setting
+    ``X-Versions-Location`` on a container. ``X-History-Location``,
+    understood by native Swift, is currently not supported by radosgw
+    (although the feature is `pending
+    <https://github.com/ceph/ceph/pull/15020>`_ upstream).