Configuring the Ceph Object Gateway to use Keystone authentication

Configure IBM Storage Ceph to use OpenStack's Keystone authentication.

Before you begin

Before you begin, make sure that you have the following prerequisites in place:
  • A running and healthy IBM Storage Ceph cluster.
  • Access to the Ceph software repository.
  • Admin privileges to the production environment.

Procedure

  1. For each gateway instance, set nss_db_path to the path where the NSS database is stored.
    For example,
    [ceph: root@host01 /]# ceph config set client.rgw nss_db_path "/var/lib/ceph/radosgw/ceph-rgw.rgw01/nss"
  2. Provide authentication credentials.
    It is possible to configure a Keystone service tenant, user, and password for the OpenStack Identity API, similar to the way system administrators tend to configure other OpenStack services. Providing a username and password avoids placing the shared secret in the rgw_keystone_admin_token setting.
    Important: Disable authentication by admin token in production environments. The service tenant credentials should have admin privileges.
    Set the following necessary configuration options:
    ceph config set client.rgw rgw_keystone_verify_ssl TRUE/FALSE
    ceph config set client.rgw rgw_s3_auth_use_keystone TRUE/FALSE
    ceph config set client.rgw rgw_keystone_url KEYSTONE_URL:ADMIN_PORT
    ceph config set client.rgw rgw_keystone_accepted_roles ACCEPTED_ROLES
    ceph config set client.rgw rgw_keystone_accepted_admin_roles ACCEPTED_ADMIN_ROLES
    ceph config set client.rgw rgw_keystone_admin_domain default
    ceph config set client.rgw rgw_keystone_admin_project SERVICE_NAME
    ceph config set client.rgw rgw_keystone_admin_user KEYSTONE_TENANT_USER_NAME
    ceph config set client.rgw rgw_keystone_admin_password KEYSTONE_TENANT_USER_PASSWORD
    ceph config set client.rgw rgw_keystone_implicit_tenants KEYSTONE_IMPLICIT_TENANT_NAME
    ceph config set client.rgw rgw_swift_versioning_enabled TRUE/FALSE
    ceph config set client.rgw rgw_swift_enforce_content_length TRUE/FALSE
    ceph config set client.rgw rgw_swift_account_in_url TRUE/FALSE
    ceph config set client.rgw rgw_trust_forwarded_https TRUE/FALSE
    ceph config set client.rgw rgw_max_attr_name_len MAXIMUM_LENGTH_OF_METADATA_NAMES
    ceph config set client.rgw rgw_max_attrs_num_in_req MAXIMUM_NUMBER_OF_METADATA_ITEMS
    ceph config set client.rgw rgw_max_attr_size MAXIMUM_LENGTH_OF_METADATA_VALUE
    ceph config set client.rgw rgw_keystone_accepted_reader_roles SwiftSystemReader
    For example,
    [ceph: root@host01 /]# ceph config set client.rgw rgw_keystone_verify_ssl false
    [ceph: root@host01 /]# ceph config set client.rgw rgw_s3_auth_use_keystone true
    [ceph: root@host01 /]# ceph config set client.rgw rgw_keystone_url http://<public Keystone endpoint>:5000/
    [ceph: root@host01 /]# ceph config set client.rgw rgw_keystone_accepted_roles 'member, Member, admin'
    [ceph: root@host01 /]# ceph config set client.rgw rgw_keystone_accepted_admin_roles 'ResellerAdmin, swiftoperator'
    [ceph: root@host01 /]# ceph config set client.rgw rgw_keystone_admin_domain default
    [ceph: root@host01 /]# ceph config set client.rgw rgw_keystone_admin_project service
    [ceph: root@host01 /]# ceph config set client.rgw rgw_keystone_admin_user swift
    [ceph: root@host01 /]# ceph config set client.rgw rgw_keystone_admin_password password
    [ceph: root@host01 /]# ceph config set client.rgw rgw_keystone_implicit_tenants true
    [ceph: root@host01 /]# ceph config set client.rgw rgw_swift_versioning_enabled true
    [ceph: root@host01 /]# ceph config set client.rgw rgw_swift_enforce_content_length true
    [ceph: root@host01 /]# ceph config set client.rgw rgw_swift_account_in_url true
    [ceph: root@host01 /]# ceph config set client.rgw rgw_trust_forwarded_https true
    [ceph: root@host01 /]# ceph config set client.rgw rgw_max_attr_name_len 128
    [ceph: root@host01 /]# ceph config set client.rgw rgw_max_attrs_num_in_req 90
    [ceph: root@host01 /]# ceph config set client.rgw rgw_max_attr_size 1024
    [ceph: root@host01 /]# ceph config set client.rgw rgw_keystone_accepted_reader_roles SwiftSystemReader
    A Ceph Object Gateway user is mapped into a Keystone tenant. A Keystone user can have different roles assigned to it on more than one tenant. When the Ceph Object Gateway gets the ticket, it looks at the tenant and the user roles assigned to that ticket, and accepts or rejects the request according to the rgw_keystone_accepted_roles setting.
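    The following Python script is an added example; it is not part of the IBM Storage Ceph documentation or of the gateway's code. It parses ceph config set lines like the ones above (a constructed sample, with an assumed placeholder Keystone host name), flags the settings this procedure warns about before the gateway reaches production, and models the role check described in the previous paragraph in simplified form.

```python
import shlex

# Constructed sample: the "ceph config set" lines of the procedure above, including
# the weak rgw_keystone_verify_ssl false and the placeholder password from the example.
SAMPLE_COMMANDS = """\
ceph config set client.rgw rgw_keystone_verify_ssl false
ceph config set client.rgw rgw_s3_auth_use_keystone true
ceph config set client.rgw rgw_keystone_url http://keystone.example.internal:5000/
ceph config set client.rgw rgw_keystone_accepted_roles 'member, Member, admin'
ceph config set client.rgw rgw_keystone_accepted_admin_roles 'ResellerAdmin, swiftoperator'
ceph config set client.rgw rgw_keystone_admin_user swift
ceph config set client.rgw rgw_keystone_admin_password password
"""

def parse_config_set(text):
    """Collect OPTION -> VALUE from 'ceph config set client.rgw OPTION VALUE' lines."""
    options = {}
    for line in text.splitlines():
        parts = shlex.split(line)          # shlex keeps the quoted role lists intact
        if parts[:3] == ["ceph", "config", "set"] and len(parts) == 6:
            options[parts[4]] = parts[5]
    return options

def split_roles(value):
    """Split a role list such as 'member, Member, admin'; names are compared exactly."""
    return {r.strip() for r in value.split(",") if r.strip()}

def ticket_decision(ticket_roles, options):
    """Simplified model (not the gateway's code) of how a Keystone ticket is treated:
    any accepted admin role -> 'admin', any accepted role -> 'accepted', else 'rejected'."""
    roles = set(ticket_roles)
    if roles & split_roles(options.get("rgw_keystone_accepted_admin_roles", "")):
        return "admin"
    if roles & split_roles(options.get("rgw_keystone_accepted_roles", "")):
        return "accepted"
    return "rejected"

def audit(options):
    """Flag the settings the procedure warns about before the gateway goes to production."""
    findings = []
    if options.get("rgw_keystone_verify_ssl", "").lower() != "true":
        findings.append("rgw_keystone_verify_ssl is not true: Keystone's certificate is not verified")
    if options.get("rgw_keystone_url", "").startswith("http://"):
        findings.append("rgw_keystone_url uses plain http: credentials and tickets travel unencrypted")
    if "rgw_keystone_admin_token" in options:
        findings.append("rgw_keystone_admin_token is set: admin-token authentication must be disabled")
    if options.get("rgw_keystone_admin_password", "") in ("", "password"):
        findings.append("rgw_keystone_admin_password is empty or the placeholder 'password'")
    return findings
```

    Because role names are matched exactly, a ticket carrying only MEMBER is rejected by this model even though member and Member are accepted, which is why the example above lists both spellings.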