Configure the Secure Token Service (STS) for use with the Ceph Object Gateway.
Before you begin
Before you begin, make sure that you have the following prerequisites in place:
- A running IBM Storage Ceph cluster.
- A running Ceph Object Gateway.
- Root-level access to a Ceph Manager node.
About this task
Configure the Secure Token Service (STS) for use with the Ceph Object Gateway by setting the rgw_sts_key and rgw_s3_auth_use_sts options.
Important: Do not use the STS backward_compatibility configuration option in new IBM Storage Ceph 9.9.0 deployments. If the option is present in an existing configuration, remove it. This option is planned for deprecation along with tenant IAM/Roles. For more information, see Deprecated functionality.
Note: The S3 and STS APIs co-exist in the same namespace, and both can be accessed from the same endpoint in the Ceph Object Gateway.
Procedure
- Set the following configuration options for the Ceph Object Gateway client.
  ceph config set RGW_CLIENT_NAME rgw_sts_key STS_KEY
  ceph config set RGW_CLIENT_NAME rgw_s3_auth_use_sts true
  The rgw_sts_key is the STS key for encrypting or decrypting the session token and is exactly 16 hex characters.
  Important: The STS key needs to be alphanumeric.
  For example,
  [root@mgr ~]# ceph config set client.rgw rgw_sts_key 7f8fd8dd4700mnop
  [root@mgr ~]# ceph config set client.rgw rgw_s3_auth_use_sts true
- Restart the Ceph Object Gateway for the added key to take effect.
  Note: Use the output from the ceph orch ps command, under the NAME column, to get the SERVICE_TYPE.ID information.
  - Restart the Ceph Object Gateway on an individual node in the storage cluster.
    systemctl restart ceph-CLUSTER_ID@SERVICE_TYPE.ID.service
    For example,
    [root@host01 ~]# systemctl restart ceph-c4b34c6f-8365-11ba-dc31-529020a7702d@rgw.realm.zone.host01.gwasto.service
  - Restart the Ceph Object Gateways on all nodes in the storage cluster.
    ceph orch restart SERVICE_TYPE
    For example,
    [ceph: root@host01 /]# ceph orch restart rgw
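For the first step of the procedure, the following added example (not part of the IBM documentation) generates the STS key from the kernel CSPRNG as 16 hex digits, which meets both the 16-hex-character and the alphanumeric requirement, and refuses to apply a key that does not have that shape. The function names are hypothetical; client.rgw is the client name used in the example above.

```bash
#!/usr/bin/env bash
# Added example: generate and validate an rgw_sts_key before applying it.
# Function names are hypothetical and not part of Ceph.

# Read 8 random bytes from the kernel CSPRNG and print them as 16 hex digits.
generate_sts_key() {
    od -An -N8 -tx1 /dev/urandom | tr -dc '0-9a-f'
}

# Succeed only if the argument is exactly 16 hexadecimal characters.
validate_sts_key() {
    case "$1" in
        *[!0-9A-Fa-f]*) return 1 ;;   # contains a non-hex character
    esac
    [ "${#1}" -eq 16 ]
}

# Set both STS options for the given RGW client, but only with a valid key.
# The key is passed as a command-line argument to ceph, so run this from a
# root shell on the manager node and keep it out of shared logs and history.
apply_sts_config() {
    local client="$1" key="$2"
    if ! validate_sts_key "$key"; then
        echo "refusing to set rgw_sts_key: need exactly 16 hex characters" >&2
        return 1
    fi
    ceph config set "$client" rgw_sts_key "$key" &&
        ceph config set "$client" rgw_s3_auth_use_sts true
}
```

To use it, source the file on the Ceph Manager node and run apply_sts_config client.rgw "$(generate_sts_key)", then restart the gateway as described in the second step.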