Configuring object authentication with an external keystone server
The object protocol can be configured to authenticate against an external keystone server. This can be either a keystone server that is already deployed in the local environment or one that is hosted outside of the local environment.
The following prerequisites must be met before you start configuring an external keystone server with the IBM Spectrum Scale™ system.
- The external keystone server must be running and reachable from all protocol nodes.
- The keystone server administrator must have created the object storage service, and the service user that the object authentication configuration will use, on the keystone server.
To configure an external keystone server with the IBM Spectrum Scale system, issue the mmuserauth service create command as shown in the following example (all options take a double dash, --):
mmuserauth service create --data-access-method object --type userdefined --ks-swift-user <SWIFTserviceUser> --ks-swift-pwd <SWIFTserviceUserpassword> --ks-ext-endpoint <endpoint of keystone server>
Configuring an external keystone server for object authentication when using the installation toolkit
If you plan to configure authentication for IBM Spectrum Scale for object storage with an external keystone server and you are using the installation toolkit, perform the following steps:
- Start with a local authentication configuration by not passing the object authentication arguments to the IBM Spectrum Scale installation toolkit. Local authentication is the default for the installation toolkit.
- Run the following commands, in this order, to replace local authentication with external keystone:
mmuserauth service remove --data-access-method object
mmuserauth service remove --data-access-method object --idmapdelete
mmuserauth service create --data-access-method object --type userdefined --ks-ext-endpoint http://specscaleswift.example.com:35357/v3 --ks-swift-user swift --ks-swift-pwd password
Note: Cleaning up authentication leads to loss of data access for the end clients. For example, in the preceding command sequence, client access to data created while local authentication was enabled is lost when you remove local authentication before configuring external keystone.
Configuring IBM Spectrum Scale for object storage with SSL-enabled external keystone
- Remove the object authentication, along with the ID mapping if it is present, by running one of the following commands (the second form also deletes the ID mapping):
mmuserauth service remove --data-access-method object
mmuserauth service remove --data-access-method object --idmapdelete
- Copy the CA certificate of the external keystone server to the node where the mmuserauth command is being run. The certificate must be placed at /var/mmfs/tmp/ks_ext_cacert.pem on that node; mmuserauth reads it from that location and name.
- Configure the object authentication by running the mmuserauth service create command with the --enable-ks-ssl option:
mmuserauth service create --data-access-method object --type userdefined --ks-ext-endpoint https://specscaleswift.example.com:35357/v3 --ks-swift-user swift --ks-swift-pwd password --enable-ks-ssl
Note: Object configuration with an SSL-enabled external keystone server is not supported by the installation toolkit or by mmcesobjcrbase.
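The two procedures above (plain-http external keystone via the installation toolkit, and SSL-enabled external keystone) are easy to get subtly wrong: an en-dash typed in place of --, a CA certificate that is missing or not at the expected path, or an endpoint that is not reachable from one of the protocol nodes. The following POSIX shell preflight helper is an added example, not IBM's code or part of the product. It validates the endpoint URL, requires the CA certificate at the location this page specifies when the endpoint is https, optionally probes reachability with curl, and prints the exact three-command mmuserauth sequence shown on this page with --enable-ks-ssl added only for https endpoints. The function names, the KS_CHECK_REACH variable, and the check that the endpoint path is /v3 are this script's own assumptions, based on the page's example endpoints; mmuserauth itself is never invoked by the script.

```shell
#!/bin/sh
# Preflight helper for external keystone object authentication on IBM Spectrum Scale.
# ADDED EXAMPLE, not IBM's code: it only checks inputs and prints the mmuserauth
# commands from the documentation; it does not run them.

# Path where mmuserauth expects the external keystone CA certificate (from the page).
KS_CACERT=/var/mmfs/tmp/ks_ext_cacert.pem

# ks_scheme URL -> prints "http", "https", or nothing for any other scheme.
ks_scheme() {
    case "$1" in
        https://*) echo https ;;
        http://*)  echo http ;;
        *)         echo "" ;;
    esac
}

# ks_hostport URL -> prints the host[:port] component.
ks_hostport() {
    rest=${1#*://}
    echo "${rest%%/*}"
}

# ks_path URL -> prints the path component (e.g. /v3), or nothing.
ks_path() {
    rest=${1#*://}
    case "$rest" in
        */*) echo "/${rest#*/}" ;;
        *)   echo "" ;;
    esac
}

# ks_validate_endpoint URL -> 0 if the URL is usable, 1 otherwise (reason on stderr).
# Assumption: the endpoint must be the keystone v3 API root, as in the page's examples.
ks_validate_endpoint() {
    url=$1
    scheme=$(ks_scheme "$url")
    if [ -z "$scheme" ]; then
        echo "endpoint must start with http:// or https://: $url" >&2; return 1
    fi
    if [ -z "$(ks_hostport "$url")" ]; then
        echo "endpoint has no host: $url" >&2; return 1
    fi
    case "$(ks_path "$url")" in
        /v3|/v3/) return 0 ;;
        *) echo "endpoint should point at the keystone v3 API (.../v3): $url" >&2; return 1 ;;
    esac
}

# ks_cacert_ok [FILE] -> 0 if FILE is readable and (when openssl exists) parses as X.509.
ks_cacert_ok() {
    f=${1:-$KS_CACERT}
    if [ ! -r "$f" ]; then
        echo "CA certificate not found or unreadable: $f" >&2; return 1
    fi
    if command -v openssl >/dev/null 2>&1; then
        if ! openssl x509 -noout -in "$f" >/dev/null 2>&1; then
            echo "not a PEM X.509 certificate: $f" >&2; return 1
        fi
    fi
    return 0
}

# ks_build_cmds URL USER -> prints the remove/remove --idmapdelete/create sequence
# from the page. The password is left as a placeholder rather than embedded, so it
# does not end up in shell history or `ps` output via this script.
ks_build_cmds() {
    url=$1; user=$2; sslflag=""
    [ "$(ks_scheme "$url")" = https ] && sslflag=" --enable-ks-ssl"
    echo "mmuserauth service remove --data-access-method object"
    echo "mmuserauth service remove --data-access-method object --idmapdelete"
    echo "mmuserauth service create --data-access-method object --type userdefined --ks-ext-endpoint $url --ks-swift-user $user --ks-swift-pwd '<SWIFTserviceUserpassword>'$sslflag"
}

# ks_preflight URL [USER] -> runs all checks; on success prints the command sequence.
# Set KS_CHECK_REACH=1 to also probe the endpoint with curl (assumed helper variable).
ks_preflight() {
    url=$1; user=${2:-swift}
    ks_validate_endpoint "$url" || return 1
    if [ "$(ks_scheme "$url")" = https ]; then
        ks_cacert_ok "$KS_CACERT" || return 1
    else
        echo "WARNING: plain http endpoint; the swift service password and keystone tokens cross the network unencrypted" >&2
    fi
    if [ "${KS_CHECK_REACH:-0}" = 1 ] && command -v curl >/dev/null 2>&1; then
        if [ "$(ks_scheme "$url")" = https ]; then
            code=$(curl -sS -o /dev/null -w '%{http_code}' --cacert "$KS_CACERT" "$url") || code=000
        else
            code=$(curl -sS -o /dev/null -w '%{http_code}' "$url") || code=000
        fi
        case "$code" in
            2*|3*) : ;;
            *) echo "keystone endpoint not reachable from this node (HTTP $code): $url" >&2; return 1 ;;
        esac
    fi
    ks_build_cmds "$url" "$user"
}

# Stand-alone use: sh ks_preflight.sh <endpoint> [service-user]
if [ $# -ge 1 ]; then
    ks_preflight "$@" || exit 1
fi
```

Because the page requires keystone to be reachable from all protocol nodes, run the script with KS_CHECK_REACH=1 on every protocol node, not only the one where mmuserauth will be issued. The plain-http warning is the practical reason for the SSL-enabled procedure: with http://...:35357/v3 the swift service credentials and every token issued by keystone travel in the clear between the protocol nodes and the keystone server.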