Authentication considerations for multi-region object deployment
In a multi-region object deployment environment, all regions must use the same Keystone service.
The keystone service can be a local keystone installed with the object deployment or it can be an independent service. Subsequent clusters that join the environment must specify an external keystone server during installation.
The following two methods can be used for object authentication configuration with a multi-region setup:
- By using the external keystone
+------+-----------+--------------+--------------+---------+-----------+-------------------------------------------+
| ID   | Region    | Service Name | Service Type | Enabled | Interface | URL                                       |
+------+-----------+--------------+--------------+---------+-----------+-------------------------------------------+
| e310 | RegionOne | swift        | object-store | True    | public    | http://region1:8080/v1/AUTH_%(tenant_id)s |
| 1679 | RegionOne | swift        | object-store | True    | internal  | http://region1:8080/v1/AUTH_%(tenant_id)s |
| c458 | RegionOne | swift        | object-store | True    | admin     | http://region1:8080                       |
| 8a01 | Region2   | swift        | object-store | True    | public    | http://region2:8080/v1/AUTH_%(tenant_id)s |
| b821 | Region2   | swift        | object-store | True    | internal  | http://region2:8080/v1/AUTH_%(tenant_id)s |
| 5188 | Region2   | swift        | object-store | True    | admin     | http://region2:8080                       |
+------+-----------+--------------+--------------+---------+-----------+-------------------------------------------+
Note: The external keystone and HA must be managed and configured by the customers.
- On all the participant clusters of the multi-region setup, configure the external keystone with the spectrumscale auth object external command.
- Set the keystone_url and configure_remote_keystone properties.
- For manual installation, use the mmobj swift base command with the --remote-keystone-url and --configure-remote-keystone arguments.
Note: The installer can automatically create these endpoints if the option to configure the remote keystone is used during installation and --configure-remote-keystone is specified.
- By using the keystone installed on one of the IBM Spectrum Scale™ clusters
+------+-----------+--------------+--------------+---------+-----------+-------------------------------------------+
| ID   | Region    | Service Name | Service Type | Enabled | Interface | URL                                       |
+------+-----------+--------------+--------------+---------+-----------+-------------------------------------------+
| e310 | RegionOne | swift        | object-store | True    | public    | http://region1:8080/v1/AUTH_%(tenant_id)s |
| 1679 | RegionOne | swift        | object-store | True    | internal  | http://region1:8080/v1/AUTH_%(tenant_id)s |
| c458 | RegionOne | swift        | object-store | True    | admin     | http://region1:8080                       |
| 8a01 | Region2   | swift        | object-store | True    | public    | http://region2:8080/v1/AUTH_%(tenant_id)s |
| b821 | Region2   | swift        | object-store | True    | internal  | http://region2:8080/v1/AUTH_%(tenant_id)s |
| 5188 | Region2   | swift        | object-store | True    | admin     | http://region2:8080                       |
+------+-----------+--------------+--------------+---------+-----------+-------------------------------------------+
Note: If the region1 cluster stops functioning, the complete multi-region setup will be unusable because the keystone service is not available.
- On the first cluster of multi-region setup, configure local Keystone with the spectrumscale auth object local|ad|ldap command by using the spectrumscale installation toolkit.
- For manual installation, use the mmobj swift base command with the --local-keystone argument to configure keystone with the local authentication type.
- To configure object authentication with ad | ldap, use the mmuserauth service create|delete command after running mmobj swift base with --local-keystone.
- On the second and third clusters of the multi-region setup, configure the external keystone with the spectrumscale auth object external command.
- Set the keystone_url and configure_remote_keystone properties.
- For manual installation, use the mmobj swift base command with the --remote-keystone-url and --configure-remote-keystone arguments.
Note: The installer can automatically create these endpoints if the option to configure the remote keystone is used during installation and --configure-remote-keystone is specified.
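A check for the endpoint layout shown in the tables above, as an added example that is not part of the product documentation: it parses an endpoint listing in that ASCII-table format and reports any region that lacks an enabled public, internal or admin object-store endpoint, or whose URL does not follow the table's pattern. The function names are hypothetical, and the sample input is constructed from the page's table with one row removed.

```python
from collections import defaultdict
REQUIRED = ("public", "internal", "admin")
ACCOUNT_SUFFIX = "/v1/AUTH_%(tenant_id)s"  # path on the public/internal rows of the page's table

# Constructed sample: the page's endpoint table with Region2's admin row left out.
SAMPLE = """
+------+-----------+--------------+--------------+---------+-----------+-------------------------------------------+
| ID   | Region    | Service Name | Service Type | Enabled | Interface | URL                                       |
+------+-----------+--------------+--------------+---------+-----------+-------------------------------------------+
| e310 | RegionOne | swift        | object-store | True    | public    | http://region1:8080/v1/AUTH_%(tenant_id)s |
| 1679 | RegionOne | swift        | object-store | True    | internal  | http://region1:8080/v1/AUTH_%(tenant_id)s |
| c458 | RegionOne | swift        | object-store | True    | admin     | http://region1:8080                       |
| 8a01 | Region2   | swift        | object-store | True    | public    | http://region2:8080/v1/AUTH_%(tenant_id)s |
| b821 | Region2   | swift        | object-store | True    | internal  | http://region2:8080/v1/AUTH_%(tenant_id)s |
+------+-----------+--------------+--------------+---------+-----------+-------------------------------------------+
"""

def parse_endpoint_table(text):
    """Turn the ASCII table into a list of dicts keyed by the header row."""
    header, rows = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue  # skip +----+ borders and blank lines
        cells = [c.strip() for c in line.strip("|").split("|")]
        if header is None:
            header = cells
        elif len(cells) == len(header):
            rows.append(dict(zip(header, cells)))
    return rows

def check_regions(rows, service_type="object-store"):
    """Return a sorted list of problems; an empty list means every region is complete."""
    usable, problems = defaultdict(dict), []
    for r in (r for r in rows if r["Service Type"] == service_type):
        eps = usable[r["Region"]]  # register the region even if none of its rows is enabled
        if r["Enabled"] == "True":
            eps[r["Interface"]] = r["URL"]
    for region, eps in usable.items():
        for iface in REQUIRED:
            url = eps.get(iface)
            if url is None:
                problems.append(f"{region}: missing {iface} endpoint")
            elif (iface != "admin") != url.endswith(ACCOUNT_SUFFIX):
                # public/internal carry the account path, admin does not (per the table)
                problems.append(f"{region}: unexpected {iface} URL {url}")
    return sorted(problems)

if __name__ == "__main__":
    print("\n".join(check_regions(parse_endpoint_table(SAMPLE))))
```

Run against the saved endpoint listing from the shared keystone after each cluster joins, so a region with an incomplete catalog entry is caught before clients are pointed at it.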