Configuring object authentication with an external keystone server

The object protocol can be configured with an external keystone server. This can be accomplished by either using an existing internal keystone server that is already deployed in the local environment or by utilizing an external keystone server that is hosted outside of the local environment.

The following prerequisites must be met before you start configuring an external keystone server with the IBM Spectrum Scale™ system.
  • The external keystone server must be running and reachable from all protocol nodes.
  • The keystone server administrator must create an object storage service for the required user, for object authentication configuration.
To configure an external keystone server with the IBM Spectrum Scale system, enter the mmuserauth service create command as shown in the following examples:
  • mmuserauth service create --data-access-method object --type userdefined \
    --ks-swift-user <SWIFTserviceUser> --ks-swift-pwd <SWIFTserviceUserpassword> \
    --ks-ext-endpoint <endpoint of keystone server>
  • mmuserauth service create --data-access-method object --type userdefined \
    --ks-ext-endpoint http://specscaleswift.example.com:35357/v3 \
    --ks-swift-user swift --ks-swift-pwd password

Configuring IBM Spectrum Scale for object storage with SSL-enabled external keystone

  1. Remove the existing object authentication configuration, and the ID mapping if it is present, by running one of the following commands:
    mmuserauth service remove --data-access-method object
    mmuserauth service remove --data-access-method object --idmapdelete 
  2. Copy the CA certificate used with the external keystone server to the node where the mmuserauth command is being run.

    On the current node, the location and name of the CA certificate is /var/mmfs/tmp/ks_ext_cacert.pem.

  3. Configure the object authentication by running the mmuserauth service create command with the --enable-ks-ssl option:
    mmuserauth service create --data-access-method object --type userdefined \
    --ks-ext-endpoint https://specscaleswift.example.com:35357/v3 \
    --ks-swift-user swift --ks-swift-pwd password --enable-ks-ssl
Note: Object configuration with SSL-enabled external keystone is not supported on the installer toolkit and mmcesobjcrbase.
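
The following pre-flight script is an added example, not part of the IBM documentation. It checks, before step 3 is run, that the CA certificate from step 2 is in place and that the keystone endpoint's certificate chain verifies against it. The function name ks_ssl_preflight and its return codes are assumptions, and the openssl command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example: pre-flight checks for steps 2 and 3 above.
# ks_ssl_preflight is a hypothetical helper, not an IBM Spectrum Scale command.

KS_CACERT=/var/mmfs/tmp/ks_ext_cacert.pem   # CA certificate path from step 2

# Usage: ks_ssl_preflight <keystone endpoint> [CA certificate file]
# Returns 0 when all checks pass, otherwise 2-5 to identify the failed check.
ks_ssl_preflight() {
    endpoint=$1
    cacert=${2:-$KS_CACERT}

    # Step 3 uses an https endpoint together with --enable-ks-ssl.
    case $endpoint in
        https://*) ;;
        *) echo "endpoint is not https: $endpoint" >&2; return 2 ;;
    esac

    # Step 2: the CA certificate must be in place and readable.
    if [ ! -r "$cacert" ]; then
        echo "CA certificate not readable: $cacert" >&2; return 3
    fi

    # The file must parse as a PEM certificate that has not expired.
    if ! openssl x509 -in "$cacert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "not a valid, unexpired PEM certificate: $cacert" >&2; return 4
    fi

    # Reduce the URL to host:port (default 443 when no port is given).
    hostport=${endpoint#https://}
    hostport=${hostport%%/*}
    case $hostport in
        *:*) ;;
        *) hostport=$hostport:443 ;;
    esac

    # The keystone server's certificate chain must verify against the CA file.
    if ! openssl s_client -connect "$hostport" -servername "${hostport%:*}" \
            -CAfile "$cacert" -verify_return_error </dev/null >/dev/null 2>&1; then
        echo "TLS verification against $cacert failed for $hostport" >&2; return 5
    fi
    return 0
}

# Run the checks when the script is called with an endpoint argument.
if [ "$#" -gt 0 ]; then
    ks_ssl_preflight "$@"
fi
```

A return code of 5 means the handshake or chain verification failed, which usually points to the wrong CA file or an unreachable endpoint; the check does not compare the certificate's hostname with the endpoint name.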