Integrating RADOS Gateway with OpenStack Keystone

Ceph can be integrated with the OpenStack identity service, Keystone. With this integration, the Ceph RGW is configured to validate Keystone tokens and use them for authorization, so any user who presents a valid Keystone token carrying one of the accepted roles can access the RGW without a separate RGW user being provisioned in advance (the RGW creates a corresponding local user the first time a token is validated).

How to do it…

Execute the following commands on openstack-node1 unless otherwise specified:

  1. Configure OpenStack to point to the Ceph RGW by creating a Swift-compatible object-store service and its endpoints. Use the service ID printed by service-create in place of the one shown:
    # keystone service-create --name swift --type object-store --description "ceph object store"
    # keystone endpoint-create --service-id 6614554878344bbeaa7fec0d5dccca7f --publicurl http://192.168.1.106:7480/swift/v1 --internalurl http://192.168.1.106:7480/swift/v1 --adminurl http://192.168.1.106:7480/swift/v1 --region RegionOne
    
  2. Get the Keystone admin token, which the RGW will use when validating tokens against Keystone. This token is a shared secret with full administrative rights on Keystone, so treat the value (and any file it is copied into) as sensitive:
    # grep -i admin_token /etc/keystone/keystone.conf
    
  3. Create a directory for certificates:
    # mkdir -p /var/ceph/nss
    
  4. Import the Keystone CA certificate and token-signing certificate into an NSS database (the RGW uses this database to verify PKI-signed tokens):
    # openssl x509 -in /etc/keystone/ssl/certs/ca.pem -pubkey | certutil -d /var/ceph/nss -A -n ca -t "TCu,Cu,Tuw"
    # openssl x509 -in /etc/keystone/ssl/certs/signing_cert.pem -pubkey | certutil -A -d /var/ceph/nss -n signing_cert -t "P,P,P"
    
  5. Create the /var/ceph/nss directory on rgw-node1:
    # mkdir -p /var/ceph/nss
    
  6. From openstack-node1, copy the certificates to rgw-node1. If you are logging in for the first time, you will get an SSH host-key confirmation; type yes and then type the root password, which is vagrant for all the machines in this setup:
    # scp /var/ceph/nss/* rgw-node1:/var/ceph/nss
    
  7. On rgw-node1, create directories and change the ownership to Apache:
    # mkdir /var/run/ceph
    # chown apache:apache /var/run/ceph
    # chown -R apache:apache /var/ceph/nss
    
  8. Update /etc/ceph/ceph.conf on rgw-node1 with the following entries under the [client.radosgw.gateway] section:
    rgw keystone url = http://192.168.1.111:5000
    rgw keystone admin token = f72adb0238d74bb885005744ce526148
    rgw keystone accepted roles = admin, Member, swiftoperator
    rgw keystone token cache size = 500
    rgw keystone revocation interval = 60
    rgw s3 auth use keystone = true
    nss db path = /var/ceph/nss
    

    Note

    rgw keystone url must be the Keystone identity endpoint, which can be obtained from the # keystone endpoint-list command.

    rgw keystone admin token is the token value saved in Step 2 of this recipe. Because it grants administrative access to Keystone, make sure ceph.conf on rgw-node1 is not readable by users other than the gateway process and root.

    rgw keystone accepted roles is the complete list of Keystone roles that are allowed to use the gateway; a token whose user holds none of these roles is rejected.

  9. Finally, restart the ceph-radosgw service:
    # systemctl restart ceph-radosgw
    
  10. Now, to test the Keystone and Ceph integration, switch back to openstack-node1 and run basic Swift commands; they should not prompt for any user keys:
    # swift list
    # swift post swift-test-bucket
    # swift list
    
  11. You should now be able to perform all bucket operations, both from the swift CLI and from the Object Storage section of the OpenStack Horizon dashboard, without being asked for Ceph RGW credentials. After these configuration changes, Keystone-verified tokens are accepted by the Ceph RGW directly.
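Steps 8 and 9 are the point where a typo or a leftover placeholder in ceph.conf turns into a gateway that either rejects every token or trusts Keystone with a secret anyone on the host can read. The script below is an added example, not part of the original recipe and not Ceph's own tooling: it parses the [client.radosgw.gateway] section of a ceph.conf and checks that the Keystone settings from step 8 are present and sane before the restart. The sample ceph.conf it writes is constructed from the values in step 8, and the check function, the key names it normalises, and the placeholder-token list are assumptions of this example.

```shell
#!/bin/sh
# Added example: offline sanity check of the RGW Keystone settings in a ceph.conf.
# Not part of the original recipe; file paths and the sample config are constructed.

# rgw_keystone_get FILE KEY
# Prints the value of KEY inside [client.radosgw.gateway] (first match), or nothing.
# Keys are normalised so "rgw_keystone_url" and "rgw keystone url" are the same key,
# as ceph.conf allows either spelling.
rgw_keystone_get() {
    awk -v key="$2" '
        /^[[:space:]]*\[/ {
            insect = ($0 ~ /^[[:space:]]*\[client\.radosgw\.gateway\][[:space:]]*$/)
            next
        }
        insect {
            line = $0
            sub(/[[:space:]]*[#;].*$/, "", line)          # drop trailing comments
            n = index(line, "=")
            if (n == 0) next
            k = substr(line, 1, n - 1); v = substr(line, n + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            gsub(/[_ ]+/, " ", k)                         # normalise key spelling
            if (k == key) { print v; exit }
        }' "$1"
}

# rgw_keystone_check FILE
# Returns 0 when the section is complete and the file is protected, 1 otherwise,
# printing one line per problem found.
rgw_keystone_check() {
    f="$1"; rc=0
    url=$(rgw_keystone_get "$f" "rgw keystone url")
    tok=$(rgw_keystone_get "$f" "rgw keystone admin token")
    roles=$(rgw_keystone_get "$f" "rgw keystone accepted roles")
    nss=$(rgw_keystone_get "$f" "nss db path")

    case "$url" in
        http://*|https://*) ;;
        *) echo "rgw keystone url missing or not an http(s) URL: '$url'"; rc=1 ;;
    esac
    # "ADMIN" is the commented-out default in keystone.conf; the other patterns are
    # assumed placeholders that a copied template might still contain.
    case "$tok" in
        ""|ADMIN|*CHANGE*|*"<"*) echo "rgw keystone admin token missing or still a placeholder"; rc=1 ;;
    esac
    [ -n "$roles" ] || { echo "rgw keystone accepted roles is empty"; rc=1; }
    [ -n "$nss" ]   || { echo "nss db path not set"; rc=1; }

    # The admin token is a Keystone-wide secret: refuse a file that others can read.
    if [ -f "$f" ]; then
        perms=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
        case "$perms" in
            *[1-7]) echo "$f is accessible by others (mode $perms); run chmod o-rwx on it"; rc=1 ;;
        esac
    fi
    return $rc
}

# Constructed sample ceph.conf mirroring step 8 of the recipe (not a deployment file).
write_sample_conf() {
    cat > "$1" <<'EOF'
[global]
fsid = 00000000-0000-0000-0000-000000000000

[client.radosgw.gateway]
host = rgw-node1
rgw keystone url = http://192.168.1.111:5000
rgw keystone admin token = f72adb0238d74bb885005744ce526148
rgw keystone accepted roles = admin, Member, swiftoperator
rgw keystone token cache size = 500
rgw keystone revocation interval = 60
rgw s3 auth use keystone = true
nss db path = /var/ceph/nss
EOF
    chmod 600 "$1"
}

# Usage: check the constructed sample; on a real node pass /etc/ceph/ceph.conf instead.
tmp=$(mktemp)
write_sample_conf "$tmp"
rgw_keystone_check "$tmp" && echo "ok: $tmp passes the Keystone section check"
rm -f "$tmp"
```

Run it against /etc/ceph/ceph.conf on rgw-node1 before step 9; a non-zero exit means the gateway would either fail token validation or expose the Keystone admin token to local users.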