Ceph can be integrated with Keystone, the OpenStack identity management service. With this integration, the Ceph RGW is configured to accept Keystone tokens for user authority, so any user who is validated by Keystone gets rights to access the RGW.
Execute the following command on your openstack-node1, unless otherwise specified:
# keystone service-create --name swift --type object-store --description "ceph object store"
# keystone endpoint-create --service-id 6614554878344bbeaa7fec0d5dccca7f --publicurl http://192.168.1.106:7480/swift/v1 --internalurl http://192.168.1.106:7480/swift/v1 --adminurl http://192.168.1.106:7480/swift/v1 --region RegionOne
# cat /etc/keystone/keystone.conf | grep -i admin_token
# mkdir -p /var/ceph/nss
Add the Keystone openssl certificates to the NSS database in /var/ceph/nss:
# openssl x509 -in /etc/keystone/ssl/certs/ca.pem -pubkey | certutil -d /var/ceph/nss -A -n ca -t "TCu,Cu,Tuw"
# openssl x509 -in /etc/keystone/ssl/certs/signing_cert.pem -pubkey | certutil -A -d /var/ceph/nss -n signing_cert -t "P,P,P"
Create the /var/ceph/nss directory on rgw-node1:
# mkdir -p /var/ceph/nss
From openstack-node1, copy the openssl certificates to rgw-node1. If you are logging in for the first time, you will get an SSH confirmation; type yes and then type the root password, which is vagrant for all the machines:
# scp /var/ceph/nss/* rgw-node1:/var/ceph/nss
On rgw-node1, create directories and change the ownership to Apache:
# mkdir /var/run/ceph
# chown apache:apache /var/run/ceph
# chown -R apache:apache /var/ceph/nss
Update /etc/ceph/ceph.conf on rgw-node1 with the following entries under the [client.radosgw.gateway] section:
rgw keystone url = http://192.168.1.111:5000
rgw keystone admin token = f72adb0238d74bb885005744ce526148
rgw keystone accepted roles = admin, Member, swiftoperator
rgw keystone token cache size = 500
rgw keystone revocation interval = 60
rgw s3 auth use keystone = true
nss db path = /var/ceph/nss
Restart the ceph-radosgw service:
# systemctl restart ceph-radosgw
On openstack-node1, run basic Swift commands; they should not ask for any user keys:
# swift list
# swift post swift-test-bucket
# swift list
The Ceph RGW can now be used from the swift cli as well as from the OpenStack Horizon dashboard, in the Object storage section, without being asked for user credentials for the Ceph RGW; this is because, after these configuration changes, Keystone-verified tokens are accepted by the Ceph RGW.
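The check below is an added example, not part of the original text: it parses the [client.radosgw.gateway] section shown above and reports the Keystone settings an operator would want to revisit before reusing this layout outside a lab. The function names, the list of options treated as required and the sample file (with a placeholder token) are constructed for the illustration.

```python
import configparser

# Constructed sample: the settings from the steps above, with a placeholder token.
SAMPLE_CONF = """\
[client.radosgw.gateway]
rgw keystone url = http://192.168.1.111:5000
rgw keystone admin token = CONSTRUCTED-PLACEHOLDER-TOKEN
rgw keystone accepted roles = admin, Member, swiftoperator
rgw keystone token cache size = 500
rgw keystone revocation interval = 60
rgw s3 auth use keystone = true
nss db path = /var/ceph/nss
"""

SECTION = "client.radosgw.gateway"
# Assumption for this example: the options the steps above cannot work without.
REQUIRED = ("rgw_keystone_url", "rgw_keystone_accepted_roles", "nss_db_path")


def load_section(text, section=SECTION):
    """Parse one ceph.conf section; spaces in option names become underscores."""
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    parser.read_string(text)
    if not parser.has_section(section):
        return {}
    return {k.replace(" ", "_"): v.strip() for k, v in parser.items(section)}


def audit(text):
    """Return {option: finding} for the Keystone settings of the RGW section."""
    opts = load_section(text)
    findings = {key: "required option is missing" for key in REQUIRED if key not in opts}
    url = opts.get("rgw_keystone_url", "")
    if url and not url.lower().startswith("https://"):
        # Token validation calls from the RGW to Keystone travel over this URL.
        findings["rgw_keystone_url"] = "not https: RGW-to-Keystone requests are unencrypted"
    if opts.get("rgw_keystone_admin_token"):
        # The admin token is a shared secret readable by anyone who can read ceph.conf.
        findings["rgw_keystone_admin_token"] = "Keystone admin token stored in ceph.conf"
    return findings


if __name__ == "__main__":
    for option, finding in audit(SAMPLE_CONF).items():
        print(f"{option}: {finding}")
```

Run against the sample, it flags the plain-HTTP Keystone URL and the admin token kept in ceph.conf; both keep the lab setup simple but deserve review on a shared network.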