Chapter 3. Configuring the Ceph Object Gateway

As a storage administrator, you must configure the Ceph Object Gateway to accept authentication requests from the Keystone service.

3.1. Prerequisites

  • A running Red Hat OpenStack Platform 13, 15, or 16 environment.
  • A running Red Hat Ceph Storage environment.
  • A running Ceph Object Gateway environment.

3.2. Configuring the Ceph Object Gateway to use Keystone SSL

When the Ceph Object Gateway interacts with OpenStack’s Keystone authentication, Keystone will terminate SSL with a self-signed certificate. To make the Ceph Object Gateway work with Keystone, convert the OpenSSL certificates that Keystone uses into the NSS database format.

Prerequisites

  • A running Red Hat Ceph Storage cluster.
  • Access to the Ceph software repository.

Procedure

  1. Convert the OpenSSL certificate to the NSS database format:

    Example

    [root@osp ~]# mkdir /var/ceph/nss

    [root@osp ~]# openssl x509 -in /etc/keystone/ssl/certs/ca.pem -pubkey | \
        certutil -d /var/ceph/nss -A -n ca -t "TCu,Cu,Tuw"
    [root@osp ~]# openssl x509 -in /etc/keystone/ssl/certs/signing_cert.pem -pubkey | \
        certutil -A -d /var/ceph/nss -n signing_cert -t "P,P,P"

  2. Install Keystone’s SSL certificate on the node running the Ceph Object Gateway. Alternatively, set the rgw_keystone_verify_ssl setting to false.

    Setting rgw_keystone_verify_ssl to false means that the gateway will not attempt to verify the certificate.

3.3. Configuring the Ceph Object Gateway to use Keystone authentication

Configure Red Hat Ceph Storage to use OpenStack’s Keystone authentication.

Prerequisites

  • A running Red Hat Ceph Storage cluster.
  • Access to the Ceph software repository.
  • Admin privileges to the production environment.

Procedure

  1. Edit the Ceph configuration file on the admin node.
  2. Navigate to the [client.radosgw.INSTANCE_NAME] section, where INSTANCE_NAME is the name of the Gateway instance to configure.
  3. Do the following for each gateway instance:

    1. Set the rgw_s3_auth_use_keystone setting to true.
    2. Set the nss_db_path setting to the path where the NSS database is stored.
  4. Provide authentication credentials:

    For the v2.0 version of the OpenStack Identity API, it is possible to configure a Keystone service tenant, user, and password for the gateway, similar to the way system administrators tend to configure other OpenStack services. Providing a username and password avoids placing the shared secret in the rgw_keystone_admin_token setting.

    Important

    Red Hat recommends disabling authentication by admin token in production environments. The service tenant credentials should have admin privileges.

    The necessary configuration options are:

    rgw_keystone_admin_user = KEYSTONE_TENANT_USER_NAME
    rgw_keystone_admin_password = KEYSTONE_TENANT_USER_PASSWORD
    rgw_keystone_admin_tenant = KEYSTONE_TENANT_NAME

    A Ceph Object Gateway user is mapped to a Keystone tenant. A Keystone user can have different roles assigned to it on more than one tenant. When the Ceph Object Gateway receives the ticket, it looks at the tenant and the user roles assigned to that ticket, and accepts or rejects the request according to the rgw_keystone_accepted_roles setting.

    A typical configuration might have the following settings:

    Example

    [client.radosgw.gateway]
    rgw_keystone_url = {keystone server url:keystone server admin port}
    ##Authentication using an admin token. Not preferred.
    #rgw_keystone_admin_token = {keystone admin token}
    ##Authentication using username, password and tenant. Preferred.
    rgw_keystone_admin_user = _KEYSTONE_TENANT_USER_NAME_
    rgw_keystone_admin_password =  _KEYSTONE_TENANT_USER_PASSWORD_
    rgw_keystone_admin_tenant =  _KEYSTONE_TENANT_NAME_
    rgw_keystone_accepted_roles = _KEYSTONE_ACCEPTED_USER_ROLES_
    ##
    rgw_keystone_token_cache_size = _NUMBER_OF_TOKENS_TO_CACHE_
    rgw_keystone_revocation_interval = _NUMBER_OF_SECONDS_BEFORE_CHECKING_REVOKED_TICKETS_
    rgw_keystone_make_new_tenants = _TRUE_FOR_PRIVATE_TENANT_FOR_EACH_NEW_USER_
    rgw_s3_auth_use_keystone = true
    nss_db_path = _PATH_TO_NSS_DB_
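    As an added example, not part of the Red Hat documentation or the Ceph project: a small POSIX shell audit that reads the [client.radosgw.*] section of a ceph.conf and flags a configured admin token (the chapter recommends disabling it in production), rgw_keystone_verify_ssl = false (the certificate is not verified), and an empty rgw_keystone_accepted_roles (no role restriction on accepted tickets). The two sample configuration fragments, the host name and the secrets are constructed placeholders.

```shell
#!/bin/sh
# Print the value of KEY from the [client.radosgw.*] section of FILE ($1 $2).
# Comment lines are skipped; spaces in key names fold to underscores, since
# ceph.conf accepts "rgw keystone url" and "rgw_keystone_url" alike.
rgw_conf_get() {
    awk -v want="$2" '
        /^[ \t]*\[/ { insec = ($0 ~ /^[ \t]*\[client\.radosgw\./); next }
        insec && !/^[ \t]*[#;]/ && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/ /, "_", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == want) print val
        }' "$1"
}
# One line per weak Keystone setting; prints nothing when the section is clean.
rgw_keystone_findings() {
    [ -n "$(rgw_conf_get "$1" rgw_keystone_admin_token)" ] &&
        echo "rgw_keystone_admin_token is set: shared admin token in use instead of service user credentials"
    [ "$(rgw_conf_get "$1" rgw_keystone_verify_ssl)" = "false" ] &&
        echo "rgw_keystone_verify_ssl = false: the Keystone certificate is not verified"
    [ -z "$(rgw_conf_get "$1" rgw_keystone_accepted_roles)" ] &&
        echo "rgw_keystone_accepted_roles is empty: no role restriction on accepted tickets"
    return 0
}
# Constructed sample ceph.conf fragments (not from a real deployment); host name and secrets are placeholders.
WEAK_CONF=$(mktemp); GOOD_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
[client.radosgw.gateway]
rgw keystone url = https://keystone.example.com:35357
rgw_keystone_admin_token = EXAMPLE_ADMIN_TOKEN
rgw_keystone_verify_ssl = false
rgw_s3_auth_use_keystone = true
EOF
cat > "$GOOD_CONF" <<'EOF'
[client.radosgw.gateway]
rgw_keystone_url = https://keystone.example.com:35357
#rgw_keystone_admin_token = EXAMPLE_ADMIN_TOKEN
rgw_keystone_admin_user = swift
rgw_keystone_admin_password = EXAMPLE_PASSWORD
rgw_keystone_admin_tenant = service
rgw_keystone_accepted_roles = admin,Member
rgw_keystone_verify_ssl = true
rgw_s3_auth_use_keystone = true
nss_db_path = /var/ceph/nss
EOF
rgw_keystone_findings "$WEAK_CONF"   # three findings
rgw_keystone_findings "$GOOD_CONF"   # nothing
```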

3.4. Restarting the Ceph Object Gateway daemon

Restart the Ceph Object Gateway to activate configuration changes.

Prerequisites

  • A running Red Hat Ceph Storage cluster.
  • Access to the Ceph software repository.
  • Admin privileges to the production environment.

Procedure

  1. Once you have saved the Ceph configuration file and distributed it to each Ceph node, restart the Ceph Object Gateway instances:

    Example

    [root@ceph ~]# systemctl restart ceph-radosgw
    [root@ceph ~]# systemctl restart ceph-radosgw@rgw.`hostname -s`