Chapter 3. Configuring the Ceph Object Gateway

Procedure

1. Convert the OpenSSL certificate to the nss db format:

   Example

   [root@osp ~]# mkdir /var/ceph/nss
   
   [root@osp ~]# mkdir /var/ceph/nss openssl x509 -in /etc/keystone/ssl/certs/ca.pem -pubkey | \
       certutil -d /var/ceph/nss -A -n ca -t "TCu,Cu,Tuw"
   [root@osp ~]# mkdir /var/ceph/nss openssl x509 -in /etc/keystone/ssl/certs/signing_cert.pem -pubkey | \
       certutil -A -d /var/ceph/nss -n signing_cert -t "P,P,P"

   Copy to Clipboard Toggle word wrap

2. Install Keystone’s SSL certificate in the node running the Ceph Object Gateway. Alternatively set the value of the configurable rgw_keystone_verify_ssl setting to false.

   Setting rgw_keystone_verify_ssl to false means that the gateway won’t attempt to verify the certificate.

Procedure

1. Edit the Ceph configuration file on the admin node.
2. Navigate to the [client.radosgw.INSTANCE_NAME], where INSTANCE_NAME is the name of the Gateway instance to configure.

3. Do the following for each gateway instance:

   1. Set the rgw_s3_auth_use_keystone setting to true.
   2. Set the nss_db_path setting to the path where the NSS database is stored.

4. Provide authentication credentials:

   It is possible to configure a Keystone service tenant, user and password for keystone for v2.0 version of the OpenStack Identity API, similar to the way system administrators tend to configure OpenStack services. Providing a username and password avoids providing the shared secret to the rgw_keystone_admin_token setting.

   Important

   Red Hat recommends disabling authentication by admin token in production environments. The service tenant credentials should have admin privileges.

   The necessary configuration options are:

   rgw_keystone_admin_user = KEYSTONE_TENANT_USER_NAME
   rgw_keystone_admin_password = KEYSTONE_TENANT_USER_PASSWORD
   rgw_keystone_admin_tenant = KEYSTONE_TENANT_NAME

   Copy to Clipboard Toggle word wrap

   A Ceph Object Gateway user is mapped into a Keystone tenant. A Keystone user has different roles assigned to it on possibly more than a single tenant. When the Ceph Object Gateway gets the ticket, it looks at the tenant, and the user roles that are assigned to that ticket, and accepts or rejects the request according to the rgw_keystone_accepted_roles configurable.

   A typical configuration might have the following settings:

   Example

   [client.radosgw.gateway]
   rgw_keystone_url = {keystone server url:keystone server admin port}
   ##Authentication using an admin token. Not preferred.
   #rgw_keystone_admin_token = {keystone admin token}
   ##Authentication using username, password and tenant. Preferred.
   rgw_keystone_admin_user = _KEYSTONE_TENANT_USER_NAME_
   rgw_keystone_admin_password =  _KEYSTONE_TENANT_USER_PASSWORD_
   rgw_keystone_admin_tenant =  _KEYSTONE_TENANT_NAME_
   rgw_keystone_accepted_roles = _KEYSTONE_ACCEPTED_USER_ROLES_
   ##
   rgw_keystone_token_cache_size = _NUMBER_OF_TOKENS_TO_CACHE_
   rgw_keystone_revocation_interval = _NUMBER_OF_SECONDS_BEFORE_CHECKING_REVOKED_TICKETS_
   rgw_keystone_make_new_tenants = _TRUE_FOR_PRIVATE_TENANT_FOR_EACH_NEW_USER_
   rgw_s3_auth_use_keystone = true
   nss_db_path = _PATH_TO_NSS_DB_

   Copy to Clipboard Toggle word wrap

Procedure

1. Once you have saved the Ceph configuration file and distributed it to each Ceph node, restart the Ceph Object Gateway instances: