Configure OpenStack Keystone Auth in MicroCeph RGW

Ceph Object Gateway (RGW) can be configured to use OpenStack Keystone as its user authentication service. A user that Keystone authorises to access the gateway is also created automatically on the Ceph Object Gateway, and a token that Keystone validates is considered valid by the gateway.

MicroCeph supports setting the following Keystone config keys:

Supported Config Keys

Key                                          Description
-------------------------------------------  ------------------------------------------------------------
rgw_s3_auth_use_keystone                     Whether to use Keystone auth for the S3 endpoints
rgw_keystone_url                             Keystone server address in {url:port} format
rgw_keystone_admin_token                     Keystone admin token (not recommended in production)
rgw_keystone_admin_token_path                Path to Keystone admin token (recommended for production)
rgw_keystone_admin_user                      Keystone service tenant user name
rgw_keystone_admin_password                  Keystone service tenant user password
rgw_keystone_admin_password_path             Path to Keystone service tenant user password file
rgw_keystone_admin_project                   Keystone admin project name
rgw_keystone_admin_domain                    Keystone admin domain name
rgw_keystone_service_token_enabled           Whether to allow expired tokens with service token in requests
rgw_keystone_service_token_accepted_roles    Specify user roles accepted as service roles
rgw_keystone_expired_token_cache_expiration  Cache expiration period for an expired token allowed with a service token
rgw_keystone_api_version                     Keystone API version
rgw_keystone_accepted_roles                  Accepted user roles for Keystone users
rgw_keystone_accepted_admin_roles            List of roles allowing user to gain admin privileges
rgw_keystone_token_cache_size                The maximum number of entries in each Keystone token cache
rgw_keystone_verify_ssl                      Whether to verify SSL certificates while making token requests to Keystone
rgw_keystone_implicit_tenants                Whether to create new users in their own tenants of the same name
rgw_swift_account_in_url                     Whether the Swift account is encoded in the URL path
rgw_swift_versioning_enabled                 Enables object versioning
rgw_swift_enforce_content_length             Whether content length header is needed when listing containers
rgw_swift_custom_header                      Enable Swift custom header

A user can set, get, list, and reset the config keys above as follows:

  1. Supported config keys can be configured using the ‘set’ command:

$ sudo microceph cluster config set rgw_swift_account_in_url true

  2. The config value for a particular key can be queried using the ‘get’ command:

$ sudo microceph cluster config get rgw_swift_account_in_url
+---+--------------------------+-------+
| # |           KEY            | VALUE |
+---+--------------------------+-------+
| 0 | rgw_swift_account_in_url | true  |
+---+--------------------------+-------+

  3. A list of all the configured keys can be fetched using the ‘list’ command:

$ sudo microceph cluster config list
+---+--------------------------+-------+
| # |           KEY            | VALUE |
+---+--------------------------+-------+
| 0 | rgw_swift_account_in_url | true  |
+---+--------------------------+-------+

  4. Resetting a config key (i.e. setting the key to its default value) can be performed using the ‘reset’ command:

$ sudo microceph cluster config reset rgw_swift_account_in_url
$ sudo microceph cluster config list
+---+-----+-------+
| # | KEY | VALUE |
+---+-----+-------+
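
The following added example (not part of MicroCeph or its documentation) audits the table printed by the ‘list’ command for Keystone settings that weaken the deployment, starting from the note above that rgw_keystone_admin_token is not recommended in production. It assumes ‘list’ prints values in the table layout shown above; the function names, the sample values, and the checks on the inline password and plain-http URL are assumptions added here.

```shell
#!/bin/sh
# Added example (not MicroCeph code): flag risky Keystone settings in the
# table printed by `microceph cluster config list`.
# Real use: sudo microceph cluster config list | audit_rgw_keystone

audit_rgw_keystone() {
    # Reads the table on stdin, prints one finding per line,
    # returns 1 if anything was flagged and 0 otherwise.
    awk -F'|' '
        # Data rows look like: | 0 | key | value |
        NF >= 5 && $2 ~ /^ *[0-9]+ *$/ {
            key = $3; val = $4
            gsub(/^ +| +$/, "", key); gsub(/^ +| +$/, "", val)
            cfg[key] = val
        }
        END {
            n = 0
            if (cfg["rgw_keystone_admin_token"] != "") {
                print "WARN rgw_keystone_admin_token set inline; use rgw_keystone_admin_token_path"; n++
            }
            if (cfg["rgw_keystone_admin_password"] != "") {
                print "WARN rgw_keystone_admin_password set inline; use rgw_keystone_admin_password_path"; n++
            }
            if (tolower(cfg["rgw_keystone_verify_ssl"]) == "false") {
                print "WARN rgw_keystone_verify_ssl is false; Keystone certificate is not verified"; n++
            }
            if (cfg["rgw_keystone_url"] ~ /^http:\/\//) {
                print "WARN rgw_keystone_url uses plain http; tokens cross the network unencrypted"; n++
            }
            exit (n > 0)
        }'
}

# Constructed sample output; the values are placeholders, not from the page.
sample_config() {
    cat <<'EOF'
+---+-----------------------------+------------------------------+
| # |             KEY             |            VALUE             |
+---+-----------------------------+------------------------------+
| 0 | rgw_keystone_admin_password | example-password             |
| 1 | rgw_keystone_url            | http://keystone.example:5000 |
| 2 | rgw_keystone_verify_ssl     | false                        |
| 3 | rgw_s3_auth_use_keystone    | true                         |
+---+-----------------------------+------------------------------+
EOF
}

sample_config | audit_rgw_keystone || echo "review the findings above"
```

The non-zero return status lets the check gate a deployment script or a periodic configuration review.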

For detailed documentation of which keys should be configured, see the Ceph Docs.