
Using Ceph Object Gateway (radosgw) as a drop-in replacement for Swift

OpenStack-Ansible gives you the option of deploying Ceph Object Gateway (radosgw) as a drop-in replacement for native OpenStack Swift.

In particular, the openstack.osa.ceph_rgw_install playbook (which includes openstack.osa.ceph_rgw_keystone_setup) will deploy radosgw to any ceph-rgw hosts, and create a corresponding Keystone object-store service catalog entry. The service endpoints do contain the AUTH_%(tenant_id)s prefix just like in native Swift, so public read ACLs and temp URLs will work just like they do in Swift.

By default, OSA enables only the Swift API in radosgw.

Adding S3 API support

You may want to enable the default radosgw S3 API, in addition to the Swift API. To do so, you need to override the ceph_conf_overrides_rgw variable in user_variables.yml. Below is an example configuration snippet:

Note

The overrides shown below are the defaults and will be applied to the ceph-rgw group.

---
ceph_rgw_client_name: "client.rgw.{{ rgw_zone | default('default') }}.{{ hostvars[inventory_hostname]['ansible_facts']['hostname']}}.rgw0"
ceph_conf_overrides_rgw: |-
  {{
    {
      ceph_rgw_client_name: {
        'rgw_keystone_url': keystone_service_adminuri,
        'rgw_keystone_api_version': 3,
        'rgw_keystone_admin_user': radosgw_admin_user,
        'rgw_keystone_admin_password': radosgw_admin_password,
        'rgw_keystone_admin_project': radosgw_admin_tenant,
        'rgw_keystone_admin_domain': 'default',
        'rgw_keystone_accepted_roles': 'member, admin, swiftoperator',
        'rgw_keystone_implicit_tenants': 'true',
        'rgw_swift_account_in_url': 'true',
        'rgw_swift_versioning_enabled': 'true',
        'rgw_enable_apis': 'swift, s3',
        'rgw_s3_auth_use_keystone': 'true'
      }
    }
  }}

###
### Backend TLS
###

# Ceph configuration options to enable TLS on ceph-rgw
radosgw_frontend_ssl_certificate: "{{ ceph_rgw_backend_ssl is truthy | ternary(ceph_rgw_ssl_cert, '') }}"
# ceph-ansible requires the private key to be included in `radosgw_frontend_ssl_certificate`,
# which is not possible with ansible-role-pki.
# That is why `ssl_private_key` is defined in `radosgw_frontend_options`.
radosgw_frontend_options: "{{ ceph_rgw_backend_ssl is truthy | ternary('ssl_private_key=' + ceph_rgw_ssl_key, '') }}"

# Define if communication between haproxy and service backends should be
# encrypted with TLS.
ceph_rgw_backend_ssl: "{{ openstack_service_backend_ssl | default(False) }}"

# Storage location for SSL certificate authority
ceph_rgw_pki_dir: "{{ openstack_pki_dir | default('/etc/openstack_deploy/pki') }}"

# Delegated host for operating the certificate authority
ceph_rgw_pki_setup_host: "{{ openstack_pki_setup_host | default('localhost') }}"

# ceph_rgw server certificate
ceph_rgw_pki_keys_path: "{{ ceph_rgw_pki_dir ~ '/certs/private/' }}"
ceph_rgw_pki_certs_path: "{{ ceph_rgw_pki_dir ~ '/certs/certs/' }}"
ceph_rgw_pki_intermediate_cert_name: "{{ openstack_pki_service_intermediate_cert_name | default('ExampleCorpIntermediate') }}"
ceph_rgw_pki_regen_cert: ''
ceph_rgw_pki_san: "{{ openstack_pki_san | default('DNS:' ~ ansible_facts['hostname'] ~ ',IP:' ~ management_address) }}"
ceph_rgw_pki_certificates:
  - name: "ceph_rgw_{{ ansible_facts['hostname'] }}"
    provider: ownca
    cn: "{{ ansible_facts['hostname'] }}"
    san: "{{ ceph_rgw_pki_san }}"
    signed_by: "{{ ceph_rgw_pki_intermediate_cert_name }}"

# ceph_rgw destination files for SSL certificates
ceph_rgw_ssl_cert: /etc/ceph/ceph-rgw.pem
ceph_rgw_ssl_key: /etc/ceph/ceph-rgw.key

# Installation details for SSL certificates
ceph_rgw_pki_install_certificates:
  - src: "{{ ceph_rgw_user_ssl_cert | default(ceph_rgw_pki_certs_path ~ 'ceph_rgw_' ~ ansible_facts['hostname'] ~ '-chain.crt') }}"
    dest: "{{ ceph_rgw_ssl_cert }}"
    owner: "ceph"
    group: "ceph"
    mode: "0644"
  - src: "{{ ceph_rgw_user_ssl_key | default(ceph_rgw_pki_keys_path ~ 'ceph_rgw_' ~ ansible_facts['hostname'] ~ '.key.pem') }}"
    dest: "{{ ceph_rgw_ssl_key }}"
    owner: "ceph"
    group: "ceph"
    mode: "0600"

# Define user-provided SSL certificates
#ceph_rgw_user_ssl_cert: <path to cert on ansible deployment host>
#ceph_rgw_user_ssl_key: <path to key on ansible deployment host>

You may also want to add the rgw_dns_name option if you want to enable bucket hostnames with the S3 API.
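To confirm that a deployed gateway actually carries the authentication-related overrides shown above, the rendered ceph.conf section can be audited after the playbook runs. The following is an added example, not part of OpenStack-Ansible or Ceph; the function name, the sample section and the hostname in it are constructed, and the treatment of a missing rgw_enable_apis is an assumption noted in the code.

```python
import configparser

# Constructed sample of a rendered radosgw client section (not from a real host).
SAMPLE_CONF = """
[client.rgw.default.node1.rgw0]
rgw_keystone_api_version = 3
rgw_keystone_accepted_roles = member, admin, swiftoperator
rgw_keystone_implicit_tenants = true
rgw_swift_account_in_url = false
rgw_enable_apis = swift, s3
"""


def _is_true(value):
    return str(value).strip().lower() in ("true", "1", "yes")


def audit_rgw_section(conf_text, section):
    """Return (option, message) findings where a section deviates from the page's overrides."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    # ceph.conf treats spaces and underscores in option names as equivalent.
    opts = {k.replace(" ", "_"): v for k, v in parser[section].items()}
    # Assumption: if rgw_enable_apis is absent, treat both Swift and S3 as enabled.
    raw_apis = opts.get("rgw_enable_apis", "swift, s3")
    apis = {a.strip() for a in raw_apis.split(",") if a.strip()}
    findings = []
    if "s3" in apis and not _is_true(opts.get("rgw_s3_auth_use_keystone", "false")):
        findings.append(("rgw_s3_auth_use_keystone",
                         "S3 API enabled but S3 requests are not validated against Keystone"))
    if "swift" in apis and not _is_true(opts.get("rgw_swift_account_in_url", "false")):
        findings.append(("rgw_swift_account_in_url",
                         "endpoints carry the AUTH_ prefix but radosgw does not expect it"))
    if not _is_true(opts.get("rgw_keystone_implicit_tenants", "false")):
        findings.append(("rgw_keystone_implicit_tenants",
                         "Keystone projects are not mapped to separate radosgw tenants"))
    if "s3" in apis and "rgw_dns_name" not in opts:
        findings.append(("rgw_dns_name",
                         "unset: bucket hostnames will not work with the S3 API"))
    return findings


if __name__ == "__main__":
    for option, message in audit_rgw_section(SAMPLE_CONF, "client.rgw.default.node1.rgw0"):
        print(f"{option}: {message}")
```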