[ English | Deutsch | Indonesia | English (United Kingdom) | español | русский ]

Menggunakan radosgw sebagai pengganti (drop-in replacement) untuk Swift

OpenStack-Ansible memberi Anda opsi untuk menyebarkan radosgw sebagai pengganti drop-in untuk OpenStack Swift asli.

Secara khusus, playbook ceph-rgw-install.yml (yang mencakup ceph-rgw-keystone-setup.yml) akan menyebarkan radosgw ke host ceph-rgw apa pun, dan membuat entri katalog layanan Keystone object-store yang sesuai. Endpoint layanan memang berisi awalan AUTH_%(tenant_id)s seperti di Swift asli, jadi ACL yang dibaca publik dan URL temp akan berfungsi sama seperti yang ada di Swift.

Secara default, OSA mengaktifkan only API Swift di radosgw.

Menambahkan dukungan S3 API

Anda mungkin ingin mengaktifkan radosgw S3 API default, selain Swift API. Untuk melakukannya, Anda perlu mengganti variabel ceph_conf_overrides_rgw dalam user_variables.yml. Berikut ini cuplikan contoh konfigurasi:

Catatan

Mentioned below overrides are default ones and will be applied to ceph-rgw group

---
ceph_conf_overrides_rgw: |-
  {{
    {
      'client.rgw.' ~ hostvars[inventory_hostname]['ansible_facts']['hostname'] ~ '.rgw0': {
        'rgw_keystone_url': keystone_service_adminuri,
        'rgw_keystone_api_version': 3,
        'rgw_keystone_admin_user': radosgw_admin_user,
        'rgw_keystone_admin_password': radosgw_admin_password,
        'rgw_keystone_admin_project': radosgw_admin_tenant,
        'rgw_keystone_admin_domain': 'default',
        'rgw_keystone_accepted_roles': 'member, admin, swiftoperator',
        'rgw_keystone_implicit_tenants': 'true',
        'rgw_swift_account_in_url': 'true',
        'rgw_swift_versioning_enabled': 'true',
        'rgw_enable_apis': 'swift, s3',
        'rgw_s3_auth_use_keystone': 'true'
      }
    }
  }}

###
### Backend TLS
###

# Ceph configuration options to enable TLS on ceph-rgw
radosgw_frontend_ssl_certificate: "{{ ceph_rgw_backend_ssl is truthy | ternary(ceph_rgw_ssl_cert, '') }}"
# Ceph-ansible requires to include private key in `radosgw_frontend_ssl_certificate`
# which is not possible with ansible-role-pki.
# That is why `ssl_private_key` is defined in `radosgw_frontend_options`.
radosgw_frontend_options: "{{ ceph_rgw_backend_ssl is truthy | ternary('ssl_private_key=' + ceph_rgw_ssl_key, '') }}"

# Define if communication between haproxy and service backends should be
# encrypted with TLS.
ceph_rgw_backend_ssl: "{{ openstack_service_backend_ssl | default(False) }}"

# Storage location for SSL certificate authority
ceph_rgw_pki_dir: "{{ openstack_pki_dir | default('/etc/openstack_deploy/pki') }}"

# Delegated host for operating the certificate authority
ceph_rgw_pki_setup_host: "{{ openstack_pki_setup_host | default('localhost') }}"

# ceph_rgw server certificate
ceph_rgw_pki_keys_path: "{{ ceph_rgw_pki_dir ~ '/certs/private/' }}"
ceph_rgw_pki_certs_path: "{{ ceph_rgw_pki_dir ~ '/certs/certs/' }}"
ceph_rgw_pki_intermediate_cert_name: "{{ openstack_pki_service_intermediate_cert_name | default('ExampleCorpIntermediate') }}"
ceph_rgw_pki_regen_cert: ''
ceph_rgw_pki_san: "{{ openstack_pki_san | default('DNS:' ~ ansible_facts['hostname'] ~ ',IP:' ~ management_address) }}"
ceph_rgw_pki_certificates:
  - name: "ceph_rgw_{{ ansible_facts['hostname'] }}"
    provider: ownca
    cn: "{{ ansible_facts['hostname'] }}"
    san: "{{ ceph_rgw_pki_san }}"
    signed_by: "{{ ceph_rgw_pki_intermediate_cert_name }}"

# ceph_rgw destination files for SSL certificates
ceph_rgw_ssl_cert: /etc/ceph/ceph-rgw.pem
ceph_rgw_ssl_key: /etc/ceph/ceph-rgw.key

# Installation details for SSL certificates
ceph_rgw_pki_install_certificates:
  - src: "{{ ceph_rgw_user_ssl_cert | default(ceph_rgw_pki_certs_path ~ 'ceph_rgw_' ~ ansible_facts['hostname'] ~ '-chain.crt') }}"
    dest: "{{ ceph_rgw_ssl_cert }}"
    owner: "ceph"
    group: "ceph"
    mode: "0644"
  - src: "{{ ceph_rgw_user_ssl_key | default(ceph_rgw_pki_keys_path ~ 'ceph_rgw_' ~ ansible_facts['hostname'] ~ '.key.pem') }}"
    dest: "{{ ceph_rgw_ssl_key }}"
    owner: "ceph"
    group: "ceph"
    mode: "0600"

# Define user-provided SSL certificates
#ceph_rgw_user_ssl_cert: <path to cert on ansible deployment host>
#ceph_rgw_user_ssl_key: <path to cert on ansible deployment host>

Anda mungkin juga ingin menambahkan opsi rgw_dns_name jika Anda ingin mengaktifkan nama host bucket dengan API S3.