
Configuration tutorial for ceph and keystone

Updated 2025-02-24. From: SLTechnology News&Howtos, Shulou (Shulou.com), 06/01

This article walks through configuring Ceph and Keystone to work together, a setup many people run into trouble with in practice.

I. Background introduction

The Ceph object storage module rgw can be integrated with Keystone, so that all object storage account information is managed by Keystone, which stores and authenticates the Swift and S3 accounts and passwords. These accounts do not need to be created manually in rgw. When a client connects over S3 or Swift, rgw sends an authentication request to Keystone, and Keystone decides whether authentication succeeds.

II. Configuration documentation

1. Ceph configuration

rgw supports Keystone v2 and Keystone v3 authentication. My production environment uses Keystone v2, so the configuration rgw requires is as follows:

    # Enable S3 Keystone authentication
    rgw_s3_auth_use_keystone = true

    # Keystone authentication endpoint address. Since S3 is an internal
    # service, the community recommends using the internal port 35357.
    rgw_keystone_url = http://192.168.242.128:35357

    # It is recommended to turn off admin_token authentication in production
    # and use the user, password, tenant combination below instead.
    # rgw_keystone_admin_token = 1

    # Keystone admin account information.
    # If you log in using admin_user, you need to configure an nss_db_path.
    nss_db_path = /var/ceph/nss
    rgw_keystone_admin_user = admin
    rgw_keystone_admin_password = 1
    rgw_keystone_admin_tenant = admin

    # Keystone v2 authentication
    rgw_keystone_api_version = 2

    # SSL is currently not enabled on the production Keystone, so
    # certificate verification is disabled.
    rgw_keystone_verify_ssl = false

    # Keystone role names that rgw accepts
    rgw_keystone_accepted_roles = _member_, Member, admin
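The settings above include several that weaken the rgw-to-Keystone channel: a plain HTTP endpoint, `rgw_keystone_verify_ssl = false`, and a one-character admin password. The following is an added example, not part of the original article or of Ceph itself: a small Python audit that flags those settings in a ceph.conf. The section name `[client.rgw.gateway]`, the finding labels and the 12-character password threshold are assumptions.

```python
import configparser

# Constructed sample mirroring the tutorial's settings. The section name
# [client.rgw.gateway] is an assumption; the page does not name one.
SAMPLE_CONF = """
[client.rgw.gateway]
rgw_s3_auth_use_keystone = true
rgw_keystone_url = http://192.168.242.128:35357
nss_db_path = /var/ceph/nss
rgw_keystone_admin_user = admin
rgw_keystone_admin_password = 1
rgw_keystone_admin_tenant = admin
rgw_keystone_api_version = 2
rgw_keystone_verify_ssl = false
rgw_keystone_accepted_roles = _member_, Member, admin
"""

FALSEY = {"false", "0", "no", "off"}


def audit_rgw_keystone(conf_text, min_password_len=12):
    """Return sorted (section, finding) pairs for risky rgw/Keystone options."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                   strict=False)
    # Ceph treats "rgw keystone url" and "rgw_keystone_url" as the same key.
    cp.optionxform = lambda k: k.strip().lower().replace(" ", "_").replace("-", "_")
    cp.read_string(conf_text)
    findings = []
    for name in cp.sections():
        opts = cp[name]
        if not any(k.startswith("rgw_keystone") for k in opts):
            continue  # section has no Keystone integration settings
        if opts.get("rgw_keystone_url", "").lower().startswith("http://"):
            findings.append((name, "cleartext-url"))  # auth traffic is unencrypted
        if opts.get("rgw_keystone_verify_ssl", "true").strip().lower() in FALSEY:
            findings.append((name, "tls-verify-off"))
        if opts.get("rgw_keystone_admin_token", "").strip():
            findings.append((name, "admin-token-set"))  # page: turn off in production
        user = opts.get("rgw_keystone_admin_user", "").strip()
        if user and len(opts.get("rgw_keystone_admin_password", "")) < min_password_len:
            findings.append((name, "weak-admin-password"))
        if user and not opts.get("nss_db_path", "").strip():
            findings.append((name, "missing-nss-db-path"))  # requirement as stated on the page
    return sorted(findings)


if __name__ == "__main__":
    for section, finding in audit_rgw_keystone(SAMPLE_CONF):
        print(f"{section}: {finding}")
```

Values with trailing inline comments are not stripped, so run it against a file that keeps comments on their own lines.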

2. Keystone configuration

Modify the following fields in /etc/keystone/keystone-paste.ini as shown (the changed values were marked in red in the original):

    [filter:s3_extension]
    paste.filter_factory = keystone.contrib.s3:S3Extension.factory

    [pipeline:public_api]
    # The last item in this pipeline must be public_service or an equivalent
    # application. It cannot be a filter.
    pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension s3_extension user_crud_extension public_service

    [pipeline:admin_api]
    # The last item in this pipeline must be admin_service or an equivalent
    # application. It cannot be a filter.
    pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension s3_extension crud_extension admin_service

3. Generate PKI (not required for admin_token mode)

    keystone-manage pki_setup

4. Restart the keystone service

5. Create a swift service

    keystone service-create --name swift --type object-store
    # <service-id> is a placeholder for the id that service-create prints
    keystone endpoint-create --service-id <service-id> \
        --publicurl http://radosgw.example.com/swift/v1 \
        --internalurl http://radosgw.example.com/swift/v1 \
        --adminurl http://radosgw.example.com/swift/v1

6. Sign PKI (you must switch to the root user; running the commands through sudo reports an error)

    mkdir /var/ceph/nss

    openssl x509 -in /etc/keystone/ssl/certs/ca.pem -pubkey | \
        certutil -d /var/ceph/nss -A -n ca -t "TCu,Cu,Tuw"
    # Trust arguments "P,P,P" follow the upstream Ceph Keystone-integration docs
    openssl x509 -in /etc/keystone/ssl/certs/signing_cert.pem -pubkey | \
        certutil -A -d /var/ceph/nss -n signing_cert -t "P,P,P"

7. Copy the files generated under /var/ceph/nss/ to the nss_db_path directory on the rgw host and change their owner and group to ceph:ceph.

8. Start the rgw service

AWS access accounts can be created through the openstack ec2 family of commands. The Access Key and Secret Key are used to access S3.

An rgw account corresponds to a Keystone tenant, and a Keystone user corresponds to a subuser in the gateway. S3 has no concept of a subuser, so multiple access key and secret key pairs generated by the ec2 commands access the same bucket resources if they belong to one Project ID. Note also that Keystone authentication is fine when the private cloud uses S3 for backup or a light I/O load. If the I/O request load is too heavy, Keystone validation becomes a bottleneck and causes S3 requests to time out.


© 2024 shulou.com SLNews company. All rights reserved.
