Hi,
We are operating a Luminous 12.2.2 radosgw, with the S3 Keystone
authentication enabled.
Some customers are uploading millions of objects per bucket at once,
therefore the radosgw is doing millions of s3tokens POST requests to the
Keystone. All those s3tokens requests to Keystone are the same (same
customer, same EC2 credentials). But because there is no cache in
radosgw for the EC2 credentials, every incoming S3 operation generates a
call to the external auth Keystone. It can generate hundreds of s3tokens
requests per second to Keystone.
We already had this problem with Jewel, but we implemented a workaround.
The EC2 credentials of the customer were added directly in the local
auth engine of radosgw. So for this particular heavy user, the radosgw
local authentication was checked first, and no external auth request to
Keystone was necessary.
But the default behavior for the S3 authentication has changed in Luminous.
In Luminous, if you enable the S3 Keystone authentication, every
incoming S3 operation will first check for anonymous authentication,
then external authentication (Keystone and/or LDAP), and only then local
authentication.
See https://github.com/ceph/ceph/blob/master/src/rgw/rgw_auth_s3.h#L113-L141
Is there a way to get the old authentication behavior (anonymous ->
local -> external) to work again?
Or is it possible to implement a caching mechanism (similar to the Token
cache) for the EC2 credentials?
Cheers,
Valery
--
SWITCH
Valéry Tschopp, Software Engineer
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
email: valery.tschopp@xxxxxxxxx phone: +41 44 268 1544
30 years of pioneering the Swiss Internet.
Celebrate with us at https://swit.ch/30years
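
The caching idea raised in the message, sketched as an added example (not code from the message or from Ceph): a cache keyed on the request signature would never hit, because every S3 request signs different data, so this model caches the EC2 secret per access key with a TTL and verifies signatures locally. `FakeKeystone`, `get_secret`, `CachingEc2Auth` and the single HMAC-SHA256 signature are assumptions made for illustration; real S3 signing and the Keystone API differ.

```python
import hashlib
import hmac
import time

class FakeKeystone:
    """Constructed stand-in for the external auth service; counts round trips."""
    def __init__(self, secrets):
        self.secrets, self.calls = secrets, 0

    def get_secret(self, access_key):
        # Hypothetical privileged lookup: returns the EC2 secret, or None if unknown.
        self.calls += 1
        return self.secrets.get(access_key)

def sign(secret, string_to_sign):
    # Simplified signature (assumption): one HMAC-SHA256 over the string to sign.
    return hmac.new(secret.encode(), string_to_sign.encode(), hashlib.sha256).hexdigest()

class CachingEc2Auth:
    def __init__(self, keystone, ttl=300.0, clock=time.monotonic):
        self.keystone, self.ttl, self.clock = keystone, ttl, clock
        self.cache = {}  # access_key -> (secret, expiry time)

    def _secret(self, access_key):
        hit = self.cache.get(access_key)
        if hit and hit[1] > self.clock():
            return hit[0]                      # fresh entry: no external call
        secret = self.keystone.get_secret(access_key)
        if secret is not None:
            self.cache[access_key] = (secret, self.clock() + self.ttl)
        else:
            self.cache.pop(access_key, None)   # revoked or unknown: drop stale entry
        return secret

    def authenticate(self, access_key, string_to_sign, signature):
        secret = self._secret(access_key)
        if secret is None:
            return False
        # Constant-time comparison; each request is still verified individually.
        return hmac.compare_digest(sign(secret, string_to_sign), signature)

def simulate(n_requests, ttl=300.0):
    """One customer uploads n objects; returns (all accepted, external calls made)."""
    ks = FakeKeystone({"AKEXAMPLE": "constructed-secret"})
    auth = CachingEc2Auth(ks, ttl=ttl)
    msgs = [f"PUT /bucket/obj{i}" for i in range(n_requests)]
    ok = all(auth.authenticate("AKEXAMPLE", m, sign("constructed-secret", m)) for m in msgs)
    return ok, ks.calls
```

The TTL bounds how long a credential revoked in Keystone keeps working at the gateway, so it trades external-auth load against revocation delay, and the cached secrets become sensitive state held in gateway memory.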