Hi Matt,

That's great! I sent the PR here: https://github.com/ceph/ceph/pull/21846

I don't have the necessary karma, but it would be really nice if this could be added to the luminous backport queue.

Thanks!

Dan

On Fri, May 4, 2018 at 5:18 PM, Matt Benjamin <mbenjami@xxxxxxxxxx> wrote:
> Hi Dan,
>
> We agreed in upstream RGW to make this change. Do you intend to
> submit this as a PR?
>
> regards
>
> Matt
>
> On Fri, May 4, 2018 at 10:57 AM, Dan van der Ster <dan@xxxxxxxxxxxxxx> wrote:
>> Hi Valery,
>>
>> Did you eventually find a workaround for this? I *think* we'd also
>> prefer rgw to fallback to external plugins, rather than checking them
>> before local. But I never understood the reasoning behind the change
>> from jewel to luminous.
>>
>> I saw that there is work towards a cache for ldap [1] and I assume a
>> similar approach would be useful for keystone as well.
>>
>> In the meantime, would a patch like [2] work?
>>
>> Cheers, Dan
>>
>> [1] https://github.com/ceph/ceph/pull/20624
>>
>> [2] diff --git a/src/rgw/rgw_auth_s3.h b/src/rgw/rgw_auth_s3.h
>> index 6bcdebaf1c..3c343adf66 100644
>> --- a/src/rgw/rgw_auth_s3.h
>> +++ b/src/rgw/rgw_auth_s3.h
>> @@ -129,20 +129,17 @@ public:
>> add_engine(Control::SUFFICIENT, anonymous_engine);
>> }
>>
>> + /* The local auth. */
>> + if (cct->_conf->rgw_s3_auth_use_rados) {
>> + add_engine(Control::SUFFICIENT, local_engine);
>> + }
>> +
>> /* The external auth. */
>> Control local_engine_mode;
>> if (! external_engines.is_empty()) {
>> add_engine(Control::SUFFICIENT, external_engines);
>> -
>> - local_engine_mode = Control::FALLBACK;
>> - } else {
>> - local_engine_mode = Control::SUFFICIENT;
>> }
>>
>> - /* The local auth. */
>> - if (cct->_conf->rgw_s3_auth_use_rados) {
>> - add_engine(local_engine_mode, local_engine);
>> - }
>> }
>>
>> const char* get_name() const noexcept override {
>>
>>
>> On Thu, Feb 1, 2018 at 4:44 PM, Valery Tschopp <valery.tschopp@xxxxxxxxx> wrote:
>>> Hi,
>>>
>>> We are operating a Luminous 12.2.2 radosgw, with the S3 Keystone
>>> authentication enabled.
>>>
>>> Some customers are uploading millions of objects per bucket at once,
>>> therefore the radosgw is doing millions of s3tokens POST requests to the
>>> Keystone. All those s3tokens requests to Keystone are the same (same
>>> customer, same EC2 credentials). But because there is no cache in radosgw
>>> for the EC2 credentials, every incoming S3 operation generates a call to the
>>> external auth Keystone. It can generate hundreds of s3tokens requests per
>>> second to Keystone.
>>>
>>> We already had this problem with Jewel, but we implemented a workaround. The
>>> EC2 credentials of the customer were added directly in the local auth engine
>>> of radosgw. So for this particular heavy user, the radosgw local
>>> authentication was checked first, and no external auth request to Keystone
>>> was necessary.
>>>
>>> But the default behavior for the S3 authentication has changed in Luminous.
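Review bot: `Control local_engine_mode;` is left behind as an unchanged context line although every assignment to it and its only use (`add_engine(local_engine_mode, local_engine)`) are removed in this hunk, so the variable is now dead and will likely trip an unused-variable warning; drop the declaration too. The reordering also changes precedence for every deployment that has rgw_s3_auth_use_rados enabled together with external engines: local_engine is now added as Control::SUFFICIENT ahead of external_engines, so a user stored locally in RADOS whose access key matches is authenticated without Keystone/LDAP ever being consulted, where before the local engine was only a Control::FALLBACK behind them. That is the intent of the thread, but it deserves a sentence in the option description and the release notes so operators know to review which users exist locally before upgrading.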
>>>
>>> In Luminous, if you enable the S3 Keystone authentication, every incoming S3
>>> operation will first check for anonymous authentication, then external
>>> authentication (Keystone and/or LDAP), and only then local authentication.
>>> See https://github.com/ceph/ceph/blob/master/src/rgw/rgw_auth_s3.h#L113-L141
>>>
>>> Is there a way to get the old authentication behavior (anonymous -> local ->
>>> external) to work again?
>>>
>>> Or is it possible to implement a caching mechanism (similar to the Token
>>> cache) for the EC2 credentials?
>>>
>>> Cheers,
>>> Valery
>>>
>>> --
>>> SWITCH
>>> Valéry Tschopp, Software Engineer
>>> Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
>>> email: valery.tschopp@xxxxxxxxx phone: +41 44 268 1544
>>>
>>> 30 years of pioneering the Swiss Internet.
>>> Celebrate with us at https://swit.ch/30years
>
> --
>
> Matt Benjamin
> Red Hat, Inc.
> 315 West Huron Street, Suite 140A
> Ann Arbor, Michigan 48103
>
> http://www.redhat.com/en/technologies/storage
>
> tel. 734-821-5101
> fax. 734-769-8938
> cel. 734-216-5309

_______________________________________________
ceph-users mailing list
ceph-users@xxxxxxxxxxxxxx
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com