Hi everyone, I've recently started a documentation patch to better explain Swift compatibility and OpenStack integration for radosgw; a WIP PR is at https://github.com/ceph/ceph/pull/25056/. I have, however, run into an issue that I would really *like* to document, except I don't know whether what I'm seeing is how things are supposed to work. :) This is about multi-tenancy in radosgw, in combination with S3 authentication via Keystone (and EC2-compatible credentials generated from OpenStack, as explained in my doc patch). Now, when I enable rgw_s3_use_keystone_auth and rgw_keystone_implicit_tenants, then, if I create an S3 bucket in radosgw for the first time, naming that bucket "foo", the following things happen: * I see a user that has been created, and that I can query with "radosgw-admin user info", that is named ff569d377ecb4f77875fa1b3f89eb16f$ff569d377ecb4f77875fa1b3f89eb16f (that is, the Keystone tenant/project UUID twice[1], separated by a $ character). Its display_name is the name of my tenant. * With "radosgw-admin bucket list --uid='ff569d377ecb4f77875fa1b3f89eb16f$ff569d377ecb4f77875fa1b3f89eb16f'", I see a bucket that has been created, and that has been named "foo". So far, all is well. If I do this, then I can see an bucket named "foo" if I use an S3 client, and I can see a container named "foo", with identical content, if I use the Swift API. Now, if I enable rgw_swift_account_in_url, and update my Keystone object store endpoint to include AUTH_%(tenant_id)s, then using the Swift API I can also use public ACLs and temp URLs. However, I am stumped trying to to understand how exactly this is meant to work with the S3 API. So I have two questions: (1) What do I have to do to get publicly-readable buckets to work in the Keystone-authenticated scenario? Moreover, what is the correct path to use, for a non-S3 client like curl or a browser, to access an object? It seems that using http://host:port/ff569d377ecb4f77875fa1b3f89eb16f:foo/bar works for S3 objects with a public ACL set, but if I try to use the same approach with a signed object, I get a 403 with SignatureDoesNotMatch. It seems like what I have to use for a signed object is, instead, http://host:port/foo/bar?AWSAccessKeyId=something&Expires=something&Signature=something. However, if I do *ask* for a signed object that includes the tenant name, as in "s3cmd signurl s3://5ed51981f4a8468292bf2c578806ebf:foo/bar +120", then I *can* use the same URL format as for public ACL objects. Is this the intended behavior? If so, does that mean that an application using the S3 API, and access/secret keys from OpenStack-backed EC2, should configure always itself to use the "<tenant_id>:" prefix to precede the bucket name? (2) Do I understand the documentation (http://docs.ceph.com/docs/mimic/radosgw/multitenancy/#s3) correctly in that whenever one uses multitenancy of any kind in radosgw, S3 bucket hostnames can't ever be used? Thus, is it correct to say that if a radosgw instance is meant to *only* ever authenticate its users against Keystone, where there is always a radosgw tenant that is being created, then it's pointless to set rgw_dns_name? If anyone could shed a light on the above, I can write up the answer and amend the doc patch. Thanks! Cheers, Florian [1] This would be an additional question: why is the project UUID in there *twice*? Surely there's a good cause for that, but it presently escapes me. http://docs.ceph.com/docs/master/radosgw/multitenancy/ says "TBD – don’t forget to explain the function of rgw keystone implicit tenants = true" here, which isn't very helpful. :) _______________________________________________ ceph-users mailing list ceph-users@xxxxxxxxxxxxxx http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
 |