Re: Luminous radosgw S3/Keystone integration issues


 



Hi all,

Bringing up this old thread with a couple questions:

1. Did anyone ever follow up on the 2nd part of this thread? -- is
there any way to cache keystone EC2 credentials?

2. A question for Valery: could you please explain exactly how you
added the EC2 credentials to the local backend (your workaround)? Did
you add the key to the existing uid with type=keystone? or did you
create a new user (rgw-admin user create..) with the needed EC2 creds?

Cheers, Dan


On Thu, Feb 1, 2018 at 4:45 PM Valery Tschopp <valery.tschopp@xxxxxxxxx> wrote:
>
> Hi,
>
> We are operating a Luminous 12.2.2 radosgw, with the S3 Keystone
> authentication enabled.
>
> Some customers are uploading millions of objects per bucket at once,
> therefore the radosgw is doing millions of s3tokens POST requests to the
> Keystone. All those s3tokens requests to Keystone are the same (same
> customer, same EC2 credentials). But because there is no cache in
> radosgw for the EC2 credentials, every incoming S3 operation generates a
> call to the external auth Keystone. It can generate hundreds of s3tokens
> requests per second to Keystone.
>
> We already had this problem with Jewel, but we implemented a workaround.
> The EC2 credentials of the customer were added directly in the local
> auth engine of radosgw. So for this particular heavy user, the radosgw
> local authentication was checked first, and no external auth request to
> Keystone was necessary.
>
> But the default behavior for the S3 authentication has changed in Luminous.
>
> In Luminous, if you enable the S3 Keystone authentication, every
> incoming S3 operation will first check for anonymous authentication,
> then external authentication (Keystone and/or LDAP), and only then local
> authentication.
> See https://github.com/ceph/ceph/blob/master/src/rgw/rgw_auth_s3.h#L113-L141
>
> Is there a way to get the old authentication behavior (anonymous ->
> local -> external) to work again?
>
> Or is it possible to implement a caching mechanism (similar to the Token
> cache) for the EC2 credentials?
>
> Cheers,
> Valery
>
> --
> SWITCH
> Valéry Tschopp, Software Engineer
> Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
> email: valery.tschopp@xxxxxxxxx phone: +41 44 268 1544
>
> 30 years of pioneering the Swiss Internet.
> Celebrate with us at https://swit.ch/30years
>
> _______________________________________________
> ceph-users mailing list
> ceph-users@xxxxxxxxxxxxxx
> http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
_______________________________________________
ceph-users mailing list
ceph-users@xxxxxxxxxxxxxx
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
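
A simplified model of the engine ordering discussed in this thread, added here as an illustration; it is not code from Ceph or from either poster. `Engine`, `run_upload`, `demo` and the credentials are constructed for the example, the anonymous engine is left out, and each call on the "external" engine stands for one s3tokens POST. It also shows that a key copied into the local engine keeps authenticating after it is deleted from Keystone.

```python
import base64
import hashlib
import hmac

ACCESS, SECRET = "EXAMPLEACCESSKEY", "example-secret"  # constructed values

def sign_v2(secret, string_to_sign):
    """AWS signature v2: base64(HMAC-SHA1(secret, string_to_sign))."""
    mac = hmac.new(secret.encode(), string_to_sign.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

class Engine:
    """One auth engine: a credential store plus a counter of lookups."""
    def __init__(self, name, secrets):
        self.name, self.secrets, self.calls = name, dict(secrets), 0

    def authenticate(self, access, string_to_sign, signature):
        self.calls += 1  # for the "external" engine: one round trip to Keystone
        secret = self.secrets.get(access)
        if secret is None:
            return False
        return hmac.compare_digest(sign_v2(secret, string_to_sign), signature)

def authenticate(order, request):
    """Try the engines in order; return the name of the first that accepts."""
    for engine in order:
        if engine.authenticate(*request):
            return engine.name
    return None

def run_upload(order, n_objects):
    """Authenticate n_objects signed PUTs; return who accepted the last one."""
    who = None
    for i in range(n_objects):
        sts = f"PUT\n\n\nThu, 01 Feb 2018 16:45:00 GMT\n/bucket/obj{i}"
        who = authenticate(order, (ACCESS, sts, sign_v2(SECRET, sts)))
    return who

def demo(n=1000):
    keystone = Engine("external", {ACCESS: SECRET})
    local = Engine("local", {ACCESS: SECRET})  # the workaround: key copied locally
    run_upload([keystone, local], n)           # order described for Luminous
    external_first = keystone.calls
    keystone.calls = 0
    run_upload([local, keystone], n)           # anonymous -> local -> external
    local_first = keystone.calls
    del keystone.secrets[ACCESS]               # credential deleted in Keystone
    return external_first, local_first, run_upload([local, keystone], 1)
```
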