Hi,

On 1/31/19 6:11 PM, shubjero wrote:
> Has anyone automated the ability to generate S3 keys for OpenStack users in Ceph? Right now we take in a user's request manually (Hey we need an S3 API key for our OpenStack project 'X', can you help?). We as cloud/ceph admins just use radosgw-admin to create them an access/secret key pair for their specific OpenStack project and provide it to them manually. Was just wondering if there was a self-serve way to do that. Curious to hear what others have done in regards to this.
You can link RGW to Keystone, and pass authentication / signature check requests to it. The user can create project scoped EC2 credentials in OpenStack (via API/CLI/web interface), and use these credentials for authentication to the RGW S3 API.
Works well on our side. You may want to ensure that default quotas for bucket/objects/size are in place.
The main drawback is the extra latency introduced by the keystone upcall. The EC2 credentials are not sent to the RGW, so _each_ S3 request has to be authenticated via the keystone API. Add TCP and SSL handshake overhead (not sure whether RGW uses a persistent connection)...
You can still use "local" authentication using credentials created with rgw-admin. AFAIK there's also a setting to define the order for trying authentication, so special users and services get a local set of credentials (and thus lower latency, but more administrative overhead), normal users can use the keystone calls and are completely self-service.
Regards,
Burkhard
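A ceph.conf fragment for the setup described in this reply, added here as an illustration and not taken from the thread or from the poster's cluster. The section name, Keystone URL, service account, role names and quota values are placeholder assumptions; `rgw s3 auth order` is only available on Ceph releases that support it.

```ini
# Added example: RGW S3 authentication delegated to Keystone.
# All values below are constructed placeholders.
[client.rgw.gateway1]

# Link RGW to Keystone (v3 API) using a dedicated service account.
rgw keystone url = https://keystone.example.internal:5000
rgw keystone api version = 3
rgw keystone admin user = rgw-service
rgw keystone admin password = CHANGE_ME
rgw keystone admin domain = Default
rgw keystone admin project = service
# Keep certificate validation on for the Keystone upcall.
rgw keystone verify ssl = true

# Only users holding one of these Keystone roles in a project are accepted.
rgw keystone accepted roles = member, admin

# Hand S3 signature checks for unknown access keys to Keystone.
# RGW never sees the EC2 secret, so every such request costs one upcall.
rgw s3 auth use keystone = true

# Try locally stored keys (created with radosgw-admin) first, then Keystone.
# Latency-sensitive service accounts get local keys; everyone else stays
# self-service through Keystone EC2 credentials.
rgw s3 auth order = local, external

# Default quotas for users that appear automatically via Keystone.
# -1 means unlimited; sizes are in bytes.
rgw user default quota max objects = 1000000
rgw user default quota max size = 1099511627776
rgw bucket default quota max objects = 500000
rgw bucket default quota max size = 549755813888
```

With this in place a project member creates a key pair with `openstack ec2 credentials create` and uses the returned access and secret values in any S3 client pointed at the RGW endpoint.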