On Mon, 22 Feb 2021 at 15:27, Simon Pierre DESROSIERS <simonpierre.desrosiers@xxxxxxxxxxx> wrote:

> Hello,
>
> We have a functional ceph swarm with a pair of S3 rgw in front that uses
> the A.B.C.D domain to be accessed.
>
> Now a new client asks to have access using the domain E.C.D, but to
> already existing buckets. This is not a scenario discussed in the docs.
> Apparently, looking at the code and by trying it, rgw does not support
> multiple domains for the variable rgw_dns_name.
>
> But reading through parts of the code, I am no dev, and my C++ is 25 years
> rusty, I get the impression that maybe we could just add a second pair of
> rgw S3 servers that would give service to the same buckets, but using a
> different domain.
>
> Am I wrong? Let's say this works, is this an unconscious behaviour that
> the ceph team would remove down the road?
>

We run this: an LB sends to one pool for one DNS name and to another pool
for a different DNS name, and both rgws serve the "same" buckets.

Since S3 auth v4 the DNS name is very much a part of the hash to make your
access work, so whatever the client thinks is the DNS name is what it will
use to make the hash-of-hash-of-hash* combination to auth itself.

We haven't made a huge attempt to break it by doing wacky parallel accesses
from both directions, but it seems to work to move clients off from the old
name to the new name, and the stragglers that will never change will get the
old small LB pool and the clients with a decent config get better service.

In our case the domains are completely different, so not A.B.C.D vs B.C.D
but rather F.G.H.I instead.

*) SIGNATURE=$(HMAC-SHA256h $(HMAC-SHA256h $(HMAC-SHA256h $(HMAC-SHA256h $(HMAC-SHA256s $AWS4SECRET $REQUEST_DATE ) $REQUEST_REGION) $REQUEST_SERVICE) "aws4_request") $UPLOAD_REQUEST)

--
May the most significant bit of your life be positive.
_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx
To unsubscribe send an email to ceph-users-leave@xxxxxxx
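The reply's point that the DNS name is part of the Signature V4 hash, shown as an added example (not code from the thread or from Ceph): it signs the same path-style GET for two hostnames and has a verifier recompute the signature from the Host header it receives. The hostnames, secret, date and object path are constructed sample values, and the function names are hypothetical.

```python
import hashlib
import hmac

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    # Nested HMAC chain from the footnote: date, region, service, "aws4_request".
    key = _hmac(("AWS4" + secret).encode(), date)
    for part in (region, service, "aws4_request"):
        key = _hmac(key, part)
    return key

def sign_get(host: str, path: str, secret: str, amz_date: str,
             region: str = "us-east-1", service: str = "s3") -> str:
    """SigV4 signature for a GET with an empty body and no query string."""
    payload_hash = hashlib.sha256(b"").hexdigest()
    headers = {"host": host, "x-amz-content-sha256": payload_hash,
               "x-amz-date": amz_date}
    names = sorted(headers)
    canonical_request = "\n".join([
        "GET", path, "",
        "".join(f"{n}:{headers[n]}\n" for n in names),  # host is signed here
        ";".join(names), payload_hash])
    date = amz_date[:8]
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date,
        f"{date}/{region}/{service}/aws4_request",
        hashlib.sha256(canonical_request.encode()).hexdigest()])
    key = signing_key(secret, date, region, service)
    return hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()

def gateway_accepts(received_host: str, path: str, secret: str,
                    amz_date: str, client_signature: str) -> bool:
    # The verifier recomputes the signature from the Host header it received.
    expected = sign_get(received_host, path, secret, amz_date)
    return hmac.compare_digest(expected, client_signature)

# Constructed sample values (not from the thread).
SECRET = "EXAMPLE-SECRET-KEY"
AMZ_DATE = "20210222T152700Z"
OLD, NEW = "s3.old.example.com", "s3.new.example.net"
PATH = "/shared-bucket/object.txt"

if __name__ == "__main__":
    sig = sign_get(NEW, PATH, SECRET, AMZ_DATE)
    print("Host preserved:", gateway_accepts(NEW, PATH, SECRET, AMZ_DATE, sig))
    print("Host rewritten:", gateway_accepts(OLD, PATH, SECRET, AMZ_DATE, sig))
```

The signing key is identical for both names; only the canonical request differs, so a load balancer that rewrites the Host header between client and gateway turns a valid request into a signature mismatch.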