rgw: fix nginx cache docs

Signed-off-by: Or Friedmann <ofriedma@redhat.com>
Or Friedmann 2020-05-17 16:46:12 +03:00
parent 737e1aa956
commit 892e9fa5fe
2 changed files with 15 additions and 17 deletions

@ -6,10 +6,10 @@ RGW Data caching and CDN
.. contents::
This new feature adds to RGW the ability to securely cache objects and offload the workload from the cluster, using Nginx.
After an object is accessed the first time it will be stored on top of Nginx dir.
Every request the Nginx will not fetch data from the RGW or the cluster, It will only check for permissions for that user from the RGW.
This feature is based on some Nginx modules, ngx_http_auth_request_module, https://github.com/kaltura/nginx-aws-auth-module, Openresty for lua capablities.
This feature adds to RGW the ability to securely cache objects and offload the workload from the cluster, using Nginx.
After an object is accessed the first time it will be stored in Nginx directory.
When data is already cached, it need not be fetched from RGW. A permission check will be made against RGW to ensure the requesting user has access.
This feature is based on some Nginx modules, ngx_http_auth_request_module, https://github.com/kaltura/nginx-aws-auth-module, Openresty for lua capabilities.
Currently this feature only works for GET requests and it will cache only AWSv4 requests (only s3 requests).
The feature introduces 2 new APIs: Auth and Cache.
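Review bot: The rewritten sentence "A permission check will be made against RGW to ensure the requesting user has access" no longer says that the check happens on every request, which the removed line ("Every request ...") did state. Say explicitly that cache hits are also authorized against RGW on each request, since that is the security property this feature relies on. Smaller points in the same hunk: "stored in Nginx directory" should read "stored in the Nginx cache directory", and "Openresty for lua" is better written "OpenResty for Lua".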
@ -18,20 +18,18 @@ New APIs
There are 2 new apis for this feature:
Auth API - Nginx using it to validate that an user can access the cached data
Auth API - The cache uses this to validate that an user can access the cached data
Cache API - Adding the ability to override securely Range header, that way Nginx can use it is own smart cache on top of S3:
Cache API - Adds the ability to override securely Range header, that way Nginx can use it is own smart cache on top of S3:
https://www.nginx.com/blog/smart-efficient-byte-range-caching-nginx/
Using this API giving the ability to read ahead objects when clients asking a specific range from the object.
The second time the client will ask another range, the Nginx will have it and it will provide the other range from the cache.
Using this API gives the ability to read ahead objects when clients asking a specific range from the object.
On subsequent accesses to the cached object, Nginx will satisfy requests for already-cached ranges from cache. Uncached ranges will be read from RGW (and cached).
Auth API
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This API meant to allow the RGW only check if a user is authorized to access an object or not.
To use it the client should add ``Auth`` Header to his request, if the client does it then the RGW will return 200 or 206 for successfully authorized.
If the client does not have permissions the RGW will return 403.
This APIValidates a specific authenticated access being made to the cache, using RGW's knowledge of the client credentials and stored access policy.
Returns success if the encapsulated request would be granted.
Cache API
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
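Review bot: In the Auth API section, "This APIValidates a specific authenticated access ..." has a missing space and a leftover "This API"; it should read "Validates a specific authenticated access ...". The replacement text also drops the description of the ``Auth`` header and of the 200/206 and 403 responses that the removed lines documented. "Returns success" does not tell someone wiring this up which header to send or which status codes to expect, so keep that detail. Wording nits in the same hunk: "an user" should be "a user", "it is own smart cache" should be "its own smart cache", and "when clients asking" is missing "are".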
@ -44,10 +42,10 @@ Creating cache user
$ radosgw-admin user create --uid=<uid for cache user> --display-name="cache user" --caps="amz-cache=read"
This user can send to the RGW the Cache api header ``X-Amz-Cache``, this header contains the headers from the original request(before changing the Range header).
This user can send to the RGW the Cache API header ``X-Amz-Cache``, this header contains the headers from the original request(before changing the Range header).
It means that ``X-Amz-Cache`` built from several headers.
The headers that are building the ``X-Amz-Cache`` header are separated by char with ascii code 177 and the header name and value are separated by char ascii code 178.
The RGW will check that the cache user is authorized user and it is a cache user,
The RGW will check that the cache user is an authorized user and if it is a cache user,
if yes it will use the ``X-Amz-Cache`` to revalidate that the user have permissions, using the headers from the X-Amz-Cache.
During this flow the RGW will override the Range header.
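Review bot: The separator sentence left unchanged in this hunk says headers are split by the character with code 177 and name/value by 178, while override_range_hdr() in the second file of this commit declares hdrs_split as (char)178 and kv_split as (char)177. One of the two is the wrong way round, and a docs fix is the place to reconcile them. Both values are above 127, so "ascii code" is inaccurate; "byte value" would be correct. The reworded line "is an authorized user and if it is a cache user, if yes it will ..." reads as two nested conditions; something like "will check that the requester is authorized and holds the amz-cache capability, and if so ..." is clearer, and "the user have" should be "the user has".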

@ -430,9 +430,9 @@ int RGWGetObj_ObjStore_S3::verify_requester(const rgw::auth::StrategyRegistry& a
int RGWGetObj_ObjStore_S3::override_range_hdr(const rgw::auth::StrategyRegistry& auth_registry)
{
int ret = -EINVAL;
ldpp_dout(this,2) << "cache override headers" << dendl;
ldpp_dout(this, 10) << "cache override headers" << dendl;
RGWEnv* rgw_env = const_cast<RGWEnv *>(s->info.env);
const char *backup_range = rgw_env->get("HTTP_RANGE");
const char* backup_range = rgw_env->get("HTTP_RANGE");
const char hdrs_split[2] = {(char)178,'\0'};
const char kv_split[2] = {(char)177,'\0'};
const char* cache_hdr = rgw_env->get("HTTP_X_AMZ_CACHE");
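Review bot: The subject says "fix nginx cache docs", but this hunk changes code in override_range_hdr(): the debug level of the "cache override headers" message goes from 2 to 10 and the backup_range declaration is restyled. Mention the log-level change in the commit message or split it into its own commit, so that someone looking for why these messages stopped appearing at level 2 can find the reason.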
@ -447,7 +447,7 @@ int RGWGetObj_ObjStore_S3::override_range_hdr(const rgw::auth::StrategyRegistry&
key.append(*k);
boost::replace_all(key, "-", "_");
rgw_env->set(std::move(key), std::string(*v));
ldpp_dout(this,2) << "after splitting cache kv key: " << key << " " << rgw_env->get(key.c_str()) << dendl;
ldpp_dout(this, 10) << "after splitting cache kv key: " << key << " " << rgw_env->get(key.c_str()) << dendl;
}
ret = RGWOp::verify_requester(auth_registry);
if(!ret && backup_range) {
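Review bot: On the changed ldpp_dout line, key is read (<< key and key.c_str()) right after rgw_env->set(std::move(key), ...) on the line above. If set() takes ownership of the string, the log prints a moved-from key and rgw_env->get() may return a null pointer that is then streamed. Since this line is being touched anyway, log the key before the set() call or drop the std::move. Per the documentation in this commit, X-Amz-Cache carries the headers of the original request, so this message writes client header values to the log at level 10; consider logging only the key.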