Warn users about the implications of enabling this option when there is
no trusted proxy in front of radosgw.
Signed-off-by: Ken Dreyer <kdreyer@redhat.com>
* refactor rgw_kms.cc to support extension to multiple secret engines.
* introduced support to Vault Namespaces
* added support for Vault Agent
Signed-off-by: Andrea Baglioni <andrea.baglioni@workday.com>
Signed-off-by: Sergio de Carvalho <sergio.carvalho@workday.com>
* add 'rgw crypt vault prefix' config setting to allow restricting
secret space in Vault where RGW can retrieve keys from
* refuse Vault token file if permissions are too open
* improve concatenation of URL paths to avoid constructing an invalid
URL (missing or double '/')
* doc: clarify SSE-KMS keys must be 256-bit long and base64 encoded,
document Vault policies and tokens, plus other minor doc improvements
* qa: check SHA256 signature of Vault zip download
* qa: fix teuthology tests broken by previous PR which made SSE-KMS
backend default to Barbican
Signed-off-by: Andrea Baglioni <andrea.baglioni@workday.com>
Signed-off-by: Sergio de Carvalho <sergio.carvalho@workday.com>
Minor fix to config documentation.
Signed-off-by: Andrea Baglioni <andrea.baglioni@workday.com>
Signed-off-by: Sergio de Carvalho <sergio.carvalho@workday.com>
Extend server-side encryption functionality in Rados Gateway to support
HashiCorp Vault as a Key Management System in addition to existing
support for OpenStack Barbican.
This is the first part of this change, supporting Vault's token-based
authentication only. Agent-based authentication as well as other
features such as Vault namespaces will be added in subsequent commits.
Note that Barbican remains the default backend for SSE-KMS
(rgw crypt s3 kms backend) to avoid breaking existing deployments.
Feature: https://tracker.ceph.com/issues/41062
Notes: https://pad.ceph.com/p/rgw_sse-kms
Implemented so far:
* Move existing SSE-KMS functions from rgw_crypt.cc to rgw_kms.cc
* Vault authentication with a token read from file
* Add new ceph.conf settings for Vault
* Document new ceph.conf settings
* Update main encryption documentation page
* Add documentation page for SSE-KMS using Vault
Signed-off-by: Andrea Baglioni <andrea.baglioni@workday.com>
Signed-off-by: Sergio de Carvalho <sergio.carvalho@workday.com>
config-ref: add a note on current scheduler settings.
Reviewed-by: Casey Bodley <cbodley@redhat.com>
Reviewed-by: J. Eric Ivancich <ivancich@redhat.com>
Adding a note on configurables for max concurrent requests and the rest of
experimental options for tuning dmclock scheduler
Signed-off-by: Abhishek Lekshmanan <abhishek@suse.com>
Add explanatory information on:
* "rgw swift account in url" (including the Swift account in the Swift
API url and Keystone endpoint)
* "rgw swift versioning enabled" (enabling Swift object versioning)
* "rgw s3 auth use keystone" (enabling S3 authentication against
Keystone)
* "rgw keystone implicit tenants" (multi-tenancy via Keystone, including
its implications for the Swift and S3 APIs)
Fixes: http://tracker.ceph.com/issues/36765
Signed-off-by: Florian Haas <florian@citynetwork.eu>
Permits setting restrictive permissions on these secrets.
Fixes: http://tracker.ceph.com/issues/36621
Signed-off-by: Matt Benjamin <mbenjamin@redhat.com>
remove region stuff, radosgw-agent stuff, and zone/pool stuff that is
duplicated in the multisite page
moved sync log config options into multisite section, added description
for rgw_run_sync_thread
Signed-off-by: Casey Bodley <cbodley@redhat.com>
This is to make it apply whenever the radosgw-admin
command is run without specifying the instance name
Signed-off-by: Ali Maredia <amaredia@redhat.com>
rgw: add support for Swift-at-root dependent features of Swift API
Reviewed-by: Casey Bodley <cbodley@redhat.com>
Reviewed-by: Pritha Srivastava <prsrivas@redhat.com>
Reviewed-by: Radoslaw Zarzynski <rzarzynski@mirantis.com>
This patch brings a small fix for broken formatting around
two configurables in doc/radosgw/config-ref.rst. Those are:
* rgw keystone admin user,
* rgw keystone admin password.
Signed-off-by: Radoslaw Zarzynski <rzarzynski@mirantis.com>
This patch fixes the support for placing the Swift API in the root
of URL hierarchy. Unfortunately, the whole concept exhibits a severe side
effect: inability to deploy RadosGW in multi-site configuration.
The sole reason behind this fix is the fact we claimed in documentation
that the feature is available.
Fixes: http://tracker.ceph.com/issues/16673
Signed-off-by: Radoslaw Zarzynski <rzarzynski@mirantis.com>
This patch allows RadosGW to pass the RefStack with an accuracy
to the RFC7230 violation issue which is clearly a Tempest bug.
Fixes: http://tracker.ceph.com/issues/15925
Signed-off-by: Radoslaw Zarzynski <rzarzynski@mirantis.com>
Adding the short descriptions of the keystone admin tenant, user and
password options to the config reference as well. Also adding a note
that this applies to only v2 of Openstack Identity API
Signed-off-by: Abhishek Lekshmanan <abhishek@suse.com>