In jewel, "rgw keystone implicit tenants" only applied to swift. As of
luminous), this option applies to s3 also.
Sites that used this feature with jewel now have outstanding data that
depends on the old behavior.
The fix here is to expand "rgw keystone implicit tenants" so that it
can be set to any of "none", "all", "s3" or "swift" (also 0=false=none,
1=true=all). When set to "s3" or "swift", the actual id lookup
is also partitioned.
Formerly "rgw keystone implicit tenants" was a legacy opt.
This change converts it to the new style of option,
including support for dynamically changing it.
Fixes: http://tracker.ceph.com/issues/24348
Signed-off-by: Marcus Watts <mwatts@redhat.com>
Removed Kilo references in Keystone docs. Updated documentation
to align with Ocata & later releases.
Fixes: https://tracker.ceph.com/issues/38721
Signed-off-by: James McClune <jmcclune@mcclunetechnologies.net>
Add explanatory information on:
* "rgw swift account in url" (including the Swift account in the Swift
API url and Keystone endpoint)
* "rgw swift versioning enabled" (enabling Swift object versioning)
* "rgw s3 auth use keystone" (enabling S3 authentication against
Keystone)
* "rgw keystone implicit tenants" (multi-tenancy via Keystone, including
its implications for the Swift and S3 APIs)
Fixes: http://tracker.ceph.com/issues/36765
Signed-off-by: Florian Haas <florian@citynetwork.eu>
Permits setting restrictive permissions on these secrets.
Fixes: http://tracker.ceph.com/issues/36621
Signed-off-by: Matt Benjamin <mbenjamin@redhat.com>
Radosgw multitenancy configuration parameter
"rgw keystone make new tenants" never works even
applied. When gone through the code, itseems this
parameter is not used. But "rgw keystone implicit
tenants" works as the code looks for this.
Modified the configuration parameter in two files
mentioned below from "rgw keystone make new tenants"
to "rgw keystone implicit tenants"
Fixes: http://tracker.ceph.com/issues/17293
Signed-off-by: SirishaGuduru <SGuduru@walmartlabs.com>
Explain the configuration of `rgw keystone admin user`, tenant and
password which avoids the need for setting the keystone admin token
shared secret in ceph configuration, since this token is recommended to
be disabled in production environments.
Fixes: #13066, #13519
Signed-off-by: Abhishek Lekshmanan <abhishek@suse.com>
This, unfortunately, introduces possible double lookups, but
they should be cached. Also, the logic appears somewhat convoluted,
although the intent is quite simple: if you're an OpenStack user
with a Keystone authentication, we allow an implicit tenant of
the same name as the user.
Signed-off-by: Pete Zaitcev <zaitcev@redhat.com>
Conflicts:
src/rgw/rgw_swift.cc
Adding info about `rgw keystone verify ssl` to configuration reference,
also adding a note in rgw keystone to explain the usage.
Signed-off-by: Abhishek Lekshmanan <abhishek@suse.com>
Update the OpenStack doc with more options, recommendations and best
practices.
Update the Keystone configuration for the Kilo release with Rados
Gateway.
Signed-off-by: Sébastien Han <seb@redhat.com>
