ceph/doc/radosgw/index.rst
Sergio de Carvalho 1e5b58ad50 rgw: add SSE-KMS with Vault using token auth
Extend server-side encryption functionality in Rados Gateway to support
HashiCorp Vault as a Key Management System in addition to existing
support for OpenStack Barbican.

This is the first part of this change, supporting Vault's token-based
authentication only. Agent-based authentication as well as other
features such as Vault namespaces will be added in subsequent commits.

Note that Barbican remains the default backend for SSE-KMS
(rgw crypt s3 kms backend) to avoid breaking existing deployments.

Feature: https://tracker.ceph.com/issues/41062
Notes: https://pad.ceph.com/p/rgw_sse-kms

Implemented so far:
* Move existing SSE-KMS functions from rgw_crypt.cc to rgw_kms.cc
* Vault authentication with a token read from file
* Add new ceph.conf settings for Vault
* Document new ceph.conf settings
* Update main encryption documentation page
* Add documentation page for SSE-KMS using Vault

Signed-off-by: Andrea Baglioni <andrea.baglioni@workday.com>
Signed-off-by: Sergio de Carvalho <sergio.carvalho@workday.com>
2019-10-01 19:55:23 +01:00


.. _object-gateway:

=====================
 Ceph Object Gateway
=====================

:term:`Ceph Object Gateway` is an object storage interface built on top of
``librados`` to provide applications with a RESTful gateway to
Ceph Storage Clusters. :term:`Ceph Object Storage` supports two interfaces:

#. **S3-compatible:** Provides object storage functionality with an interface
   that is compatible with a large subset of the Amazon S3 RESTful API.

#. **Swift-compatible:** Provides object storage functionality with an interface
   that is compatible with a large subset of the OpenStack Swift API.

Ceph Object Storage uses the Ceph Object Gateway daemon (``radosgw``), which is
an HTTP server for interacting with a Ceph Storage Cluster. Since it
provides interfaces compatible with OpenStack Swift and Amazon S3, the Ceph
Object Gateway has its own user management. Ceph Object Gateway can store data
in the same Ceph Storage Cluster used to store data from Ceph File System clients
or Ceph Block Device clients. The S3 and Swift APIs share a common namespace, so
you may write data with one API and retrieve it with the other.

.. ditaa::

            +------------------------+ +------------------------+
            |   S3 compatible API    | |  Swift compatible API  |
            +------------------------+-+------------------------+
            |                      radosgw                      |
            +---------------------------------------------------+
            |                      librados                     |
            +------------------------+-+------------------------+
            |          OSDs          | |        Monitors        |
            +------------------------+ +------------------------+

.. note:: Ceph Object Storage does **NOT** use the Ceph Metadata Server.

.. toctree::
   :maxdepth: 1

   Manual Install w/Civetweb <../../install/install-ceph-gateway>
   HTTP Frontends <frontends>
   Pool Placement and Storage Classes <placement>
   Multisite Configuration <multisite>
   Configuring Pools <pools>
   Config Reference <config-ref>
   Admin Guide <admin>
   S3 API <s3>
   Swift API <swift>
   Admin Ops API <adminops>
   Python binding <api>
   Export over NFS <nfs>
   OpenStack Keystone Integration <keystone>
   OpenStack Barbican Integration <barbican>
   HashiCorp Vault Integration <vault>
   Open Policy Agent Integration <opa>
   Multi-tenancy <multitenancy>
   Compression <compression>
   LDAP Authentication <ldap-auth>
   Server-Side Encryption <encryption>
   Bucket Policy <bucketpolicy>
   Dynamic bucket index resharding <dynamicresharding>
   Multi factor authentication <mfa>
   Sync Modules <sync-modules>
   Bucket Notifications <notifications>
   Data Layout in RADOS <layout>
   STS Lite <STSLite>
   Role <role>
   troubleshooting
   Manpage radosgw <../../man/8/radosgw>
   Manpage radosgw-admin <../../man/8/radosgw-admin>
   QAT Acceleration for Encryption and Compression <qat-accel>