mirror of
https://github.com/ceph/ceph
synced 2025-01-02 00:52:22 +00:00
1e5b58ad50
Extend server-side encryption functionality in Rados Gateway to support HashiCorp Vault as a Key Management System in addition to existing support for OpenStack Barbican.

This is the first part of this change, supporting Vault's token-based authentication only. Agent-based authentication as well as other features such as Vault namespaces will be added in subsequent commits.

Note that Barbican remains the default backend for SSE-KMS (rgw crypt s3 kms backend) to avoid breaking existing deployments.

Feature: https://tracker.ceph.com/issues/41062
Notes: https://pad.ceph.com/p/rgw_sse-kms

Implemented so far:

* Move existing SSE-KMS functions from rgw_crypt.cc to rgw_kms.cc
* Vault authentication with a token read from file
* Add new ceph.conf settings for Vault
* Document new ceph.conf settings
* Update main encryption documentation page
* Add documentation page for SSE-KMS using Vault

Signed-off-by: Andrea Baglioni <andrea.baglioni@workday.com>
Signed-off-by: Sergio de Carvalho <sergio.carvalho@workday.com>
74 lines
2.9 KiB
ReStructuredText
.. _object-gateway:

=====================
 Ceph Object Gateway
=====================

:term:`Ceph Object Gateway` is an object storage interface built on top of
``librados`` to provide applications with a RESTful gateway to
Ceph Storage Clusters. :term:`Ceph Object Storage` supports two interfaces:

#. **S3-compatible:** Provides object storage functionality with an interface
   that is compatible with a large subset of the Amazon S3 RESTful API.

#. **Swift-compatible:** Provides object storage functionality with an interface
   that is compatible with a large subset of the OpenStack Swift API.

Ceph Object Storage uses the Ceph Object Gateway daemon (``radosgw``), which is
an HTTP server for interacting with a Ceph Storage Cluster. Since it
provides interfaces compatible with OpenStack Swift and Amazon S3, the Ceph
Object Gateway has its own user management. Ceph Object Gateway can store data
in the same Ceph Storage Cluster used to store data from Ceph File System clients
or Ceph Block Device clients. The S3 and Swift APIs share a common namespace, so
you may write data with one API and retrieve it with the other.

.. ditaa:: +------------------------+ +------------------------+
           |   S3 compatible API    | |  Swift compatible API  |
           +------------------------+-+------------------------+
           |                      radosgw                      |
           +---------------------------------------------------+
           |                      librados                     |
           +------------------------+-+------------------------+
           |          OSDs          | |        Monitors        |
           +------------------------+ +------------------------+

.. note:: Ceph Object Storage does **NOT** use the Ceph Metadata Server.


.. toctree::
   :maxdepth: 1

   Manual Install w/Civetweb <../../install/install-ceph-gateway>
   HTTP Frontends <frontends>
   Pool Placement and Storage Classes <placement>
   Multisite Configuration <multisite>
   Configuring Pools <pools>
   Config Reference <config-ref>
   Admin Guide <admin>
   S3 API <s3>
   Swift API <swift>
   Admin Ops API <adminops>
   Python binding <api>
   Export over NFS <nfs>
   OpenStack Keystone Integration <keystone>
   OpenStack Barbican Integration <barbican>
   HashiCorp Vault Integration <vault>
   Open Policy Agent Integration <opa>
   Multi-tenancy <multitenancy>
   Compression <compression>
   LDAP Authentication <ldap-auth>
   Server-Side Encryption <encryption>
   Bucket Policy <bucketpolicy>
   Dynamic bucket index resharding <dynamicresharding>
   Multi factor authentication <mfa>
   Sync Modules <sync-modules>
   Bucket Notifications <notifications>
   Data Layout in RADOS <layout>
   STS Lite <STSLite>
   Role <role>
   troubleshooting
   Manpage radosgw <../../man/8/radosgw>
   Manpage radosgw-admin <../../man/8/radosgw-admin>
   QAT Acceleration for Encryption and Compression <qat-accel>