
Integrate Ceph RGW multitenancy and S3 authentication with kolla-ansible

If you've looked at some of my posts about the integration of Ceph RGW in your OpenStack deployment, maybe you want to integrate all of that in your kolla-ansible deployment. There it is!

Related posts:
How to integrate Ceph with OpenStack Object Storage on a Kolla deployment
How to enable Ceph multitenancy for object storage in OpenStack?

Before you start

❗❗❗ Note that the deployment of Ceph by kolla-ansible has been deprecated since Train and was removed entirely in the Ussuri release.❗❗❗

This documentation will not work with versions after Train; more information here.

The deployment of OpenStack with kolla-ansible and an external Ceph cluster will be the subject of a future post.

Since only a few people are already using Ussuri, or even the latest stable version, I think this documentation could still be relevant for a while 🙂

Note

If you make this change after a deployment, the multitenancy-related changes will only apply to new users and new tenants.

Add the global options

Edit your globals.yml and add these 2 lines:

enable_ceph_rgw_keystone_multitenancy: "yes"
enable_ceph_rgw_keystone_s3: "yes"

Edit the Ceph template

Open the jinja2 template:

(openstack) [openstack@kolla01 openstack] $ vi share/kolla-ansible/ansible/roles/ceph/templates/ceph.conf.j2

and add these lines inside the [client.radosgw.gateway] block:

{% if enable_ceph_rgw_keystone_s3 | bool %}
rgw_s3_auth_use_keystone = true
{% endif %}
{% if enable_ceph_rgw_keystone_multitenancy | bool %}
rgw_keystone_implicit_tenants = true
rgw_swift_account_in_url = true
{% endif %}

Edit the Ceph Ansible role

Open main.yml:

(openstack) [openstack@centos-kolla ~] $ vi openstack/share/kolla-ansible/ansible/roles/ceph/defaults/main.yml

And append this to the end of swift_admin_endpoint, swift_internal_endpoint and swift_public_endpoint:

{{ '/%(tenant_id)s' if enable_ceph_rgw_keystone_multitenancy | bool else '' }}

It will look like this:

####################
## Ceph_rgw_keystone
####################
swift_admin_endpoint: "{{ admin_protocol }}://{{ kolla_internal_fqdn | put_address_in_context('url') }}:{{ rgw_port }}{{ '/' if ceph_rgw_compatibility|bool else '/swift/' }}v1{{ '/%(tenant_id)s' if enable_ceph_rgw_keystone_multitenancy | bool else '' }}"
swift_internal_endpoint: "{{ internal_protocol }}://{{ kolla_internal_fqdn | put_address_in_context('url') }}:{{ rgw_port }}{{ '/' if ceph_rgw_compatibility|bool else '/swift/' }}v1{{ '/%(tenant_id)s' if enable_ceph_rgw_keystone_multitenancy | bool else '' }}"
swift_public_endpoint: "{{ public_protocol }}://{{ kolla_external_fqdn | put_address_in_context('url') }}:{{ rgw_port }}{{ '/' if ceph_rgw_compatibility|bool else '/swift/' }}v1{{ '/%(tenant_id)s' if enable_ceph_rgw_keystone_multitenancy | bool else '' }}"

It works both with and without the AUTH_ prefix. More information here.

Reconfigure

(openstack) [openstack@centos-kolla ~] $ kolla-ansible -i ./multinode reconfigure --tags ceph

Result

You will now see that the endpoints are created properly:

TASK [service-ks-register : ceph | Creating endpoints] **************************************************************************************
changed: [control01] => (item={u'url': u'http://172.16.11.10:6780/swift/v1/%(tenant_id)s', u'interface': u'admin', u'service': u'swift'})
changed: [control01] => (item={u'url': u'http://172.16.11.10:6780/swift/v1/%(tenant_id)s', u'interface': u'internal', u'service': u'swift'})
changed: [control01] => (item={u'url': u'http://172.16.10.10:6780/swift/v1/%(tenant_id)s', u'interface': u'public', u'service': u'swift'})

And the same for the configuration:

[openstack@controller-1 ~] $ grep -n 's3_auth\|implicit_tenants\|swift_account' /etc/kolla/ceph-rgw/ceph.conf
35:rgw_s3_auth_use_keystone = true
36:rgw_keystone_implicit_tenants = true
37:rgw_swift_account_in_url = true
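
To check both results together, here is an added example (not part of the original post or of kolla-ansible) that compares the rendered ceph.conf with the registered Swift endpoint URLs and reports any mismatch with the two globals.yml flags. The function names and the sample configuration are assumptions constructed for illustration; the URLs follow the task output above.

```python
import configparser
import re

SECTION = "client.radosgw.gateway"
# Options the post's template writes, grouped by the globals.yml flag that enables them.
S3_OPTS = ("rgw_s3_auth_use_keystone",)
MT_OPTS = ("rgw_keystone_implicit_tenants", "rgw_swift_account_in_url")
# Suffix appended to the Swift endpoints; the AUTH_ prefix is optional per the post.
TENANT_SUFFIX = re.compile(r"/v1/(AUTH_)?%\(tenant_id\)s$")

# Constructed sample inputs (URLs follow the task output shown in the post).
SAMPLE_CONF = """\
[client.radosgw.gateway]
rgw_s3_auth_use_keystone = true
rgw_keystone_implicit_tenants = true
rgw swift account in url = true
"""
SAMPLE_ENDPOINTS = {
    "admin": "http://172.16.11.10:6780/swift/v1/%(tenant_id)s",
    "internal": "http://172.16.11.10:6780/swift/v1/%(tenant_id)s",
    "public": "http://172.16.10.10:6780/swift/v1/%(tenant_id)s",
}

def rgw_options(conf_text):
    """Parse the RGW section; Ceph reads 'rgw foo bar' and 'rgw_foo_bar' as the same key."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    if not cp.has_section(SECTION):
        return {}
    return {k.replace(" ", "_"): v.strip().lower() for k, v in cp.items(SECTION)}

def audit(conf_text, endpoints, s3=True, multitenancy=True):
    """Return mismatches between the globals.yml flags, ceph.conf and the endpoints."""
    opts = rgw_options(conf_text)
    findings = []
    wanted = [(k, s3) for k in S3_OPTS] + [(k, multitenancy) for k in MT_OPTS]
    for key, want in wanted:
        # The template writes the literal value "true", so that is what is checked.
        if (opts.get(key) == "true") != want:
            findings.append(f"ceph.conf: {key} should be {'true' if want else 'unset'}")
    for iface, url in endpoints.items():
        if bool(TENANT_SUFFIX.search(url)) != multitenancy:
            state = "missing" if multitenancy else "unexpected"
            findings.append(f"endpoint {iface}: tenant suffix {state}")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE_CONF, SAMPLE_ENDPOINTS) or ["consistent"]:
        print(line)
```

On a real deployment, pass the contents of /etc/kolla/ceph-rgw/ceph.conf and the URLs of the swift service endpoints registered in Keystone. An endpoint left without the tenant suffix while rgw_swift_account_in_url is true is the mismatch to look for after a reconfigure.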

That's it, it's now integrated into your deployment!

If you want to turn these features off again, just edit your globals.yml:

enable_ceph_rgw_keystone_multitenancy: "no"
enable_ceph_rgw_keystone_s3: "no"

Resource: me and myself
Picture: Brett Jordan