arrow-left arrow-right brightness-2 chevron-left chevron-right circle-half-full facebook-box facebook loader magnify menu-down rss-box star twitter-box twitter white-balance-sunny window-close
Integrate Ceph RGW multitenancy and S3 authentication with kolla-ansible
2 min read

Integrate Ceph RGW multitenancy and S3 authentication with kolla-ansible

Integrate Ceph RGW multitenancy and S3 authentication with kolla-ansible

If you've looked at some of my posts about the integration of Ceph RGW in your OpenStack deployment, maybe you want to integrate all of that in your kolla-ansible deployment. There it is!

Related posts:
How to integrate Ceph with OpenStack Object Storage on a Kolla deployment
How to enable Ceph multitenancy for object storage in OpenStack?

Before you start

❗❗❗ Note that the deployment of Ceph by kolla-ansible is a deprecated feature since Train and totally removed in the Ussuri release.❗❗❗

This documentation will not work with versions after Train, more informations here.

The deployment of OpenStack with kolla-ansible and an external Ceph cluster will be the subject of a next post.

Since only few people are already using Ussuri or even the latest stable version I think this documentation still could be relevant for a moment 🙂

Note

If the manipulation is performed after a deployment, changes related to multitenancy will only work for new users and new tenants.

Add the global options

Edit your globals.yml and theses 2 lines:

enable_ceph_rgw_keystone_multitenancy: "yes"
enable_ceph_rgw_keystone_s3: "yes"

Edit the Ceph template

Open the jinja2 template:

(openstack) [[email protected] openstack] $ vi share/kolla-ansible/ansible/roles/ceph/templates/ceph.conf.j2

and add theses lines inside the [client.radosgw.gateway] block:

{% if enable_ceph_rgw_keystone_s3 | bool %}
rgw_s3_auth_use_keystone = true
{% endif %}
{% if enable_ceph_rgw_keystone_multitenancy | bool %}
rgw_keystone_implicit_tenants = true
rgw_swift_account_in_url = true
{% endif %}

Edit the Ceph Ansible role

Open the main.yaml:

(openstack) [[email protected] ~] $ vi openstack/share/kolla-ansible/ansible/roles/ceph/defaults/main.yml

And add this at the end of swift_admin_endpoint, swift_internal_endpoint and swift_public_endpoint:

{{ '/%(tenant_id)s' if enable_ceph_rgw_keystone_multitenancy | bool else '

It will look like that:

101 ####################
102 ## Ceph_rgw_keystone
103 ####################
104 swift_admin_endpoint: "{{ admin_protocol }}://{{ kolla_internal_fqdn | put_address_in_context('url') }}:{{ rgw_port }}{{ '/' if ceph_rgw_compatibility|bool else '/swift/' }}v1{{ '/%(tenant_id)s' if enable_ceph_rgw_keystone_multitenancy | bool else '' }}"
105 swift_internal_endpoint: "{{ internal_protocol }}://{{ kolla_internal_fqdn | put_address_in_context('url') }}:{{ rgw_port }}{{ '/' if ceph_rgw_compatibility|bool else '/swift/' }}v1{{ '/%(tenant_id)s' if enable_ceph_rgw_keystone_multitenancy | bool else '' }}"
106 swift_public_endpoint: "{{ public_protocol }}://{{ kolla_external_fqdn | put_address_in_context('url') }}:{{ rgw_port }}{{ '/' if ceph_rgw_compatibility|bool else '/swift/' }}v1{{ '/%(tenant_id)s' if enable_ceph_rgw_keystone_multitenancy | bool else '' }}"

It'll works both with and without AUTH_ prefix. More informations here

Reconfigure

(openstack) [[email protected] ~] $ kolla-ansible -i ./multinode reconfigure --tags ceph

Result

You will see now that the endpoint will be created properly:

TASK [service-ks-register : ceph | Creating endpoints] **************************************************************************************
changed: [control01] => (item={u'url': u'http://172.16.11.10:6780/swift/v1/%(tenant_id)s', u'interface': u'admin', u'service': u'swift'})
changed: [control01] => (item={u'url': u'http://172.16.11.10:6780/swift/v1/%(tenant_id)s', u'interface': u'internal', u'service': u'swift'})
changed: [control01] => (item={u'url': u'http://172.16.10.10:6780/swift/v1/%(tenant_id)s', u'interface': u'public', u'service': u'swift'})

And same for the configuration:

[[email protected] ~] $ grep -n 's3_auth\|implicit_tenants\|swift_account' /etc/kolla/ceph-rgw/ceph.conf
35:rgw_s3_auth_use_keystone = true
36:rgw_keystone_implicit_tenants = true
37:rgw_swift_account_in_url = true

That's it, it's now integrated into your deployment!

If you want to turn off again theses features, just edit your globals.yml:

enable_ceph_rgw_keystone_multitenancy: "no"
enable_ceph_rgw_keystone_s3: "no"

Ressource: me and myself
Picture : Brett Jordan