Ceph RGW configuration does not act as a drop-in replacement for Swift, breaks public read ACLs and temp URLs

Bug #1800637 reported by Florian Haas
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Fix Released
Jesse Pretorius

Bug Description

The way OSA currently configures Ceph radosgw out of the box does not make it behave like Swift users would expect it to. In particular, neither public read ACLs nor temp URLs work correctly.

The reason for this is that OSA does not configure radosgw to include the tenant ID in the Swift API URL, and does not configure the Keystone endpoint accordingly, either.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-ansible (master)

Fix proposed to branch: master
Review: https://review.openstack.org/614194

Changed in openstack-ansible:
assignee: nobody → Florian Haas (fghaas)
status: New → In Progress
Florian Haas (fghaas)
description: updated
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-ansible (stable/rocky)

Fix proposed to branch: stable/rocky
Review: https://review.openstack.org/614320

Revision history for this message
Florian Haas (fghaas) wrote :

Quick before/after illustration using public read ACLs as an example:

Failure before applying patch:

$ swift post foobar
$ touch test
$ swift upload foobar test
$ swift post -r ".r:*" foobar
$ curl -i ''
HTTP/1.1 403 Forbidden
Content-Length: 12
X-Trans-Id: tx00000000000000000001d-005bd8cd7d-4e0b-default
X-Openstack-Request-Id: tx00000000000000000001d-005bd8cd7d-4e0b-default
Accept-Ranges: bytes
Content-Type: text/plain; charset=utf-8
Date: Tue, 30 Oct 2018 21:30:37 GMT


Apply patch:

$ git checkout bug-1800637-rocky
$ sudo openstack-ansible playbooks/ceph-rgw-install.yml

Repeat curl command, now with the AUTH_<tenant_id>:

$ curl -i ''
HTTP/1.1 200 OK
Content-Length: 0
Accept-Ranges: bytes
Last-Modified: Tue, 30 Oct 2018 21:29:36 GMT
X-Timestamp: 1540934976.93130
etag: d41d8cd98f00b204e9800998ecf8427e
X-Trans-Id: tx00000000000000000000e-005bd8cea0-4e2b-default
X-Openstack-Request-Id: tx00000000000000000000e-005bd8cea0-4e2b-default
Content-Type: binary/octet-stream
Date: Tue, 30 Oct 2018 21:35:28 GMT

Changed in openstack-ansible:
assignee: Florian Haas (fghaas) → Jesse Pretorius (jesse-pretorius)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-ansible (master)

Reviewed: https://review.openstack.org/614194
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible/commit/?id=9dbdf71de04425473143bdf36412c5278830e993
Submitter: Zuul
Branch: master

commit 9dbdf71de04425473143bdf36412c5278830e993
Author: Florian Haas <email address hidden>
Date: Tue Oct 30 11:37:42 2018 +0100

    Include Swift AUTH_%(tenant_id)s suffix in rgw Keystone endpoint

    In order to make rgw a better drop-in replacement for Swift, this
    patch does two things:

    * Configure rgw to include the Swift account in its URL
    * Update the Keystone catalog entry so that the rgw endpoints
      include the AUTH_%(tenant_id)s suffix (just like the os_swift
      role does)

    Both of the above are necessary to make both public read ACLs
    and temp URLs work with rgw, the way they do with native Swift.

    In addition, the patch also:

    * Removes the rgw_s3_auth_use_keystone config override, which
      is useless in the default configuration that does not enable
      the S3 API.
    * Enables rgw_keystone_implicit_tenants to properly enable Swift
      multi-tenancy in rgw. Reference:
    * Enables rgw_swift_versioning_enabled to support Swift's object
      versioning feature (and the default for the os_swift role's
      swift_allow_versions variable). A limitation applies here,
      which is that radosgw currently does support setting the
      X-Versions-Location header on a container, but does not
      understand X-History-Location.
    * Adds documentation to the users guide, about using rgw as a
      Swift replacement.
    * Adds a release note detailing possible upgrade issues,
      and the object versioning limitation.

    Closes-Bug: #1800637

    Change-Id: Iacd8f32f100f283ff590e063854d06b2c7c98cc2

Changed in openstack-ansible:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/openstack-ansible

This issue was fixed in the openstack/openstack-ansible development milestone.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.