Ceph RGW configuration does not act as a drop-in replacement for Swift, breaks public read ACLs and temp URLs

Bug #1800637 reported by Florian Haas on 2018-10-30
Affects: openstack-ansible
Importance: Undecided
Assigned to: Jesse Pretorius

Bug Description

The way OSA currently configures Ceph radosgw out of the box does not make it behave like Swift users would expect it to. In particular, neither public read ACLs nor temp URLs work correctly.

The reason for this is that OSA does not configure radosgw to include the tenant ID in the Swift API URL, and does not configure the Keystone endpoint accordingly, either.
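The following is an added example, not part of the bug report or of the openstack-ansible change, showing why the account segment matters for temp URLs in particular. A Swift temp URL is an HMAC-SHA1 over METHOD, expiry and the object path, keyed with the account's Temp-URL-Key, and the server recomputes it over the path it actually serves; if rgw serves the object at /swift/v1/<container>/<object> instead of /swift/v1/AUTH_<tenant_id>/<container>/<object>, no client-side signature can ever match. The Keystone catalog template, host and tenant ID are taken from the report; the Temp-URL-Key, the container and object names, the timestamps and the helper names are constructed for the demo. The example assumes, following Ceph's tempurl documentation, that the signed path starts at /v1 and that the /swift prefix rgw serves under is not part of the signed string; confirm that against your own deployment.

```python
"""Added example (not the bug report's or openstack-ansible's code):
Swift temp URL signing and verification, showing why the signature only
validates when AUTH_<tenant_id> is part of the served path."""
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, urlencode, urlsplit

# Keystone renders catalog URLs with Python %-formatting, which is why the
# endpoint carries a literal "%(tenant_id)s" placeholder (host from the report).
ENDPOINT_TEMPLATE = "http://192.168.122.101:8080/swift/v1/AUTH_%(tenant_id)s"

# rgw serves the Swift API under this prefix by default; per Ceph's tempurl
# docs the signed path starts at /v1, so the prefix is stripped before signing
# (assumption for this example, verify against your deployment).
RGW_SWIFT_PREFIX = "/swift"


def render_endpoint(template: str, tenant_id: str) -> str:
    """Expand the catalog template for one project, as Keystone does."""
    return template % {"tenant_id": tenant_id}


def signed_path(url_path: str, prefix: str = RGW_SWIFT_PREFIX) -> str:
    """Reduce the URL path to the part covered by the tempurl signature."""
    if url_path.startswith(prefix + "/"):
        return url_path[len(prefix):]
    return url_path


def tempurl_signature(key: bytes, method: str, expires: int, path: str) -> str:
    """HMAC-SHA1 hex digest over the tempurl canonical string."""
    msg = f"{method.upper()}\n{expires}\n{path}".encode()
    return hmac.new(key, msg, hashlib.sha1).hexdigest()


def make_temp_url(base_url: str, container: str, obj: str, key: bytes,
                  method: str = "GET", ttl: int = 600, now=None) -> str:
    """Client side: sign the object path under the account-scoped base URL."""
    expires = int(now if now is not None else time.time()) + ttl
    url_path = urlsplit(base_url).path.rstrip("/") + f"/{container}/{obj}"
    sig = tempurl_signature(key, method, expires, signed_path(url_path))
    query = urlencode({"temp_url_sig": sig, "temp_url_expires": expires})
    return f"{base_url.rstrip('/')}/{container}/{obj}?{query}"


def verify_temp_url(url: str, key: bytes, now: int, method: str = "GET") -> bool:
    """Server side: recompute the signature over the path actually requested,
    reject expired links, and compare digests in constant time."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query))
    try:
        expires = int(params["temp_url_expires"])
        sig = params["temp_url_sig"]
    except (KeyError, ValueError):
        return False
    if expires <= now:
        return False
    expected = tempurl_signature(key, method, expires, signed_path(parts.path))
    return hmac.compare_digest(expected, sig)


def demo(tenant_id: str = "efa36c21034144948ef39964a9d887e2",
         key: bytes = b"constructed-temp-url-key",  # constructed X-Account-Meta-Temp-URL-Key
         now: int = 1540934976) -> dict:
    """Sign once for the account-scoped URL, then show the two outcomes."""
    base = render_endpoint(ENDPOINT_TEMPLATE, tenant_id)
    url = make_temp_url(base, "foobar", "test", key, now=now)
    # Before the fix rgw served the same object without the account segment,
    # so the server's recomputed signature covers a different path.
    url_without_account = url.replace(f"/AUTH_{tenant_id}", "")
    return {
        "url": url,
        "valid_with_account": verify_temp_url(url, key, now),
        "valid_without_account": verify_temp_url(url_without_account, key, now),
        "valid_after_expiry": verify_temp_url(url, key, now + 601),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The public-read ACL failure in the report has the same root cause: the container ACL is attached to an account, and a request that omits AUTH_<tenant_id> from the path gives rgw no account against which to evaluate the .r:* grant.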

Fix proposed to branch: master
Review: https://review.openstack.org/614194

Changed in openstack-ansible:
assignee: nobody → Florian Haas (fghaas)
status: New → In Progress
Florian Haas (fghaas) on 2018-10-30
description: updated
Florian Haas (fghaas) wrote:

Quick before/after illustration using public read ACLs as an example:

Failure before applying patch:

$ swift post foobar
$ touch test
$ swift upload foobar test
test
$ swift post -r ".r:*" foobar
$ curl -i 'http://192.168.122.101:8080/swift/v1/foobar/test'
HTTP/1.1 403 Forbidden
Content-Length: 12
X-Trans-Id: tx00000000000000000001d-005bd8cd7d-4e0b-default
X-Openstack-Request-Id: tx00000000000000000001d-005bd8cd7d-4e0b-default
Accept-Ranges: bytes
Content-Type: text/plain; charset=utf-8
Date: Tue, 30 Oct 2018 21:30:37 GMT

AccessDenied

Apply patch:

$ git checkout bug-1800637-rocky
$ sudo openstack-ansible playbooks/ceph-rgw-install.yml
[...]

Repeat curl command, now with the AUTH_<tenant_id>:

$ curl -i 'http://192.168.122.101:8080/swift/v1/AUTH_efa36c21034144948ef39964a9d887e2/foobar/test'
HTTP/1.1 200 OK
Content-Length: 0
Accept-Ranges: bytes
Last-Modified: Tue, 30 Oct 2018 21:29:36 GMT
X-Timestamp: 1540934976.93130
etag: d41d8cd98f00b204e9800998ecf8427e
X-Trans-Id: tx00000000000000000000e-005bd8cea0-4e2b-default
X-Openstack-Request-Id: tx00000000000000000000e-005bd8cea0-4e2b-default
Content-Type: binary/octet-stream
Date: Tue, 30 Oct 2018 21:35:28 GMT

Changed in openstack-ansible:
assignee: Florian Haas (fghaas) → Jesse Pretorius (jesse-pretorius)

Reviewed: https://review.openstack.org/614194
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible/commit/?id=9dbdf71de04425473143bdf36412c5278830e993
Submitter: Zuul
Branch: master

commit 9dbdf71de04425473143bdf36412c5278830e993
Author: Florian Haas <email address hidden>
Date: Tue Oct 30 11:37:42 2018 +0100

    Include Swift AUTH_%(tenant_id)s suffix in rgw Keystone endpoint

    In order to make rgw a better drop-in replacement for Swift, this
    patch does two things:

    * Configure rgw to include the Swift account in its URL
    * Update the Keystone catalog entry so that the rgw endpoints
      include the AUTH_%(tenant_id)s suffix (just like the os_swift
      role does)

    Both of the above are necessary to make both public read ACLs
    and temp URLs work with rgw, the way they do with native Swift.

    In addition, the patch also:

    * Removes the rgw_s3_auth_use_keystone config override, which
      is useless in the default configuration that does not enable
      the S3 API.
    * Enables rgw_keystone_implicit_tenants to properly enable Swift
      multi-tenancy in rgw. Reference:
      http://docs.ceph.com/docs/mimic/radosgw/multitenancy/
    * Enables rgw_swift_versioning_enabled to support Swift's object
      versioning feature (and the default for the os_swift role's
      swift_allow_versions variable). A limitation applies here,
      which is that radosgw currently does support setting the
      X-Versions-Location header on a container, but does not
      understand X-History-Location.
    * Adds documentation to the users guide, about using rgw as a
      Swift replacement.
    * Adds a release note detailing possible upgrade issues,
      and the object versioning limitation.

    Closes-Bug: #1800637

    Change-Id: Iacd8f32f100f283ff590e063854d06b2c7c98cc2

Changed in openstack-ansible:
status: In Progress → Fix Released

This issue was fixed in the openstack/openstack-ansible 19.0.0.0b1 development milestone.
