openstack-ansible

Ceph RGW configuration does not act as a drop-in replacement for Swift, breaks public read ACLs and temp URLs

Bug #1800637 reported by Florian Haas on 2018-10-30

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	openstack-ansible	Fix Released	Undecided	Jesse Pretorius

Bug Description

The way OSA currently configures Ceph radosgw out of the box does not make it behave like Swift users would expect it to. In particular, neither public read ACLs nor temp URLs work correctly.

The reason for this is that OSA does not configure radosgw to include the tenant ID in the Swift API URL, and does not configure the Keystone endpoint accordingly, either.

See original description

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-10-30: Fix proposed to openstack-ansible (master)

Fix proposed to branch: master
Review: https://review.openstack.org/614194

Changed in openstack-ansible:
assignee:	nobody → Florian Haas (fghaas)
status:	New → In Progress

Florian Haas (fghaas) on 2018-10-30

description:

updated

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-10-30: Fix proposed to openstack-ansible (stable/rocky)

Fix proposed to branch: stable/rocky
Review: https://review.openstack.org/614320

Revision history for this message

Florian Haas (fghaas) wrote on 2018-10-30:

Quick before/after illustration using public read ACLs as an example:

Failure before applying patch:

$ swift post foobar
$ touch test
$ swift upload foobar test
test
$ swift post -r ".r:*" foobar
$ curl -i 'http://192.168.122.101:8080/swift/v1/foobar/test'
HTTP/1.1 403 Forbidden
Content-Length: 12
X-Trans-Id: tx00000000000000000001d-005bd8cd7d-4e0b-default
X-Openstack-Request-Id: tx00000000000000000001d-005bd8cd7d-4e0b-default
Accept-Ranges: bytes
Content-Type: text/plain; charset=utf-8
Date: Tue, 30 Oct 2018 21:30:37 GMT

AccessDenied

Apply patch:

$ git checkout bug-1800637-rocky
$ sudo openstack-ansible playbooks/ceph-rgw-install.yml
[...]

Repeat curl command, now with the AUTH_<tenant_id>:

$ curl -i 'http://192.168.122.101:8080/swift/v1/AUTH_efa36c21034144948ef39964a9d887e2/foobar/test'
HTTP/1.1 200 OK
Content-Length: 0
Accept-Ranges: bytes
Last-Modified: Tue, 30 Oct 2018 21:29:36 GMT
X-Timestamp: 1540934976.93130
etag: d41d8cd98f00b204e9800998ecf8427e
X-Trans-Id: tx00000000000000000000e-005bd8cea0-4e2b-default
X-Openstack-Request-Id: tx00000000000000000000e-005bd8cea0-4e2b-default
Content-Type: binary/octet-stream
Date: Tue, 30 Oct 2018 21:35:28 GMT

OpenStack Infra (hudson-openstack) on 2018-11-28

Changed in openstack-ansible:
assignee:	Florian Haas (fghaas) → Jesse Pretorius (jesse-pretorius)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-12-01: Fix merged to openstack-ansible (master)

Reviewed: https://review.openstack.org/614194
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible/commit/?id=9dbdf71de04425473143bdf36412c5278830e993
Submitter: Zuul
Branch: master

commit 9dbdf71de04425473143bdf36412c5278830e993
Author: Florian Haas <email address hidden>
Date: Tue Oct 30 11:37:42 2018 +0100

Include Swift AUTH_%(tenant_id)s suffix in rgw Keystone endpoint

In order to make rgw a better drop-in replacement for Swift, this
patch does two things:

    * Configure rgw to include the Swift account in its URL
    * Update the Keystone catalog entry so that the rgw endpoints
      include the AUTH_%(tenant_id)s suffix (just like the os_swift
      role does)

Both of the above are necessary to make both public read ACLs
and temp URLs work with rgw, the way they do with native Swift.

In addition, the patch also:

    * Removes the rgw_s3_auth_use_keystone config override, which
      is useless in the default configuration that does not enable
      the S3 API.
    * Enables rgw_keystone_implicit_tenants to properly enable Swift
      multi-tenancy in rgw. Reference:
      http://docs.ceph.com/docs/mimic/radosgw/multitenancy/
    * Enables rgw_swift_versioning_enabled to support Swift's object
      versioning feature (and the default for the os_swift role's
      swift_allow_versions variable). A limitation applies here,
      which is that radosgw currently does support setting the
      X-Versions-Location header on a container, but does not
      understand X-History-Location.
    * Adds documentation to the users guide, about using rgw as a
      Swift replacement.
    * Adds a release note detailing possible upgrade issues,
      and the object versioning limitation.

Closes-Bug: #1800637

Change-Id: Iacd8f32f100f283ff590e063854d06b2c7c98cc2

Changed in openstack-ansible:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-03-20: Fix included in openstack/openstack-ansible 19.0.0.0b1

This issue was fixed in the openstack/openstack-ansible 19.0.0.0b1 development milestone.

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.