Ceph RGW configuration does not act as a drop-in replacement for Swift, breaks public read ACLs and temp URLs

Fix proposed to branch: master
Review: https://review.openstack.org/614194

Fix proposed to branch: stable/rocky
Review: https://review.openstack.org/614320

Quick before/after illustration using public read ACLs as an example:

Failure before applying patch:

$ swift post foobar
$ touch test
$ swift upload foobar test
test
$ swift post -r ".r:*" foobar
$ curl -i 'http://192.168.122.101:8080/swift/v1/foobar/test'
HTTP/1.1 403 Forbidden
Content-Length: 12
X-Trans-Id: tx00000000000000000001d-005bd8cd7d-4e0b-default
X-Openstack-Request-Id: tx00000000000000000001d-005bd8cd7d-4e0b-default
Accept-Ranges: bytes
Content-Type: text/plain; charset=utf-8
Date: Tue, 30 Oct 2018 21:30:37 GMT

AccessDenied

Apply patch:

$ git checkout bug-1800637-rocky
$ sudo openstack-ansible playbooks/ceph-rgw-install.yml
[...]

Repeat curl command, now with the AUTH_<tenant_id>:

$ curl -i 'http://192.168.122.101:8080/swift/v1/AUTH_efa36c21034144948ef39964a9d887e2/foobar/test'
HTTP/1.1 200 OK
Content-Length: 0
Accept-Ranges: bytes
Last-Modified: Tue, 30 Oct 2018 21:29:36 GMT
X-Timestamp: 1540934976.93130
etag: d41d8cd98f00b204e9800998ecf8427e
X-Trans-Id: tx00000000000000000000e-005bd8cea0-4e2b-default
X-Openstack-Request-Id: tx00000000000000000000e-005bd8cea0-4e2b-default
Content-Type: binary/octet-stream
Date: Tue, 30 Oct 2018 21:35:28 GMT

Reviewed: https://review.openstack.org/614194
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible/commit/?id=9dbdf71de04425473143bdf36412c5278830e993
Submitter: Zuul
Branch: master

commit 9dbdf71de04425473143bdf36412c5278830e993
Author: Florian Haas <email address hidden>
Date: Tue Oct 30 11:37:42 2018 +0100

    Include Swift AUTH_%(tenant_id)s suffix in rgw Keystone endpoint

    In order to make rgw a better drop-in replacement for Swift, this
    patch does two things:

    * Configure rgw to include the Swift account in its URL
    * Update the Keystone catalog entry so that the rgw endpoints
      include the AUTH_%(tenant_id)s suffix (just like the os_swift
      role does)

    Both of the above are necessary to make both public read ACLs
    and temp URLs work with rgw, the way they do with native Swift.

    In addition, the patch also:

    * Removes the rgw_s3_auth_use_keystone config override, which
      is useless in the default configuration that does not enable
      the S3 API.
    * Enables rgw_keystone_implicit_tenants to properly enable Swift
      multi-tenancy in rgw. Reference:
      http://docs.ceph.com/docs/mimic/radosgw/multitenancy/
    * Enables rgw_swift_versioning_enabled to support Swift's object
      versioning feature (and the default for the os_swift role's
      swift_allow_versions variable). A limitation applies here,
      which is that radosgw currently does support setting the
      X-Versions-Location header on a container, but does not
      understand X-History-Location.
    * Adds documentation to the users guide, about using rgw as a
      Swift replacement.
    * Adds a release note detailing possible upgrade issues,
      and the object versioning limitation.

    Closes-Bug: #1800637

    Change-Id: Iacd8f32f100f283ff590e063854d06b2c7c98cc2

This issue was fixed in the openstack/openstack-ansible 19.0.0.0b1 development milestone.