Lab 10 : Integrate Ceph with Keystone

POD parameters : user0 POD0 10.1.64.110
User  : user0
Nodes : admin node1 node2 node3 spare
pod0-admin
eth0            : 10.1.64.110
eth1            : 10.1.65.110
eth2            : ext-net
Netmask  : 255.255.255.0
Gateway  : 10.1.64.1
pod0-node1
eth0            : 10.1.64.110
eth1            : 10.1.65.110
eth2            : ext-net
Netmask  : 255.255.255.0
Gateway  : 10.1.64.1
pod0-node2
eth0            : 10.1.64.110
eth1            : 10.1.65.110
eth2            : ext-net
Netmask  : 255.255.255.0
Gateway  : 10.1.64.1
pod0-node3
eth0            : 10.1.64.110
eth1            : 10.1.65.110
eth2            : ext-net
Netmask  : 255.255.255.0
Gateway  : 10.1.64.1
pod0-spare
eth0            : 10.1.64.110
eth1            : 10.1.65.110
eth2            : ext-net
Netmask  : 255.255.255.0
Gateway  : 10.1.64.1

Configuring OpenStack and Ceph Object Gateway to use Keystone for user authentication.

Sites that use OpenStack Keystone to authenticate users can integrate Keystone with the Ceph Object Gateway, which enables the gateway to accept a Keystone token, authenticate the user and create a corresponding Ceph Object Gateway user. When Keystone validates a token, the gateway considers the user authenticated.

Benefits include:

  • Managing Users with Keystone
  • Automatic User Creation in the Ceph Object Gateway
  • The Ceph Object Gateway will query Keystone periodically for a list of revoked tokens.

1. Log in to the OpenStack node:

ssh centos@pod0-spare
sudo su -

Configuring OpenStack

Before configuring the Ceph Object Gateway, configure Keystone so that the Swift service is enabled and pointing to the Ceph Object Gateway.

2. Verify the existing Swift service:

openstack service list

Output:

+----------------------------------+----------+--------------+
| ID                               | Name     | Type         |
+----------------------------------+----------+--------------+
| 25c03e3214df4f619689cae13a84ff03 | keystone | identity     |
| 373c6ec53a514fa694f94893b91fed44 | nova_ec2 | ec2          |
| 65510c0582664e3fbd191d9d30821f25 | swift    | object-store |
| 7e2c4135206940c6b717cdf7e4381c70 | novav3   | computev3    |
| 81c6b49adb3c4a6ea9362cb56ce3e919 | glance   | image        |
| 9213d486e6ce4ab094ea7e736f92735d | neutron  | network      |
| 9c42543390b54a3180a8b41839c6c029 | nova     | compute      |
| b3701e1558684d209bac1aa2ef49dc84 | cinderv2 | volumev2     |
| e7a4922b749642cd924a28bc44394550 | cinder   | volume       |
+----------------------------------+----------+--------------+

3. Verify the Swift endpoints:

After creating the Swift service and setting the endpoints, show the endpoints to ensure that all the settings are correct.

openstack endpoint show object-store

Output:

+--------------+-----------------------------------------------+
| Field        | Value                                         |
+--------------+-----------------------------------------------+
| adminurl     | http://10.1.64.120:8080                       |
| enabled      | True                                          |
| id           | 0f0f18ed91384bb08126581eed25a0ad              |
| internalurl  | http://10.1.64.120:8080/v1/AUTH_%(tenant_id)s |
| publicurl    | http://10.1.64.120:8080/v1/AUTH_%(tenant_id)s |
| region       | RegionOne                                     |
| service_id   | 65510c0582664e3fbd191d9d30821f25              |
| service_name | swift                                         |
| service_type | object-store                                  |
+--------------+-----------------------------------------------+

Configuring the Ceph Object Gateway

4. Configuring SSL:

Configuring the Ceph Object Gateway to work with Keystone requires converting the OpenSSL certificates that Keystone uses for creating the requests to the NSS DB format:

mkdir -p /var/ceph/nss
openssl x509 -in /etc/keystone/ssl/certs/ca.pem -pubkey | \
    certutil -d /var/ceph/nss -A -n ca -t "TCu,Cu,Tuw"
openssl x509 -in /etc/keystone/ssl/certs/signing_cert.pem -pubkey | \
    certutil -A -d /var/ceph/nss -n signing_cert -t "P,P,P"

OpenStack Keystone may also be terminated with a self-signed SSL certificate. For the Ceph Object Gateway to interact with such a Keystone, either install Keystone's SSL certificate on the node running the Ceph Object Gateway, or alternatively set the configurable rgw_keystone_verify_ssl setting to false. Setting rgw_keystone_verify_ssl to false means that the gateway won't attempt to verify the certificate, so the gateway can no longer tell a genuine Keystone from an impostor when it validates tokens; installing the certificate is the preferable option.

Configure and Integrate with Keystone

5. Configure a Keystone service tenant, user and password for Keystone (for the v2.0 version of the OpenStack Identity API), similar to the way other OpenStack services are configured. This avoids the need to set the shared secret rgw_keystone_admin_token in the configuration file, which is recommended to be disabled in production environments.

rgw_keystone_admin_user=admin
rgw_keystone_admin_password=onecloud
rgw_keystone_admin_tenant=admin

6. The following configuration options are available for Keystone integration:

cat >> /etc/ceph/ceph.conf <<EOF
[client.radosgw.gateway]
rgw_keystone_url = http://10.1.64.110:35357/v2.0
rgw_keystone_admin_user = admin
rgw_keystone_admin_password = onecloud
rgw_keystone_admin_tenant = admin
rgw_keystone_accepted_roles = admin
rgw_keystone_token_cache_size = 1000
rgw_keystone_revocation_interval = 100
rgw_keystone_make_new_tenants = true
rgw_s3_auth_use_keystone = true
nss_db_path = /var/ceph/nss
EOF
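As an added check (example code written for this page, not part of the lab or of Ceph), the following Python parses the section written above and reports the settings that weaken token validation: a plain-http rgw_keystone_url, rgw_keystone_verify_ssl set to false (the option discussed in the SSL step), a shared rgw_keystone_admin_token, an empty accepted-roles list, a long revocation interval, and a missing nss_db_path. Defaults assumed for absent keys are the documented Ceph defaults (verify_ssl true, revocation interval 900 s).

```python
import configparser

# Constructed sample: the [client.radosgw.gateway] section as written in the lab step above.
SAMPLE_CONF = """
[client.radosgw.gateway]
rgw_keystone_url = http://10.1.64.110:35357/v2.0
rgw_keystone_admin_user = admin
rgw_keystone_admin_password = onecloud
rgw_keystone_admin_tenant = admin
rgw_keystone_accepted_roles = admin
rgw_keystone_token_cache_size = 1000
rgw_keystone_revocation_interval = 100
rgw_keystone_make_new_tenants = true
rgw_s3_auth_use_keystone = true
nss_db_path = /var/ceph/nss
"""

def parse_rgw_section(text, section="client.radosgw.gateway"):
    """Parse one ceph.conf section into a dict; Ceph also accepts 'rgw keystone url'
    (spaces instead of underscores), so normalise keys to the underscore spelling."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return {k.replace(" ", "_"): v.strip() for k, v in cp.items(section)}

def audit_keystone(s):
    """Return a list of findings for the Keystone settings in section dict `s`.
    Assumed defaults for absent keys: verify_ssl=true, revocation_interval=900 s."""
    findings = []
    url = s.get("rgw_keystone_url", "")
    if not url:
        findings.append("rgw_keystone_url missing: Keystone authentication is not enabled")
    elif not url.startswith("https://"):
        findings.append("rgw_keystone_url is plain http: admin credentials and user tokens cross the network unencrypted")
    if s.get("rgw_keystone_verify_ssl", "true").lower() in ("false", "0", "no"):
        findings.append("rgw_keystone_verify_ssl=false: Keystone's certificate is not checked, so token validation can be spoofed")
    if s.get("rgw_keystone_admin_token"):
        findings.append("rgw_keystone_admin_token set: shared secret in the config file; use admin user/password instead")
    if "rgw_keystone_accepted_roles" in s and not s["rgw_keystone_accepted_roles"]:
        findings.append("rgw_keystone_accepted_roles is empty: list the roles users are expected to hold")
    if int(s.get("rgw_keystone_revocation_interval", "900")) > 900:
        findings.append("rgw_keystone_revocation_interval above the 900 s default: revoked tokens stay usable longer")
    if "nss_db_path" not in s:
        findings.append("nss_db_path missing: PKI-signed Keystone tokens cannot be verified locally")
    return findings

if __name__ == "__main__":
    for line in audit_keystone(parse_rgw_section(SAMPLE_CONF)):
        print("FINDING:", line)
```

Run against the lab's section it reports only the plain-http URL; changing the URL to https clears it, while adding rgw_keystone_verify_ssl = false or an admin token produces one finding each.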

7. Copy the updated Ceph configuration file to each Ceph node:

scp /etc/ceph/ceph.conf root@pod0-admin:/etc/ceph/
scp /etc/ceph/ceph.conf root@pod0-node1:/etc/ceph/
scp /etc/ceph/ceph.conf root@pod0-osd2:/etc/ceph/
scp /etc/ceph/ceph.conf root@pod0-osd3:/etc/ceph/

8. Restarting Civetweb

Once you have saved the Ceph configuration file and distributed it to each Ceph node, restart the Ceph Object Gateway instances and confirm that they came back up, for example:

ssh pod2-node3 systemctl restart ceph-radosgw.target
ssh pod2-node3 systemctl status ceph-radosgw.target