New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
rgw: implement support for authentication using keystone for s3 and swift #13807
base: master
Are you sure you want to change the base?
Conversation
abf98c0
to
acc11c5
Compare
acc11c5
to
2e9695d
Compare
export TEST_HELM_PATH=/tmp/rook-tests-scripts-helm/linux-amd64/helm | ||
export TEST_HELM_PATH=/tmp/rook-tests-scripts-helm/helm |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm curious about this change. Was this fixing a CI bug, or is this related to a change here?
@subhamkrai do you have insights here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
After running helm.sh up
, I have:
$ ls /tmp/rook-tests-scripts-helm/
helm helm.tar.gz LICENSE README.md
I suspect the layout in the Helm archive changed (again). Last time appears to have been in 2020, when --strip-components 1
was introduced in 27c7146. Maybe this needs to be reverted now instead of changing the path in the docs, but either way export TEST_HELM_PATH=/tmp/rook-tests-scripts-helm/linux-amd64/helm
did not work for me.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm impressed how well this PR is put together. There are detailed docs, full test files, and good comments.
I've also really only started scratching the surface of this review. There is a lot here, and it will take time.
One question related to #13808 : Is one of these PRs needed as a basis for the other?
!!! note | ||
This sample requires *at least 3 bluestore OSDs*, with each OSD located on a *different node*. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this note makes the most sense immediately before the yaml below. I was confused about what "sample" meant here until I read and re-read this a couple times.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
!!! note | ||
This example assumes that there already is an existing OpenStack Keystone instance ready to use for authentication. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Probably best to include this in the same note which will be moved below, to just above the yaml example.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
title: Object Store with Keystone and Swift | ||
--- | ||
|
||
You can configure the Swift API and the Keystone integration of Ceph RGW natively via the Object Store CRD, which allows native integration of the Rook operated Ceph RGW into [OpenStack](https://www.openstack.org/) clouds. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is a little pedantic, but when we had the Ceph foundation's doc expert review our docs, the biggest suggestion he gave was for us to avoid use of "you," "our," "we," etc.
He suggested that we use "imperative" language in our docs. So this doc line should be shifted around to read something like this:
"Ceph RGW can integrate natively with the Swift API and Keystone via the CephObjectStore CRD. This allows native integration of Rook-operated Ceph RGWs into OpenStack"
Please adjust the rest of the document as well. Doing a file search for "you" is usually sufficient to find which lines should be adjusted.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is not pedantic but good advice! Thanks. I rephrased the document accordingly.
I would suggest to add a section on the imperative language in the Contributing/documentation.md file.
Alternatively, if you have an existing Ceph cluster with Rados Gateways, see the | ||
[external section](#connect-to-an-external-object-store) to consume it from Rook. | ||
Most commonly, the object store will be configured in Kubernetes by Rook. | ||
Alternatively, if you have an existing Ceph cluster with [Rados Gateways](https://docs.ceph.com/en/quincy/radosgw/index.html), see the [external section](#connect-to-an-external-object-store) to consume it from Rook. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please adjust based on "you" usage here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't see that commit as part of the PR any more.
Also, as a preparation, we will ask you to squash all the commits before final merge. It's fine to keep each commit separate while we are working, however.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Seems as if this commit has already been squased already. Trying to cherry-pick it I ended up with an empty commit.
If you could please do a quick check whether the "you" based language is not gone.
Documentation/Storage-Configuration/Object-Storage-RGW/object-storage.md
Outdated
Show resolved
Hide resolved
pkg/apis/ceph.rook.io/v1/types.go
Outdated
@@ -1440,6 +1440,16 @@ type ObjectStoreSpec struct { | |||
// +nullable | |||
Gateway GatewaySpec `json:"gateway"` | |||
|
|||
// The protocol specification | |||
// +optional | |||
// +nullable |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not nullable because not a pointer to a struct.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Addressed in 556765c
pkg/apis/ceph.rook.io/v1/types.go
Outdated
|
||
// The authentication configuration | ||
// +optional | ||
// +nullable |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not nullable because not a pointer to a struct.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Addressed in 556765c
pkg/apis/ceph.rook.io/v1/types.go
Outdated
Enabled *bool `json:"enabled,omitempty"` | ||
AuthUseKeystone *bool `json:"authUseKeystone,omitempty"` | ||
} | ||
|
||
// SwiftSpec represents Ceph Object Store specification for the Swift API | ||
type SwiftSpec struct { | ||
AccountInUrl *bool `json:"accountInUrl,omitempty"` | ||
UrlPrefix *string `json:"urlPrefix,omitempty"` | ||
VersioningEnabled *bool `json:"versioningEnabled,omitempty"` | ||
} | ||
|
||
// AuthSpec represents the authentication protocol configuration of a Ceph Object Store Gateway | ||
type AuthSpec struct { | ||
// +optional | ||
// +nullable | ||
Keystone *KeystoneSpec `json:"keystone,omitempty"` | ||
} | ||
|
||
// KeystoneSpec represents the Keystone authentication configuration of a Ceph Object Store Gateway | ||
type KeystoneSpec struct { | ||
Url string `json:"url"` | ||
ServiceUserSecretName string `json:"serviceUserSecretName"` | ||
AcceptedRoles []string `json:"acceptedRoles"` | ||
ImplicitTenants ImplicitTenantSetting `json:"implicitTenants,omitempty"` | ||
TokenCacheSize *int `json:"tokenCacheSize,omitempty"` | ||
RevocationInterval *int `json:"revocationInterval,omitempty"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please add godoc comments to all fields, and mark pointer types as nullable.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Addressed in 556765c
pkg/apis/ceph.rook.io/v1/types.go
Outdated
@@ -1763,6 +1826,7 @@ type ObjectUserQuotaSpec struct { | |||
MaxObjects *int64 `json:"maxObjects,omitempty"` | |||
} | |||
|
|||
// CephObjectRealm represents a Ceph Object Store Gateway Realm |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why is this line duplicated here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That looks like a rebase mess up. Will fix.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
pkg/operator/ceph/config/monstore.go
Outdated
// https://docs.ceph.com/docs/master/rados/configuration/ceph-conf/#monitor-configuration-database | ||
// https://docs.ceph.com/en/latest/rados/configuration/ceph-conf/#monitor-configuration-database |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Were these links broken?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, docs/master
was broken when we tried to access them. I see it now redirects to en/latest
. Shall we revert this change?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If the old link is working, I think it's best to revert this. If it's still broken, I'm not too concerned.
But most of our links are in this format, and if they all break, we would want to fix them all at once I think.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
pkg/operator/ceph/object/config.go
Outdated
if ks := rgwConfig.Auth.Keystone; ks != nil { | ||
|
||
logger.Info("Configuring authentication with keystone") | ||
|
||
configOptions["rgw_keystone_url"] = ks.Url | ||
configOptions["rgw_keystone_accepted_roles"] = strings.Join(ks.AcceptedRoles, ",") | ||
if ks.ImplicitTenants != "" { | ||
|
||
// only four values are valid here (swift, s3, true and false) | ||
// | ||
// https://docs.ceph.com/en/latest/radosgw/keystone/#integrating-with-openstack-keystone | ||
if strings.ToLower(string(ks.ImplicitTenants)) != "true" && | ||
strings.ToLower(string(ks.ImplicitTenants)) != "false" && | ||
strings.ToLower(string(ks.ImplicitTenants)) != "swift" && | ||
strings.ToLower(string(ks.ImplicitTenants)) != "s3" { | ||
|
||
errString := fmt.Sprintf("ImplicitTenantSetting can only be 'swift', 's3', 'true' or 'false', not %s", string(ks.ImplicitTenants)) | ||
logger.Errorf(errString) | ||
return errors.New(errString) | ||
|
||
} | ||
|
||
configOptions["rgw_keystone_implicit_tenants"] = string(ks.ImplicitTenants) | ||
|
||
} | ||
if ks.TokenCacheSize != nil { | ||
configOptions["rgw_keystone_token_cache_size"] = fmt.Sprintf("%d", *ks.TokenCacheSize) | ||
} | ||
if rgwConfig.KeystoneSecret == nil { | ||
logger.Error("Cannot find keystone secret!") | ||
return errors.New("Cannot find keystone secret") | ||
} | ||
|
||
var err error | ||
configOptions, err = mapKeystoneSecretToConfig(configOptions, rgwConfig.KeystoneSecret) | ||
if err != nil { | ||
logger.Infof("error mapping keystone secret %s to config: %s", rgwConfig.KeystoneSecret.Name, err) | ||
return err | ||
} | ||
|
||
} else { | ||
logger.Info("Authentication with keystone is disabled") | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this block seems as a good candidate for a proper function
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
|
||
// test that a second object store can be created (and deleted) while the first exists | ||
s.T().Run("run a second object store", func(t *testing.T) { | ||
otherStoreName := "other-" + storeName | ||
// The lite e2e test is perfect, as it only creates a cluster, checks that it is healthy, | ||
// and then deletes it. | ||
deleteStore := true | ||
runObjectE2ETestLite(t, helper, k8sh, installer, namespace, otherStoreName, 1, deleteStore, tlsEnable) | ||
// TODO: Why ist swiftAndKeystone always set to false? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
please, address the TODO
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
0a9fdf9
(These TODOs were already dealt with and are now removed.)
This pull request has merge conflicts that must be resolved before it can be merged. @jklippel please rebase it. https://rook.io/docs/rook/latest/Contributing/development-flow/#updating-your-fork |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
From an upstream maintainer perspective, I am really impressed by the implementation and thoroughness that I see in this PR. At the same time, I have some concerns about how this feature fits into our community, and I want to acknowledge and address those before we get too far along with reviewing and merging this code.
There do seem to be users that are interested in this feature, but that interest also seems pretty small. This is evidenced by the fact that the design doc for this feature is over 2 years old at this point, and the person who created it didn't see fit to continue to complete the work as designed.
I am concerned that this may be a feature that gets added but then doesn't have anyone sticking around to maintain and troubleshoot for other Rook users. As it is, none of the current Rook maintainers have much OpenStack experience that would allow us to (or motivate us to) keep this feature up-to-date.
While we could declare this feature "experimental," I am still concerned about the possibility of it becoming a long-term maintenance burden that could lead us to ultimately remove it down the road.
@jklippel and @Lykos153 could you tell us more about what your and your company's positions are on feature maintenance for Keystone/Swift integration? I'd like to hear more about what is driving you implement this functionality and what the time scale is for how long it will be used in production. It's also fine if you want to message me and @travisn directly on slack about this since I understand it could be slightly sensitive.
@BlaineEXE @Lykos153 and I (@jklippel) just sat together and discussed the points you brought up.
Does this suffice as commitment to the cause from our side or do you need more/something else entirely? |
We created a list of TODO-issues in "our" forked repository to handle the mentioned issues. We linked back to this issue, so do not mind the long list of issues listed here. |
Hi @travisn, @BlaineEXE, I'm working at CLOUD&HEAT Technologies GmbH, as team lead of @Lykos153 and former rook contributor (#5483), and I'd like to add a few bits from our perspective. We have been using Ceph RadosGW with OpenStack in production since 2018 (at least) and we intend to migrate the data from our main Ceph cluster (based on chef-ceph. Yes.) to rook. The lack of RadosGW/OpenStack integration has been a partial blocker (we are currently migrating block storage only because of this), so we are committed to getting this implemented. Likewise, we need this to work in the future, as our object store offering will depend on it. With all data and information available to me to date, I expect that we offer OpenStack+Rook-based Object Store for the lifetime of the company, however long that may be ("the foreseeable future"). That also implies that we can invest some resources in keeping this feature going, if there turn out to be issues with it in the future. Hope that helps :). P.S.: This is my last day before a week of PTO, so if you're pinging me specifically, I may only reply from March 11th onward. |
This pull request has merge conflicts that must be resolved before it can be merged. @jklippel please rebase it. https://rook.io/docs/rook/latest/Contributing/development-flow/#updating-your-fork |
fa106d4
to
c6495fc
Compare
This pull request has merge conflicts that must be resolved before it can be merged. @jklippel please rebase it. https://rook.io/docs/rook/latest/Contributing/development-flow/#updating-your-fork |
ecaa4b0
to
5b8b850
Compare
This pull request has merge conflicts that must be resolved before it can be merged. @jklippel please rebase it. https://rook.io/docs/rook/latest/Contributing/development-flow/#updating-your-fork |
e188a29
to
5b8b850
Compare
This pull request has merge conflicts that must be resolved before it can be merged. @jklippel please rebase it. https://rook.io/docs/rook/latest/Contributing/development-flow/#updating-your-fork |
The design document for the swift and keystone integration contains incorrectly numbered annotations. Thie commit fixes the numeration of the annotations. Additionally some minor wording changes are made. Signed-off-by: Silvio Ankermann <silvio.ankermann@cloudandheat.com>
For the specification see: <https://github.com/rook/rook/blob/master/design/ceph/object/swift-and-keystone-integration.md> Signed-off-by: Sebastian Riese <sebastian.riese@cloudandheat.com> Signed-off-by: Silvio Ankermann <silvio.ankermann@cloudandheat.com>
* The parameter lists of the API call have changes, as parameters ignored by the RGW Admin Ops API are no longer serialized, therefore the mock has to be adapted. * There is now validation for the user keys that are passed to the User get API, therefore things failed when we had empty keys in our User proxy object. Co-authored-by: Jan Klippel <jan.klippel@uhurutec.com> Signed-off-by: Sebastian Riese <sebastian.riese@cloudandheat.com> Signed-off-by: Silvio Ankermann <silvio.ankermann@cloudandheat.com>
For the specification see: <https://github.com/rook/rook/blob/master/design/ceph/object/swift-and-keystone-integration.md> Co-authored-by: Jan Klippel <jan.klippel@uhurutec.com> Signed-off-by: Sebastian Riese <sebastian.riese@cloudandheat.com> Signed-off-by: Silvio Ankermann <silvio.ankermann@cloudandheat.com>
Minikube decides CPU cores and memory automatically based on the available resources on the machine which may be insufficient to run rook. This commit adds an environment variable to add arbitrary arguments to the minikube command, so both can be specified if desired. Signed-off-by: Silvio Ankermann <silvio.ankermann@cloudandheat.com>
The new integration of swift or s3 and keystone support by rook does not have any integration tests yet. This commit introduces integration tests for swift and keystone. The tests are done against a minimal keystone setup (keystone container image from Yaook-project (https://yaook.cloud), sqlite as database backend, cert-manager and trust-manager for test certificate setup). To prevent hardcoded credentials, passwords are generated by the tests. The integration tests use the openstack client (keystone- and swift-functionality) (https://docs.openstack.org/python-openstackclient/ latest/). This was a concious design decision to use client tooling as close as possible to the end user instead of using other go-libraries (such as gophercloud). Signed-off-by: Jan Klippel <jan.klippel@uhurutec.com>
Currently there is no documentation on the use of Swift to access an object store as well as the use of OpenStack keystone for authentication. This commit adds documentation on the use of Swift and OpenStack keystone, as well as CRD-related documentation and an example setup. Signed-off-by: Jan Klippel <jan.klippel@uhurutec.com>
5b8b850
to
904c5f7
Compare
This commit introduces integration tests for s3 and keystone. The tests are run against the same minimal keystone setup that the tests for swift and keystone use. The integration tests use the aws s3 client to use client tooling as close as possible to the end user instead of using other go-libraries. Signed-off-by: Silvio Ankermann <silvio.ankermann@cloudandheat.com>
176a755
to
30ece5d
Compare
Signed-off-by: Jan Klippel <jan.klippel@uhurutec.com>
…gration Signed-off-by: Jan Klippel <jan.klippel@uhurutec.com>
9adb92c
to
c4c6ff8
Compare
Signed-off-by: Jan Klippel <jan.klippel@uhurutec.com>
Signed-off-by: Jan Klippel <jan.klippel@uhurutec.com>
…gration Signed-off-by: Jan Klippel <jan.klippel@uhurutec.com>
1ced5e8
to
32c00ca
Compare
implicitTenants: | ||
description: Create new users in their own tenants of the same name. Possible values are true, false, swift and s3. The latter have the effect of splitting the identity space such that only the indicated protocol will use implicit tenants. | ||
type: string | ||
revocationInterval: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't see that this value is used anywhere to configure rgw. Also in my CEPH env I cannot set this option:
Error EINVAL: unrecognized config option 'rgw_keystone_revocation_interval'
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good catch! This parameter was removed sometime in the past (last seen in the pacific documentation).
We will remove it.
Thanks again!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I assume there isn't a replacement config either? I don't see anything similar in current Ceph docs.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It was removed with this commit ceph/ceph@6b4c985
If I understand the commit message correctly there was no need for a replacement.
This PR implements the authentication using keystone of swift and s3 as described in the already existing design document swift-and-keystone-integration (see #9444 for the design request and #9088 for the general issue).
The design document describes another feature namely using k8s custom resources to create swift sub-users which will be implemented in a another PR.
Resolves #9088
Checklist: