rgw: implement support for creating swift sub-users via the user CR

Documentation/Storage-Configuration/Object-Storage-RGW/object-storage.md

@@ -490,6 +490,49 @@ kubectl -n rook-ceph get secret rook-ceph-object-user-my-store-my-user -o jsonpa
 kubectl -n rook-ceph get secret rook-ceph-object-user-my-store-my-user -o jsonpath='{.data.SecretKey}' | base64 --decode
 ```
 
+### Creating subusers for Swift access
+
+The access to the Swift API is granted by creating a subuser of an RGW user.
+While commonly the access is granted via projects mapped from Keystone, explicit
+creation of subusers is supported by adding the section `spec.subUsers`:
+
+```yaml
+apiVersion: ceph.rook.io/v1
+kind: CephObjectStoreUser
+metadata:
+  name: my-user
+  namespace: rook-ceph
+spec:
+  store: my-store
+  subUsers:
+  - name: swift 
+    access: full
+```
+
+Possible values for `access` are: possible values are: `read`, `write`,
+`readwrite`, `full`. These values take their meanings from the possible values
+of the `--access-level` option of `radosgw-admin subuser create`, as documented
+in the [radosgw admin guide](https://docs.ceph.com/en/octopus/radosgw/admin/#create-a-subuser).
+
+Like for the S3 access keys for the users, the swift keys created for the
+sub-users will be automatically injected into Secret objects. The credentials
+for the subusers are mapped to separate secrets, in the case of the example the
+following secret will be created:
+```yaml
+apiVersion:
+kind: Secret
+metadata:
+  name: rook-ceph-object-subuser-my-store-my-user-swift 
+  namespace: rook-ceph
+data:
+  SWIFT_USER: my-user:swift                             
+  SWIFT_SECRET_KEY: $KEY                                
+  SWIFT_AUTH_ENDPOINT: https://rgw.example:6000/auth    
+```
+
+For more information see the
+[design document](https://github.com/rook/rook/blob/459604a3bd383ded82d62463b963f19869331216/design/ceph/object/swift-and-keystone-integration.md#swift-integration).
+
 ## Object Multisite
 
 Multisite is a feature of Ceph that allows object stores to replicate its data over multiple Ceph clusters.

PendingReleaseNotes.md

@@ -22,3 +22,4 @@ read affinity setting in cephCluster CR (CSIDriverOptions section) in [PR](https
 - Support for virtual style hosting for s3 buckets in the CephObjectStore.
 - Add option to specify prefix for the OBC provisioner.
 - Support Azure Key Vault for storing OSD encryption keys.
+- Support creating swift sub-users through Kubernetes CRs (see [#9088](https://github.com/rook/rook/issues/9088)).

deploy/charts/rook-ceph/templates/resources.yaml

@@ -10053,6 +10053,41 @@ spec:
                   items:
                     type: string
                   type: array
+                auth:
+                  description: The authentication configuration
+                  properties:
+                    keystone:
+                      description: The spec for Keystone
+                      nullable: true
+                      properties:
+                        acceptedRoles:
+                          description: The roles requires to serve requests.
+                          items:
+                            type: string
+                          type: array
+                        implicitTenants:
+                          description: Create new users in their own tenants of the same name. Possible values are true, false, swift and s3. The latter have the effect of splitting the identity space such that only the indicated protocol will use implicit tenants.
+                          type: string
+                        revocationInterval:
+                          description: The number of seconds between token revocation checks.
+                          nullable: true
+                          type: integer
+                        serviceUserSecretName:
+                          description: The name of the secret containing the credentials for the service user account used by RGW. It has to be in the same namespace as the object store resource.
+                          type: string
+                        tokenCacheSize:
+                          description: The maximum number of entries in each Keystone token cache.
+                          nullable: true
+                          type: integer
+                        url:
+                          description: The URL for the Keystone server.
+                          type: string
+                      required:
+                        - acceptedRoles
+                        - serviceUserSecretName
+                        - url
+                      type: object
+                  type: object
                 dataPool:
                   description: The data pool settings
                   nullable: true
@@ -11344,6 +11379,40 @@ spec:
                 preservePoolsOnDelete:
                   description: Preserve pools on object store deletion
                   type: boolean
+                protocols:
+                  description: The protocol specification
+                  properties:
+                    s3:
+                      description: The spec for S3
+                      nullable: true
+                      properties:
+                        authUseKeystone:
+                          description: Whether to use Keystone for authentication. This option maps directly to the rgw_s3_auth_use_keystone option. Enabling it allows generating S3 credentials via an OpenStack API call, see the docs. If not given, the defaults of the corresponding RGW option apply.
+                          nullable: true
+                          type: boolean
+                        enabled:
+                          description: Whether to enable S3. This defaults to true (even if protocols.s3 is not present in the CRD). This maintains backwards compatibility – by default S3 is enabled.
+                          nullable: true
+                          type: boolean
+                      type: object
+                    swift:
+                      description: The spec for Swift
+                      nullable: true
+                      properties:
+                        accountInUrl:
+                          description: Whether or not the Swift account name should be included in the Swift API URL. If set to false (the default), then the Swift API will listen on a URL formed like http://host:port/<rgw_swift_url_prefix>/v1. If set to true, the Swift API URL will be http://host:port/<rgw_swift_url_prefix>/v1/AUTH_<account_name>. You must set this option to true (and update the Keystone service catalog) if you want radosgw to support publicly-readable containers and temporary URLs.
+                          nullable: true
+                          type: boolean
+                        urlPrefix:
+                          description: The URL prefix for the Swift API, to distinguish it from the S3 API endpoint. The default is swift, which makes the Swift API available at the URL http://host:port/swift/v1 (or http://host:port/swift/v1/AUTH_%(tenant_id)s if rgw swift account in url is enabled).
+                          nullable: true
+                          type: string
+                        versioningEnabled:
+                          description: Enables the Object Versioning of OpenStack Object Storage API. This allows clients to put the X-Versions-Location attribute on containers that should be versioned.
+                          nullable: true
+                          type: boolean
+                      type: object
+                  type: object
                 security:
                   description: Security represents security settings
                   nullable: true
@@ -11702,6 +11771,19 @@ spec:
                 store:
                   description: The store the user will be created in
                   type: string
+                subUsers:
+                  items:
+                    properties:
+                      access:
+                        type: string
+                      name:
+                        type: string
+                    required:
+                      - access
+                      - name
+                    type: object
+                  nullable: true
+                  type: array
               type: object
             status:
               description: ObjectStoreUserStatus represents the status Ceph Object Store Gateway User

deploy/examples/crds.yaml

@@ -10044,6 +10044,41 @@ spec:
                   items:
                     type: string
                   type: array
+                auth:
+                  description: The authentication configuration
+                  properties:
+                    keystone:
+                      description: The spec for Keystone
+                      nullable: true
+                      properties:
+                        acceptedRoles:
+                          description: The roles requires to serve requests.
+                          items:
+                            type: string
+                          type: array
+                        implicitTenants:
+                          description: Create new users in their own tenants of the same name. Possible values are true, false, swift and s3. The latter have the effect of splitting the identity space such that only the indicated protocol will use implicit tenants.
+                          type: string
+                        revocationInterval:
+                          description: The number of seconds between token revocation checks.
+                          nullable: true
+                          type: integer
+                        serviceUserSecretName:
+                          description: The name of the secret containing the credentials for the service user account used by RGW. It has to be in the same namespace as the object store resource.
+                          type: string
+                        tokenCacheSize:
+                          description: The maximum number of entries in each Keystone token cache.
+                          nullable: true
+                          type: integer
+                        url:
+                          description: The URL for the Keystone server.
+                          type: string
+                      required:
+                        - acceptedRoles
+                        - serviceUserSecretName
+                        - url
+                      type: object
+                  type: object
                 dataPool:
                   description: The data pool settings
                   nullable: true
@@ -11335,6 +11370,40 @@ spec:
                 preservePoolsOnDelete:
                   description: Preserve pools on object store deletion
                   type: boolean
+                protocols:
+                  description: The protocol specification
+                  properties:
+                    s3:
+                      description: The spec for S3
+                      nullable: true
+                      properties:
+                        authUseKeystone:
+                          description: Whether to use Keystone for authentication. This option maps directly to the rgw_s3_auth_use_keystone option. Enabling it allows generating S3 credentials via an OpenStack API call, see the docs. If not given, the defaults of the corresponding RGW option apply.
+                          nullable: true
+                          type: boolean
+                        enabled:
+                          description: Whether to enable S3. This defaults to true (even if protocols.s3 is not present in the CRD). This maintains backwards compatibility – by default S3 is enabled.
+                          nullable: true
+                          type: boolean
+                      type: object
+                    swift:
+                      description: The spec for Swift
+                      nullable: true
+                      properties:
+                        accountInUrl:
+                          description: Whether or not the Swift account name should be included in the Swift API URL. If set to false (the default), then the Swift API will listen on a URL formed like http://host:port/<rgw_swift_url_prefix>/v1. If set to true, the Swift API URL will be http://host:port/<rgw_swift_url_prefix>/v1/AUTH_<account_name>. You must set this option to true (and update the Keystone service catalog) if you want radosgw to support publicly-readable containers and temporary URLs.
+                          nullable: true
+                          type: boolean
+                        urlPrefix:
+                          description: The URL prefix for the Swift API, to distinguish it from the S3 API endpoint. The default is swift, which makes the Swift API available at the URL http://host:port/swift/v1 (or http://host:port/swift/v1/AUTH_%(tenant_id)s if rgw swift account in url is enabled).
+                          nullable: true
+                          type: string
+                        versioningEnabled:
+                          description: Enables the Object Versioning of OpenStack Object Storage API. This allows clients to put the X-Versions-Location attribute on containers that should be versioned.
+                          nullable: true
+                          type: boolean
+                      type: object
+                  type: object
                 security:
                   description: Security represents security settings
                   nullable: true
@@ -11692,6 +11761,19 @@ spec:
                 store:
                   description: The store the user will be created in
                   type: string
+                subUsers:
+                  items:
+                    properties:
+                      access:
+                        type: string
+                      name:
+                        type: string
+                    required:
+                      - access
+                      - name
+                    type: object
+                  nullable: true
+                  type: array
               type: object
             status:
               description: ObjectStoreUserStatus represents the status Ceph Object Store Gateway User

deploy/examples/object-user.yaml

@@ -1,5 +1,5 @@
 #################################################################################################################
-# Create an object store user for access to the s3 endpoint.
+# Create an object store user for access to the s3/swift endpoint.
 #  kubectl create -f object-user.yaml
 #################################################################################################################
 
@@ -23,6 +23,10 @@ spec:
   #   metadata: "*"
   #   usage: "*"
   #   zone: "*"
+  # Create subusers for swift access to the object store
+  # subUsers:
+  # - name: swift
+  #   access: full # Possible values are: read, write, readwrite, full
   # If the CephObjectStoreUser is created in a namespace other than the Rook cluster namespace,
   # specify the namespace where the cluster and object store are found.
   # "allowUsersInNamespaces" must include this namespace to enable this feature.

design/ceph/object/swift-and-keystone-integration.md

@@ -80,11 +80,11 @@ Annotations:
   options](https://docs.ceph.com/en/octopus/radosgw/config-ref/#keystone-settings),
   the corresponding RGW option is formed by prefixing it with
   `rgw_keystone_` and replacing upper case letters by their lower case
-  letter followed by an underscore. E.g. `tokenCacheSize` maps to
+  letter preceded by an underscore. E.g. `tokenCacheSize` maps to
   `rgw_keystone_token_cache_size`.
 * `[2]` These settings are required in the `keystone` section if
   present.
-* `[1]` The name of the secret containing the credentials for the
+* `[3]` The name of the secret containing the credentials for the
   service user account used by RGW. It has to be in the same namespace
   as the object store resource.
 
@@ -173,12 +173,12 @@ Annotations:
   options](https://docs.ceph.com/en/octopus/radosgw/config-ref/#swift-settings),
   the corresponding RGW option is formed by prefixing it with
   `rgw_swift_` and replacing upper case letters by their lower case
-  letter followed by an underscore. E.g. `urlPrefix` maps to
+  letter preceded by an underscore. E.g. `urlPrefix` maps to
   `rgw_swift_url_prefix`. They are optional. If not given, the defaults
   of the corresponding RGW option apply.
 
-The access to the Swift API is granted by creating a subuser of an RGW
-user. While commonly the access is granted via projects
+Access to the Swift API is granted by creating a subuser of an RGW
+user. While commonly access is granted via projects
 mapped from Keystone, explicit creation of subusers is supported by
 extending the `cephobjectstoreuser` resource with a new optional section
 `spec.subUsers`: