Bookmark this page

Chapter 8. Providing Object Storage Using a RADOS Gateway

Abstract

Goal	Configure Red Hat Ceph Storage to provide object storage for clients using a RADOS Gateway (RGW).
Objectives	Deploy a RADOS Gateway to provide clients with access to Ceph object storage. Configure the RADOS Gateway with multisite support to allow objects to be stored in two or more geographically diverse Ceph storage clusters.
Sections	Deploying an Object Storage Gateway (and Guided Exercise) Configuring a Multisite Object Storage Deployment (and Guided Exercise)
Lab	Providing Object Storage Using a RADOS Gateway

Deploying an Object Storage Gateway

Objectives

After completing this section, you should be able to deploy a RADOS Gateway to provide clients with access to Ceph object storage.

Introducing Object Storage

Object storage stores data as discrete items, each individually called an object. Unlike files in a file system, objects are not organized in a tree of directories and subdirectories. Instead, objects are stored in a flat namespace. Each object is retrieved by using the object's unique object ID, also known as an object key.

Applications do not use normal file-system operations to access object data. Instead, applications access a REST API to send and receive objects. Red Hat Ceph Storage supports the two most common object APIs, Amazon S3 (Simple Storage Service) and OpenStack Swift (OpenStack Object Storage).

Amazon S3 calls the flat namespace for object storage a bucket while OpenStack Swift calls it a container. Because a namespace is flat, neither buckets nor containers can be nested. Ceph typically uses the term bucket, as does this lecture.

A single user account can be configured for access to multiple buckets on the same storage cluster. Buckets can each have different access permissions and be used to store objects for different use cases.

The advantage of object storage is that it is easy to use, expand, and scale. Because each object has a unique ID, it can be stored or retrieved without the user knowing the object's location. Without the directory hierarchy, relationships between objects are simplified.

Objects, similar to files, contain a binary data stream and can grow to arbitrarily large sizes. Objects also contain metadata about the object data, and natively support extended metadata information, typically in the form of key-value pairs. You can also create your own metadata keys and store custom information in the object as key values.

Introducing the RADOS Gateway

The RADOS Gateway, also called the Object Gateway (RGW), is a service that provides access to the Ceph cluster for clients using standard object storage APIs. The RADOS Gateway supports both the Amazon S3 and OpenStack Swift APIs.

The core daemon, radosgw, is built on top of the librados library. The daemon provides a web service interface, based on the Beast HTTP, WebSocket, and networking protocol library, as a front-end to handle API requests.

The radosgw is a client to Red Hat Ceph Storage that provides object access to other client applications. Client applications use standard APIs to communicate with the RADOS Gateway, and the RADOS Gateway uses librados module calls to communicate with the Ceph cluster.

Figure 8.1: RADOS Gateway service architecture

The RADOS Gateway provides the radosgw-admin utility for creating users for using the gateway. These users can only access the gateway, and are not cdephx users with direct access to the storage cluster. RADOS Gateway clients authenticate using these gateway user accounts when submitting Amazon S3 or OpenStack Swift API requests. After a gateway user is authenticated by the RADOS Gateway, the gateway uses cephx credentials to authenticate to the storage cluster to handle the object request. Gateway users can also be managed by integrating an external LDAP-based authentication service.

The RADOS Gateway service automatically creates pools on a per-zone basis. These pools use placement group values from the configuration database and use the default CRUSH hierarchy. The default pool settings might not be optimal for a production environment.

The RADOS Gateway creates multiple pools for the default zone.

.rgw.root - Stores information records
.default.rgw.control - Used as the control pool
.default.rgw.meta - Stores user_keys and other critical metadata
.default.rgw.log - Contains logs of all bucket/container and object actions such as create, read, and delete
.default.rgw.buckets.index - Stores indexes of the buckets
.default.rgw.buckets.data - Stores bucket data
.default.rgw.buckets.non-ec - Used for multipart object metadata uploads

You can manually create pools with custom settings. Red Hat recommends using the zone name as a prefix for manually created pools, as in .<zone-name>.rgw.control. For example, using .us-east-1.rgw.buckets.data as a pool name when us-east-1 is the zone name.

Supporting Static Web Hosting with RADOS Gateway

RADOS Gateway supports static website hosting in S3 buckets, which can be more efficient than using virtual machines for website hosting. This is suitable for websites that only use static elements such as XHTML or HTML files, or CSS.

Deploying RADOS Gateway instances for static web hosting has restrictions.

Instances cannot also be used for S3 or Swift API access.
Instances should have domain names that are different from and do not overlap those of the standard S3 and Swift API gateway instances.
Instances should use public-facing IP addresses that are different from the standard S3 and Swift API gateway instances.

RADOS Gateway Deployment

The cephadm tool deploys RADOS Gateway services as a collection of daemons that manage a single cluster or a multisite deployment. Use the client.rgw.* section in the centralized configuration database to define parameters and characteristics for new RADOS Gateway daemons.

Use the Ceph Orchestrator to deploy or remove RADOS Gateway services. Use the Ceph Orchestrator with either the command-line interface or a service specification file.

[ceph: root@node /]# ceph orch apply rgw <service-name> [--realm=<realm>] \
[--zone=<zone>] [--port=<port>] --placement="<num-daemons> [<host1> ...]" \
[--unmanaged]

In this example, the Ceph Orchestrator deploys the my_rgw_service RADOS Gateway service with two daemons in a single cluster, and presents the service on port 80.

[ceph: root@node /]# ceph orch apply rgw my_rgw_service

If no configuration is defined in the client.rgw.* section or passed to the Ceph orchestrator at build time, then the deployment uses these default settings.

The following example YAML file contains common parameters defined for a RADOS Gateway deployment.

service_type: rgw
service_name: rgw_service_name
placement:
  count: 2
  hosts:
  - node01
  - node02
spec:
  rgw_frontend_port: 8080
  rgw_realm: realm_name
  rgw_zone: zone_name
  ssl: true
  rgw_frontend_ssl_certificate: |
    -----BEGIN PRIVATE KEY-----
    ...output omitted...
    -----END PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    ...output omitted...
    -----END CERTIFICATE-----
  networks:
    - 172.25.200.0/24

In this example, a RGW service is created with similar parameters than the previous one, but now using the CLI.

[ceph: root@node /]# ceph orch apply rgw rgw_service_name --realm=realm_name \
--zone=zone_name --port 8080 --placement="2 node01 node 02" --ssl

Notice that in the service specification file, the parameter names for the realm, zone, and port are different than the used by the CLI. Some parameters such as the network to be used by RGW instances or the ssl certificate content can only be defined by using the service speficiation file.

The count parameter sets the number of RGW instances to be created on each server defined in the hosts parameter. If you create more than one instance, then the Ceph orchestrator sets the port of the first instance to the specified rgw_frontend_port or port value from. For each subsequent instance, the port value is increased by 1. Using the previous YAML file example, the service deployment creates:

Two RGW instances in the node01 server, one with port 8080, another with port 8081.
Two RGW instances in the node02 server, one with port 8080, another with port 8081.

Each instance has its own unique port enabled for access and creates the same responses to requests. Configure high availability for the RADOS Gateway by deploying a load-balancer service that presents a single service IP address and port.

Note

The Ceph orchestrator service names the daemons by using the format rgw.<realm>.<zone>.<host>.<random-string>

Customizing the Service Configuration

Configure the Beast front-end web port for the RADOS Gateway by using the port option in the rgw_frontends parameter in the cluster configuration client.rgw section. View the current configuration with the ceph config command.

[ceph: root@node /]# ceph config get client.rgw rgw_frontends
beast port=7480

When using Transport Layer Security/Secure Socket Layer (TLS/SSL), the ports are defined using an s character at the end of the port number, such as port=443s. The port option supports a dual-port configuration using the plus character (+), so that users can access the RADOS Gateway on either of two different ports.

For example, a rgw_frontends configuration can enable the RADOS Gateway to listen on the 80/TCP port, and with TLS/SSL support on the 443/TCP port.

[ceph: root@node /]# ceph config get client.rgw rgw_frontends
beast port=80+443s

Using the Beast Front-end

The RADOS Gateway provides Beast embedded HTTP servers as a front-end. A Beast front-end uses the Boost.Beast library for HTTP parsing and the Boost.Asio library for asynchronous network I/O.

Beast Configuration Options

Configure the Beast web server to use TLS by configuring certificates from a Certificate Authority (CA) with the hostname of the RGW instances and matching secret keys.

Beast configuration options are passed to the embedded web server in the Ceph configuration file or from the configuration database. If a value is not specified, the default value is empty.

port and ssl_port: Sets the listening port number for the IPv4 and IPv6 protocols and can be specified multiple times, as in port=80 port=8000.
endpoint and ssl_endpoint: Sets the listening address in the form address[:port], and can be specified multiple times, as in endpoint=[::1] endpoint=192.168.0.100:8000.
ssl_certificate: Specifies the path to the SSL certificate file used for SSL-enabled endpoints.
ssl_private_key: Specifies an SSL private key, but if a value is not provided, then the file specified by ssl_certificate is used as the private key.
tcp_nodelay: Sets performance optimization parameters in some environments.

Important

Red Hat recommends use of HAProxy and keepalived services to configure TLS/SSL access in production environments.

High Availability Proxy and Encryption

When the RADOS Gateway service load increases, you can deploy more RGW instances to support the workload. You can add instances in a single zone group deployment, but consider that each RGW instance has its own IP address and it can be difficult to balance requests to different instances in a single zone.

Instead, configure HAProxy and keepalived to balance the load across RADOS Gateway servers. HAProxy presents only one IP address and it balances the requests to all RGW instances. Keepalived ensures that the proxy nodes maintain the same presented IP address, independent of node availability.

Note

Configure at least two separated hosts for HAProxy and keepalived services to maintain high availability.

You can configure the HAProxy service to use HTTPS. To enable HTTPS, generate SSL keys and certificates for the configuration. If you do not have a certificate from a Certificate Authority, then use a self-signed certificate.

Server-side Encryption

You can enable server-side encryption to allow sending requests to the RADOS Gateway service using unsecured HTTP when it is not possible to send encrypted requests over SSL. Currently, the server-side encryption scenario is only supported when using the Amazon S3 API.

There are two options to configure server-side encryption for the RADOS Gateway, customer-provided keys or a key management service.

Customer-provided Keys

This option is implemented according to the Amazon SSE-C specification. Each read or write request to the RADOS Gateway service contains an encryption key provided by the user via the S3 client.

An object can only be encrypted with one key and users use different keys to encrypt different objects. It is the user's responsibility to track the keys used to encrypt each object.

Key Management Service

You can configure a key management service to securely store keys for the RADOS Gateway service. When a key management service is configured, the RADOS Gateway service retrieves keys on demand to encrypt or decrypt objects.

SectionFigure 8.2: HashiCorp key management integration demonstrates the encryption flow between RADOS Gateway and an example HashiCorp Vault key management service.

Figure 8.2: HashiCorp key management integration

Currently, HashiCorp Vault and OpenStack Barbican are the tested key management service implementations for RADOS Gateway.

Note

Integration with OpenStack Barbican is in technology preview and is not yet supported for production environments.

References

For more information, refer to Red Hat RADOS Gateway for Production Guide at https://access.redhat.com/documentation/en-us/red_hat_ceph_storage/5/html-single/object_gateway_guide/

For more information, refer to The Beast front-end web server at https://access.redhat.com/documentation/en-us/red_hat_ceph_storage/5/html-single/object_gateway_guide/index#the-beast-front-end-web-server_rgw

For more information, refer to The HashiCorp Vault at https://access.redhat.com/documentation/en-us/red_hat_ceph_storage/5/html-single/object_gateway_guide/index#the-hashicorp-vault

Discuss Cloud Storage with Red Hat Ceph Storage

Go to community

Red Hat Ceph Storage for OpenStack (CL260)

Haley_Ruccio

3 sie 2023

Build, expand and maintain cloud-scale, clustered storage for your applications with Red Hat Ceph StorageCloud Storage with Red Hat Ceph Storage (CL260) is designed for storage administrators and cloud operators who deploy Red Hat Ceph Storage in a production data center environment or as a component of a Red Hat OpenStack Platform or OpenShift Container Platform infrastructure. Learn how to deploy, manage, and scale a Ceph storage cluster to provide hybrid storage resources, including Amazon S3 and OpenStack Swift-compatible object storage, Ceph-native and iSCSI-based block storage, and shared file storage. This course is based on Red Hat Ceph Storage 5.0.Course summaryDeploy and manage a Red Hat Ceph Storage cluster on commodity servers.Perform common management operations using the web-based management interface.Create, expand, and control access to storage pools provided by the Ceph cluster.Access Red Hat Ceph Storage from clients using object, block, and file-based methods.Analyze and tune Red Hat Ceph Storage performance.Integrate Red Hat OpenStack Platform image, object, block, and file storage with a Red Hat Ceph Storage cluster.Integrate OpenShift Container Platform with a Red Hat Ceph Storage cluster.Target AudienceThis course is intended for storage administrators and cloud operators who want to learn how to deploy and manage Red Hat Ceph Storage on servers in an enterprise data center or within a Red Hat OpenStack Platform or OpenShift Container Platform environment.Developers writing applications that use cloud-based storage will learn the distinctions of various storage types and client access methods.Recommended trainingTake our free assessment to gauge whether this offering is the best fit for your skills.Red Hat Certified System Administrator (RHCSA) certification, or equivalent experience.For candidates that have not earned an RHCSA or equivalent, confirmation of the correct skill set knowledge can be obtained by taking the online skills assessment.Some experience with storage administration is recommended but not required.Technology considerationsThis course does not have any special technical requirements.This course is not intended for BYOD.Internet access is recommended.

Welcome to the Red Hat Ceph Storage for OpenStack (CL260) group in the Red Hat Learning Community!

cschunke

31 lip 2023

We are excited to launch a space dedicated to the Red Hat Training course CL260! To gain the most value from this group - click the "Join Group" button in the upper right hand corner of the group home page.We encourage group members to collaborate in this group to discuss topics, ask questions, share best practices and tips, provide course feedback, and share their accomplishments as it relates to CL260.Read more about Red Hat Ceph Storage for OpenStack here.

381

Revision: cl260-5.0-29d2128