The operator should be able to enable or disable the S3 API/Keystone integration in Ceph RADOS Gateway through a checkbox in Fuel.
The administrator should be informed about the trade-off associated with enabling the integration.
Ceph RADOS Gateway offers multiple backends for client authentication for both the OpenStack Object Storage v1 API (aka Swift API) and the S3 API.
Unfortunately, request authentication in the S3 API is very different from its counterpart in OpenStack. Instead of presenting a token, a client application always accesses the object store with a frequently varying zero-knowledge proof. This provides extra security guarantees but, combined with the principle that Keystone cannot reveal the credentials it stores, also increases load and latency, because each S3 request results in a request to Keystone. This is an architectural limitation that cannot be addressed by introducing caching, as is done for the Swift API.
Thus, enabling the S3/Keystone integration in RadosGW is a decision with a fundamental trade-off and should be made only after careful consideration. However, the administrator should be able to turn on the integration through the graphical user interface.
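The caching limitation described above can be seen in a small model. This is an added example, not code from Ceph, Keystone or Fuel: the `Keystone` and `Gateway` classes, the credentials and the request values are constructed, and the signature is assumed to follow the AWS Signature Version 2 layout (HMAC-SHA1 over a string-to-sign).

```python
import base64
import hashlib
import hmac

def s3_v2_signature(secret, verb, date, resource):
    # Assumed SigV2-style string-to-sign; Content-MD5 and Content-Type left empty.
    string_to_sign = f"{verb}\n\n\n{date}\n{resource}"
    digest = hmac.new(secret.encode(), string_to_sign.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

class Keystone:
    """Hypothetical stand-in: stores credentials and never reveals them."""
    def __init__(self):
        self.tokens = {"tok-demo": "alice"}                       # constructed
        self.ec2_secrets = {"AKDEMO": ("alice", "s3cr3t-demo")}   # constructed
        self.calls = 0
    def validate_token(self, token):
        self.calls += 1
        return self.tokens.get(token)
    def validate_signature(self, access_key, verb, date, resource, signature):
        self.calls += 1
        user, secret = self.ec2_secrets.get(access_key, (None, ""))
        expected = s3_v2_signature(secret, verb, date, resource)
        return user if user and hmac.compare_digest(expected, signature) else None

class Gateway:
    """Hypothetical gateway: caches token verdicts (no expiry in this sketch)."""
    def __init__(self, keystone):
        self.keystone, self.token_cache = keystone, {}
    def swift_request(self, token):
        if token not in self.token_cache:
            self.token_cache[token] = self.keystone.validate_token(token)
        return self.token_cache[token]
    def s3_request(self, access_key, verb, date, resource, signature):
        # The gateway holds no secret and every signature is new, so a
        # previous verdict cannot be reused: Keystone is asked every time.
        return self.keystone.validate_signature(access_key, verb, date, resource, signature)

def keystone_calls(n):
    """Return (swift_calls, s3_calls) that reach Keystone for n requests each."""
    gw = Gateway(Keystone())
    for _ in range(n):
        gw.swift_request("tok-demo")
    swift_calls = gw.keystone.calls
    for i in range(n):
        date = f"Tue, 27 Mar 2007 19:36:{i:02d} +0000"
        resource = f"/bucket/object-{i}"
        sig = s3_v2_signature("s3cr3t-demo", "GET", date, resource)
        gw.s3_request("AKDEMO", "GET", date, resource, sig)
    return swift_calls, gw.keystone.calls - swift_calls
```

`keystone_calls(n)` makes `n` Swift and `n` S3 requests and reports how many Keystone round trips each side caused.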
Enabling S3 API/Keystone integration requires changes in Ceph configuration files:
On controller side:
Interaction with the Web UI may be similar to the following scenario:
None
None
See items in Proposed changes section.
None
None
Users will be able to authenticate requests made through the S3 API based solely on credentials stored and handled by Keystone.
None
None
Load on Keystone may increase significantly. The latency of requests made to the object store through the S3 API will increase.
None
None
None
TBD
TBD
None