Remote Authentication¶
An external identity provider (OpenStack Keystone) can be used as the authentication engine for the Object Storage. This integration exposes Zadara’s Object Storage service directly in the OpenStack dashboard (Horizon), and the Object Storage becomes available immediately to all registered OpenStack users.
The following section will provide an overview of this capability along with the required steps to properly integrate Keystone (the OpenStack identity service) with Zadara VPSA Object Storage.
Openstack version: Train and later
Openstack Prerequisites¶
Creating Openstack Object-Store Service¶
$ openstack service create --name=vpsa-obs --description "Zadara Object Storage" object-store
The expected output is a confirmation the service was created, similar to the following:
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Zadara Object Storage            |
| enabled     | True                             |
| id          | 74b0f72dcf3f4c7eb50462122c1d40cc |
| name        | vpsa-obs                         |
| type        | object-store                     |
+-------------+----------------------------------+
Creating Object-Store Endpoints¶
The Object Store service endpoints direct OpenStack users to the VPSA Object Storage. The URL used in the following examples (https://vsa-0000004e-zadara-iop-01.zadara.com) must be replaced with the URL of the actual target VPSA Object Storage.
The service exposes three endpoints: internal, public and admin. All three must be configured for seamless integration. The public and internal URLs carry the project-scoped suffix KEY_$(tenant_id)s, which Keystone substitutes with the requesting user’s project ID when it builds the service catalog, so each user is directed to their own project’s storage; the admin URL is not project-scoped. The backslash in the commands below only keeps the shell from expanding $(tenant_id) itself.
Internal Endpoint
$ openstack endpoint create --region RegionOne vpsa-obs internal "https://vsa-0000004e-zadara-iop-01.zadara.com/v1/KEY_\$(tenant_id)s"
Public Endpoint
$ openstack endpoint create --region RegionOne vpsa-obs public "https://vsa-0000004e-zadara-iop-01.zadara.com/v1/KEY_\$(tenant_id)s"
Admin Endpoint
$ openstack endpoint create --region RegionOne vpsa-obs admin "https://vsa-0000004e-zadara-iop-01.zadara.com/v1/"
Confirm all 3 endpoints were created as expected.
Note
OpenStack does not test endpoint connectivity when an endpoint is registered; make sure the VPSA Object Storage URL is reachable from the OpenStack nodes and their clients before configuring it.
$ openstack endpoint list --service vpsa-obs -c 'Service Name' -c 'Service Type' -c URL
The expected result is the list of all three endpoints as configured in the previous steps, similar to the following:
+--------------+--------------+--------------------------------------------------------------------+
| Service Name | Service Type | URL                                                                |
+--------------+--------------+--------------------------------------------------------------------+
| vpsa-obs     | object-store | https://vsa-0000004e-zadara-iop-01.zadara.com/v1/KEY_$(tenant_id)s |
| vpsa-obs     | object-store | https://vsa-0000004e-zadara-iop-01.zadara.com/v1/                  |
| vpsa-obs     | object-store | https://vsa-0000004e-zadara-iop-01.zadara.com/v1/KEY_$(tenant_id)s |
+--------------+--------------+--------------------------------------------------------------------+
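The listing above only shows that three rows exist. The following script, added here as an example and not part of Zadara’s or OpenStack’s own tooling, performs the checks a practitioner would want before moving on: it parses the JSON form of the same listing (openstack endpoint list --service vpsa-obs -f json) and reports a missing or duplicated interface, a URL that is not HTTPS, a public/internal URL without the /v1/KEY_$(tenant_id)s suffix, an admin URL that carries it, interfaces pointing at different hosts and, optionally, a host that cannot be reached (the connectivity check OpenStack itself does not perform). SAMPLE_OUTPUT and BROKEN_OUTPUT are constructed for the example; the endpoint IDs are made up and the hostname is the placeholder used throughout this page.

```python
"""Check the vpsa-obs object-store endpoints registered in Keystone.

Added example, not Zadara's or OpenStack's code.  endpoint_problems() takes
the output of `openstack endpoint list --service vpsa-obs -f json` and
returns a list of problems; live_problems() runs the CLI for real.
"""
import json
import socket
import subprocess
import urllib.parse

PROJECT_SUFFIX = "/v1/KEY_$(tenant_id)s"  # project-scoped path of the public/internal endpoints
ADMIN_SUFFIX = "/v1/"                     # the admin endpoint is not project-scoped
HOST = "https://vsa-0000004e-zadara-iop-01.zadara.com"  # placeholder host from this page


def _row(interface, url, endpoint_id):
    # Field names are the ones `openstack endpoint list -f json` emits; IDs are made up.
    return {"ID": endpoint_id, "Region": "RegionOne", "Service Name": "vpsa-obs",
            "Service Type": "object-store", "Enabled": True, "Interface": interface, "URL": url}


# Constructed sample: what a correct registration looks like.
SAMPLE_OUTPUT = json.dumps([
    _row("internal", HOST + PROJECT_SUFFIX, "2b1f7d9c0a4e4f0f8d2c1b3a5e6f7a80"),
    _row("public", HOST + PROJECT_SUFFIX, "9c8e1a2b3d4f4e5a8b6c7d8e9f0a1b2c"),
    _row("admin", HOST + ADMIN_SUFFIX, "5e6f7a8b9c0d4e1f2a3b4c5d6e7f8a9b"),
])

# Constructed sample: admin endpoint missing, public endpoint registered over plain HTTP.
BROKEN_OUTPUT = json.dumps([
    _row("internal", HOST + PROJECT_SUFFIX, "2b1f7d9c0a4e4f0f8d2c1b3a5e6f7a80"),
    _row("public", HOST.replace("https://", "http://") + PROJECT_SUFFIX,
         "9c8e1a2b3d4f4e5a8b6c7d8e9f0a1b2c"),
])


def endpoint_problems(endpoint_list_json, check_reachability=False):
    """Return a list of problems found; an empty list means the endpoints look right."""
    problems = []
    by_interface = {}
    for ep in json.loads(endpoint_list_json):
        if ep["Interface"] in by_interface:
            problems.append(f"duplicate {ep['Interface']} endpoint")
        by_interface[ep["Interface"]] = ep

    for interface in ("internal", "public", "admin"):
        if interface not in by_interface:
            problems.append(f"missing {interface} endpoint")

    hosts = set()
    for interface, ep in by_interface.items():
        url = ep["URL"]
        parsed = urllib.parse.urlsplit(url)
        hosts.add(parsed.hostname or "")
        if parsed.scheme != "https":
            problems.append(f"{interface}: not HTTPS ({url})")
        if not ep.get("Enabled", True):
            problems.append(f"{interface}: endpoint is disabled")
        # Public/internal must be project-scoped, admin must not be.
        expected = ADMIN_SUFFIX if interface == "admin" else PROJECT_SUFFIX
        if not url.endswith(expected):
            problems.append(f"{interface}: URL should end with {expected} ({url})")
        if check_reachability and parsed.hostname:
            port = parsed.port or (443 if parsed.scheme == "https" else 80)
            try:
                socket.create_connection((parsed.hostname, port), timeout=5).close()
            except OSError as exc:
                problems.append(f"{interface}: {parsed.hostname}:{port} unreachable ({exc})")

    if len(hosts) > 1:
        problems.append(f"interfaces point at different hosts: {sorted(hosts)}")
    return problems


def live_problems():
    """Run the real CLI (requires a sourced OpenStack RC file) and check its output."""
    result = subprocess.run(["openstack", "endpoint", "list", "--service", "vpsa-obs",
                             "-f", "json"], check=True, capture_output=True, text=True)
    return endpoint_problems(result.stdout, check_reachability=True)


if __name__ == "__main__":
    for line in live_problems() or ["all three vpsa-obs endpoints look correct"]:
        print(line)
```

Run it from a shell where the admin RC file has been sourced; an empty report means the three interfaces are present, all over HTTPS, with the project-scoped suffix only where it belongs, and the host answering on its TLS port.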
Horizon Dashboard¶
At this point, Horizon should show an additional “Object Storage” section.
VPSA Object Storage Configuration¶
The VPSA Object Storage requires the OpenStack Keystone identity endpoint URL. Ensure you have a valid endpoint before proceeding to the next step.
Private domain names are supported, but they require the VPSA Object Storage administrator to configure a custom name server under Settings > Network.
The endpoint can be retrieved from Horizon or with the openstack CLI, as in the following example. Note that the example lists a plain-HTTP identity endpoint: the VPSA Object Storage will send the administrator credentials entered in the next step to this URL, so use an HTTPS identity endpoint wherever one is available.
$ openstack endpoint list --service identity
+--------------+--------------+-------------------------------+
| Service Name | Service Type | URL                           |
+--------------+--------------+-------------------------------+
| keystone     | identity     | http://192.168.13.37/identity |
| keystone     | identity     | http://192.168.13.37/identity |
+--------------+--------------+-------------------------------+
Important
The Keystone authentication endpoint must be reachable from the VPSA Object Storage Front End network. Reaching it through the public or a secondary VNI network endpoint is not supported.
Enabling Remote Authentication¶
In the VPSA Object Storage management interface, navigate to the Account Management > Remote Authentication view.
The following information is required:
Authentication service endpoint URL - the OpenStack Keystone identity URL as retrieved from OpenStack.
Administrator username - the OpenStack administrator username.
Administrator password - the OpenStack administrator password. The VPSA Object Storage stores these credentials and uses them to query Keystone for account and user information, so treat them as a service credential.
Administrator project name - the OpenStack administrator project.
Upon submitting the form, the VPSA Object Storage user interface will reload in order to apply the changes.
Important
From this point on, all user management is handled by the OpenStack Keystone service and is no longer done from the VPSA Object Storage GUI. Only the ZIOS_ADMIN account and the cloud_admin user (via Zadara Command Center) retain access to the VPSA Object Storage user interface; existing local accounts are no longer accessible. Keep the ZIOS_ADMIN credentials available, as this account and cloud_admin are the only remaining local administrative access.
The Accounts view in the VPSA Object Storage user interface will now list all OpenStack projects. This view gives the administrator visibility into each account’s consumption and utilization.
In the accounts listing, the administrator will be able to review:
Account name as defined in keystone.
Status - the status of the account in the VPSA Object Storage. An account is considered active once one of its users has used the Object Storage service from OpenStack. This is useful when managing a large cluster with many users and projects.
The account id (project ID) as defined in Openstack.
The container count for the selected account.
The overall object count (across all containers)
Used capacity for the selected account.
Note
Usage figures may take a couple of minutes to reflect actual consumption.
Verify The Keystone User Access To The Object Storage Service¶
Openstack CLI¶
Source a valid user’s OpenStack credentials (RC file).
Create a container using the openstack CLI:
$ openstack container create shlomi
List the containers to confirm the one just created is present:
$ openstack container list
+--------+
| Name   |
+--------+
| shlomi |
+--------+
S3 Credentials¶
OpenStack can issue EC2-style credentials (an access key and a secret key) that its users can use with AWS S3 clients.
These credentials can be used to configure S3 clients for Object Storage operations against the VPSA Object Storage. They are bound to the user and to the project that is scoped when they are created.
Create EC2 credentials:
$ openstack ec2 credentials create
Use the credentials returned by the command to access the Object Storage with an S3 client.
The S3 client must be configured with the VPSA Object Storage endpoint together with the access key and secret key created in OpenStack.
Note
Clients that use AWS Signature Version 4 must also be configured with the Object Storage “Region”. The default region of the VPSA Object Storage is us-east-1; it can be changed to match the OpenStack region field, and the client must use the same value, because the region is part of the signature and a mismatch causes signature verification to fail.
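To make the region requirement concrete, the following signer, added here as an example and not Zadara’s or OpenStack’s code, builds the AWS Signature Version 4 Authorization header for a ListBuckets request to the VPSA Object Storage S3 endpoint using only the Python standard library. The region appears twice in the construction: in the credential scope that is written into the header, and as one link of the HMAC chain that derives the signing key. Signing the same request for two different regions therefore yields two different signatures, which is why an S3 client configured with the wrong region is rejected. The host, access key, secret key and the fixed timestamp are placeholders chosen for the example; replace the first three with the VPSA endpoint and the pair returned by openstack ec2 credentials create.

```python
"""AWS Signature Version 4 signing against the VPSA Object Storage S3 endpoint.

Added example, not Zadara's or OpenStack's code.  The host, keys and
FIXED_TIME below are assumed placeholder values, not real credentials.
"""
import datetime
import hashlib
import hmac
import urllib.parse
import urllib.request

VPSA_S3_HOST = "vsa-0000004e-zadara-iop-01.zadara.com"   # placeholder host from this page
ACCESS_KEY = "AKIAEXAMPLEACCESSKEY"                       # placeholder EC2 access key
SECRET_KEY = "exampleSecretKeyDoNotUseInProduction"      # placeholder EC2 secret key
DEFAULT_REGION = "us-east-1"   # VPSA default; change it to match the OpenStack region field

# Constructed fixed timestamp so that the region comparison below is reproducible.
FIXED_TIME = datetime.datetime(2024, 1, 15, 10, 30, 0, tzinfo=datetime.timezone.utc)


def _hmac(key, msg):
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret, date_stamp, region, service="s3"):
    """Derive the SigV4 signing key; the region is one link of the HMAC chain."""
    k_date = _hmac(("AWS4" + secret).encode("utf-8"), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def sign_request(method, host, path, query, access_key, secret, region, when, payload=b""):
    """Return the headers of a SigV4-signed S3 request (path-style addressing).

    `when` is an aware UTC datetime; AWS S3 rejects requests whose x-amz-date
    is more than 15 minutes away from the server clock.
    """
    amz_date = when.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = when.strftime("%Y%m%d")
    payload_hash = hashlib.sha256(payload).hexdigest()

    # Canonical headers: lowercase names, sorted, each line terminated by '\n'.
    headers = {"host": host, "x-amz-content-sha256": payload_hash, "x-amz-date": amz_date}
    canonical_headers = "".join(f"{name}:{headers[name]}\n" for name in sorted(headers))
    signed_headers = ";".join(sorted(headers))
    canonical_query = urllib.parse.urlencode(sorted(query.items()), safe="",
                                             quote_via=urllib.parse.quote)
    canonical_request = "\n".join([method, urllib.parse.quote(path, safe="/"), canonical_query,
                                   canonical_headers, signed_headers, payload_hash])

    # The credential scope binds the signature to one date, region and service.
    scope = f"{date_stamp}/{region}/s3/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])
    signature = hmac.new(signing_key(secret, date_stamp, region),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return {
        "Host": host,
        "x-amz-date": amz_date,
        "x-amz-content-sha256": payload_hash,
        "Authorization": (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                          f"SignedHeaders={signed_headers}, Signature={signature}"),
    }


def sign_list_buckets(region, when=FIXED_TIME):
    """Headers for GET / (ListBuckets) on the VPSA endpoint, signed for `region`."""
    return sign_request("GET", VPSA_S3_HOST, "/", {}, ACCESS_KEY, SECRET_KEY, region, when)


def list_buckets(region=DEFAULT_REGION):
    """Send the signed ListBuckets request for real; returns (status, body)."""
    headers = sign_list_buckets(region, datetime.datetime.now(datetime.timezone.utc))
    req = urllib.request.Request(f"https://{VPSA_S3_HOST}/", headers=headers, method="GET")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    for region in ("us-east-1", "eu-west-1"):
        print(region, sign_list_buckets(region)["Authorization"])
    print(*list_buckets())
```

Running the script prints the two Authorization headers, identical except for the region in the credential scope and the resulting signature, and then performs the real ListBuckets call against the configured endpoint; a client whose region does not match the value set on the VPSA Object Storage produces the second kind of header and is refused.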
Horizon Dashboard¶
From the Horizon dashboard, all registered users will be able to execute Object Storage related operations such as:
Container creation
Container deletion
Object Upload/Download/Deletion
Limitations & Known Issues¶
Limitations¶
18597 - ZIOS_ADMIN account cannot add additional admin users once external authentication is enabled.
VPSA Object Storage GUI is accessible only by ZIOS_ADMIN/CLOUD_ADMIN (via Zadara Command Center).
VPSA Object Storage REST API is accessible for ZIOS_ADMIN account only.
VPSA Object Storage REST API will require local authentication.
The VPSA Object Storage caches the remote account and user information to avoid synchronization issues; the cache is refreshed every 30 minutes, so changes made in Keystone (for example removing a user or a project) may take up to 30 minutes to be reflected on the VPSA Object Storage.
Known Issues¶
18810 - Modifications to the main projects are not propagated to the VPSA Object Storage user interface, and no account information is displayed for the affected user.
18797 - When terminating an account, delete the VPSA Object Storage account before deleting the OpenStack account.