Adds a warning about the requirement to use Identity API 2.0

Object Storage is unaware of domains so ACLs cannot be enforced
when using Identity API 3.0

Change-Id: I6a1f8853e7cfcb5c4e8f789fa7fe8dfd6d3f7fdd
Closes-bug: 1299146
Anne Gentle 2014-04-28 16:11:48 -05:00
parent 35c235d38d
commit 918f300626


@ -4,50 +4,52 @@
xmlns:xi="http://www.w3.org/2001/XInclude" xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"> xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0">
<title>Install Object Storage</title> <title>Install Object Storage</title>
<para>Though you can install OpenStack Object Storage for <para>Though you can install OpenStack Object Storage for development or
development or testing purposes on one server, a testing purposes on one server, a multiple-server installation enables
multiple-server installation enables the high availability and the high availability and redundancy you want in a production
redundancy you want in a production distributed object storage distributed object storage system.</para>
system.</para> <para>To perform a single-node installation for development purposes from
<para>To perform a single-node installation for development source code, use the Swift All In One instructions (Ubuntu) or DevStack
purposes from source code, use the Swift All In One (multiple distros). See <link
instructions (Ubuntu) or DevStack (multiple distros). See
<link
xlink:href="http://swift.openstack.org/development_saio.html" xlink:href="http://swift.openstack.org/development_saio.html"
>http://swift.openstack.org/development_saio.html</link> >http://swift.openstack.org/development_saio.html</link> for manual
for manual instructions or <link instructions or <link xlink:href="http://devstack.org"
xlink:href="http://devstack.org" >http://devstack.org</link> for all-in-one including authentication
>http://devstack.org</link> for all-in-one including with the Identity Service (keystone) v2.0 API.</para>
authentication with the Identity Service (keystone).</para> <warning>
<para>In this guide we recommend installing and configuring the Identity
service so that it implements Identity API v2.0. The Object Storage
service is unaware of domains when implementing Access Control Lists
(ACLs), so you must use the v2.0 API to avoid having identical user
names in different domains, which would enable two users to access
the same objects.</para>
</warning>
<section xml:id="before-you-begin-swift-install"> <section xml:id="before-you-begin-swift-install">
<title>Before you begin</title> <title>Before you begin</title>
<para>Have a copy of the operating system installation media <para>Have a copy of the operating system installation media available
available if you are installing on a new server.</para> if you are installing on a new server.</para>
<para>These steps assume you have set up repositories for <para>These steps assume you have set up repositories for packages for
packages for your operating system as shown in <link your operating system as shown in <link linkend="basics-packages"
linkend="basics-packages">OpenStack >OpenStack Packages</link>.</para>
Packages</link>.</para> <para>This document demonstrates how to install a cluster by using the
<para>This document demonstrates how to install a cluster by following types of nodes:</para>
using the following types of nodes:</para>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para>One proxy node which runs the swift-proxy-server <para>One proxy node which runs the swift-proxy-server
processes. The proxy server proxies requests to processes. The proxy server proxies requests to the
the appropriate storage nodes.</para> appropriate storage nodes.</para>
</listitem> </listitem>
<listitem> <listitem>
<para>Five storage nodes that run the <para>Five storage nodes that run the swift-account-server,
swift-account-server, swift-container-server, and swift-container-server, and swift-object-server processes
swift-object-server processes which control which control storage of the account databases, the
storage of the account databases, the container container databases, as well as the actual stored
databases, as well as the actual stored
objects.</para> objects.</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<note> <note>
<para>Fewer storage nodes can be used initially, but a <para>Fewer storage nodes can be used initially, but a minimum of
minimum of five is recommended for a production five is recommended for a production cluster.</para>
cluster.</para>
</note> </note>
</section> </section>
<section xml:id="general-installation-steps-swift"> <section xml:id="general-installation-steps-swift">
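Review bot: the new <warning> opens with "we recommend installing and configuring the Identity service so that it implements Identity API v2.0" and then says "you must use the v2.0 API", so a reader cannot tell whether v2.0 is advice or a requirement. The commit message states that ACLs cannot be enforced when using Identity API 3.0, so the first sentence should state the requirement directly and drop "recommend". The closing clause, "which would enable two users to access the same objects", would also read more clearly if it said that an ACL cannot tell apart users who share a name in different domains, since that is the cause the preceding sentence gives.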
@ -55,17 +57,18 @@
<procedure> <procedure>
<step os="rhel;centos;fedora;opensuse;sles;ubuntu"> <step os="rhel;centos;fedora;opensuse;sles;ubuntu">
<para>Create a <literal>swift</literal> user that the Object <para>Create a <literal>swift</literal> user that the Object
Storage Service can use to authenticate with the Identity Service. Storage Service can use to authenticate with the Identity
Choose a password and specify an email address for the Service. Choose a password and specify an email address for
<literal>swift</literal> user. Use the the <literal>swift</literal> user. Use the
<literal>service</literal> tenant and give the user the <literal>service</literal> tenant and give the user the
<literal>admin</literal> role:</para> <literal>admin</literal> role:</para>
<screen><prompt>$</prompt> <userinput>keystone user-create --name=swift --pass=<replaceable>SWIFT_PASS</replaceable> \ <screen><prompt>$</prompt> <userinput>keystone user-create --name=swift --pass=<replaceable>SWIFT_PASS</replaceable> \
--email=<replaceable>swift@example.com</replaceable></userinput> --email=<replaceable>swift@example.com</replaceable></userinput>
<prompt>$</prompt> <userinput>keystone user-role-add --user=swift --tenant=service --role=admin</userinput></screen> <prompt>$</prompt> <userinput>keystone user-role-add --user=swift --tenant=service --role=admin</userinput></screen>
</step> </step>
<step> <step>
<para>Create a service entry for the Object Storage Service:</para> <para>Create a service entry for the Object Storage
Service:</para>
<screen><prompt>$</prompt> <userinput>keystone service-create --name=swift --type=object-store \ <screen><prompt>$</prompt> <userinput>keystone service-create --name=swift --type=object-store \
--description="OpenStack Object Storage"</userinput> --description="OpenStack Object Storage"</userinput>
<computeroutput>+-------------+----------------------------------+ <computeroutput>+-------------+----------------------------------+
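Review bot: the changed <para> lines in the swift user-create and service-create steps are rewraps with no wording change, and the same holds for most changed lines in the other hunks. In a commit that closes a bug about ACL enforcement, this buries the two substantive edits (the <warning> and the "v2.0 API" addition to the DevStack sentence) under formatting noise. Move the rewrapping to a separate formatting-only commit so the security-relevant change can be reviewed and backported on its own.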
@ -76,15 +79,17 @@
| name | swift | | name | swift |
| type | object-store | | type | object-store |
+-------------+----------------------------------+</computeroutput></screen> +-------------+----------------------------------+</computeroutput></screen>
<note><para>The service ID is randomly generated and is different from <note>
the one shown here.</para></note> <para>The service ID is randomly generated and is different
from the one shown here.</para>
</note>
</step> </step>
<step> <step>
<para>Specify an API endpoint for the Object Storage Service by using <para>Specify an API endpoint for the Object Storage Service by
the returned service ID. When you specify an endpoint, you using the returned service ID. When you specify an endpoint,
provide URLs for the public API, internal API, and admin API. you provide URLs for the public API, internal API, and admin
In this guide, the <literal>controller</literal> host name is API. In this guide, the <literal>controller</literal> host
used:</para> name is used:</para>
<screen><prompt>$</prompt> <userinput>keystone endpoint-create \ <screen><prompt>$</prompt> <userinput>keystone endpoint-create \
--service-id=$(keystone service-list | awk '/ object-store / {print $2}') \ --service-id=$(keystone service-list | awk '/ object-store / {print $2}') \
--publicurl='http://<replaceable>controller</replaceable>:8080/v1/AUTH_%(tenant_id)s' \ --publicurl='http://<replaceable>controller</replaceable>:8080/v1/AUTH_%(tenant_id)s' \
@ -102,27 +107,22 @@
+-------------+---------------------------------------------------+</computeroutput></screen> +-------------+---------------------------------------------------+</computeroutput></screen>
</step> </step>
<step> <step>
<para>Create the configuration directory on <para>Create the configuration directory on all nodes:</para>
all nodes:</para>
<screen><prompt>#</prompt> <userinput>mkdir -p /etc/swift</userinput></screen> <screen><prompt>#</prompt> <userinput>mkdir -p /etc/swift</userinput></screen>
</step> </step>
<step> <step>
<para>Create <para>Create <filename>/etc/swift/swift.conf</filename> on all
<filename>/etc/swift/swift.conf</filename> on nodes:</para>
all nodes:</para>
<programlisting language="ini"><xi:include parse="text" href="../samples/swift.conf.txt"/></programlisting> <programlisting language="ini"><xi:include parse="text" href="../samples/swift.conf.txt"/></programlisting>
</step> </step>
</procedure> </procedure>
<note> <note>
<para>The suffix value in <para>The suffix value in <filename>/etc/swift/swift.conf</filename>
<filename>/etc/swift/swift.conf</filename> should should be set to some random string of text to be used as a salt
be set to some random string of text to be used as a when hashing to determine mappings in the ring. This file must
salt when hashing to determine mappings in the ring. be the same on every node in the cluster!</para>
This file must be the same on every node in the
cluster!</para>
</note> </note>
<para>Next, set up your storage nodes and proxy node. This <para>Next, set up your storage nodes and proxy node. This example uses
example uses the Identity Service for the common the Identity Service for the common authentication piece.</para>
authentication piece.</para>
</section> </section>
</section> </section>
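Review bot: the closing paragraph of this hunk still reads "This example uses the Identity Service for the common authentication piece" with no API version, although the DevStack sentence in the first hunk was changed to name the v2.0 API. Since the line is being rewrapped anyway, name Identity API v2.0 here as well, so the section ends on the same requirement that the new warning sets.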