From 7da45d65be36d36b880cc55c5036e96c24b53f00 Mon Sep 17 00:00:00 2001 From: Qiaowei Ren Date: Thu, 1 Mar 2018 14:38:11 +0800 Subject: remove ceph code This patch removes initial ceph code, due to license issue. Change-Id: I092d44f601cdf34aed92300fe13214925563081c Signed-off-by: Qiaowei Ren
---
src/ceph/doc/radosgw/barbican.rst | 120 -------------------------------------- 1 file changed, 120 deletions(-) delete mode 100644 src/ceph/doc/radosgw/barbican.rst (limited to 'src/ceph/doc/radosgw/barbican.rst')
diff --git a/src/ceph/doc/radosgw/barbican.rst b/src/ceph/doc/radosgw/barbican.rst
deleted file mode 100644
index 3a7fe6e..0000000
--- a/src/ceph/doc/radosgw/barbican.rst
+++ /dev/null
@@ -1,120 +0,0 @@
-==============================
-OpenStack Barbican Integration
-==============================
-
-OpenStack `Barbican`_ can be used as a secure key management service for
-`Server-Side Encryption`_.
-
-.. image:: ../images/rgw-encryption-barbican.png
-
-#. `Configure Keystone`_
-#. `Create a Keystone user`_
-#. `Configure the Ceph Object Gateway`_
-#. `Create a key in Barbican`_
-
-Configure Keystone
-==================
-
-Barbican depends on Keystone for authorization and access control of its keys.
-
-See `OpenStack Keystone Integration`_.
-
-Create a Keystone user
-======================
-
-Create a new user that will be used by the Ceph Object Gateway to retrieve
-keys.
-
-For example::
-
- user = rgwcrypt-user
- pass = rgwcrypt-password
- tenant = rgwcrypt
-
-See OpenStack documentation for `Manage projects, users, and roles`_.
-
-Create a key in Barbican
-========================
-
-See Barbican documentation for `How to Create a Secret`_. Requests to
-Barbican must include a valid Keystone token in the ``X-Auth-Token`` header.
-
-Example request::
-
- POST /v1/secrets HTTP/1.1
- Host: barbican.example.com:9311
- Accept: */*
- Content-Type: application/json
- X-Auth-Token: 7f7d588dd29b44df983bc961a6b73a10
- Content-Length: 299
-
- {
- "name": "my-key",
- "expiration": "2016-12-28T19:14:44.180394",
- "algorithm": "aes",
- "bit_length": 256,
- "mode": "cbc",
- "payload": "6b+WOZ1T3cqZMxgThRcXAQBrS5mXKdDUphvpxptl9/4=",
- "payload_content_type": "application/octet-stream",
- "payload_content_encoding": "base64"
- }
-
-Response::
-
- {"secret_ref": "http://barbican.example.com:9311/v1/secrets/d1e7ef3b-f841-4b7c-90b2-b7d90ca2d723"}
-
-In the response, ``d1e7ef3b-f841-4b7c-90b2-b7d90ca2d723`` is the key id that
-can be used in any `SSE-KMS`_ request.
-
-This newly created key is not accessible by user ``rgwcrypt-user``. This
-privilege must be added with an ACL. See `How to Set/Replace ACL`_ for more
-details.
-
-Example request (assuming that the Keystone id of ``rgwcrypt-user`` is
-``906aa90bd8a946c89cdff80d0869460f``)::
-
- PUT /v1/secrets/d1e7ef3b-f841-4b7c-90b2-b7d90ca2d723/acl HTTP/1.1
- Host: barbican.example.com:9311
- Accept: */*
- Content-Type: application/json
- X-Auth-Token: 7f7d588dd29b44df983bc961a6b73a10
- Content-Length: 101
-
- {
- "read":{
- "users":[ "906aa90bd8a946c89cdff80d0869460f" ],
- "project-access": true
- }
- }
-
-Response::
-
- {"acl_ref": "http://barbican.example.com:9311/v1/secrets/d1e7ef3b-f841-4b7c-90b2-b7d90ca2d723/acl"}
-
-Configure the Ceph Object Gateway
-=================================
-
-Edit the Ceph configuration file to add information about the Barbican server
-and Keystone user::
-
- rgw barbican url = http://barbican.example.com:9311
- rgw keystone barbican user = rgwcrypt-user
- rgw keystone barbican password = rgwcrypt-password
-
-When using Keystone API version 2::
-
- rgw keystone barbican tenant = rgwcrypt
-
-When using API version 3::
-
- rgw keystone barbican project
- rgw keystone barbican domain
-
-
-.. _Barbican: https://wiki.openstack.org/wiki/Barbican
-.. _Server-Side Encryption: ../encryption
-.. _OpenStack Keystone Integration: ../keystone
-.. _Manage projects, users, and roles: https://docs.openstack.org/admin-guide/cli-manage-projects-users-and-roles.html#create-a-user
-.. _How to Create a Secret: https://developer.openstack.org/api-guide/key-manager/secrets.html#how-to-create-a-secret
-.. _SSE-KMS: http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingKMSEncryption.html
-.. _How to Set/Replace ACL: https://developer.openstack.org/api-guide/key-manager/acls.html#how-to-set-replace-acl
-- cgit 1.2.3-korg