Comment 2 for bug 1540426

Radoslaw Zarzynski (rzarzynski) wrote :

Enabling or disabling S3/Keystone integration in radosgw
is a decision associated with a trade-off: load on Keystone
(performance) vs. ease of configuration and management.
For technical details, please take a look at the bottom of
this comment.

IMO the decision should be taken directly by the user, and
keeping Ceph's defaults for "rgw_s3_auth_use_keystone",
which we have followed for ages, seems to be a reasonable option for
MOS 8. For MOS 9 and above we should have a checkbox
in Fuel with a warning/message explaining the trade-off.

=== root cause of performance problem ===
An application employing the S3 API authenticates a message,
assures its integrity and prohibits replay attacks by
appending the result of an HMAC function calculated with its
signing key over some parts of the message (including the
current time):

  signature := HMAC(<signing key>, <parts of message>)

Then, the signature and user ID are appended to the message.

RadosGW cannot know the user's credentials (that is solely Keystone's
responsibility), so it has to ask Keystone every time it
comes to verifying whether the signature is correct or not.
As the signature is specific to a given message, the caching
that is normally employed in the case of the Swift API won't be
effective here.