# -*- mode: YAML -*- --- options: # According to AWS S3(http://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html), # An ACL may have up to 100 grants. - name: rgw_acl_grants_max_num type: int level: advanced desc: The maximum number of ACL grants in a single request. default: 100 services: - rgw with_legacy: true # A user may have up to 100 IAM user policies. - name: rgw_user_policies_max_num type: int level: advanced desc: The maximum number of IAM user policies for a single user. default: 100 services: - rgw with_legacy: true # According to AWS S3 (http://docs.aws.amazon.com/AmazonS3/latest/dev/cors.html), # A CORS request may have up to 100 rules. - name: rgw_cors_rules_max_num type: int level: advanced desc: The maximum number of CORS rules in a single request. default: 100 services: - rgw with_legacy: true # According to AWS S3 (https://docs.aws.amazon.com/AmazonS3/latest/dev/DeletingObjects.html), # Amazon S3 also provides the Multi-Object Delete API that you can use to delete up to 1000 # objects in a single HTTP request. - name: rgw_delete_multi_obj_max_num type: int level: advanced desc: The maximum number of objects in a single multi-object delete request. default: 1000 services: - rgw with_legacy: true # According to AWS S3, An website routing config can have up to 50 rules. - name: rgw_website_routing_rules_max_num type: int level: advanced desc: The maximum number of website routing rules in a single request. default: 50 services: - rgw with_legacy: true - name: rgw_rados_tracing type: bool level: advanced desc: Enables LTTng-UST tracepoints. default: false services: - rgw - name: rgw_op_tracing type: bool level: advanced desc: Enables LTTng-UST operator tracepoints. default: false services: - rgw - name: rgw_max_chunk_size type: size level: advanced desc: The maximum RGW chunk size. long_desc: The chunk size is the size of RADOS I/O requests that RGW sends when accessing data objects. RGW read and write operations will never request more than this amount in a single request. This also defines the RGW head object size, as head operations need to be atomic, and anything larger than this would require more than a single operation. When RGW objects are written to the default storage class, up to this amount of payload data will be stored alongside metadata in the head object. default: 4_M services: - rgw with_legacy: true - name: rgw_put_obj_min_window_size type: size level: advanced desc: The minimum RADOS write window size (in bytes). long_desc: The window size determines the total concurrent RADOS writes of a single RGW object. When writing an object RGW will send multiple chunks to RADOS. The total size of the writes does not exceed the window size. The window size may be adjusted dynamically in order to better utilize the pipe. default: 16_M services: - rgw see_also: - rgw_put_obj_max_window_size - rgw_max_chunk_size with_legacy: true - name: rgw_put_obj_max_window_size type: size level: advanced desc: The maximum RADOS write window size (in bytes). long_desc: The window size may be dynamically adjusted, but will not surpass this value. default: 64_M services: - rgw see_also: - rgw_put_obj_min_window_size - rgw_max_chunk_size with_legacy: true - name: rgw_max_put_size type: size level: advanced desc: The maximum size (in bytes) of regular (non multi-part) object upload. long_desc: Plain object upload is capped at this amount of data. In order to upload larger objects, a special upload mechanism is required. The S3 API provides the multi-part upload, and Swift provides DLO and SLO. default: 5_G services: - rgw with_legacy: true - name: rgw_max_put_param_size type: size level: advanced desc: The maximum size (in bytes) of data input of certain RESTful requests. default: 1_M services: - rgw with_legacy: true - name: rgw_max_attr_size type: size level: advanced desc: The maximum length of metadata value. 0 skips the check default: 0 services: - rgw with_legacy: true - name: rgw_max_attr_name_len type: size level: advanced desc: The maximum length of metadata name. 0 skips the check default: 0 services: - rgw with_legacy: true - name: rgw_max_attrs_num_in_req type: uint level: advanced desc: The maximum number of metadata items that can be put via single request default: 0 services: - rgw with_legacy: true # override max bucket index shards in zone configuration (if not zero) # # Represents the number of shards for the bucket index object, a value of zero # indicates there is no sharding. By default (no sharding, the name of the object # is '.dir.{marker}', with sharding, the name is '.dir.{markder}.{sharding_id}', # sharding_id is zero-based value. It is not recommended to set a too large value # (e.g. thousand) as it increases the cost for bucket listing. - name: rgw_override_bucket_index_max_shards type: uint level: dev desc: The default number of bucket index shards for newly-created buckets. This value overrides bucket_index_max_shards stored in the zone. Setting this value in the zone is preferred, because it applies globally to all radosgw daemons running in the zone. fmt_desc: Represents the number of shards for the bucket index object, a value of zero indicates there is no sharding. It is not recommended to set a value too large (e.g. thousand) as it increases the cost for bucket listing. This variable should be set in the client or global sections so that it is automatically applied to radosgw-admin commands. default: 0 services: - rgw with_legacy: true # Represents the maximum AIO pending requests for the bucket index object shards. - name: rgw_bucket_index_max_aio type: uint level: advanced desc: Max number of concurrent RADOS requests when handling bucket shards. default: 128 services: - rgw with_legacy: true - name: rgw_multi_obj_del_max_aio type: uint level: advanced desc: Max number of concurrent RADOS requests per multi-object delete request. default: 16 services: - rgw with_legacy: true # whether or not the quota/gc threads should be started - name: rgw_enable_quota_threads type: bool level: advanced desc: Enables the quota maintenance thread. long_desc: The quota maintenance thread is responsible for quota related maintenance work. The thread itself can be disabled, but in order for quota to work correctly, at least one RGW in each zone needs to have this thread running. Having the thread enabled on multiple RGW processes within the same zone can spread some of the maintenance work between them. default: true services: - rgw see_also: - rgw_enable_gc_threads - rgw_enable_lc_threads with_legacy: true - name: rgw_enable_gc_threads type: bool level: advanced desc: Enables the garbage collection maintenance thread. long_desc: The garbage collection maintenance thread is responsible for garbage collector maintenance work. The thread itself can be disabled, but in order for garbage collection to work correctly, at least one RGW in each zone needs to have this thread running. Having the thread enabled on multiple RGW processes within the same zone can spread some of the maintenance work between them. default: true services: - rgw see_also: - rgw_enable_quota_threads - rgw_enable_lc_threads with_legacy: true - name: rgw_enable_lc_threads type: bool level: advanced desc: Enables the lifecycle maintenance thread. This is required on at least one rgw for each zone. long_desc: The lifecycle maintenance thread is responsible for lifecycle related maintenance work. The thread itself can be disabled, but in order for lifecycle to work correctly, at least one RGW in each zone needs to have this thread running. Havingthe thread enabled on multiple RGW processes within the same zone can spread some of the maintenance work between them. default: true services: - rgw see_also: - rgw_enable_gc_threads - rgw_enable_quota_threads with_legacy: true - name: rgw_data type: str level: advanced desc: Alternative location for RGW configuration. long_desc: If this is set, the different Ceph system configurables (such as the keyring file will be located in the path that is specified here. fmt_desc: Sets the location of the data files for Ceph RADOS Gateway. default: /var/lib/ceph/radosgw/$cluster-$id services: - rgw flags: - no_mon_update with_legacy: true - name: rgw_enable_apis type: str level: advanced desc: A list of set of RESTful APIs that rgw handles. fmt_desc: | Enables the specified APIs. .. note:: Enabling the ``s3`` API is a requirement for any ``radosgw`` instance that is meant to participate in a `multi-site <../multisite>`_ configuration. default: s3, s3website, swift, swift_auth, admin, sts, iam, notifications services: - rgw with_legacy: true - name: rgw_cache_enabled type: bool level: advanced desc: Enable RGW metadata cache. long_desc: The metadata cache holds metadata entries that RGW requires for processing requests. Metadata entries can be user info, bucket info, and bucket instance info. If not found in the cache, entries will be fetched from the backing RADOS store. fmt_desc: Whether the Ceph Object Gateway cache is enabled. default: true services: - rgw see_also: - rgw_cache_lru_size with_legacy: true - name: rgw_cache_lru_size type: int level: advanced desc: Max number of items in RGW metadata cache. long_desc: When full, the RGW metadata cache evicts least recently used entries. fmt_desc: The number of entries in the Ceph Object Gateway cache. default: 10000 services: - rgw see_also: - rgw_cache_enabled with_legacy: true - name: rgw_dns_name type: str level: advanced desc: The host names that RGW uses. long_desc: A comma separated list of DNS names. This is Needed for virtual hosting of buckets to work properly, unless configured via zonegroup configuration. fmt_desc: The DNS names of the served domains. See also the ``hostnames`` setting within zonegroups. services: - rgw with_legacy: true - name: rgw_dns_s3website_name type: str level: advanced desc: The host name that RGW uses for static websites (S3) long_desc: This is needed for virtual hosting of buckets, unless configured via zonegroup configuration. services: - rgw with_legacy: true - name: rgw_numa_node type: int level: advanced desc: set rgw's cpu affinity to a numa node (-1 for none) default: -1 services: - rgw flags: - startup - name: rgw_service_provider_name type: str level: advanced desc: Service provider name which is contained in http response headers long_desc: As S3 or other cloud storage providers do, http response headers should contain the name of the provider. This name will be placed in http header 'Server'. services: - rgw with_legacy: true - name: rgw_content_length_compat type: bool level: advanced desc: Multiple content length headers compatibility long_desc: Try to handle requests with abiguous multiple content length headers (Content-Length, Http-Content-Length). fmt_desc: Enable compatibility handling of FCGI requests with both ``CONTENT_LENGTH`` and ``HTTP_CONTENT_LENGTH`` set. default: false services: - rgw with_legacy: true - name: rgw_relaxed_region_enforcement type: bool level: advanced desc: Disable region constraint enforcement long_desc: Enable requests such as bucket creation to succeed irrespective of region restrictions (Jewel compat). default: false services: - rgw - name: rgw_lifecycle_work_time type: str level: advanced desc: Lifecycle allowed work time long_desc: Local time window in which the lifecycle maintenance thread can work. default: 00:00-06:00 services: - rgw with_legacy: true - name: rgw_lc_lock_max_time type: int level: dev default: 90 services: - rgw with_legacy: true - name: rgw_lc_thread_delay type: int level: advanced desc: Delay after processing of bucket listing chunks (i.e., per 1000 entries) in milliseconds default: 0 services: - rgw - name: rgw_lc_max_worker type: int level: advanced desc: Number of LCWorker tasks that will be run in parallel long_desc: Number of LCWorker tasks that will run in parallel--used to permit >1 bucket/index shards to be processed simultaneously fmt_desc: This option specifies the number of lifecycle worker threads to run in parallel, thereby processing bucket and index shards simultaneously. default: 3 services: - rgw with_legacy: true - name: rgw_lc_max_wp_worker type: int level: advanced desc: Number of workpool threads per LCWorker long_desc: Number of threads in per-LCWorker workpools--used to accelerate per-bucket processing fmt_desc: This option specifies the number of threads in each lifecycle workers work pool. This option can help accelerate processing each bucket. default: 3 services: - rgw with_legacy: true - name: rgw_lc_max_objs type: int level: advanced desc: Number of lifecycle data shards long_desc: Number of RADOS objects to use for storing lifecycle index. This affects concurrency of lifecycle maintenance, as shards can be processed in parallel. default: 32 services: - rgw with_legacy: true - name: rgw_lc_max_rules type: uint level: advanced desc: Max number of lifecycle rules set on one bucket long_desc: Number of lifecycle rules set on one bucket should be limited. default: 1000 services: - rgw with_legacy: true - name: rgw_lc_debug_interval type: int level: dev desc: The number of seconds that simulate one "day" in order to debug RGW LifeCycle. Do *not* modify for a production cluster. long_desc: For debugging RGW LifeCycle, the number of seconds that are equivalent to one simulated "day". Values less than 1 are ignored and do not change LifeCycle behavior. For example, during debugging if one wanted every 10 minutes to be equivalent to one day, then this would be set to 600, the number of seconds in 10 minutes. default: -1 services: - rgw with_legacy: true - name: rgw_mp_lock_max_time type: int level: advanced desc: Multipart upload max completion time long_desc: Time length to allow completion of a multipart upload operation. This is done to prevent concurrent completions on the same object with the same upload id. default: 10_min services: - rgw - name: rgw_script_uri type: str level: dev fmt_desc: The alternative value for the ``SCRIPT_URI`` if not set in the request. services: - rgw with_legacy: true - name: rgw_request_uri type: str level: dev fmt_desc: The alternative value for the ``REQUEST_URI`` if not set in the request. services: - rgw with_legacy: true - name: rgw_ignore_get_invalid_range type: bool level: advanced desc: Treat invalid (e.g., negative) range request as full long_desc: Treat invalid (e.g., negative) range request as request for the full object (AWS compatibility) default: false services: - rgw with_legacy: true - name: rgw_swift_url type: str level: advanced desc: Swift-auth storage URL long_desc: Used in conjunction with rgw internal swift authentication. This affects the X-Storage-Url response header value. fmt_desc: The URL for the Ceph Object Gateway Swift API. services: - rgw see_also: - rgw_swift_auth_entry with_legacy: true - name: rgw_swift_url_prefix type: str level: advanced desc: Swift URL prefix long_desc: The URL path prefix for swift requests. fmt_desc: | The URL prefix for the Swift API, to distinguish it from the S3 API endpoint. The default is ``swift``, which makes the Swift API available at the URL ``http://host:port/swift/v1`` (or ``http://host:port/swift/v1/AUTH_%(tenant_id)s`` if ``rgw swift account in url`` is enabled). For compatibility, setting this configuration variable to the empty string causes the default ``swift`` to be used; if you do want an empty prefix, set this option to ``/``. .. warning:: If you set this option to ``/``, you must disable the S3 API by modifying ``rgw enable apis`` to exclude ``s3``. It is not possible to operate radosgw with ``rgw swift url prefix = /`` and simultaneously support both the S3 and Swift APIs. If you do need to support both APIs without prefixes, deploy multiple radosgw instances to listen on different hosts (or ports) instead, enabling some for S3 and some for Swift. example: /swift-testing default: swift services: - rgw with_legacy: true - name: rgw_swift_auth_url type: str level: advanced desc: Swift auth URL long_desc: Default url to which RGW connects and verifies tokens for v1 auth (if not using internal swift auth). services: - rgw with_legacy: true - name: rgw_swift_auth_entry type: str level: advanced desc: Swift auth URL prefix long_desc: URL path prefix for internal swift auth requests. fmt_desc: The entry point for a Swift auth URL. default: auth services: - rgw see_also: - rgw_swift_url with_legacy: true - name: rgw_swift_tenant_name type: str level: advanced desc: Swift tenant name long_desc: Tenant name that is used when constructing the swift path. services: - rgw see_also: - rgw_swift_account_in_url with_legacy: true - name: rgw_swift_account_in_url type: bool level: advanced desc: Swift account encoded in URL long_desc: Whether the swift account is encoded in the uri path (AUTH_). fmt_desc: | Whether or not the Swift account name should be included in the Swift API URL. If set to ``false`` (the default), then the Swift API will listen on a URL formed like ``http://host:port//v1``, and the account name (commonly a Keystone project UUID if radosgw is configured with `Keystone integration <../keystone>`_) will be inferred from request headers. If set to ``true``, the Swift API URL will be ``http://host:port//v1/AUTH_`` (or ``http://host:port//v1/AUTH_``) instead, and the Keystone ``object-store`` endpoint must accordingly be configured to include the ``AUTH_%(tenant_id)s`` suffix. You **must** set this option to ``true`` (and update the Keystone service catalog) if you want radosgw to support publicly-readable containers and `temporary URLs <../swift/tempurl>`_. default: false services: - rgw see_also: - rgw_swift_tenant_name with_legacy: true - name: rgw_swift_enforce_content_length type: bool level: advanced desc: Send content length when listing containers (Swift) long_desc: Whether content length header is needed when listing containers. When this is set to false, RGW will send extra info for each entry in the response. default: false services: - rgw with_legacy: true - name: rgw_keystone_url type: str level: basic desc: The URL to the Keystone server. services: - rgw with_legacy: true - name: rgw_keystone_admin_token type: str level: advanced desc: 'DEPRECATED: The admin token (shared secret) that is used for the Keystone requests.' fmt_desc: The Keystone admin token (shared secret). In Ceph RGW authentication with the admin token has priority over authentication with the admin credentials (``rgw_keystone_admin_user``, ``rgw_keystone_admin_password``, ``rgw_keystone_admin_tenant``, ``rgw_keystone_admin_project``, ``rgw_keystone_admin_domain``). The Keystone admin token has been deprecated, but can be used to integrate with older environments. It is preferred to instead configure ``rgw_keystone_admin_token_path`` to avoid exposing the token. services: - rgw with_legacy: true - name: rgw_keystone_admin_token_path type: str level: advanced desc: Path to a file containing the admin token (shared secret) that is used for the Keystone requests. fmt_desc: Path to a file containing the Keystone admin token (shared secret). In Ceph RadosGW authentication with the admin token has priority over authentication with the admin credentials (``rgw_keystone_admin_user``, ``rgw_keystone_admin_password``, ``rgw_keystone_admin_tenant``, ``rgw_keystone_admin_project``, ``rgw_keystone_admin_domain``). The Keystone admin token has been deprecated, but can be used to integrate with older environments. services: - rgw with_legacy: true - name: rgw_keystone_admin_user type: str level: advanced desc: Keystone admin user. fmt_desc: The name of OpenStack user with admin privilege for Keystone authentication (Service User) when using OpenStack Identity API v2 services: - rgw with_legacy: true - name: rgw_keystone_admin_password type: str level: advanced desc: 'DEPRECATED: Keystone admin password.' fmt_desc: The password for OpenStack admin user when using OpenStack Identity API v2. It is preferred to instead configure ``rgw_keystone_admin_password_path`` to avoid exposing the token. services: - rgw with_legacy: true - name: rgw_keystone_admin_password_path type: str level: advanced desc: Path to a file containing the Keystone admin password. fmt_desc: Path to a file containing the password for OpenStack admin user when using OpenStack Identity API v2. services: - rgw with_legacy: true - name: rgw_keystone_admin_tenant type: str level: advanced desc: Keystone admin user tenant. fmt_desc: The name of OpenStack tenant with admin privilege (Service Tenant) when using OpenStack Identity API v2 services: - rgw with_legacy: true - name: rgw_keystone_admin_project type: str level: advanced desc: Keystone admin user project (for Keystone v3). fmt_desc: The name of OpenStack project with admin privilege when using OpenStack Identity API v3. If left unspecified, value of ``rgw keystone admin tenant`` will be used instead. services: - rgw with_legacy: true - name: rgw_keystone_admin_domain type: str level: advanced desc: Keystone admin user domain (for Keystone v3). fmt_desc: The name of OpenStack domain with admin privilege when using OpenStack Identity API v3. services: - rgw with_legacy: true - name: rgw_keystone_service_token_enabled type: bool level: advanced desc: Service tokens allowing the usage of expired Keystone auth tokens fmt_desc: The service token support allows the incoming request to contain a X-Service-Token header with a Keystone token that if it has acceptable roles allows using an expired token in the X-Auth-Token header. default: false see_also: - rgw_keystone_service_token_accepted_roles - rgw_keystone_expired_token_cache_expiration services: - rgw with_legacy: true - name: rgw_keystone_service_token_accepted_roles type: str level: advanced desc: Only users with one of these roles will be valid for service users. fmt_desc: The users that created the service token given must have one of these roles to be considered a valid service user. default: admin see_also: - rgw_keystone_service_token_enabled services: - rgw with_legacy: true - name: rgw_keystone_expired_token_cache_expiration type: int level: advanced desc: The number of seconds to add to current time for expired token expiration fmt_desc: The expired token that is allowed when a valid service token is given need a new expiration date for the caching. This is the seconds to add to the current time and then set on an expired token that is verified with a service token. default: 3600 services: - rgw see_also: - rgw_keystone_service_token_enabled with_legacy: true - name: rgw_keystone_barbican_user type: str level: advanced desc: Keystone user to access barbican secrets. fmt_desc: The name of the OpenStack user with access to the `Barbican`_ secrets used for `Encryption`_. services: - rgw with_legacy: true - name: rgw_keystone_barbican_password type: str level: advanced desc: Keystone password for barbican user. fmt_desc: The password associated with the `Barbican`_ user. services: - rgw with_legacy: true - name: rgw_keystone_barbican_tenant type: str level: advanced desc: Keystone barbican user tenant (Keystone v2.0). fmt_desc: The name of the OpenStack tenant associated with the `Barbican`_ user when using OpenStack Identity API v2. services: - rgw with_legacy: true - name: rgw_keystone_barbican_project type: str level: advanced desc: Keystone barbican user project (Keystone v3). fmt_desc: The name of the OpenStack project associated with the `Barbican`_ user when using OpenStack Identity API v3. services: - rgw with_legacy: true - name: rgw_keystone_barbican_domain type: str level: advanced desc: Keystone barbican user domain. fmt_desc: The name of the OpenStack domain associated with the `Barbican`_ user when using OpenStack Identity API v3. services: - rgw with_legacy: true - name: rgw_keystone_api_version type: int level: advanced desc: Version of Keystone API to use (2 or 3). fmt_desc: The version (2 or 3) of OpenStack Identity API that should be used for communication with the Keystone server. default: 2 services: - rgw with_legacy: true - name: rgw_keystone_accepted_roles type: str level: advanced desc: Only users with one of these roles will be served when doing Keystone authentication. fmt_desc: The roles required to serve requests. default: Member, admin services: - rgw with_legacy: true - name: rgw_keystone_accepted_admin_roles type: str level: advanced desc: List of roles allowing user to gain admin privileges (Keystone). services: - rgw with_legacy: true - name: rgw_keystone_token_cache_size type: int level: advanced desc: Keystone token cache size long_desc: Max number of Keystone tokens that will be cached. Token that is not cached requires RGW to access the Keystone server when authenticating. fmt_desc: The maximum number of entries in each Keystone token cache. default: 10000 services: - rgw with_legacy: true - name: rgw_keystone_verify_ssl type: bool level: advanced desc: Should RGW verify the Keystone server SSL certificate. fmt_desc: Verify SSL certificates while making token requests to keystone. default: true services: - rgw with_legacy: true - name: rgw_keystone_implicit_tenants type: str level: advanced desc: RGW Keystone implicit tenants creation long_desc: Implicitly create new users in their own tenant with the same name when authenticating via Keystone. Can be limited to s3 or swift only. default: 'false' services: - rgw enum_values: - 'false' - 'true' - swift - s3 - both - '0' - '1' - none with_legacy: true - name: rgw_cross_domain_policy type: str level: advanced desc: RGW handle cross domain policy long_desc: Returned cross domain policy when accessing the crossdomain.xml resource (Swift compatiility). default: services: - rgw with_legacy: true - name: rgw_healthcheck_disabling_path type: str level: dev desc: Swift health check api can be disabled if a file can be accessed in this path. services: - rgw with_legacy: true - name: rgw_s3_auth_use_rados type: bool level: advanced desc: Should S3 authentication use credentials stored in RADOS backend. default: true services: - rgw with_legacy: true - name: rgw_s3_auth_use_keystone type: bool level: advanced desc: Should S3 authentication use Keystone. default: false services: - rgw with_legacy: true - name: rgw_s3_auth_order type: str level: advanced desc: Authentication strategy order to use for s3 authentication long_desc: Order of authentication strategies to try for s3 authentication, the allowed options are a comma separated list of engines external, local. The default order is to try all the externally configured engines before attempting local rados based authentication default: sts, external, local services: - rgw with_legacy: true - name: rgw_barbican_url type: str level: advanced desc: URL to barbican server. fmt_desc: The URL for the Barbican server. services: - rgw with_legacy: true # OpenLDAP-style LDAP parameter strings - name: rgw_ldap_uri type: str level: advanced desc: Space-separated list of LDAP servers in URI format. default: ldaps:// services: - rgw with_legacy: true - name: rgw_ldap_binddn type: str level: advanced desc: LDAP entry RGW will bind with (user match). default: uid=admin,cn=users,dc=example,dc=com services: - rgw with_legacy: true - name: rgw_ldap_searchdn type: str level: advanced desc: LDAP search base (basedn). default: cn=users,cn=accounts,dc=example,dc=com services: - rgw with_legacy: true - name: rgw_ldap_dnattr type: str level: advanced desc: LDAP attribute containing RGW user names (to form binddns). default: uid services: - rgw with_legacy: true - name: rgw_ldap_secret type: str level: advanced desc: Path to file containing credentials for rgw_ldap_binddn. default: /etc/openldap/secret services: - rgw with_legacy: true - name: rgw_s3_auth_use_ldap type: bool level: advanced desc: Should S3 authentication use LDAP. default: false services: - rgw with_legacy: true - name: rgw_ldap_searchfilter type: str level: advanced desc: LDAP search filter. services: - rgw with_legacy: true - name: rgw_opa_url type: str level: advanced desc: URL to OPA server. services: - rgw with_legacy: true - name: rgw_opa_token type: str level: advanced desc: The Bearer token OPA uses to authenticate client requests. services: - rgw with_legacy: true - name: rgw_opa_verify_ssl type: bool level: advanced desc: Should RGW verify the OPA server SSL certificate. default: true services: - rgw with_legacy: true - name: rgw_use_opa_authz type: bool level: advanced desc: Should OPA be used to authorize client requests. default: false services: - rgw with_legacy: true - name: rgw_admin_entry type: str level: advanced desc: Path prefix to be used for accessing RGW RESTful admin API. fmt_desc: The entry point for an admin request URL. default: admin services: - rgw with_legacy: true - name: rgw_enforce_swift_acls type: bool level: advanced desc: RGW enforce swift acls long_desc: Should RGW enforce special Swift-only ACLs. Swift has a special ACL that gives permission to access all objects in a container. fmt_desc: Enforces the Swift Access Control List (ACL) settings. default: true services: - rgw with_legacy: true - name: rgw_swift_token_expiration type: int level: advanced desc: Expiration time (in seconds) for token generated through RGW Swift auth. fmt_desc: The time in seconds for expiring a Swift token. default: 1_day services: - rgw with_legacy: true - name: rgw_print_continue type: bool level: advanced desc: RGW support of 100-continue long_desc: Should RGW explicitly send 100 (continue) responses. This is mainly relevant when using FastCGI, as some FastCGI modules do not fully support this feature. fmt_desc: Enable ``100-continue`` if it is operational. default: true services: - rgw with_legacy: true - name: rgw_print_prohibited_content_length type: bool level: advanced desc: RGW RFC-7230 compatibility long_desc: Specifies whether RGW violates RFC 7230 and sends Content-Length with 204 or 304 statuses. default: false services: - rgw with_legacy: true - name: rgw_remote_addr_param type: str level: advanced desc: HTTP header that holds the remote address in incoming requests. long_desc: RGW will use this header to extract requests origin. When RGW runs behind a reverse proxy, the remote address header will point at the proxy's address and not at the originator's address. Therefore it is sometimes possible to have the proxy add the originator's address in a separate HTTP header, which will allow RGW to log it correctly. fmt_desc: The remote address parameter. For example, the HTTP field containing the remote address, or the ``X-Forwarded-For`` address if a reverse proxy is operational. default: REMOTE_ADDR services: - rgw see_also: - rgw_enable_ops_log with_legacy: true - name: rgw_op_thread_timeout type: int level: dev desc: Timeout for async rados coroutine operations. fmt_desc: The timeout in seconds for open threads. default: 10_min services: - rgw with_legacy: true - name: rgw_op_thread_suicide_timeout type: int level: dev default: 0 fmt_desc: The time ``timeout`` in seconds before a Ceph Object Gateway process dies. Disabled if set to ``0``. services: - rgw with_legacy: true - name: rgw_thread_pool_size type: int level: basic desc: RGW requests handling thread pool size. long_desc: This parameter determines the number of concurrent requests RGW can process when using either the civetweb, or the fastcgi frontends. The higher this number is, RGW will be able to deal with more concurrent requests at the cost of more resource utilization. fmt_desc: The size of the thread pool. default: 512 services: - rgw with_legacy: true - name: rgw_num_control_oids type: int level: advanced desc: Number of control objects used for cross-RGW communication. long_desc: RGW uses certain control objects to send messages between different RGW processes running on the same zone. These messages include metadata cache invalidation info that is being sent when metadata is modified (such as user or bucket information). A higher number of control objects allows better concurrency of these messages, at the cost of more resource utilization. fmt_desc: The number of notification objects used for cache synchronization between different ``rgw`` instances. default: 8 services: - rgw with_legacy: true - name: rgw_verify_ssl type: bool level: advanced desc: Should RGW verify SSL when connecing to a remote HTTP server long_desc: RGW can send requests to other RGW servers (e.g., in multi-site sync work). This configurable selects whether RGW should verify the certificate for the remote peer and host. fmt_desc: Verify SSL certificates while making requests. default: true services: - rgw see_also: - rgw_keystone_verify_ssl with_legacy: true # The following are tunables for caches of RGW NFS (and other file # client) objects. # # The file handle cache is a partitioned hash table # (fhcache_partitions), each with a closed hash part and backing # b-tree mapping. The number of partions is expected to be a small # prime, the cache size something larger but less than 5K, the total # size of the cache is n_part * cache_size. - name: rgw_nfs_lru_lanes type: int level: advanced default: 5 services: - rgw with_legacy: true - name: rgw_nfs_lru_lane_hiwat type: int level: advanced default: 911 services: - rgw with_legacy: true - name: rgw_nfs_fhcache_partitions type: int level: advanced default: 3 services: - rgw with_legacy: true - name: rgw_nfs_fhcache_size type: int level: advanced default: 2017 services: - rgw with_legacy: true - name: rgw_nfs_namespace_expire_secs type: int level: advanced default: 5_min services: - rgw min: 1 with_legacy: true - name: rgw_nfs_max_gc type: int level: advanced default: 5_min services: - rgw min: 1 with_legacy: true - name: rgw_nfs_write_completion_interval_s type: int level: advanced default: 10 services: - rgw with_legacy: true # use fast S3 attrs from bucket index--currently assumes NFS mounts are immutable - name: rgw_nfs_s3_fast_attrs type: bool level: advanced desc: use fast S3 attrs from bucket index (immutable only) long_desc: use fast S3 attrs from bucket index (assumes NFS mounts are immutable) default: false services: - rgw with_legacy: true # overrides for librgw/nfs - name: rgw_nfs_run_gc_threads type: bool level: advanced desc: run GC threads in librgw (default off) default: false services: - rgw with_legacy: true - name: rgw_nfs_run_lc_threads type: bool level: advanced desc: run lifecycle threads in librgw (default off) default: false services: - rgw with_legacy: true - name: rgw_nfs_run_quota_threads type: bool level: advanced desc: run quota threads in librgw (default off) default: false services: - rgw with_legacy: true - name: rgw_nfs_run_sync_thread type: bool level: advanced desc: run sync thread in librgw (default off) default: false services: - rgw with_legacy: true - name: rgw_nfs_frontends type: str level: basic desc: RGW frontends configuration when running as librgw/nfs long_desc: A comma-delimited list of frontends configuration. Each configuration contains the type of the frontend followed by an optional space delimited set of key=value config parameters. fmt_desc: Configures the HTTP frontend(s). The configuration for multiple frontends can be provided in a comma-delimited list. Each frontend configuration may include a list of options separated by spaces, where each option is in the form "key=value" or "key". See `HTTP Frontends`_ for more on supported options. default: rgw-nfs services: - rgw with_legacy: true see_also: - rgw_frontends - name: rgw_rados_pool_autoscale_bias type: float level: advanced desc: pg_autoscale_bias value for RGW metadata (omap-heavy) pools default: 4 services: - rgw min: 0.01 max: 100000 - name: rgw_rados_pool_recovery_priority type: uint level: advanced desc: recovery_priority value for RGW metadata (omap-heavy) pools default: 5 services: - rgw min: -10 max: 10 - name: rgw_zone type: str level: advanced desc: Zone name fmt_desc: The name of the zone for the gateway instance. If no zone is set, a cluster-wide default can be configured with the command ``radosgw-admin zone default``. services: - rgw see_also: - rgw_zonegroup - rgw_realm with_legacy: true - name: rgw_zone_id type: str level: advanced desc: Zone ID services: - rgw see_also: - rgw_zone - rgw_zonegroup - rgw_realm - name: rgw_zone_root_pool type: str level: advanced desc: Zone root pool name long_desc: The zone root pool, is the pool where the RGW zone configuration located. default: .rgw.root services: - rgw see_also: - rgw_zonegroup_root_pool - rgw_realm_root_pool - rgw_period_root_pool with_legacy: true - name: rgw_default_zone_info_oid type: str level: advanced desc: Default zone info object id long_desc: Name of the RADOS object that holds the default zone information. default: default.zone services: - rgw with_legacy: true - name: rgw_region type: str level: advanced desc: Region name long_desc: Obsolete config option. The rgw_zonegroup option should be used instead. services: - rgw see_also: - rgw_zonegroup with_legacy: true - name: rgw_region_root_pool type: str level: advanced desc: Region root pool long_desc: Obsolete config option. The rgw_zonegroup_root_pool should be used instead. default: .rgw.root services: - rgw see_also: - rgw_zonegroup_root_pool with_legacy: true - name: rgw_default_region_info_oid type: str level: advanced desc: Default region info object id long_desc: Obsolete config option. The rgw_default_zonegroup_info_oid should be used instead. default: default.region services: - rgw see_also: - rgw_default_zonegroup_info_oid with_legacy: true - name: rgw_zonegroup type: str level: advanced desc: Zonegroup name fmt_desc: The name of the zonegroup for the gateway instance. If no zonegroup is set, a cluster-wide default can be configured with the command ``radosgw-admin zonegroup default``. services: - rgw see_also: - rgw_zone - rgw_realm with_legacy: true - name: rgw_zonegroup_id type: str level: advanced desc: Zonegroup ID services: - rgw see_also: - rgw_zone - rgw_zonegroup - rgw_realm - name: rgw_zonegroup_root_pool type: str level: advanced desc: Zonegroup root pool long_desc: The zonegroup root pool, is the pool where the RGW zonegroup configuration located. default: .rgw.root services: - rgw see_also: - rgw_zone_root_pool - rgw_realm_root_pool - rgw_period_root_pool with_legacy: true - name: rgw_default_zonegroup_info_oid type: str level: advanced default: default.zonegroup services: - rgw with_legacy: true - name: rgw_realm type: str level: advanced fmt_desc: The name of the realm for the gateway instance. If no realm is set, a cluster-wide default can be configured with the command ``radosgw-admin realm default``. services: - rgw with_legacy: true - name: rgw_realm_id type: str level: advanced services: - rgw - name: rgw_realm_root_pool type: str level: advanced desc: Realm root pool long_desc: The realm root pool, is the pool where the RGW realm configuration located. default: .rgw.root services: - rgw see_also: - rgw_zonegroup_root_pool - rgw_zone_root_pool - rgw_period_root_pool with_legacy: true - name: rgw_default_realm_info_oid type: str level: advanced default: default.realm services: - rgw with_legacy: true - name: rgw_period_root_pool type: str level: advanced desc: Period root pool long_desc: The period root pool, is the pool where the RGW period configuration located. default: .rgw.root services: - rgw see_also: - rgw_zonegroup_root_pool - rgw_zone_root_pool - rgw_realm_root_pool with_legacy: true - name: rgw_period_latest_epoch_info_oid type: str level: dev default: .latest_epoch services: - rgw with_legacy: true - name: rgw_log_nonexistent_bucket type: bool level: advanced desc: Should RGW log operations on bucket that does not exist long_desc: This config option applies to the ops log. When this option is set, the ops log will log operations that are sent to non existing buckets. These operations inherently fail, and do not correspond to a specific user. fmt_desc: Enables Ceph Object Gateway to log a request for a non-existent bucket. default: false services: - rgw see_also: - rgw_enable_ops_log with_legacy: true # man date to see codes (a subset are supported) - name: rgw_log_object_name type: str level: advanced desc: Ops log object name format long_desc: Defines the format of the RADOS objects names that ops log uses to store ops log data fmt_desc: The logging format for an object name. See ma npage :manpage:`date` for details about format specifiers. default: '%Y-%m-%d-%H-%i-%n' services: - rgw see_also: - rgw_enable_ops_log with_legacy: true - name: rgw_log_object_name_utc type: bool level: advanced desc: Should ops log object name based on UTC long_desc: If set, the names of the RADOS objects that hold the ops log data will be based on UTC time zone. If not set, it will use the local time zone. fmt_desc: Whether a logged object name includes a UTC time. If ``false``, it uses the local time. default: false services: - rgw see_also: - rgw_enable_ops_log - rgw_log_object_name with_legacy: true - name: rgw_usage_max_shards type: int level: advanced desc: Number of shards for usage log. long_desc: The number of RADOS objects that RGW will use in order to store the usage log data. fmt_desc: The maximum number of shards for usage logging. default: 32 services: - rgw see_also: - rgw_enable_usage_log with_legacy: true - name: rgw_usage_max_user_shards type: int level: advanced desc: Number of shards for single user in usage log long_desc: The number of shards that a single user will span over in the usage log. fmt_desc: The maximum number of shards used for a single user's usage logging. default: 1 services: - rgw see_also: - rgw_enable_usage_log min: 1 with_legacy: true # enable logging every rgw operation - name: rgw_enable_ops_log type: bool level: advanced desc: Enable ops log fmt_desc: Enable logging for each successful Ceph Object Gateway operation. default: false services: - rgw see_also: - rgw_log_nonexistent_bucket - rgw_log_object_name - rgw_ops_log_rados - rgw_ops_log_socket_path - rgw_ops_log_file_path with_legacy: true # enable logging bandwidth usage - name: rgw_enable_usage_log type: bool level: advanced desc: Enable the usage log default: false services: - rgw see_also: - rgw_usage_max_shards with_legacy: true # whether ops log should go to rados - name: rgw_ops_log_rados type: bool level: advanced desc: Use RADOS for ops log long_desc: If set, RGW will store ops log information in RADOS. WARNING, there is no automation to clean up these log entries, so by default they will pile up without bound. This MUST NOT be enabled unless the admin has a strategy to manage and trim these log entries with `radosgw-admin log rm`. fmt_desc: Whether the operations log should be written to the Ceph Storage Cluster backend. default: false services: - rgw see_also: - rgw_enable_ops_log - rgw_log_object_name_utc - rgw_log_object_name with_legacy: true # path to unix domain socket where ops log can go - name: rgw_ops_log_socket_path type: str level: advanced desc: Unix domain socket path for ops log. long_desc: Path to unix domain socket that RGW will listen for connection on. When connected, RGW will send ops log data through it. fmt_desc: The Unix domain socket for writing operations logs. services: - rgw see_also: - rgw_enable_ops_log - rgw_ops_log_data_backlog with_legacy: true # path to file where ops log can go - name: rgw_ops_log_file_path type: str level: advanced desc: File-system path for ops log. long_desc: Path to file that RGW will log ops logs to. A cephadm deployment will automatically rotate these logs under /var/log/ceph/. Other deployments should arrange for similar log rotation. fmt_desc: The file-system path for writing operations logs. daemon_default: /var/log/ceph/ops-log-$cluster-$name.log services: - rgw see_also: - rgw_enable_ops_log with_legacy: true # max data backlog for ops log - name: rgw_ops_log_data_backlog type: size level: advanced desc: Ops log socket backlog long_desc: Maximum amount of data backlog that RGW can keep when ops log is configured to send info through unix domain socket. When data backlog is higher than this, ops log entries will be lost. In order to avoid ops log information loss, the listener needs to clear data (by reading it) quickly enough. fmt_desc: The maximum data backlog data size for operations logs written to a Unix domain socket. default: 5_M services: - rgw see_also: - rgw_enable_ops_log - rgw_ops_log_socket_path with_legacy: true - name: rgw_usage_log_flush_threshold type: int level: advanced desc: Number of entries in usage log before flushing long_desc: This is the max number of entries that will be held in the usage log, before it will be flushed to the backend. Note that the usage log is periodically flushed, even if number of entries does not reach this threshold. A usage log entry corresponds to one or more operations on a single bucket.i fmt_desc: The number of dirty merged entries in the usage log before flushing synchronously. default: 1024 services: - rgw see_also: - rgw_enable_usage_log - rgw_usage_log_tick_interval with_legacy: true - name: rgw_usage_log_tick_interval type: int level: advanced desc: Number of seconds between usage log flush cycles long_desc: The number of seconds between consecutive usage log flushes. The usage log will also flush itself to the backend if the number of pending entries reaches a certain threshold. fmt_desc: Flush pending usage log data every ``n`` seconds. default: 30 services: - rgw see_also: - rgw_enable_usage_log - rgw_usage_log_flush_threshold with_legacy: true - name: rgw_init_timeout type: int level: basic desc: Initialization timeout long_desc: The time length (in seconds) that RGW will allow for its initialization. RGW process will give up and quit if initialization is not complete after this amount of time. fmt_desc: The number of seconds before Ceph Object Gateway gives up on initialization. default: 5_min services: - rgw with_legacy: true - name: rgw_mime_types_file type: str level: basic desc: Path to local mime types file long_desc: The mime types file is needed in Swift when uploading an object. If object's content type is not specified, RGW will use data from this file to assign a content type to the object. fmt_desc: The path and location of the MIME-types file. Used for Swift auto-detection of object types. default: /etc/mime.types services: - rgw with_legacy: true - name: rgw_gc_max_objs type: int level: advanced desc: Number of shards for garbage collector data long_desc: The number of garbage collector data shards, is the number of RADOS objects that RGW will use to store the garbage collection information on. fmt_desc: The maximum number of objects that may be handled by garbage collection in one garbage collection processing cycle. Please do not change this value after the first deployment. default: 32 services: - rgw see_also: - rgw_gc_obj_min_wait - rgw_gc_processor_max_time - rgw_gc_processor_period - rgw_gc_max_concurrent_io with_legacy: true # wait time before object may be handled by gc, recommended lower limit is 30 mins - name: rgw_gc_obj_min_wait type: int level: advanced desc: Garbage collection object expiration time long_desc: The length of time (in seconds) that the RGW collector will wait before purging a deleted object's data. RGW will not remove object immediately, as object could still have readers. A mechanism exists to increase the object's expiration time when it's being read. The recommended value of its lower limit is 30 minutes fmt_desc: The minimum wait time before a deleted object may be removed and handled by garbage collection processing. default: 2_hr services: - rgw see_also: - rgw_gc_max_objs - rgw_gc_processor_max_time - rgw_gc_processor_period - rgw_gc_max_concurrent_io with_legacy: true - name: rgw_gc_processor_max_time type: int level: advanced desc: Length of time GC processor can lease shard long_desc: Garbage collection thread in RGW process holds a lease on its data shards. These objects contain the information about the objects that need to be removed. RGW takes a lease in order to prevent multiple RGW processes from handling the same objects concurrently. This time signifies that maximum amount of time (in seconds) that RGW is allowed to hold that lease. In the case where RGW goes down uncleanly, this is the amount of time where processing of that data shard will be blocked. fmt_desc: The maximum time between the beginning of two consecutive garbage collection processing cycles. default: 1_hr services: - rgw see_also: - rgw_gc_max_objs - rgw_gc_obj_min_wait - rgw_gc_processor_period - rgw_gc_max_concurrent_io with_legacy: true - name: rgw_gc_processor_period type: int level: advanced desc: Garbage collector cycle run time long_desc: The amount of time between the start of consecutive runs of the garbage collector threads. If garbage collector runs takes more than this period, it will not wait before running again. fmt_desc: The cycle time for garbage collection processing. default: 1_hr services: - rgw see_also: - rgw_gc_max_objs - rgw_gc_obj_min_wait - rgw_gc_processor_max_time - rgw_gc_max_concurrent_io - rgw_gc_max_trim_chunk with_legacy: true - name: rgw_gc_max_concurrent_io type: int level: advanced desc: Max concurrent RADOS IO operations for garbage collection long_desc: The maximum number of concurrent IO operations that the RGW garbage collection thread will use when purging old data. default: 10 services: - rgw see_also: - rgw_gc_max_objs - rgw_gc_obj_min_wait - rgw_gc_processor_max_time - rgw_gc_max_trim_chunk with_legacy: true - name: rgw_gc_max_trim_chunk type: int level: advanced desc: Max number of keys to remove from garbage collector log in a single operation default: 16 services: - rgw see_also: - rgw_gc_max_objs - rgw_gc_obj_min_wait - rgw_gc_processor_max_time - rgw_gc_max_concurrent_io with_legacy: true - name: rgw_gc_max_deferred_entries_size type: uint level: advanced desc: maximum allowed size of deferred entries in queue head for gc default: 3_K services: - rgw with_legacy: true - name: rgw_gc_max_queue_size type: uint level: advanced desc: Maximum allowed queue size for gc long_desc: The maximum allowed size of each gc queue, and its value should not be greater than (osd_max_object_size - rgw_gc_max_deferred_entries_size - 1K). default: 131068_K services: - rgw see_also: - osd_max_object_size - rgw_gc_max_deferred_entries_size with_legacy: true - name: rgw_gc_max_deferred type: uint level: advanced desc: Number of maximum deferred data entries to be stored in queue for gc default: 50 services: - rgw with_legacy: true - name: rgw_s3_success_create_obj_status type: int level: advanced desc: HTTP return code override for object creation long_desc: If not zero, this is the HTTP return code that will be returned on a successful S3 object creation. fmt_desc: The alternate success status response for ``create-obj``. default: 0 services: - rgw with_legacy: true - name: rgw_s3_client_max_sig_ver type: int level: advanced desc: Max S3 authentication signature version long_desc: If greater than zero, would force max signature version to use default: -1 services: - rgw - name: rgw_resolve_cname type: bool level: advanced desc: Support vanity domain names via CNAME long_desc: If true, RGW will query DNS when detecting that it's serving a request that was sent to a host in another domain. If a CNAME record is configured for that domain it will use it instead. This gives user to have the ability of creating a unique domain of their own to point at data in their bucket. fmt_desc: Whether ``rgw`` should use DNS CNAME record of the request hostname field (if hostname is not equal to ``rgw dns name``). default: false services: - rgw with_legacy: true - name: rgw_obj_stripe_size type: size level: advanced desc: RGW object stripe size long_desc: The size of an object stripe for RGW objects. This is the maximum size a backing RADOS object will have. RGW objects that are larger than this will span over multiple objects. fmt_desc: The size of an object stripe for Ceph Object Gateway objects. See `Architecture`_ for details on striping. default: 4_M services: - rgw with_legacy: true # list of extended attrs that can be set on objects (beyond the default) - name: rgw_extended_http_attrs type: str level: advanced desc: RGW support extended HTTP attrs long_desc: Add new set of attributes that could be set on an object. These extra attributes can be set through HTTP header fields when putting the objects. If set, these attributes will return as HTTP fields when doing GET/HEAD on the object. fmt_desc: Add new set of attributes that could be set on an entity (user, bucket or object). These extra attributes can be set through HTTP header fields when putting the entity or modifying it using POST method. If set, these attributes will return as HTTP fields when doing GET/HEAD on the entity. services: - rgw example: content_foo, content_bar, x-foo-bar with_legacy: true - name: rgw_exit_timeout_secs type: int level: advanced desc: RGW shutdown timeout long_desc: Number of seconds to wait for a process before exiting unconditionally. default: 2_min services: - rgw with_legacy: true - name: rgw_get_obj_window_size type: size level: advanced desc: RGW object read window size long_desc: The window size in bytes for a single object read request default: 16_M services: - rgw with_legacy: true - name: rgw_get_obj_max_req_size type: size level: advanced desc: RGW object read chunk size long_desc: The maximum request size of a single object read operation sent to RADOS fmt_desc: The maximum request size of a single get operation sent to the Ceph Storage Cluster. default: 4_M services: - rgw with_legacy: true - name: rgw_relaxed_s3_bucket_names type: bool level: advanced desc: RGW enable relaxed S3 bucket names long_desc: RGW enable relaxed S3 bucket name rules for US region buckets. fmt_desc: Enables relaxed S3 bucket names rules for US region buckets. default: false services: - rgw with_legacy: true - name: rgw_defer_to_bucket_acls type: str level: advanced desc: Bucket ACLs override object ACLs long_desc: If not empty, a string that selects that mode of operation. 'recurse' will use bucket's ACL for the authorization. 'full-control' will allow users that users that have full control permission on the bucket have access to the object. services: - rgw with_legacy: true - name: rgw_list_buckets_max_chunk type: int level: advanced desc: Max number of buckets to retrieve in a single listing operation long_desc: When RGW fetches lists of user's buckets from the backend, this is the max number of entries it will try to retrieve in a single operation. Note that the backend may choose to return a smaller number of entries. fmt_desc: The maximum number of buckets to retrieve in a single operation when listing user buckets. default: 1000 services: - rgw with_legacy: true - name: rgw_md_log_max_shards type: int level: advanced desc: RGW number of metadata log shards long_desc: The number of shards the RGW metadata log entries will reside in. This affects the metadata sync parallelism as a shard can only be processed by a single RGW at a time fmt_desc: The maximum number of shards for the metadata log. default: 64 services: - rgw with_legacy: true - name: rgw_curl_buffersize type: int level: dev long_desc: 'Pass a long specifying your preferred size (in bytes) for the receivebuffer in libcurl. See: https://curl.se/libcurl/c/CURLOPT_BUFFERSIZE.html' default: 524288 services: - rgw min: 1024 max: 524288 with_legacy: true - name: rgw_curl_wait_timeout_ms type: int level: dev default: 1000 fmt_desc: The timeout in milliseconds for certain ``curl`` calls. services: - rgw with_legacy: true - name: rgw_curl_low_speed_limit type: int level: advanced long_desc: It contains the average transfer speed in bytes per second that the transfer should be below during rgw_curl_low_speed_time seconds for libcurl to consider it to be too slow and abort. Set it zero to disable this. default: 1024 services: - rgw with_legacy: true - name: rgw_curl_low_speed_time type: int level: advanced long_desc: It contains the time in number seconds that the transfer speed should be below the rgw_curl_low_speed_limit for the library to consider it too slow and abort. Set it zero to disable this. default: 5_min services: - rgw with_legacy: true - name: rgw_curl_tcp_keepalive type: int level: advanced long_desc: Enable TCP keepalive on the HTTP client sockets managed by libcurl. This does not apply to connections received by the HTTP frontend, but only to HTTP requests sent by radosgw. Examples include requests to Keystone for authentication, sync requests from multisite, and requests to key management servers for SSE. enum_values: - 0 - 1 default: 0 services: - rgw with_legacy: true - name: rgw_copy_obj_progress type: bool level: advanced desc: Send progress report through copy operation long_desc: If true, RGW will send progress information when copy operation is executed. fmt_desc: Enables output of object progress during long copy operations. default: true services: - rgw with_legacy: true - name: rgw_copy_obj_progress_every_bytes type: size level: advanced desc: Send copy-object progress info after these many bytes fmt_desc: The minimum bytes between copy progress output. default: 1_M services: - rgw with_legacy: true - name: rgw_max_copy_obj_concurrent_io type: int level: advanced desc: Number of refcount operations to process concurrently when executing copy_obj default: 10 services: - rgw with_legacy: true - name: rgw_sync_obj_etag_verify type: bool level: advanced desc: Verify if the object copied from remote is identical to its source long_desc: If true, this option computes the MD5 checksum of the data which is written at the destination and checks if it is identical to the ETAG stored in the source. It ensures integrity of the objects fetched from a remote server over HTTP including multisite sync. default: false services: - rgw with_legacy: true - name: rgw_obj_tombstone_cache_size type: int level: advanced desc: Max number of entries to keep in tombstone cache long_desc: The tombstone cache is used when doing a multi-zone data sync. RGW keeps there information about removed objects which is needed in order to prevent re-syncing of objects that were already removed. default: 1000 services: - rgw with_legacy: true - name: rgw_data_log_window type: int level: advanced desc: Data log time window long_desc: The data log keeps information about buckets that have objectst that were modified within a specific timeframe. The sync process then knows which buckets are needed to be scanned for data sync. fmt_desc: The data log entries window in seconds. default: 30 services: - rgw with_legacy: true - name: rgw_data_log_changes_size type: int level: dev desc: Max size of pending changes in data log long_desc: RGW will trigger update to the data log if the number of pending entries reached this number. fmt_dsec: The number of in-memory entries to hold for the data changes log. default: 1000 services: - rgw with_legacy: true - name: rgw_data_log_num_shards type: int level: advanced desc: Number of data log shards long_desc: The number of shards the RGW data log entries will reside in. This affects the data sync parallelism as a shard can only be processed by a single RGW at a time. fmt_desc: The number of shards (objects) on which to keep the data changes log. default: 128 services: - rgw with_legacy: true - name: rgw_data_log_obj_prefix type: str level: dev default: data_log fmt_desc: The object name prefix for the data log. services: - rgw with_legacy: true - name: rgw_data_sync_poll_interval type: int level: dev default: 20 fmt_desc: Once multisite's incremental sync of a datalog shard is caught up with its source, it will wait this long (in seconds) before polling for more changes. services: - rgw see_also: - rgw_meta_sync_poll_interval with_legacy: true - name: rgw_meta_sync_poll_interval type: int level: dev default: 20 fmt_desc: Once multisite's incremental sync of a mdlog shard is caught up with its source, it will wait this long (in seconds) before polling for more changes. services: - rgw see_also: - rgw_data_sync_poll_interval with_legacy: true - name: rgw_bucket_sync_spawn_window type: int level: dev default: 20 fmt_desc: The maximum number of items that bucket sync is willing to process in parallel (per remote bilog shard). services: - rgw see_also: - rgw_data_sync_spawn_window - rgw_meta_sync_spawn_window with_legacy: true - name: rgw_data_sync_spawn_window type: int level: dev default: 20 fmt_desc: The maximum number of items that data sync is willing to process in parallel (per remote datalog shard). services: - rgw see_also: - rgw_bucket_sync_spawn_window - rgw_meta_sync_spawn_window with_legacy: true - name: rgw_meta_sync_spawn_window type: int level: dev default: 20 fmt_desc: The maximum number of items that metadata sync is willing to process in parallel (per remote mdlog shard). services: - rgw see_also: - rgw_bucket_sync_spawn_window - rgw_data_sync_spawn_window with_legacy: true - name: rgw_bucket_quota_ttl type: int level: advanced desc: Bucket quota stats cache TTL long_desc: Length of time for bucket stats to be cached within RGW instance. fmt_desc: The amount of time in seconds cached quota information is trusted. After this timeout, the quota information will be re-fetched from the cluster. default: 10_min services: - rgw with_legacy: true - name: rgw_bucket_quota_cache_size type: int level: advanced desc: RGW quota stats cache size long_desc: Maximum number of entries in the quota stats cache. default: 10000 services: - rgw with_legacy: true - name: rgw_bucket_default_quota_max_objects type: int level: basic desc: Default quota for max objects in a bucket long_desc: The default quota configuration for max number of objects in a bucket. A negative number means 'unlimited'. fmt_desc: Default max number of objects per bucket. Set on new users, if no other quota is specified. Has no effect on existing users. This variable should be set in the client or global sections so that it is automatically applied to radosgw-admin commands. default: -1 services: - rgw with_legacy: true - name: rgw_bucket_default_quota_max_size type: int level: advanced desc: Default quota for total size in a bucket long_desc: The default quota configuration for total size of objects in a bucket. A negative number means 'unlimited'. fmt_desc: Default max capacity per bucket, in bytes. Set on new users, if no other quota is specified. Has no effect on existing users. default: -1 services: - rgw with_legacy: true - name: rgw_expose_bucket type: bool level: advanced desc: Send Bucket HTTP header with the response long_desc: If true, RGW will send a Bucket HTTP header with the responses. The header will contain the name of the bucket the operation happened on. default: false services: - rgw with_legacy: true - name: rgw_frontends type: str level: basic desc: RGW frontends configuration long_desc: A comma delimited list of frontends configuration. Each configuration contains the type of the frontend followed by an optional space delimited set of key=value config parameters. fmt_desc: Configures the HTTP frontend(s). The configuration for multiple frontends can be provided in a comma-delimited list. Each frontend configuration may include a list of options separated by spaces, where each option is in the form "key=value" or "key". See `HTTP Frontends`_ for more on supported options. default: beast port=7480 services: - rgw with_legacy: true - name: rgw_frontend_defaults type: str level: advanced desc: RGW frontends default configuration long_desc: A comma delimited list of default frontends configuration. default: beast ssl_certificate=config://rgw/cert/$realm/$zone.crt ssl_private_key=config://rgw/cert/$realm/$zone.key services: - rgw - name: rgw_beast_enable_async type: bool level: dev desc: Enable async request processing under beast using coroutines long_desc: When enabled, the beast frontend will process requests using coroutines, allowing the concurrent processing of several requests on the same thread. When disabled, the number of concurrent requests will be limited by the thread count, but debugging and tracing the synchronous calls can be easier. default: true services: - rgw with_legacy: true - name: rgw_user_quota_bucket_sync_interval type: int level: advanced desc: User quota bucket sync interval long_desc: Time period for accumulating modified buckets before syncing these stats. fmt_desc: The amount of time in seconds bucket quota information is accumulated before syncing to the cluster. During this time, other RGW instances will not see the changes in bucket quota stats from operations on this instance. default: 3_min services: - rgw with_legacy: true - name: rgw_user_quota_sync_interval type: int level: advanced desc: User quota sync interval long_desc: Time period for accumulating modified buckets before syncing entire user stats. fmt_desc: The amount of time in seconds user quota information is accumulated before syncing to the cluster. During this time, other RGW instances will not see the changes in user quota stats from operations on this instance. default: 1_day services: - rgw with_legacy: true - name: rgw_user_quota_sync_idle_users type: bool level: advanced desc: Should sync idle users quota long_desc: Whether stats for idle users be fully synced. default: false services: - rgw with_legacy: true - name: rgw_user_quota_sync_wait_time type: int level: advanced desc: User quota full-sync wait time long_desc: Minimum time between two full stats sync for non-idle users. default: 1_day services: - rgw with_legacy: true - name: rgw_user_default_quota_max_objects type: int level: basic desc: User quota max objects long_desc: The default quota configuration for total number of objects for a single user. A negative number means 'unlimited'. fmt_desc: Default max number of objects for a user. This includes all objects in all buckets owned by the user. Set on new users, if no other quota is specified. Has no effect on existing users. default: -1 services: - rgw with_legacy: true - name: rgw_user_default_quota_max_size type: int level: basic desc: User quota max size long_desc: The default quota configuration for total size of objects for a single user. A negative number means 'unlimited'. fmt_desc: The value for user max size quota in bytes set on new users, if no other quota is specified. Has no effect on existing users. default: -1 services: - rgw with_legacy: true - name: rgw_multipart_min_part_size type: size level: advanced desc: Minimum S3 multipart-upload part size long_desc: When doing a multipart upload, each part (other than the last part) must be at least this size. default: 5_M services: - rgw with_legacy: true - name: rgw_multipart_part_upload_limit type: int level: advanced desc: Max number of parts in multipart upload default: 10000 services: - rgw with_legacy: true - name: rgw_max_slo_entries type: int level: advanced desc: Max number of entries in Swift Static Large Object manifest default: 1000 services: - rgw with_legacy: true - name: rgw_olh_pending_timeout_sec type: int level: dev desc: Max time for pending OLH change to complete long_desc: OLH is a versioned object's logical head. Operations on it are journaled and as pending before completion. If an operation doesn't complete with this amount of seconds, we remove the operation from the journal. default: 1_hr services: - rgw with_legacy: true - name: rgw_user_max_buckets type: int level: basic desc: Max number of buckets per user long_desc: A user can create at most this number of buckets. Zero means no limit; a negative value means users cannot create any new buckets, although users will retain buckets already created. default: 1000 services: - rgw with_legacy: true - name: rgw_objexp_gc_interval type: uint level: advanced desc: Swift objects expirer garbage collector interval default: 600 services: - rgw with_legacy: true - name: rgw_objexp_hints_num_shards type: uint level: advanced desc: Number of object expirer data shards long_desc: The number of shards the (Swift) object expirer will store its data on. default: 127 services: - rgw with_legacy: true # maximum number of entries in a single operation when processing objexp data - name: rgw_objexp_chunk_size type: uint level: dev default: 100 services: - rgw with_legacy: true - name: rgw_enable_static_website type: bool level: basic desc: Enable static website APIs long_desc: This configurable controls whether RGW handles the website control APIs. RGW can server static websites if s3website hostnames are configured, and unrelated to this configurable. default: false services: - rgw with_legacy: true - name: rgw_user_unique_email type: bool level: basic desc: Require local RGW users to have unique email addresses long_desc: Enforce builtin user accounts to have unique email addresses. This setting is historical. In future, non-enforcement of email address uniqueness is likely to become the default. default: true services: - rgw - name: rgw_log_http_headers type: str level: basic desc: List of HTTP headers to log long_desc: A comma delimited list of HTTP headers to log when seen, ignores case (e.g., http_x_forwarded_for). fmt_desc: Comma-delimited list of HTTP headers to include with ops log entries. Header names are case insensitive, and use the full header name with words separated by underscores. example: http_x_forwarded_for, http_x_special_k services: - rgw with_legacy: true - name: rgw_num_async_rados_threads type: int level: advanced desc: Number of concurrent RADOS operations in multisite sync long_desc: The number of concurrent RADOS IO operations that will be triggered for handling multisite sync operations. This includes control related work, and not the actual sync operations. default: 32 services: - rgw with_legacy: true - name: rgw_md_notify_interval_msec type: int level: advanced desc: Length of time to aggregate metadata changes long_desc: Length of time (in milliseconds) in which the master zone aggregates all the metadata changes that occurred, before sending notifications to all the other zones. default: 200 services: - rgw with_legacy: true - name: rgw_run_sync_thread type: bool level: advanced desc: Should run sync thread fmt_desc: If there are other zones in the realm to sync from, spawn threads to handle the sync of data and metadata. default: true services: - rgw with_legacy: true - name: rgw_sync_lease_period type: int level: dev default: 2_min services: - rgw with_legacy: true - name: rgw_sync_log_trim_interval type: int level: advanced desc: Sync log trim interval long_desc: Time in seconds between attempts to trim sync logs. default: 20_min services: - rgw with_legacy: true - name: rgw_sync_log_trim_max_buckets type: int level: advanced desc: Maximum number of buckets to trim per interval long_desc: The maximum number of buckets to consider for bucket index log trimming each trim interval, regardless of the number of bucket index shards. Priority is given to buckets with the most sync activity over the last trim interval. default: 16 services: - rgw see_also: - rgw_sync_log_trim_interval - rgw_sync_log_trim_min_cold_buckets - rgw_sync_log_trim_concurrent_buckets - name: rgw_sync_log_trim_min_cold_buckets type: int level: advanced desc: Minimum number of cold buckets to trim per interval long_desc: Of the `rgw_sync_log_trim_max_buckets` selected for bucket index log trimming each trim interval, at least this many of them must be 'cold' buckets. These buckets are selected in order from the list of all bucket instances, to guarantee that all buckets will be visited eventually. default: 4 services: - rgw see_also: - rgw_sync_log_trim_interval - rgw_sync_log_trim_max_buckets - rgw_sync_log_trim_concurrent_buckets - name: rgw_sync_log_trim_concurrent_buckets type: int level: advanced desc: Maximum number of buckets to trim in parallel default: 4 services: - rgw see_also: - rgw_sync_log_trim_interval - rgw_sync_log_trim_max_buckets - rgw_sync_log_trim_min_cold_buckets - name: rgw_sync_data_inject_err_probability type: float level: dev default: 0 services: - rgw with_legacy: true - name: rgw_sync_meta_inject_err_probability type: float level: dev default: 0 services: - rgw with_legacy: true - name: rgw_sync_data_full_inject_err_probability type: float level: dev default: 0 services: - rgw with_legacy: true - name: rgw_sync_trace_history_size type: size level: advanced desc: Sync trace history size long_desc: Maximum number of complete sync trace entries to keep. default: 4_K services: - rgw with_legacy: true - name: rgw_sync_trace_per_node_log_size type: int level: advanced desc: Sync trace per-node log size long_desc: The number of log entries to keep per sync-trace node. default: 32 services: - rgw with_legacy: true - name: rgw_sync_trace_servicemap_update_interval type: int level: advanced desc: Sync-trace service-map update interval long_desc: Number of seconds between service-map updates of sync-trace events. default: 10 services: - rgw with_legacy: true - name: rgw_period_push_interval type: float level: advanced desc: Period push interval long_desc: Number of seconds to wait before retrying 'period push' operation. default: 2 services: - rgw with_legacy: true - name: rgw_period_push_interval_max type: float level: advanced desc: Period push maximum interval long_desc: The max number of seconds to wait before retrying 'period push' after exponential backoff. default: 30 services: - rgw with_legacy: true - name: rgw_safe_max_objects_per_shard type: int level: advanced desc: Safe number of objects per shard long_desc: This is the max number of objects per bucket index shard that RGW considers safe. RGW will warn if it identifies a bucket where its per-shard count is higher than a percentage of this number. default: 102400 services: - rgw see_also: - rgw_shard_warning_threshold with_legacy: true # pct of safe max at which to warn - name: rgw_shard_warning_threshold type: float level: advanced desc: Warn about max objects per shard long_desc: Warn if number of objects per shard in a specific bucket passed this percentage of the safe number. default: 90 services: - rgw see_also: - rgw_safe_max_objects_per_shard with_legacy: true - name: rgw_swift_versioning_enabled type: bool level: advanced desc: Enable Swift versioning fmt_desc: | Enables the Object Versioning of OpenStack Object Storage API. This allows clients to put the ``X-Versions-Location`` attribute on containers that should be versioned. The attribute specifies the name of container storing archived versions. It must be owned by the same user that the versioned container due to access control verification - ACLs are NOT taken into consideration. Those containers cannot be versioned by the S3 object versioning mechanism. A slightly different attribute, ``X-History-Location``, which is also understood by `OpenStack Swift `_ for handling ``DELETE`` operations, is currently not supported. default: false services: - rgw with_legacy: true - name: rgw_swift_custom_header type: str level: advanced desc: Enable swift custom header long_desc: If not empty, specifies a name of HTTP header that can include custom data. When uploading an object, if this header is passed RGW will store this header info and it will be available when listing the bucket. services: - rgw with_legacy: true - name: rgw_swift_need_stats type: bool level: advanced desc: Enable stats on bucket listing in Swift default: true services: - rgw with_legacy: true - name: rgw_reshard_num_logs type: uint level: advanced default: 16 services: - rgw - rgw min: 1 - name: rgw_reshard_bucket_lock_duration type: uint level: advanced desc: Number of seconds the timeout on the reshard locks (bucket reshard lock and reshard log lock) are set to. As a reshard proceeds these locks can be renewed/extended. If too short, reshards cannot complete and will fail, causing a future reshard attempt. If too long a hung or crashed reshard attempt will keep the bucket locked for an extended period, not allowing RGW to detect the failed reshard attempt and recover. default: 360 tags: - performance services: - rgw - rgw min: 30 - name: rgw_debug_inject_set_olh_err type: uint level: dev desc: Whether to inject errors between rados olh modification initialization and bucket index instance linking. The value determines the error code. This exists for development and testing purposes to help simulate cases where bucket index entries aren't cleaned up by the request thread after an error scenario. default: 0 with_legacy: true services: - rgw - name: rgw_debug_inject_olh_cancel_modification_err type: bool level: dev desc: Whether to inject an error to simulate a failure to cancel olh modification. This exists for development and testing purposes. default: false with_legacy: true services: - rgw - name: rgw_reshard_batch_size type: uint level: advanced desc: Number of reshard entries to batch together before sending the operations to the CLS back-end default: 64 tags: - performance services: - rgw - rgw min: 8 - name: rgw_reshard_max_aio type: uint level: advanced desc: Maximum number of outstanding asynchronous I/O operations to allow at a time during resharding default: 128 tags: - performance services: - rgw - rgw min: 16 - name: rgw_trust_forwarded_https type: bool level: advanced desc: Trust Forwarded and X-Forwarded-Proto headers long_desc: When a proxy in front of radosgw is used for ssl termination, radosgw does not know whether incoming http connections are secure. Enable this option to trust the Forwarded and X-Forwarded-Proto headers sent by the proxy when determining whether the connection is secure. This is required for some features, such as server side encryption. (Never enable this setting if you do not have a trusted proxy in front of radosgw, or else malicious users will be able to set these headers in any request.) fmt_desc: When a proxy in front of radosgw is used for ssl termination, radosgw does not know whether incoming http connections are secure. Enable this option to trust the ``Forwarded`` and ``X-Forwarded-Proto`` headers sent by the proxy when determining whether the connection is secure. This is required for some features, such as server side encryption. (Never enable this setting if you do not have a trusted proxy in front of radosgw, or else malicious users will be able to set these headers in any request.) default: false services: - rgw see_also: - rgw_crypt_require_ssl with_legacy: true - name: rgw_crypt_require_ssl type: bool level: advanced desc: Requests including encryption key headers must be sent over ssl default: true services: - rgw with_legacy: true # base64 encoded key for encryption of rgw objects - name: rgw_crypt_default_encryption_key type: str level: dev services: - rgw with_legacy: true - name: rgw_crypt_s3_kms_backend type: str level: advanced desc: Where the SSE-KMS encryption keys are stored. Supported KMS systems are OpenStack Barbican ('barbican', the default) and HashiCorp Vault ('vault'). fmt_desc: Where the SSE-KMS encryption keys are stored. Supported KMS systems are OpenStack Barbican (``barbican``, the default) and HashiCorp Vault (``vault``). default: barbican services: - rgw enum_values: - barbican - vault - testing - kmip with_legacy: true # extra keys that may be used for aws:kms # defined as map "key1=YmluCmJvb3N0CmJvb3N0LQ== key2=b3V0CnNyYwpUZXN0aW5nCg==" - name: rgw_crypt_s3_kms_encryption_keys type: str level: dev services: - rgw with_legacy: true - name: rgw_crypt_vault_auth type: str level: advanced desc: Type of authentication method to be used with Vault. fmt_desc: Type of authentication method to be used. The only method currently supported is ``token``. default: token services: - rgw see_also: - rgw_crypt_s3_kms_backend - rgw_crypt_vault_addr - rgw_crypt_vault_token_file enum_values: - token - agent with_legacy: true - name: rgw_crypt_vault_token_file type: str level: advanced desc: If authentication method is 'token', provide a path to the token file, which for security reasons should readable only by Rados Gateway. services: - rgw see_also: - rgw_crypt_s3_kms_backend - rgw_crypt_vault_auth - rgw_crypt_vault_addr with_legacy: true - name: rgw_crypt_vault_addr type: str level: advanced desc: Vault server base address. fmt_desc: Vault server base address, e.g. ``http://vaultserver:8200``. services: - rgw see_also: - rgw_crypt_s3_kms_backend - rgw_crypt_vault_auth - rgw_crypt_vault_prefix with_legacy: true # Optional URL prefix to Vault secret path - name: rgw_crypt_vault_prefix type: str level: advanced desc: Vault secret URL prefix, which can be used to restrict access to a particular subset of the Vault secret space. fmt_desc: The Vault secret URL prefix, which can be used to restrict access to a particular subset of the secret space, e.g. ``/v1/secret/data``. services: - rgw see_also: - rgw_crypt_s3_kms_backend - rgw_crypt_vault_addr - rgw_crypt_vault_auth with_legacy: true # kv, transit or other supported secret engines - name: rgw_crypt_vault_secret_engine type: str level: advanced desc: Vault Secret Engine to be used to retrieve encryption keys. fmt_desc: | Vault Secret Engine to be used to retrieve encryption keys: choose between kv-v2, transit. default: transit services: - rgw see_also: - rgw_crypt_s3_kms_backend - rgw_crypt_vault_auth - rgw_crypt_vault_addr with_legacy: true # Vault Namespace (only availabe in Vault Enterprise Version) - name: rgw_crypt_vault_namespace type: str level: advanced desc: Vault Namespace to be used to select your tenant fmt_desc: If set, Vault Namespace provides tenant isolation for teams and individuals on the same Vault Enterprise instance, e.g. ``acme/tenant1`` services: - rgw see_also: - rgw_crypt_s3_kms_backend - rgw_crypt_vault_auth - rgw_crypt_vault_addr with_legacy: true # Enable TLS authentication rgw and vault - name: rgw_crypt_vault_verify_ssl type: bool level: advanced desc: Should RGW verify the vault server SSL certificate. default: true services: - rgw with_legacy: true # TLS certs options - name: rgw_crypt_vault_ssl_cacert type: str level: advanced desc: Path for custom ca certificate for accessing vault server services: - rgw with_legacy: true - name: rgw_crypt_vault_ssl_clientcert type: str level: advanced desc: Path for custom client certificate for accessing vault server services: - rgw with_legacy: true - name: rgw_crypt_vault_ssl_clientkey type: str level: advanced desc: Path for private key required for client cert services: - rgw with_legacy: true - name: rgw_crypt_kmip_addr type: str level: advanced desc: kmip server address services: - rgw with_legacy: true - name: rgw_crypt_kmip_ca_path type: str level: advanced desc: ca for kmip servers services: - rgw with_legacy: true - name: rgw_crypt_kmip_username type: str level: advanced desc: when authenticating via username services: - rgw with_legacy: true - name: rgw_crypt_kmip_password type: str level: advanced desc: optional w/ username services: - rgw with_legacy: true - name: rgw_crypt_kmip_client_cert type: str level: advanced desc: connect using client certificate services: - rgw with_legacy: true - name: rgw_crypt_kmip_client_key type: str level: advanced desc: connect using client certificate services: - rgw with_legacy: true - name: rgw_crypt_kmip_kms_key_template type: str level: advanced desc: sse-kms; kmip key names services: - rgw with_legacy: true - name: rgw_crypt_kmip_s3_key_template type: str level: advanced desc: sse-s3; kmip key template default: $keyid services: - rgw with_legacy: true - name: rgw_crypt_suppress_logs type: bool level: advanced desc: Suppress logs that might print client key default: true services: - rgw with_legacy: true - name: rgw_crypt_sse_s3_backend type: str level: advanced desc: Where the SSE-S3 encryption keys are stored. The only valid choice here is HashiCorp Vault ('vault'). fmt_desc: Where the SSE-S3 encryption keys are stored. The only valid choice is HashiCorp Vault (``vault``). default: vault services: - rgw enum_values: - vault with_legacy: true - name: rgw_crypt_sse_s3_vault_secret_engine type: str level: advanced desc: Vault Secret Engine to be used to retrieve encryption keys. fmt_desc: | Vault Secret Engine to be used to retrieve encryption keys. The only valid choice here is transit. default: transit services: - rgw see_also: - rgw_crypt_sse_s3_backend - rgw_crypt_sse_s3_vault_auth - rgw_crypt_sse_s3_vault_addr with_legacy: true - name: rgw_crypt_sse_s3_key_template type: str level: advanced desc: template for per-bucket sse-s3 keys in vault. long_desc: This is the template for per-bucket sse-s3 keys. This string may include ``%bucket_id`` which will be expanded out to the bucket marker, a unique uuid assigned to that bucket. It could contain ``%owner_id``, which will expand out to the owner's id. Any other use of % is reserved and should not be used. If the template contains ``%bucket_id``, associated bucket keys will be automatically removed when the bucket is removed. services: - rgw default: "%bucket_id" see_also: - rgw_crypt_sse_s3_backend - rgw_crypt_sse_s3_vault_auth - rgw_crypt_sse_s3_vault_addr with_legacy: true - name: rgw_crypt_sse_s3_vault_auth type: str level: advanced desc: Type of authentication method to be used with SSE-S3 and Vault. fmt_desc: Type of authentication method to be used. The only method currently supported is ``token``. default: token services: - rgw see_also: - rgw_crypt_sse_s3_backend - rgw_crypt_sse_s3_vault_addr - rgw_crypt_sse_s3_vault_token_file enum_values: - token - agent with_legacy: true - name: rgw_crypt_sse_s3_vault_token_file type: str level: advanced desc: If authentication method is 'token', provide a path to the token file, which for security reasons should readable only by Rados Gateway. services: - rgw see_also: - rgw_crypt_sse_s3_backend - rgw_crypt_sse_s3_vault_auth - rgw_crypt_sse_s3_vault_addr with_legacy: true - name: rgw_crypt_sse_s3_vault_addr type: str level: advanced desc: SSE-S3 Vault server base address. fmt_desc: Vault server base address, e.g. ``http://vaultserver:8200``. services: - rgw see_also: - rgw_crypt_sse_s3_backend - rgw_crypt_sse_s3_vault_auth - rgw_crypt_sse_s3_vault_prefix with_legacy: true # Optional URL prefix to Vault secret path - name: rgw_crypt_sse_s3_vault_prefix type: str level: advanced desc: SSE-S3 Vault secret URL prefix, which can be used to restrict access to a particular subset of the Vault secret space. fmt_desc: The Vault secret URL prefix, which can be used to restrict access to a particular subset of the secret space, e.g. ``/v1/secret/data``. services: - rgw see_also: - rgw_crypt_sse_s3_backend - rgw_crypt_sse_s3_vault_addr - rgw_crypt_sse_s3_vault_auth with_legacy: true # Vault Namespace (only availabe in Vault Enterprise Version) - name: rgw_crypt_sse_s3_vault_namespace type: str level: advanced desc: Vault Namespace to be used to select your tenant fmt_desc: If set, Vault Namespace provides tenant isolation for teams and individuals on the same Vault Enterprise instance, e.g. ``acme/tenant1`` services: - rgw see_also: - rgw_crypt_sse_s3_backend - rgw_crypt_sse_s3_vault_auth - rgw_crypt_sse_s3_vault_addr with_legacy: true # Enable TLS authentication rgw and vault - name: rgw_crypt_sse_s3_vault_verify_ssl type: bool level: advanced desc: Should RGW verify the vault server SSL certificate. default: true services: - rgw with_legacy: true # TLS certs options - name: rgw_crypt_sse_s3_vault_ssl_cacert type: str level: advanced desc: Path for custom ca certificate for accessing vault server services: - rgw with_legacy: true - name: rgw_crypt_sse_s3_vault_ssl_clientcert type: str level: advanced desc: Path for custom client certificate for accessing vault server services: - rgw with_legacy: true - name: rgw_crypt_sse_s3_vault_ssl_clientkey type: str level: advanced desc: Path for private key required for client cert services: - rgw with_legacy: true - name: rgw_list_bucket_min_readahead type: int level: advanced desc: Minimum number of entries to request from rados for bucket listing default: 1000 services: - rgw with_legacy: true - name: rgw_rest_getusage_op_compat type: bool level: advanced desc: REST GetUsage request backward compatibility default: false services: - rgw with_legacy: true # The following are tunables for torrent data - name: rgw_torrent_flag type: bool level: advanced desc: When true, uploaded objects will calculate and store a SHA256 hash of object data so the object can be retrieved as a torrent file default: false services: - rgw with_legacy: true - name: rgw_torrent_tracker type: str level: advanced desc: Torrent field announce and announce list services: - rgw with_legacy: true - name: rgw_torrent_createby type: str level: advanced desc: torrent field created by services: - rgw with_legacy: true - name: rgw_torrent_comment type: str level: advanced desc: Torrent field comment services: - rgw with_legacy: true - name: rgw_torrent_encoding type: str level: advanced desc: torrent field encoding services: - rgw with_legacy: true - name: rgw_data_notify_interval_msec type: int level: advanced desc: data changes notification interval to followers long_desc: In multisite, radosgw will occasionally broadcast new entries in its data changes log to peer zones, so they can prioritize sync of some of the most recent changes. Can be disabled with 0. default: 0 services: - rgw with_legacy: true - name: rgw_torrent_origin type: str level: advanced desc: Torrent origin services: - rgw with_legacy: true - name: rgw_torrent_sha_unit type: size level: advanced default: 512_K services: - rgw with_legacy: true - name: rgw_dynamic_resharding type: bool level: basic desc: Enable dynamic resharding long_desc: If true, RGW will dynamically increase the number of shards in buckets that have a high number of objects per shard. default: true services: - rgw see_also: - rgw_max_objs_per_shard - rgw_max_dynamic_shards - name: rgw_max_objs_per_shard type: uint level: basic desc: Max objects per shard for dynamic resharding long_desc: This is the max number of objects per bucket index shard that RGW will allow with dynamic resharding. RGW will trigger an automatic reshard operation on the bucket if it exceeds this number. default: 100000 services: - rgw see_also: - rgw_dynamic_resharding - rgw_max_dynamic_shards - name: rgw_max_dynamic_shards type: uint level: advanced desc: Max shards that dynamic resharding can create long_desc: This is the maximum number of bucket index shards that dynamic sharding is able to create on its own. This does not limit user requested resharding. Ideally this value is a prime number. default: 1999 services: - rgw see_also: - rgw_dynamic_resharding - rgw_max_objs_per_shard min: 1 - name: rgw_reshard_thread_interval type: uint level: advanced desc: Number of seconds between processing of reshard log entries default: 600 services: - rgw min: 10 - name: rgw_cache_expiry_interval type: uint level: advanced desc: Number of seconds before entries in the cache are assumed stale and re-fetched. Zero is never. long_desc: The Rados Gateway stores metadata and objects in an internal cache. This should be kept consistent by the OSD's relaying notify events between multiple watching RGW processes. In the event that this notification protocol fails, bounding the length of time that any data in the cache will be assumed valid will ensure that any RGW instance that falls out of sync will eventually recover. This seems to be an issue mostly for large numbers of RGW instances under heavy use. If you would like to turn off cache expiry, set this value to zero. default: 900 tags: - performance services: - rgw - rgw - name: rgw_inject_notify_timeout_probability type: float level: dev desc: Likelihood of ignoring a notify long_desc: This is the probability that the RGW cache will ignore a cache notify message. It exists to help with the development and testing of cache consistency and recovery improvements. Please do not set it in a production cluster, as it actively causes failures. Set this to a floating point value between 0 and 1. default: 0 tags: - fault injection - testing services: - rgw - rgw min: 0 max: 1 - name: rgw_max_notify_retries type: uint level: advanced desc: Number of attempts to notify peers before giving up. long_desc: The number of times we will attempt to update a peer's cache in the event of error before giving up. This is unlikely to be an issue unless your cluster is very heavily loaded. Beware that increasing this value may cause some operations to take longer in exceptional cases and thus may, rarely, cause clients to time out. default: 10 tags: - error recovery services: - rgw - rgw - name: rgw_sts_entry type: str level: advanced desc: STS URL prefix long_desc: URL path prefix for internal STS requests. default: sts services: - rgw with_legacy: true - name: rgw_sts_key type: str level: advanced desc: STS Key long_desc: Key used for encrypting/ decrypting session token. default: sts services: - rgw with_legacy: true # should we try to use sts for s3? - name: rgw_s3_auth_use_sts type: bool level: advanced desc: Should S3 authentication use STS. default: false services: - rgw with_legacy: true - name: rgw_sts_max_session_duration type: uint level: advanced desc: Session token max duration long_desc: Max duration in seconds for which the session token is valid. default: 43200 services: - rgw with_legacy: true - name: rgw_sts_min_session_duration type: uint level: advanced desc: Minimum allowed duration of a session default: 900 services: - rgw with_legacy: true - name: rgw_max_listing_results type: uint level: advanced desc: Upper bound on results in listing operations, ListBucket max-keys long_desc: This caps the maximum permitted value for listing-like operations in RGW S3. Affects ListBucket(max-keys), ListBucketVersions(max-keys), ListBucketMultipartUploads(max-uploads), ListMultipartUploadParts(max-parts) default: 1000 services: - rgw - rgw min: 1 max: 100000 - name: rgw_sts_token_introspection_url type: str level: advanced desc: STS Web Token introspection URL long_desc: URL for introspecting an STS Web Token. services: - rgw with_legacy: true - name: rgw_sts_client_id type: str level: advanced desc: Client Id long_desc: Client Id needed for introspecting a Web Token. services: - rgw with_legacy: true - name: rgw_sts_client_secret type: str level: advanced desc: Client Secret long_desc: Client Secret needed for introspecting a Web Token. services: - rgw with_legacy: true - name: rgw_max_concurrent_requests type: int level: basic desc: Maximum number of concurrent HTTP requests. long_desc: Maximum number of concurrent HTTP requests that the beast frontend will process. Tuning this can help to limit memory usage under heavy load. default: 1024 tags: - performance services: - rgw see_also: - rgw_frontends - name: rgw_scheduler_type type: str level: advanced desc: Set the type of dmclock scheduler, defaults to throttler Other valid values are dmclock which is experimental fmt_desc: | The RGW scheduler to use. Valid values are ``throttler` and ``dmclock``. Currently defaults to ``throttler`` which throttles Beast frontend requests. ``dmclock` is *experimental* and requires the ``dmclock`` to be included in the ``experimental_feature_enabled`` configuration option. The options below tune the experimental dmclock scheduler. For additional reading on dmclock, see :ref:`dmclock-qos`. `op_class` for the flags below is one of ``admin``, ``auth``, ``metadata``, or ``data``. default: throttler services: - rgw - name: rgw_dmclock_admin_res type: float level: advanced desc: mclock reservation for admin requests default: 100 services: - rgw see_also: - rgw_dmclock_admin_wgt - rgw_dmclock_admin_lim - name: rgw_dmclock_admin_wgt type: float level: advanced desc: mclock weight for admin requests default: 100 services: - rgw see_also: - rgw_dmclock_admin_res - rgw_dmclock_admin_lim - name: rgw_dmclock_admin_lim type: float level: advanced desc: mclock limit for admin requests default: 0 services: - rgw see_also: - rgw_dmclock_admin_res - rgw_dmclock_admin_wgt - name: rgw_dmclock_auth_res type: float level: advanced desc: mclock reservation for object data requests default: 200 services: - rgw see_also: - rgw_dmclock_auth_wgt - rgw_dmclock_auth_lim - name: rgw_dmclock_auth_wgt type: float level: advanced desc: mclock weight for object data requests default: 100 services: - rgw see_also: - rgw_dmclock_auth_res - rgw_dmclock_auth_lim - name: rgw_dmclock_auth_lim type: float level: advanced desc: mclock limit for object data requests default: 0 services: - rgw see_also: - rgw_dmclock_auth_res - rgw_dmclock_auth_wgt - name: rgw_dmclock_data_res type: float level: advanced desc: mclock reservation for object data requests default: 500 services: - rgw see_also: - rgw_dmclock_data_wgt - rgw_dmclock_data_lim - name: rgw_dmclock_data_wgt type: float level: advanced desc: mclock weight for object data requests default: 500 services: - rgw see_also: - rgw_dmclock_data_res - rgw_dmclock_data_lim - name: rgw_dmclock_data_lim type: float level: advanced desc: mclock limit for object data requests default: 0 services: - rgw see_also: - rgw_dmclock_data_res - rgw_dmclock_data_wgt - name: rgw_dmclock_metadata_res type: float level: advanced desc: mclock reservation for metadata requests default: 500 services: - rgw see_also: - rgw_dmclock_metadata_wgt - rgw_dmclock_metadata_lim - name: rgw_dmclock_metadata_wgt type: float level: advanced desc: mclock weight for metadata requests default: 500 services: - rgw see_also: - rgw_dmclock_metadata_res - rgw_dmclock_metadata_lim - name: rgw_dmclock_metadata_lim type: float level: advanced desc: mclock limit for metadata requests default: 0 services: - rgw see_also: - rgw_dmclock_metadata_res - rgw_dmclock_metadata_wgt - name: rgw_default_data_log_backing type: str level: advanced desc: Default backing store for the RGW data sync log long_desc: Whether to use the older OMAP backing store or the high performance FIFO based backing store by default. This only covers the creation of the log on startup if none exists. default: fifo services: - rgw enum_values: - fifo - omap - name: rgw_d3n_l1_local_datacache_enabled type: bool level: advanced desc: Enable datacenter-scale dataset delivery local cache default: false services: - rgw with_legacy: true - name: rgw_d3n_l1_datacache_persistent_path type: str level: advanced desc: path for the directory for storing the local cache objects data default: /tmp/rgw_datacache/ services: - rgw with_legacy: true - name: rgw_d3n_l1_datacache_size type: size level: advanced desc: datacache maximum size on disk in bytes default: 1_G services: - rgw with_legacy: true - name: rgw_d3n_l1_evict_cache_on_start type: bool level: advanced desc: clear the content of the persistent data cache directory on start default: true services: - rgw with_legacy: true - name: rgw_d3n_l1_fadvise type: int level: advanced desc: posix_fadvise() flag for access pattern of cache files long_desc: for example to bypass the page-cache - POSIX_FADV_DONTNEED=4 default: 4 services: - rgw with_legacy: true - name: rgw_d3n_l1_eviction_policy type: str level: advanced desc: select the d3n cache eviction policy default: lru services: - rgw enum_values: - lru - random with_legacy: true - name: rgw_d3n_libaio_aio_threads type: int level: advanced desc: specifies the maximum number of worker threads that may be used by libaio default: 20 services: - rgw see_also: - rgw_thread_pool_size with_legacy: true - name: rgw_d3n_libaio_aio_num type: int level: advanced desc: specifies the maximum number of simultaneous I/O requests that libaio expects to enqueue default: 64 services: - rgw see_also: - rgw_thread_pool_size with_legacy: true - name: rgw_backend_store type: str level: advanced desc: experimental Option to set backend store type long_desc: defaults to rados. Other valid values are dbstore, motr, and daos (All experimental). default: rados services: - rgw enum_values: - rados - dbstore - motr - daos - name: rgw_config_store type: str level: advanced desc: Configuration storage backend default: rados services: - rgw enum_values: - rados - dbstore - json - name: rgw_filter type: str level: advanced desc: experimental Option to set a filter long_desc: defaults to none. Other valid values are base and trace (both experimental). default: none services: - rgw enum_values: - none - base - trace - name: dbstore_db_dir type: str level: advanced desc: path for the directory for storing the db backend store data default: /var/lib/ceph/radosgw services: - rgw - name: dbstore_db_name_prefix type: str level: advanced desc: prefix to the file names created by db backend store default: dbstore services: - rgw - name: dbstore_config_uri type: str level: advanced desc: 'Config database URI. URIs beginning with file: refer to local files opened with SQLite.' default: file:/var/lib/ceph/radosgw/dbstore-config.db see_also: - rgw_config_store services: - rgw - name: rgw_json_config type: str level: advanced desc: Path to a json file that contains the static zone and zonegroup configuration. Requires rgw_config_store=json. default: /var/lib/ceph/radosgw/config.json see_also: - rgw_config_store services: - rgw - name: motr_profile_fid type: str level: advanced desc: experimental Option to set Motr profile fid long_desc: example value 0x7000000000000001:0x4f default: 0x7000000000000001:0x0 services: - rgw - name: motr_my_fid type: str level: advanced desc: experimental Option to set my Motr fid long_desc: example value 0x7200000000000001:0x29 default: 0x7200000000000001:0x0 services: - rgw - name: motr_admin_fid type: str level: advanced desc: Admin Tool Motr FID for admin-level access. long_desc: example value 0x7200000000000001:0x2c default: 0x7200000000000001:0x0 services: - rgw - name: motr_admin_endpoint type: str level: advanced desc: experimental Option to set Admin Motr endpoint address long_desc: example value 192.168.180.182@tcp:12345:4:1 default: 192.168.180.182@tcp:12345:4:1 services: - rgw - name: motr_my_endpoint type: str level: advanced desc: experimental Option to set my Motr endpoint address long_desc: example value 192.168.180.182@tcp:12345:4:1 default: 192.168.180.182@tcp:12345:4:1 services: - rgw - name: motr_ha_endpoint type: str level: advanced desc: experimental Option to set Motr HA agent endpoint address long_desc: example value 192.168.180.182@tcp:12345:1:1 default: 192.168.180.182@tcp:12345:1:1 services: - rgw - name: motr_tracing_enabled type: bool level: advanced desc: Set to true when Motr client debugging is needed default: false services: - rgw - name: rgw_luarocks_location type: str level: advanced desc: Directory where luarocks install packages from allowlist default: @rgw_luarocks_location@ services: - rgw flags: - startup - name: rgwlc_auto_session_clear type: bool level: advanced desc: Automatically clear stale lifecycle sessions (i.e., after 2 idle processing cycles) default: true services: - rgw with_legacy: true - name: rgwlc_skip_bucket_step type: bool level: advanced desc: Conditionally skip the processing (but not the scheduling) of bucket lifecycle default: false services: - rgw with_legacy: true - name: rgw_pending_bucket_index_op_expiration type: uint level: advanced default: 120 desc: Number of seconds a pending operation can remain in bucket index shard. long_desc: Number of seconds a pending operation can remain in bucket index shard before it expires. Used for transactional bucket index operations, and if the operation does not complete in this time period, the operation will be dropped. services: - rgw - osd with_legacy: true - name: rgw_bucket_index_transaction_instrumentation type: bool level: dev default: false desc: Turns on extra instrumentation surrounding bucket index transactions. services: - rgw - osd with_legacy: true - name: rgw_allow_notification_secrets_in_cleartext type: bool level: advanced desc: Allows sending secrets (e.g. passwords) over non encrypted HTTP messages. long_desc: When bucket notification endpoint require secrets (e.g. passwords), we allow the topic creation only over HTTPS messages. This parameter can be set to "true" to bypass this check. Use this only if radosgw is on a trusted private network, and the message broker cannot be configured without password authentication. Otherwise, this will leak the credentials of your message broker and compromise its security. default: false services: - rgw see_also: - rgw_trust_forwarded_https - name: daos_pool type: str level: advanced desc: DAOS Pool to use default: tank services: - rgw - name: rgw_policy_reject_invalid_principals type: bool level: basic desc: Whether to reject policies with invalid principals long_desc: If true, policies with invalid principals will be rejected. We don't support Canonical User identifiers or some other form of policies that Amazon does, so if you are mirroring policies between RGW and AWS, you may wish to set this to false. default: true services: - rgw