Openstack Train配置手册-Barbican实现

snow chuai汇总、整理、撰写---2020/3/4

1. 拓扑

     ------------+---------------------------+---------------------------+------------
                 |                           |                           |
             eth0|192.168.10.11          eth0|192.168.10.12          eth0|192.168.10.13
     +-----------+-----------+   +-----------+-----------+   +-----------+-----------+
     |    [ Control Node ]   |   |    [ Compute Node ]   |   |   [ Network Node ]    |
     |   [node1.1000cc.net]  |   |   [node2.1000cc.net]  |   |  [node3.1000cc.net]   |
     |  MariaDB    RabbitMQ  |   |         ibvirt        |   |      Open vSwitch     |
     |  Memcached  httpd     |   |       Nova Compute    |   |        L2 Agent       |
     |  Keystone   Glance    |   |       Open vSwitch    |   |        L3 Agent       |
     |  Nova API  Cinder API |   |        L2 Agent       |   |      Cinder-Volume    |
     |  Neutron Server       |   |                       |   |                       |
     |  Metadata Agent       |   |                       |   |                       |
     |  Barbican API         |   |                       |   |                       |
     +-----------------------+   +-----------------------+   +-----------------------+

2. 配置Barbican

1) 添加Barbican信息及endpotin信息
[root@node1 ~(keystone)]# openstack user create --domain default --project service --password servicepassword barbican
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| default_project_id  | 7972f61f4a1c4f2592d2bb6dc7711e81 |
| domain_id           | default                          |
| enabled             | True                             |
| id                  | 696834e7b95a44edac246828de5780a7 |
| name                | barbican                         |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+

[root@node1 ~(keystone)]# openstack role add --project service --user barbican admin

[root@node1 ~(keystone)]# openstack service create --name barbican --description "OpenStack Key Manager" key-manager
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | OpenStack Key Manager            |
| enabled     | True                             |
| id          | 08c96befa0f64959871f7eb7bb48c94d |
| name        | barbican                         |
| type        | key-manager                      |
+-------------+----------------------------------+

[root@node1 ~(keystone)]# openstack endpoint create --region RegionOne key-manager public http://192.168.10.11:9311
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | b758093153274112a4296c93c3a2d724 |
| interface    | public                           |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 08c96befa0f64959871f7eb7bb48c94d |
| service_name | barbican                         |
| service_type | key-manager                      |
| url          | http://192.168.10.11:9311        |
+--------------+----------------------------------+

[root@node1 ~(keystone)]# openstack endpoint create --region RegionOne key-manager internal http://192.168.10.11:9311
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 26920b9ada844ef787d0236b0e04a6cf |
| interface    | internal                         |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 08c96befa0f64959871f7eb7bb48c94d |
| service_name | barbican                         |
| service_type | key-manager                      |
| url          | http://192.168.10.11:9311        |
+--------------+----------------------------------+

[root@node1 ~(keystone)]# openstack endpoint create --region RegionOne key-manager admin http://192.168.10.11:9311
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 16712444394f49ca8c4d2506494adc54 |
| interface    | admin                            |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 08c96befa0f64959871f7eb7bb48c94d |
| service_name | barbican                         |
| service_type | key-manager                      |
| url          | http://192.168.10.11:9311        |
+--------------+----------------------------------+

2) 配置数据库
[root@node1 ~(keystone)]# mysql -u root -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 64
Server version: 10.1.20-MariaDB MariaDB Server

Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> create database barbican;
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> grant all privileges on barbican.* to barbican@'localhost' identified by 'password';
Query OK, 0 rows affected (0.01 sec)

MariaDB [(none)]> grant all privileges on barbican.* to barbican@'%' identified by 'password';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> exit
Bye

3) 安装Barbican
[root@node1 ~(keystone)]# yum --enablerepo=centos-openstack-train,epel install openstack-barbican -y

4) 配置Barbican
[root@node1 ~(keystone)]# mv /etc/barbican/barbican.conf /etc/barbican/barbican.conf.bak
[root@node1 ~(keystone)]# vim /etc/barbican/barbican.conf
[DEFAULT]
bind_host = 0.0.0.0
bind_port = 9311
host_href = http://192.168.10.11:9311
log_file = /var/log/barbican/api.log

sql_connection = mysql+pymysql://barbican:password@192.168.10.11/barbican

transport_url = rabbit://openstack:password@192.168.10.11

[oslo_policy]
policy_file = /etc/barbican/policy.json
policy_default_rule = default

[secretstore]
namespace = barbican.secretstore.plugin
enabled_secretstore_plugins = store_crypto

[crypto]
namespace = barbican.crypto.plugin
enabled_crypto_plugins = simple_crypto

[simple_crypto_plugin]
kek = 'dGhpcnR5X3R3b19ieXRlX2tleWJsYWhibGFoYmxhaGg='

[keystone_authtoken]
www_authenticate_uri = http://192.168.10.11:5000
auth_url = http://192.168.10.11:5000
memcached_servers = 1192.168.10.11:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = barbican
password = servicepassword

[root@node1 ~(keystone)]# chmod 644 /etc/barbican/barbican.conf
[root@node1 ~(keystone)]# su -s /bin/bash barbican -c "barbican-manage db upgrade"
[root@node1 ~(keystone)]# systemctl enable --now openstack-barbican-api

5) 防火墙设定
[root@node1 ~(keystone)]# firewall-cmd --add-port=9311/tcp --permanent
success
[root@node1 ~(keystone)]# firewall-cmd --reload
success

3. 使用Barbican

1) 存储key
[root@node1 ~(keystone)]# openstack secret store --name secret01 --payload secretkey
# 语法:--name [key's名] --payload [key's数据]
+---------------+---------------------------------------------------------------------------+
| Field         | Value                                                                     |
+---------------+---------------------------------------------------------------------------+
| Secret href   | http://192.168.10.11:9311/v1/secrets/0f32f833-2249-4e20-a0e0-40b5129562a8 |
| Name          | secret01                                                                  |
| Created       | None                                                                      |
| Status        | None                                                                      |
| Content types | None                                                                      |
| Algorithm     | aes                                                                       |
| Bit length    | 256                                                                       |
| Secret type   | opaque                                                                    |
| Mode          | cbc                                                                       |
| Expiration    | None                                                                      |
+---------------+---------------------------------------------------------------------------+

[root@node1 ~(keystone)]# openstack secret list
+---------------------------------------------------------------------------+----------+---------------------------+--------+-----------------------------+-----------+------------+-------------+------+------------+
| Secret href                                                               | Name     | Created                   | Status | Content types               | Algorithm | Bit length | Secret type | Mode | Expiration |
+---------------------------------------------------------------------------+------------------
| http://192.168.10.11:9311/v1/secrets/0f32f833-2249-4e20-a0e0-40b5129562a8 | secret01 ......
+---------------------------------------------------------------------------+------------------

2) 获取key
# 获取key的元数据
[root@node1 ~(keystone)]# openstack secret get http://192.168.10.11:9311/v1/secrets/0f32f833-2249-4e20-a0e0-40b5129562a8
+---------------+---------------------------------------------------------------------------+
| Field         | Value                                                                     |
+---------------+---------------------------------------------------------------------------+
| Secret href   | http://192.168.10.11:9311/v1/secrets/0f32f833-2249-4e20-a0e0-40b5129562a8 |
| Name          | secret01                                                                  |
| Created       | 2020-03-04T10:35:31+00:00                                                 |
| Status        | ACTIVE                                                                    |
| Content types | {u'default': u'text/plain'}                                               |
| Algorithm     | aes                                                                       |
| Bit length    | 256                                                                       |
| Secret type   | opaque                                                                    |
| Mode          | cbc                                                                       |
| Expiration    | None                                                                      |
+---------------+---------------------------------------------------------------------------+

# 获取key的数据
[root@node1 ~(keystone)]# openstack secret get http://192.168.10.11:9311/v1/secrets/0f32f833-2249-4e20-a0e0-40b5129562a8 --payload
+---------+-----------+
| Field   | Value     |
+---------+-----------+
| Payload | secretkey |
+---------+-----------+

3) 生成并存储key
[root@node1 ~(keystone)]# openstack secret order create --name secret02 --algorithm aes --bit-length 256 --mode cbc --payload-content-type application/octet-stream key
+----------------+--------------------------------------------------------------------------+
| Field          | Value                                                                    |
+----------------+--------------------------------------------------------------------------+
| Order href     | http://192.168.10.11:9311/v1/orders/201d347b-501e-483a-99e5-f82dba4b69d3 |
| Type           | Key                                                                      |
| Container href | N/A                                                                      |
| Secret href    | None                                                                     |
| Created        | None                                                                     |
| Status         | None                                                                     |
| Error code     | None                                                                     |
| Error message  | None                                                                     |
+----------------+--------------------------------------------------------------------------+

4) 显示生成的key列表
[root@node1 ~(keystone)]# openstack secret order list
+--------------------------------------------------------------------------+------+----------------+---------------------------------------------------------------------------+---------------------------+--------+------------+---------------+
| Order href                                                               | Type | Container href | Secret href                                                               | Created                   | Status | Error code | Error message |
+--------------------------------------------------------------------------+------+----------------+---------------------------------------------------------------------------+---------------------------+--------+------------+---------------+
| http://192.168.10.11:9311/v1/orders/201d347b-501e-483a-99e5-f82dba4b69d3 | Key  | N/A            | http://192.168.10.11:9311/v1/secrets/f8e9318e-3736-4601-b95d-49ccb3517307 | 2020-03-04T10:39:50+00:00 | ACTIVE | None       | None          |
+--------------------------------------------------------------------------+------+----------------+---------------------------------------------------------------------------+---------------------------+--------+------------+---------------+

5) 显示生成的key
[root@node1 ~(keystone)]# openstack secret order get http://192.168.10.11:9311/v1/orders/201d347b-501e-483a-99e5-f82dba4b69d3
+----------------+---------------------------------------------------------------------------+
| Field          | Value                                                                     |
+----------------+---------------------------------------------------------------------------+
| Order href     | http://192.168.10.11:9311/v1/orders/201d347b-501e-483a-99e5-f82dba4b69d3  |
| Type           | Key                                                                       |
| Container href | N/A                                                                       |
| Secret href    | http://192.168.10.11:9311/v1/secrets/f8e9318e-3736-4601-b95d-49ccb3517307 |
| Created        | 2020-03-04T10:39:50+00:00                                                 |
| Status         | ACTIVE                                                                    |
| Error code     | None                                                                      |
| Error message  | None                                                                      |
+----------------+---------------------------------------------------------------------------+

6) 显示生成的key的元数据
[root@srv1 ~(keystone)]# openstack secret get http://192.168.10.11:9311/v1/secrets/f8e9318e-3736-4601-b95d-49ccb3517307
+---------------+---------------------------------------------------------------------------+
| Field         | Value                                                                     |
+---------------+---------------------------------------------------------------------------+
| Secret href   | http://192.168.10.11:9311/v1/secrets/f8e9318e-3736-4601-b95d-49ccb3517307 |
| Name          | secret02                                                                  |
| Created       | 2020-03-04T10:39:50+00:00                                                 |
| Status        | ACTIVE                                                                    |
| Content types | {u'default': u'application/octet-stream'}                                 |
| Algorithm     | aes                                                                       |
| Bit length    | 256                                                                       |
| Secret type   | symmetric                                                                 |
| Mode          | cbc                                                                       |
| Expiration    | None                                                                      |
+---------------+---------------------------------------------------------------------------+

如对您有帮助，请随缘打个赏。^-^

gold