OpenStack Ussuri : Barbican
-----------------------      -----------------------      -----------------------
| [ Controller Node ] |      |  [ Compute Node ]   |      |  [ Network Node ]   |
|                     |      |       Libvirt       |      |    Open vSwitch     |
| MariaDB  RabbitMQ   |      |    Nova compute     |      |      L2 Agent       |
| Memcached Keystone  |      |    Open vSwitch     |      |      L3 Agent       |
| httpd  Cinder API   |      |      L2 Agent       |      |   metadata agent    |
| Nova-API Compute    |      |     Cinder-LVM      |      |     Swift-proxy     |
| L2 agent  L3 agent  |      |         NFS         |      |      Heat API       |
| metadata agent      |      -----------------------      |       API-CFN       |
| Neutron Server      |                                   |     Heat Engine     |
| Gnocchi Trove API   |                                   | Designate Services  |
| Barbican API        |                                   -----------------------
-----------------------
- Barbican is the OpenStack key management service.
- It provides secure storage, provisioning and management of secret data. This includes key material such as symmetric keys, asymmetric keys, certificates and raw binary data.
- For a detailed description, please refer to Barbican.
Create the Barbican service and user
$ controller ~(keystone)> openstack user create --domain default --project service --password qwer1234 barbican
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| default_project_id | b470c69e28db47cdbfc81e06cc67f627 |
| domain_id | default |
| enabled | True |
| id | bc85b317bd7c4cc1a4d5aee81c383421 |
| name | barbican |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+
$ controller ~(keystone)> openstack role add --project service --user barbican admin
$ controller ~(keystone)> openstack service create --name barbican --description "OpenStack Key Manager" key-manager
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | OpenStack Key Manager |
| enabled | True |
| id | ec2cbdda740a4887b5737fe885b4b86e |
| name | barbican |
| type | key-manager |
+-------------+----------------------------------+
$ controller ~(keystone)> openstack endpoint create --region RegionOne key-manager public http://controller:9311
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 3254f8ccb5894560ab3dea0268dddd03 |
| interface | public |
| region | RegionOne |
| region_id | RegionOne |
| service_id | ec2cbdda740a4887b5737fe885b4b86e |
| service_name | barbican |
| service_type | key-manager |
| url | http://controller:9311 |
+--------------+----------------------------------+
$ controller ~(keystone)> openstack endpoint create --region RegionOne key-manager internal http://controller:9311
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 37a440f72212422ca7c590e322afe56c |
| interface | internal |
| region | RegionOne |
| region_id | RegionOne |
| service_id | ec2cbdda740a4887b5737fe885b4b86e |
| service_name | barbican |
| service_type | key-manager |
| url | http://controller:9311 |
+--------------+----------------------------------+
$ controller ~(keystone)> openstack endpoint create --region RegionOne key-manager admin http://controller:9311
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 2ad3a9aabcb840cc832470039ee37b00 |
| interface | admin |
| region | RegionOne |
| region_id | RegionOne |
| service_id | ec2cbdda740a4887b5737fe885b4b86e |
| service_name | barbican |
| service_type | key-manager |
| url | http://controller:9311 |
+--------------+----------------------------------+
Create the database and database user for Barbican.
$ controller> mysql -u root -p
$ MariaDB> create database barbican;
$ MariaDB> grant all privileges on barbican.* to barbican@'localhost' identified by 'qwer1234';
$ MariaDB> grant all privileges on barbican.* to barbican@'%' identified by 'qwer1234';
$ MariaDB> flush privileges;
$ MariaDB> exit;
Install Barbican on the controller node
$ controller ~(keystone)> dnf --enablerepo=centos-openstack-ussuri,powertools,epel -y install openstack-barbican
# Install the Barbican service and its related modules.
$ controller ~(keystone)> vi /etc/barbican/barbican.conf
[DEFAULT]
bind_host = 0.0.0.0
bind_port = 9311
host_href = http://controller:9311
log_file = /var/log/barbican/api.log
sql_connection = mysql+pymysql://barbican:qwer1234@controller/barbican
transport_url = rabbit://openstack:qwer1234@controller
[oslo_policy]
policy_file = /etc/barbican/policy.json
policy_default_rule = default
[secretstore]
namespace = barbican.secretstore.plugin
enabled_secretstore_plugins = store_crypto
[crypto]
namespace = barbican.crypto.plugin
enabled_crypto_plugins = simple_crypto
[simple_crypto_plugin]
kek = 'YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY='
[keystone_authtoken]
www_authenticate_uri = http://controller:5000
auth_url = http://controller:5000
memcached_servers = controller:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = barbican
password = qwer1234
$ controller ~(keystone)> su -s /bin/bash barbican -c "barbican-manage db upgrade"
$ controller ~(keystone)> systemctl enable --now openstack-barbican-api
# Populate the Barbican DB (schema upgrade), then enable and start the service.
$ controller ~(keystone)> firewall-cmd --add-port=9311/tcp --permanent
$ controller ~(keystone)> firewall-cmd --reload
# Open the Barbican API port (9311/tcp) in the firewall.
Verification
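The kek under [simple_crypto_plugin] is the key-encryption key that wraps every secret Barbican stores, and the value in the barbican.conf above is the public documentation sample (base64 of "abcdefghijklmnopqrstuvwxyz123456"). The following is an added example, not part of this tutorial or of the Barbican project, that checks a barbican.conf for that sample value and for the expected 32-byte size and generates a fresh random KEK to put in its place; check_kek, generate_kek and the embedded config excerpt are constructed for illustration.

```python
import base64
import binascii
import configparser
import os

# Documentation sample KEK reused in this tutorial's barbican.conf; it decodes to
# the string "abcdefghijklmnopqrstuvwxyz123456", so it is effectively public.
SAMPLE_KEK = "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY="
KEK_BYTES = 32  # simple_crypto expects a base64-encoded 32-byte key


def generate_kek() -> str:
    """Return a fresh random KEK in the base64 form barbican.conf expects."""
    return base64.urlsafe_b64encode(os.urandom(KEK_BYTES)).decode("ascii")


def check_kek(conf_text: str) -> list:
    """Parse barbican.conf text and return findings about the configured KEK.

    An empty list means the KEK is present, not the sample value, and 32 bytes.
    """
    findings = []
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    if not cp.has_option("simple_crypto_plugin", "kek"):
        return ["no kek configured under [simple_crypto_plugin]"]
    # The tutorial quotes the value; oslo.config strips the quotes, so do the same.
    kek = cp.get("simple_crypto_plugin", "kek").strip().strip("'\"")
    if kek == SAMPLE_KEK:
        findings.append("kek is the public documentation sample; generate a new one")
    try:
        raw = base64.urlsafe_b64decode(kek)
    except (ValueError, binascii.Error):
        return findings + ["kek is not valid base64"]
    if len(raw) != KEK_BYTES:
        findings.append(f"kek decodes to {len(raw)} bytes, expected {KEK_BYTES}")
    return findings


# Constructed excerpt mirroring the tutorial's config (not a real deployment file).
TUTORIAL_CONF = """
[DEFAULT]
bind_port = 9311
[simple_crypto_plugin]
kek = 'YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY='
"""

if __name__ == "__main__":
    for finding in check_kek(TUTORIAL_CONF):
        print("FINDING:", finding)
    print("replacement kek =", generate_kek())
```

Run the check before the "barbican-manage db upgrade" step: once secrets have been stored, changing the KEK requires re-wrapping them, so fix the value first.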
$ controller ~(keystone)> openstack secret store --name secret01 --payload secretkey
+---------------+------------------------------------------------------------------------+
| Field | Value |
+---------------+------------------------------------------------------------------------+
| Secret href | http://controller:9311/v1/secrets/86cbaa20-0cb9-479f-82ed-80a02f34b83d |
| Name | secret01 |
| Created | None |
| Status | None |
| Content types | None |
| Algorithm | aes |
| Bit length | 256 |
| Secret type | opaque |
| Mode | cbc |
| Expiration | None |
+---------------+------------------------------------------------------------------------+
$ controller ~(keystone)> openstack secret list
+------------------------------------------------------------------------+----------+---------------------------+--------+---------------------------+-----------+------------+-------------+------+------------+
| Secret href | Name | Created | Status | Content types | Algorithm | Bit length | Secret type | Mode | Expiration |
+------------------------------------------------------------------------+----------+---------------------------+--------+---------------------------+-----------+------------+-------------+------+------------+
| http://controller:9311/v1/secrets/86cbaa20-0cb9-479f-82ed-80a02f34b83d | secret01 | 2020-08-16T09:00:00+00:00 | ACTIVE | {'default': 'text/plain'} | aes | 256 | opaque | cbc | None |
+------------------------------------------------------------------------+----------+---------------------------+--------+---------------------------+-----------+------------+-------------+------+------------+
$ controller ~(keystone)> openstack secret get http://controller:9311/v1/secrets/86cbaa20-0cb9-479f-82ed-80a02f34b83d
+---------------+------------------------------------------------------------------------+
| Field | Value |
+---------------+------------------------------------------------------------------------+
| Secret href | http://controller:9311/v1/secrets/86cbaa20-0cb9-479f-82ed-80a02f34b83d |
| Name | secret01 |
| Created | 2020-08-16T09:00:00+00:00 |
| Status | ACTIVE |
| Content types | {'default': 'text/plain'} |
| Algorithm | aes |
| Bit length | 256 |
| Secret type | opaque |
| Mode | cbc |
| Expiration | None |
+---------------+------------------------------------------------------------------------+
# After get, pass the Secret href value that was returned when the secret was created!
$ controller ~(keystone)> openstack secret get http://controller:9311/v1/secrets/86cbaa20-0cb9-479f-82ed-80a02f34b83d --payload
+---------+-----------+
| Field | Value |
+---------+-----------+
| Payload | secretkey |
+---------+-----------+
$ controller ~(keystone)> openstack secret order create --name secret02 --algorithm aes --bit-length 256 --mode cbc --payload-content-type application/octet-stream key
+----------------+-----------------------------------------------------------------------+
| Field | Value |
+----------------+-----------------------------------------------------------------------+
| Order href | http://controller:9311/v1/orders/ffe9a05e-db5e-4b7d-8b5a-86f1349863c3 |
| Type | Key |
| Container href | N/A |
| Secret href | None |
| Created | None |
| Status | None |
| Error code | None |
| Error message | None |
+----------------+-----------------------------------------------------------------------+
$ controller ~(keystone)> openstack secret order list
+-----------------------------------------------------------------------+------+----------------+------------------------------------------------------------------------+---------------------------+--------+------------+---------------+
| Order href | Type | Container href | Secret href | Created | Status | Error code | Error message |
+-----------------------------------------------------------------------+------+----------------+------------------------------------------------------------------------+---------------------------+--------+------------+---------------+
| http://controller:9311/v1/orders/ffe9a05e-db5e-4b7d-8b5a-86f1349863c3 | Key | N/A | http://controller:9311/v1/secrets/4c3e2e5b-3585-44ae-901a-25dee6ede5a7 | 2020-08-16T09:08:06+00:00 | ACTIVE | None | None |
+-----------------------------------------------------------------------+------+----------------+------------------------------------------------------------------------+---------------------------+--------+------------+---------------+
$ controller ~(keystone)> openstack secret order get http://controller:9311/v1/orders/ffe9a05e-db5e-4b7d-8b5a-86f1349863c3
+----------------+------------------------------------------------------------------------+
| Field | Value |
+----------------+------------------------------------------------------------------------+
| Order href | http://controller:9311/v1/orders/ffe9a05e-db5e-4b7d-8b5a-86f1349863c3 |
| Type | Key |
| Container href | N/A |
| Secret href | http://controller:9311/v1/secrets/4c3e2e5b-3585-44ae-901a-25dee6ede5a7 |
| Created | 2020-08-16T09:08:06+00:00 |
| Status | ACTIVE |
| Error code | None |
| Error message | None |
+----------------+------------------------------------------------------------------------+
# After get, pass the Order href value that was returned when the order was created!
$ controller ~(keystone)> openstack secret get http://controller:9311/v1/secrets/4c3e2e5b-3585-44ae-901a-25dee6ede5a7
+---------------+------------------------------------------------------------------------+
| Field | Value |
+---------------+------------------------------------------------------------------------+
| Secret href | http://controller:9311/v1/secrets/4c3e2e5b-3585-44ae-901a-25dee6ede5a7 |
| Name | secret02 |
| Created | 2020-08-16T09:08:06+00:00 |
| Status | ACTIVE |
| Content types | {'default': 'application/octet-stream'} |
| Algorithm | aes |
| Bit length | 256 |
| Secret type | symmetric |
| Mode | cbc |
| Expiration | None |
+---------------+------------------------------------------------------------------------+