Installing the Barbican key manager service on OpenStack Pike

| January 30, 2018 |

Creating the DB


root@controller:~# mysql
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 18617
Server version: 10.0.33-MariaDB-0ubuntu0.16.04.1 Ubuntu 16.04

Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> CREATE DATABASE barbican;
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> GRANT ALL PRIVILEGES ON barbican.* TO 'barbican'@'localhost' \
    ->   IDENTIFIED BY '{패스워드}';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> GRANT ALL PRIVILEGES ON barbican.* TO 'barbican'@'%' \
    ->   IDENTIFIED BY '{패스워드}';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> Bye

Creating the user, role and endpoints


root@controller:~# source jyh_env/admin_openrc 

root@controller:~# openstack user create --domain default --password {패스워드} barbican
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | default                          |
| enabled             | True                             |
| id                  | b76f07f91dd44384a4e4c0f354ecf30e |
| name                | barbican                         |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+

root@controller:~# openstack role add --project service --user barbican admin

root@controller:~# openstack role create creator
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | 110b754c59ad417aa9549f9a0d5b3d26 |
| name      | creator                          |
+-----------+----------------------------------+

root@controller:~# openstack role add --project service --user barbican creator

root@controller:~# openstack service create --name barbican --description "Key Manager" key-manager
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Key Manager                      |
| enabled     | True                             |
| id          | 6fc870c6e4344b478402933df1d4d3b6 |
| name        | barbican                         |
| type        | key-manager                      |
+-------------+----------------------------------+

root@controller:~# openstack region list
+--------+---------------+-------------+
| Region | Parent Region | Description |
+--------+---------------+-------------+
| jyh    | None          |             |
+--------+---------------+-------------+

root@controller:~# openstack endpoint create --region jyh \
> key-manager public http://controller:9311
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 841ccdf216b942568cea9438f169997b |
| interface    | public                           |
| region       | jyh                              |
| region_id    | jyh                              |
| service_id   | 6fc870c6e4344b478402933df1d4d3b6 |
| service_name | barbican                         |
| service_type | key-manager                      |
| url          | http://controller:9311           |
+--------------+----------------------------------+

root@controller:~# openstack endpoint create --region jyh key-manager internal http://controller:9311
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 49ec16a747b544c8a1a8bebd62b613ae |
| interface    | internal                         |
| region       | jyh                              |
| region_id    | jyh                              |
| service_id   | 6fc870c6e4344b478402933df1d4d3b6 |
| service_name | barbican                         |
| service_type | key-manager                      |
| url          | http://controller:9311           |
+--------------+----------------------------------+

root@controller:~# openstack endpoint create --region jyh key-manager admin http://controller:9311
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | cac195208eab42b88f7e8d557ee83e80 |
| interface    | admin                            |
| region       | jyh                              |
| region_id    | jyh                              |
| service_id   | 6fc870c6e4344b478402933df1d4d3b6 |
| service_name | barbican                         |
| service_type | key-manager                      |
| url          | http://controller:9311           |
+--------------+----------------------------------+

Installing the packages


root@controller:~# apt install barbican-api barbican-keystone-listener barbican-worker
패키지 목록을 읽는 중입니다... 완료
의존성 트리를 만드는 중입니다       
상태 정보를 읽는 중입니다... 완료
The following additional packages will be installed:
  barbican-common python-barbican python-ldap
제안하는 패키지:
  python-pykmip python-ldap-doc
다음 새 패키지를 설치할 것입니다:
  barbican-api barbican-common barbican-keystone-listener barbican-worker python-barbican python-ldap
0개 업그레이드, 6개 새로 설치, 0개 제거 및 10개 업그레이드 안 함.
359 k바이트 아카이브를 받아야 합니다.
이 작업 후 2,742 k바이트의 디스크 공간을 더 사용하게 됩니다.
계속 하시겠습니까? [Y/n] y

Editing the configuration file


root@controller:~# cp /etc/barbican/barbican.conf /etc/barbican/barbican.conf_ori

root@controller:~# egrep -v "^#|^$" /etc/barbican/barbican.conf
[DEFAULT]
sql_connection = mysql+pymysql://barbican:{패스워드}@controller/barbican
transport_url = rabbit://openstack:{패스워드}@controller

[keystone_authtoken]
auth_uri = http://controller:5000
auth_url = http://controller:35357
memcached_servers = controller:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = barbican
password = {패스워드}

Creating the DB tables


root@controller:~# su -s /bin/sh -c "barbican-manage db upgrade" barbican
2018-01-24 13:09:05.352 19367 WARNING oslo_db.sqlalchemy.engines [-] MySQL SQL mode is '', consider enabling TRADITIONAL or STRICT_ALL_TABLES: Empty
2018-01-24 13:09:05.354 19367 INFO alembic.runtime.migration [-] Context impl MySQLImpl.
2018-01-24 13:09:05.355 19367 INFO alembic.runtime.migration [-] Will assume non-transactional DDL.
2018-01-24 13:09:05.395 19367 INFO alembic.runtime.migration [-] Running upgrade  -> 1a0c2cdafb38, create test table
2018-01-24 13:09:05.398 19367 INFO alembic.runtime.migration [-] Running upgrade 1a0c2cdafb38 -> juno, juno_initial
2018-01-24 13:09:05.814 19367 INFO alembic.runtime.migration [-] Running upgrade juno -> 13d127569afa, create_secret_store_metadata_table
2018-01-24 13:09:05.848 19367 INFO alembic.runtime.migration [-] Running upgrade 13d127569afa -> 1e86c18af2dd, add new columns type meta containerId
2018-01-24 13:09:06.008 19367 INFO alembic.runtime.migration [-] Running upgrade 1e86c18af2dd -> cd4106a1a0, add-cert-to-container-type
2018-01-24 13:09:06.015 19367 INFO alembic.runtime.migration [-] Running upgrade cd4106a1a0 -> 47b69e523451, Made plugin names in kek datum non nullable
..
..
2018-01-24 13:09:10.653 19367 INFO alembic.runtime.migration [-] Running upgrade d2780d5aa510 -> 39cf2e645cba, Model for multiple backend support
/usr/lib/python2.7/dist-packages/pymysql/cursors.py:166: Warning: (1831, u'Duplicate index `ix_project_secret_store_project_id`. This is deprecated and will be disallowed in a future release.')

Restarting the services


root@controller:~# systemctl restart barbican-keystone-listener.service barbican-worker.service 

root@controller:~# service apache2 restart 

root@controller:~# telnet localhost 9311
Trying ::1...
Connected to localhost.
Escape character is '^]'.
^]
telnet> quit
Connection closed.

root@controller:~# telnet localhost 9312
Trying ::1...
Connected to localhost.
Escape character is '^]'.
^]
telnet> quit
Connection closed.

root@controller:~# ls /etc/apache2/conf-available/barbican-api.conf 
/etc/apache2/conf-available/barbican-api.conf

Configuring the Secret Store back-ends


root@controller:~# vi /etc/barbican/barbican.conf
[DEFAULT]
sql_connection = mysql+pymysql://barbican:{패스워드}@controller/barbican
transport_url = rabbit://openstack:{패스워드}@controller

[crypto]
enabled_crypto_plugins = simple_crypto

[keystone_authtoken]
auth_uri = http://controller:5000
auth_url = http://controller:35357
memcached_servers = controller:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = barbican
password = {패스워드}

[secretstore]
namespace = barbican.secretstore.plugin
enabled_secretstore_plugins = store_crypto

[simple_crypto_plugin]
kek = 'YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY='
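
Before restarting the services with this file it is worth running a quick sanity check on it. The script below is an added example; it is not part of the original post and not Barbican's own tooling. It assumes that Barbican's simple_crypto_plugin reads `kek` as a base64-encoded 32-byte key in Fernet format, that oslo.config strips the surrounding quotes from the value, and that the `kek` shown above is the sample key printed in the Barbican installation documentation (it decodes to the ASCII string abcdefghijklmnopqrstuvwxyz123456, so every secret stored under it is recoverable by anyone who has read the docs). The configuration embedded in the script is constructed from the file above with `{PASSWORD}` standing in for the password placeholder.

```python
"""Sanity-check a barbican.conf before the service is restarted.

Added example, not Barbican code. Checks three things a deployer tends to
forget: placeholders left in connection strings, missing keystone_authtoken
keys, and a simple_crypto_plugin KEK that is malformed or is the sample
key from the documentation. It also generates a fresh KEK.
"""
import base64
import binascii
import configparser
import secrets

# Sample key from the Barbican docs (assumption: see lead-in). It decodes to
# b"abcdefghijklmnopqrstuvwxyz123456" and must never be used in a real deployment.
DOC_SAMPLE_KEK = "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY="

REQUIRED_AUTHTOKEN_KEYS = (
    "auth_uri", "auth_url", "memcached_servers", "auth_type",
    "project_domain_name", "user_domain_name", "project_name",
    "username", "password",
)

# Constructed sample: the configuration from the post, with {PASSWORD}
# as the placeholder the deployer is expected to replace.
SAMPLE_CONF = """\
[DEFAULT]
sql_connection = mysql+pymysql://barbican:{PASSWORD}@controller/barbican
transport_url = rabbit://openstack:{PASSWORD}@controller

[crypto]
enabled_crypto_plugins = simple_crypto

[keystone_authtoken]
auth_uri = http://controller:5000
auth_url = http://controller:35357
memcached_servers = controller:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = barbican
password = {PASSWORD}

[secretstore]
namespace = barbican.secretstore.plugin
enabled_secretstore_plugins = store_crypto

[simple_crypto_plugin]
kek = 'YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY='
"""


def generate_kek() -> str:
    """Return a fresh 32-byte key in the url-safe base64 form Fernet expects."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).decode("ascii")


def decode_kek(value: str) -> bytes:
    """Strip the quotes oslo.config tolerates, then decode the base64 key."""
    raw = value.strip().strip("'\"")
    return base64.urlsafe_b64decode(raw.encode("ascii"))


def check_conf(text: str) -> list:
    """Return a list of findings; an empty list means every check passed."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []

    # 1. Placeholders such as {PASSWORD} left in credentials or connection strings.
    for section, key in (("DEFAULT", "sql_connection"),
                         ("DEFAULT", "transport_url"),
                         ("keystone_authtoken", "password")):
        val = cp.get(section, key, fallback="")
        if not val:
            findings.append(f"{section}.{key} is missing")
        elif "{" in val and "}" in val:
            findings.append(f"{section}.{key} still contains a placeholder")

    # 2. Every keystone_authtoken key the middleware needs must be present.
    for key in REQUIRED_AUTHTOKEN_KEYS:
        if not cp.has_option("keystone_authtoken", key):
            findings.append(f"keystone_authtoken.{key} is missing")

    # 3. The KEK must decode to exactly 32 bytes and must not be the doc sample.
    kek = cp.get("simple_crypto_plugin", "kek", fallback="")
    if not kek:
        findings.append("simple_crypto_plugin.kek is missing")
    else:
        try:
            key = decode_kek(kek)
        except (binascii.Error, ValueError):
            findings.append("simple_crypto_plugin.kek is not valid base64")
        else:
            if len(key) != 32:
                findings.append(
                    f"simple_crypto_plugin.kek decodes to {len(key)} bytes, expected 32")
            if kek.strip().strip("'\"") == DOC_SAMPLE_KEK:
                findings.append("simple_crypto_plugin.kek is the documentation sample key")
    return findings


if __name__ == "__main__":
    for finding in check_conf(SAMPLE_CONF):
        print("FINDING:", finding)
    print("fresh kek for [simple_crypto_plugin]:", generate_kek())
```

Run against the file as written above, the script reports the unfilled placeholders and the documentation KEK; once the placeholders are filled and the `kek` line is replaced with the generated value, it reports nothing. Because the KEK encrypts every secret the simple_crypto back-end stores, it should be generated once per deployment, kept out of version control, and never changed after secrets have been written under it.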

Verification


root@controller:~# openstack secret store --name mysecret --payload j4=]d21
+---------------+-----------------------------------------------------------------------+
| Field         | Value                                                                 |
+---------------+-----------------------------------------------------------------------+
| Secret href   | http://localhost:9311/v1/secrets/6ac43731-02d2-4c7a-ac06-03692cb50f1f |
| Name          | mysecret                                                              |
| Created       | None                                                                  |
| Status        | None                                                                  |
| Content types | None                                                                  |
| Algorithm     | aes                                                                   |
| Bit length    | 256                                                                   |
| Secret type   | opaque                                                                |
| Mode          | cbc                                                                   |
| Expiration    | None                                                                  |
+---------------+-----------------------------------------------------------------------+

root@controller:~# openstack secret get http://localhost:9311/v1/secrets/6ac43731-02d2-4c7a-ac06-03692cb50f1f
+---------------+-----------------------------------------------------------------------+
| Field         | Value                                                                 |
+---------------+-----------------------------------------------------------------------+
| Secret href   | http://localhost:9311/v1/secrets/6ac43731-02d2-4c7a-ac06-03692cb50f1f |
| Name          | mysecret                                                              |
| Created       | 2018-01-25 05:43:53+00:00                                             |
| Status        | ACTIVE                                                                |
| Content types | {u'default': u'text/plain'}                                           |
| Algorithm     | aes                                                                   |
| Bit length    | 256                                                                   |
| Secret type   | opaque                                                                |
| Mode          | cbc                                                                   |
| Expiration    | None                                                                  |
+---------------+-----------------------------------------------------------------------+

root@controller:~# openstack secret get http://localhost:9311/v1/secrets/6ac43731-02d2-4c7a-ac06-03692cb50f1f --payload
+---------+---------+
| Field   | Value   |
+---------+---------+
| Payload | j4=]d21 |
+---------+---------+

Category: Solutions / Other IT

장영호
