This article describes how to install and configure the OpenStack Barbican Key Manager service on Linux.
Introduction

Barbican is a REST API for OpenStack designed to provide secure management, provisioning and storage of secret material such as passwords and X.509 certificates. The Barbican project aims to be useful in every environment, including large ephemeral clouds. In this article we install and configure the Barbican Key Manager service on OpenStack.

Prerequisites

Before starting this installation, a few key prerequisites must be in place:

1. A working OpenStack controller node (Keystone, RabbitMQ, Memcached, MariaDB, etc.).
2. The OpenStack client command-line tools configured. See the guide on installing and configuring the OpenStack client on Linux.
3. The OpenStack repositories configured for the distribution you will be using.

I am performing this setup on the OpenStack Victoria release. The operating system I am using is CentOS 8.
Step 1: Create the Barbican Keystone user, service entry and endpoints

List the projects to find the services project:
$ openstack project list
Add a user for Barbican to Keystone on the OpenStack controller node:
$ openstack user create --domain default --project services --password aa18be88b3bd4e1b barbican
Add the newly created barbican user to the admin role:
$ openstack role add --project services --user barbican admin

Create the service entry for Barbican with the following command:
$ openstack service create --name barbican --description "OpenStack Key Manager" key-manager
Before creating the required endpoints, save the Barbican API host (normally the controller node) in a variable:
export controller=controllerip #example: export controller=192.168.30.11

Then create the API endpoints. Create the public endpoint:
$ openstack endpoint create --region RegionOne key-manager public http://$controller:9311
Create the internal endpoint:
$ openstack endpoint create --region RegionOne key-manager internal http://$controller:9311
Create the admin endpoint:
$ openstack endpoint create --region RegionOne key-manager admin http://$controller:9311
Step 2: Configure the database for Barbican

Log in to the MariaDB root shell:
$ mysql -u root -p

Create the barbican database and a barbican user with privileges granted on it:
create database barbican;
grant all privileges on barbican.* to barbican@'localhost' identified by '97e0b4b47ae44d5d';
grant all privileges on barbican.* to barbican@'%' identified by '97e0b4b47ae44d5d';
flush privileges;
\q

Test connectivity to the database as the new user:
$ mysql -u barbican -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 725850
Server version: 10.3.28-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>
Step 3: Install and configure the Barbican Key Manager service

Install the Barbican package:
sudo yum -y install openstack-barbican

Back up Barbican's default configuration file:
sudo mv /etc/barbican/barbican.conf /etc/barbican/barbican.conf.orig

Create a new configuration file:
sudo vim /etc/barbican/barbican.conf

Configure it as follows, replacing the variables (controllerip, dbpassword, barbicanuserpassword) with your own values:

[DEFAULT]
#API settings
bind_host = 0.0.0.0
bind_port = 9311
host_href = http://controllerip:9311
log_file = /var/log/barbican/api.log

#Database connection
sql_connection = mysql+pymysql://barbican:dbpassword@controllerip/barbican

#RabbitMQ connection
transport_url = rabbit://guest:guest@controllerip:5672/

[oslo_policy]
policy_file = /etc/barbican/policy.json
policy_default_rule = default

[secretstore]
namespace = barbican.secretstore.plugin
enabled_secretstore_plugins = store_crypto

[crypto]
namespace = barbican.crypto.plugin
enabled_crypto_plugins = simple_crypto

[simple_crypto_plugin]
kek = 'dGhpcnR5X3R3b19ieXRlX2tleWJsYWhibGFoYmxhaGg'

# Keystone Authentication
[keystone_authtoken]
www_authenticate_uri = http://controllerip:5000
auth_url = http://controllerip:5000
memcached_servers = controllerip:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = services #project name where keystone user is located
username = barbican #username as created in step 1
password = barbicanuserpassword #password set while creating keystone user

Set the file permissions:
sudo chmod 644 /etc/barbican/barbican.conf

Run the database migration with the following command:
$ su -s /bin/bash barbican -c "barbican-manage db upgrade"
215 80247 INFO alembic.runtime.migration [-] Context impl MySQLImpl.
215 80247 INFO alembic.runtime.migration [-] Will assume non-transactional DDL.
219 80247 INFO alembic.runtime.migration [-] Running upgrade -> 39cf2e645cba, Ocata rebase
412 80247 INFO alembic.runtime.migration [-] Running upgrade 39cf2e645cba -> 0f8c192a061f, Add Secret Consumers table

Start and enable the barbican service:
sudo systemctl enable --now openstack-barbican-api

Check the service status; it should show as running:
$ systemctl status openstack-barbican-api -l
openstack-barbican-api.service - Openstack Barbican API server
Loaded: loaded (/usr/lib/systemd/system/openstack-barbican-api.service; enabled; vendor preset: disabled)
Active: active (running)

If the firewall service is running, open the required port:
sudo firewall-cmd --add-port=9311/tcp --permanent
sudo firewall-cmd --reload

Create a test secret in the Barbican service:
$ openstack secret store --name mysecret --payload mysecretkey
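The kek value in [simple_crypto_plugin] above is the sample from the Barbican documentation (it decodes to the literal string thirty_two_byte_keyblahblahblahh), and barbican.conf also holds the database password and the RabbitMQ credentials, so a fresh key and tight file permissions matter in a real deployment. The helpers below are an added example, not part of the original article or of the Barbican project: gen_kek produces a random key in the format the sample implies (base64 of 32 bytes; that format is an assumption drawn from the sample value), kek_check verifies that a candidate key decodes to exactly 32 bytes, and conf_perm_check verifies that the configuration file is not readable by "other". Function names are illustrative and the demo writes a constructed config fragment to a temporary directory.

```shell
#!/usr/bin/env bash
# Added example (not from the original article or from Barbican itself).
# Assumption: the [simple_crypto_plugin] kek is the base64 encoding of 32
# random bytes, as the article's sample value suggests. Requires GNU
# coreutils (base64, stat), which CentOS 8 provides.

# Print a freshly generated KEK: 32 bytes from /dev/urandom, base64-encoded,
# using the URL-safe alphabet (+/ replaced by -_) so it is safe in config files.
gen_kek() {
    head -c 32 /dev/urandom | base64 | tr -d '\n' | tr '+/' '-_'
}

# Return 0 if the given KEK decodes to exactly 32 bytes, 1 otherwise.
# Accepts both URL-safe and standard alphabets, with or without '=' padding.
kek_check() {
    kek=$1
    pad=$(( (4 - ${#kek} % 4) % 4 ))
    padded="$kek$(printf '%*s' "$pad" '' | tr ' ' '=')"
    n=$(printf '%s' "$padded" | tr '_-' '/+' | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    [ "$n" -eq 32 ]
}

# Return 0 if the file grants no permissions to "other" (last octal digit 0),
# 1 otherwise. A config holding a KEK and DB password should not be 644.
conf_perm_check() {
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        *0) return 0 ;;
        *)  return 1 ;;
    esac
}

# Demonstration: write a constructed config fragment with a new KEK to a
# temporary directory, restrict it to owner and group, and run both checks.
demo() {
    dir=$(mktemp -d)
    conf="$dir/barbican.conf"
    kek=$(gen_kek)
    printf '[simple_crypto_plugin]\nkek = %s\n' "'$kek'" > "$conf"
    chmod 640 "$conf"
    if kek_check "$kek" && conf_perm_check "$conf"; then
        echo "ok: KEK is 32 bytes and $conf is not world-readable"
        cat "$conf"
    else
        echo "check failed for $conf" >&2
    fi
    rm -rf "$dir"
}

demo
```

In a real deployment, paste the output of gen_kek into the kek line, and keep the file owned by root:barbican with mode 640 so the barbican service can read it while other local accounts cannot.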
Confirm that the secret was created:
$ openstack secret list

The href printed for the secret can be used later to retrieve its payload:
$ openstack secret get http://controllerip:9311/v1/secrets/47a212f2-015f-4d90-a58b-f5d0404a8d14 --payload
Note: that completes the installation and configuration of the Barbican Key Management Service on the OpenStack cloud platform.