Ceph RGW + OpenStack Barbican Configuration Tutorial (Part 1)

This article describes how to integrate Ceph RGW with OpenStack Barbican so that files users upload through Ceph Radosgw are encrypted on the server side (Server Side Encryption, SSE). This effectively improves data security: the data stored on the server is no longer in plaintext. It also carries a risk, however: if the Secret stored in OpenStack Barbican is deleted, the data may no longer be decryptable, so readers need to take particular care when using it.

Prerequisites

  • Ceph RGW, OpenStack Keystone and MariaDB are already installed on a virtual or physical machine

Readers may wonder at this point why OpenStack Keystone is needed. Every OpenStack component authenticates through OpenStack Keystone when it is used, so even if you only want Ceph Object SSE you still need to install OpenStack Keystone.

Installation

First install the OpenStack Barbican packages; this article uses the OpenStack Stein version.

# yum install https://repos.fedorapeople.org/repos/openstack/openstack-queens/rdo-release-queens-1.noarch.rpm
# yum -y update
# yum install -y openstack-barbican-api python2-barbicanclient

Configuration

After installation, log in to the database and create the barbican database and user.

# mysql -u root -p
$ CREATE DATABASE barbican;
$ GRANT ALL PRIVILEGES ON barbican.* TO 'barbican'@'localhost' IDENTIFIED BY 'barbican';
$ GRANT ALL PRIVILEGES ON barbican.* TO 'barbican'@'%' IDENTIFIED BY 'barbican';
$ exit;

Create a barbican user.

# openstack user create --domain default --password-prompt barbican

+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | default |
| enabled | True |
| id | c33e4a4492944c278cd0f53791c98231 |
| name | barbican |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+

Create a new project named service.

# openstack project create service

+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | |
| domain_id | default |
| enabled | True |
| id | 31a3464dcf244931883c317fef836bbc |
| is_domain | False |
| name | service |
| parent_id | default |
| tags | [] |
+-------------+----------------------------------+

Assign the barbican user the admin role in the service project.

# openstack role add --project service --user barbican admin

Create the barbican service.

# openstack service create --name barbican --description "Key Manager" key-manager

+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Key Manager |
| enabled | True |
| id | 018639d5972545b4b12406c23f9af2d9 |
| name | barbican |
| type | key-manager |
+-------------+----------------------------------+

Create the barbican endpoints.

# openstack endpoint create --region RegionOne key-manager public http://172.17.1.100:9311

+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | e08911cc96584d9c8b8cdba8d98288e9 |
| interface | public |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 018639d5972545b4b12406c23f9af2d9 |
| service_name | barbican |
| service_type | key-manager |
| url | http://172.17.1.100:9311 |
+--------------+----------------------------------+

# openstack endpoint create --region RegionOne key-manager internal http://172.17.1.100:9311

+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | ab71ed47d2b241afa771551521b1341f |
| interface | internal |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 018639d5972545b4b12406c23f9af2d9 |
| service_name | barbican |
| service_type | key-manager |
| url | http://172.17.1.100:9311 |
+--------------+----------------------------------+

# openstack endpoint create --region RegionOne key-manager admin http://172.17.1.100:9311

+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | bca4f788e5a6497aa314a810c637f545 |
| interface | admin |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 018639d5972545b4b12406c23f9af2d9 |
| service_name | barbican |
| service_type | key-manager |
| url | http://172.17.1.100:9311 |
+--------------+----------------------------------+

Next, edit /etc/barbican/barbican.conf

# vim /etc/barbican/barbican.conf

[DEFAULT]
...
sql_connection = mysql+pymysql://barbican:barbican@172.17.1.100/barbican

...
[keystone_authtoken]
...
www_authenticate_uri = http://172.17.1.100:5000
auth_url = http://172.17.1.100:5000
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = barbican
password = password

Create the OpenStack Barbican database tables.

# su -s /bin/sh -c "barbican-manage db upgrade" barbican

Create the httpd configuration file that serves OpenStack Barbican.

# vim /etc/httpd/conf.d/wsgi-barbican.conf

Listen 9311
<VirtualHost *:9311>
## Logging
ErrorLog "/var/log/httpd/barbican_wsgi_main_error_ssl.log"
LogLevel debug
ServerSignature Off
CustomLog "/var/log/httpd/barbican_wsgi_main_access_ssl.log" combined

WSGIApplicationGroup %{GLOBAL}
WSGIDaemonProcess barbican-api display-name=barbican-api group=barbican processes=2 threads=8 user=barbican
WSGIProcessGroup barbican-api
WSGIScriptAlias / "/usr/lib/python2.7/site-packages/barbican/api/app.wsgi"
WSGIPassAuthorization On

<Directory /usr/lib>
<IfVersion >= 2.4>
Require all granted
</IfVersion>
<IfVersion < 2.4>
Order allow,deny
Allow from all
</IfVersion>
</Directory>
</VirtualHost>

Start OpenStack Barbican.

# systemctl enable httpd.service
# systemctl restart httpd.service
# systemctl status httpd.service

Confirm that the Barbican port is up and listening.

# netstat -ntlp | grep 9311

tcp6 0 0 :::9311 :::* LISTEN 5924/httpd

Create the OpenStack Barbican environment variable file.

# vim barbicanrc

export OS_USERNAME=barbican
export OS_PASSWORD=password
export OS_PROJECT_NAME=service
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://172.17.1.100:5000/v3
export OS_IDENTITY_API_VERSION=3

Use the source command to load the OpenStack environment variables.

# source barbicanrc

Results

Create the first KEM key.

# openstack secret store --name mysecret --payload YXN1c2FzdXNhc3VzYXN1c2FzdXNhc3VzYXN1c2FzdXM= --payload-content-type application/octet-stream --payload-content-encoding base64 --secret-type symmetric

+---------------+-----------------------------------------------------------------------+
| Field | Value |
+---------------+-----------------------------------------------------------------------+
| Secret href | http://localhost:9311/v1/secrets/309092d6-6def-4e8c-aad4-637fda3722ca |
| Name | mysecret |
| Created | None |
| Status | None |
| Content types | {u'default': u'application/octet-stream'} |
| Algorithm | aes |
| Bit length | 256 |
| Secret type | symmetric |
| Mode | cbc |
| Expiration | None |
+---------------+-----------------------------------------------------------------------+
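As an added example (not part of the original post), the following Python script checks that a --payload value decodes to a 256-bit key, flags keys built from a short repeating byte pattern like the sample payload above, and generates a random replacement key for the same openstack secret store command. The 32-byte requirement is assumed from the aes / 256 values Barbican reports for the stored secret.

```python
import base64
import binascii
import secrets
import shlex

# Assumption: the SSE key must be AES-256, so the Barbican secret is a 32-byte key.
KEY_BYTES = 32


def decode_key_payload(payload: str) -> bytes:
    """Decode a --payload value and reject anything that is not a 256-bit key."""
    try:
        raw = base64.b64decode(payload, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"payload is not valid base64: {exc}") from exc
    if len(raw) != KEY_BYTES:
        raise ValueError(f"key is {len(raw) * 8} bits, expected {KEY_BYTES * 8}")
    return raw


def has_repeating_pattern(raw: bytes) -> bool:
    """True if the key is a short byte pattern repeated to fill the whole length."""
    for period in range(1, len(raw) // 2 + 1):
        if len(raw) % period == 0 and raw == raw[:period] * (len(raw) // period):
            return True
    return False


def generate_key_payload() -> str:
    """Return a fresh random 256-bit key, base64-encoded for --payload."""
    return base64.b64encode(secrets.token_bytes(KEY_BYTES)).decode("ascii")


def secret_store_command(name: str, payload: str) -> str:
    """Build the 'openstack secret store' command used above, after validating the key."""
    decode_key_payload(payload)  # refuse to emit a command for a malformed key
    return " ".join([
        "openstack secret store",
        f"--name {shlex.quote(name)}",
        f"--payload {shlex.quote(payload)}",
        "--payload-content-type application/octet-stream",
        "--payload-content-encoding base64",
        "--secret-type symmetric",
    ])


if __name__ == "__main__":
    # Constructed sample: the payload stored in the article ("asus" repeated 8 times).
    sample = "YXN1c2FzdXNhc3VzYXN1c2FzdXNhc3VzYXN1c2FzdXM="
    raw = decode_key_payload(sample)
    print(f"{len(raw) * 8}-bit key, repeating pattern: {has_repeating_pattern(raw)}")
    print(secret_store_command("mysecret", generate_key_payload()))
```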

List the currently registered keys.

# openstack secret list

+-----------------------------------------------------------------------+----------+---------------------------+--------+-------------------------------------------+-----------+------------+-------------+------+------------+
| Secret href | Name | Created | Status | Content types | Algorithm | Bit length | Secret type | Mode | Expiration |
+-----------------------------------------------------------------------+----------+---------------------------+--------+-------------------------------------------+-----------+------------+-------------+------+------------+
| http://localhost:9311/v1/secrets/309092d6-6def-4e8c-aad4-637fda3722ca | mysecret | 2020-06-20T14:16:58+00:00 | ACTIVE | {u'default': u'application/octet-stream'} | aes | 256 | symmetric | cbc | None |
+-----------------------------------------------------------------------+----------+---------------------------+--------+-------------------------------------------+-----------+------------+-------------+------+------------+

If you have any questions about this tutorial, or spot any errors in it, feel free to leave a comment below~
