RGW integration with OpenStack Barbican
http://docs.ceph.com/docs/master/radosgw/barbican/
https://blog.csdn.net/happyteafriends/article/details/78551103
https://blog.csdn.net/u011211976/article/details/78970642
ceph.conf configuration
rgw_barbican_url = http://100.75.0.19:9311
rgw_keystone_barbican_user = barbican
rgw_keystone_barbican_password = barbican
rgw_keystone_barbican_tenant = service
If you are using Keystone v3, replace rgw_keystone_barbican_tenant with the following two settings:
rgw_keystone_barbican_project = service
rgw_keystone_barbican_domain = default
rgw_crypt_s3_kms_encryption_keys = testkey-1=6b+WOZ1T3cqZMxgThRcXAQBrS5mXKdDUphvpxptl9/4= # a default static key
rgw_crypt_require_ssl = false # HTTPS is not used here, so set this to false
Barbican deployment
Install packages
1. Install the packages:
yum install openstack-barbican
yum install python2-barbicanclient
Create a new user
2. Create a user:
openstack user create --domain default --password-prompt barbican
3. Assign the admin role to the user in the service project:
openstack role add --project service --user barbican admin
Create the endpoints
4. Create the barbican service:
openstack service create --name "barbican" key-manager --description "Key Manager"
5. Create the public, internal and admin endpoints:
openstack endpoint create --region RegionOne key-manager public http://100.75.0.19:9311
openstack endpoint create --region RegionOne key-manager internal http://100.75.0.19:9311
openstack endpoint create --region RegionOne key-manager admin http://100.75.0.19:9311
Create the database
mysql -uroot -p
create database barbican;
GRANT ALL PRIVILEGES ON barbican.* TO 'barbican'@'localhost' IDENTIFIED BY 'rh123456';
GRANT ALL PRIVILEGES ON barbican.* TO 'barbican'@'%' IDENTIFIED BY 'rh123456';
Barbican configuration
barbican-functional.conf
Set the authentication URL to the Keystone URL:
barbican-api-paste.ini
[pipeline:barbican_api]
pipeline = cors authtoken context apiapp
barbican.conf
[DEFAULT]
host_href = http://100.75.0.19:9311
sql_connection = mysql+pymysql://barbican:rh123456@100.75.0.19:3306/barbican
log_file = /var/log/barbican/api.log
[oslo_messaging_rabbit]
amqp_durable_queues = False
rabbit_ha_queues = False
rabbit_port=5672
rabbit_host = 100.75.0.19
rabbit_userid = openstack
rabbit_password = rh123456
[keystone_authtoken]
auth_uri = http://100.75.0.19:5000
auth_url = http://100.75.0.19:35357
memcached_servers = 100.75.0.19:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = barbican
password = barbican
Set up HTTP
Run Barbican under httpd; edit /etc/httpd/conf.d/wsgi-barbican.conf:
Listen 9311
<VirtualHost *:9311>
#ServerName server101.e3cloud.com
## Logging
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
ErrorLog /var/log/httpd/barbican_wsgi_main_error_ssl.log
LogLevel debug
ServerSignature Off
CustomLog /var/log/httpd/barbican_wsgi_main_access_ssl.log combined
WSGIApplicationGroup %{GLOBAL}
WSGIDaemonProcess barbican-api display-name=barbican-api group=barbican processes=2 threads=8 user=barbican
WSGIProcessGroup barbican-api
WSGIScriptAlias / /usr/lib/python2.7/site-packages/barbican/api/app.wsgi
WSGIPassAuthorization On
<Directory /usr/lib>
<IfVersion >= 2.4>
Require all granted
</IfVersion>
<IfVersion < 2.4>
Order allow,deny
Allow from all
</IfVersion>
</Directory>
</VirtualHost>
Testing
1. Obtain a token for the barbican user:
Load the barbican user's credentials: source barbican-openrc.sh
Get a token: openstack token issue
2. Create a secret in Barbican as the barbican user:
Here the token obtained above is used to call the Barbican API and create a secret named my-key with payload = 6b+WOZ1T3cqZMxgThRcXAQBrS5mXKdDUphvpxptl9/4= (stored by the simple_crypto plugin):
curl -X POST -H 'content-type:application/json' -H 'X-Auth-Token:gAAAAABdLpyXQIXpP3l1nkKeUMbdkzE_dz7YIuTGyFgng-BPfHYU3gZj82BITOPl-hAVKh7rPRb2lYmINoXTkwKVxeu-YBQgPXkAAhumwX53iaajU26eEQUp-PLwQwTaWDR4m2Xa-AQxzSN94qDKwguksetNpt5CI6Wzf10pSwbd45aCB6gZbKw' -d '{"name": "my-key","algorithm": "aes","bit_length": 256,"mode": "cbc","payload": "6b+WOZ1T3cqZMxgThRcXAQBrS5mXKdDUphvpxptl9/4=","payload_content_type": "application/octet-stream","payload_content_encoding": "base64"}' http://100.75.0.19:9311/v1/secrets
3. Test with boto. The UUID fdfc6228-787c-4cb7-94e1-e65a93dee712 from the Secret href returned above is used as the key-id (the Ceph user's S3 credentials can be created through either Keystone or RGW):
import os, sys
import boto.s3.connection
from boto.s3.key import Key   # Key is used below but was missing from the original imports

access_key = "e2dd89eb439b44d091eeecbb40926ab4"
secret_key = "6d6d2fb104de4d778563869dd27ac644"
bucket_name = "haj-b-1"
key_name = "file_encrypt_2"
file_name = "file_1"

# Plain HTTP to RGW on port 7480; this only works because rgw_crypt_require_ssl = false
conn = boto.connect_s3(
    aws_access_key_id=access_key,
    aws_secret_access_key=secret_key,
    host='100.75.0.21',
    port=7480,
    is_secure=False,
    calling_format=boto.s3.connection.OrdinaryCallingFormat())
bucket = conn.get_bucket(bucket_name)
k = Key(bucket)
k.key = key_name
# Request SSE-KMS and name the Barbican secret UUID as the key id
headers = {"x-amz-server-side-encryption": "aws:kms",
           "x-amz-server-side-encryption-aws-kms-key-id": "fdfc6228-787c-4cb7-94e1-e65a93dee712"}
result = k.set_contents_from_filename(file_name, headers=headers)
1. The upload succeeds.
2. Ceph stores the x-amz-server-side-encryption-aws-kms-key-id value with the object; the user does not need to pass any encryption parameters when downloading, a normal download works.
Notes
1. The user configured as rgw_keystone_barbican_user = barbican must have permission to read every secret used for RGW encryption.
2. The parameters used to create the secret must follow a specific format; see the Ceph and AWS documentation.
3. When uploading a file with KMS encryption, the request must include the key-id.
Ceph code analysis
Call chain:
rgw_op.cc: void RGWPutObj::execute() --->
rgw_rest_s3.cc: int RGWPutObj_ObjStore_S3::get_encrypt_filter(.....) --->
rgw_crypt.cc: int rgw_s3_prepare_encrypt(.....)
For the customer-provided key mode SSE-C (AES256):
1. Required header: x-amz-server-side-encryption-customer-algorithm = "AES256"
2. If the transport is not HTTPS, the Ceph option rgw_crypt_require_ssl must be false
3. x-amz-server-side-encryption-customer-key must be base64 encoded, and the decoded value must have the required length
4. x-amz-server-side-encryption-customer-key-md5 must be base64 encoded, and the decoded value must have the required length
5. When customer-key and customer-key-md5 are both present, they must be consistent under the specified hash algorithm
For the server-side KMS mode:
1. If the transport is not HTTPS, the Ceph option rgw_crypt_require_ssl must be false
2. Required header: x-amz-server-side-encryption = "aws:kms"
3. The header x-amz-server-side-encryption-aws-kms-key-id must not be empty
4. Look up actual_key by key-id and verify that actual_key meets the format/length requirements:
(1) If a pair matching key-id is found in the Ceph option rgw_crypt_s3_kms_encryption_keys, that value is actual_key and is validated.
(2) Otherwise query Keystone/Barbican: first obtain a token for rgw_keystone_barbican_project/rgw_keystone_barbican_user from Keystone, then read the actual_key for key-id from Barbican and validate it.
For the automatic encryption mode RGW-AUTO:
1. The Ceph option rgw_crypt_default_encryption_key must be non-empty and meet the format/length requirements
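The decision logic described above, as an added Python model that is not Ceph's own code: it applies the SSE-C, SSE-KMS (static map first, then Barbican) and RGW-AUTO rules to a request's headers and a dict standing in for ceph.conf. The decoded lengths (32-byte AES-256 key, 16-byte MD5) are standard sizes not stated on the page, and barbican_lookup is an assumed callback replacing the real Keystone token + Barbican fetch.

```python
import base64
import hashlib

# Constructed model of the checks this page attributes to rgw_s3_prepare_encrypt();
# header and option names are the page's, the logic is a re-implementation, not Ceph's.
PAGE_KEY = "6b+WOZ1T3cqZMxgThRcXAQBrS5mXKdDUphvpxptl9/4="   # testkey-1 from ceph.conf above
SSE = "x-amz-server-side-encryption"

def decode_key(value, expected_len):
    """Base64-decode a header or config value and enforce the decoded length."""
    raw = base64.b64decode(value, validate=True)      # raises ValueError on bad base64
    if len(raw) != expected_len:
        raise ValueError("decoded %d bytes, expected %d" % (len(raw), expected_len))
    return raw

def sse_c_headers(key):
    """Client-side helper: the three SSE-C headers for a raw 32-byte AES key."""
    return {SSE + "-customer-algorithm": "AES256",
            SSE + "-customer-key": base64.b64encode(key).decode(),
            SSE + "-customer-key-md5": base64.b64encode(hashlib.md5(key).digest()).decode()}

def prepare_encrypt(headers, conf, barbican_lookup, is_ssl):
    """Return (mode, key bytes) or raise ValueError; barbican_lookup(key_id) is assumed."""
    h = {k.lower(): v for k, v in headers.items()}
    if any(k.startswith(SSE) for k in h) and not is_ssl and conf.get("rgw_crypt_require_ssl", True):
        raise ValueError("encryption over plain HTTP needs rgw_crypt_require_ssl = false")
    alg = h.get(SSE + "-customer-algorithm")
    if alg is not None:                                          # SSE-C
        if alg != "AES256":
            raise ValueError("customer-algorithm must be AES256")
        key = decode_key(h.get(SSE + "-customer-key", ""), 32)   # AES-256 key
        md5 = decode_key(h.get(SSE + "-customer-key-md5", ""), 16)
        if hashlib.md5(key).digest() != md5:
            raise ValueError("customer-key-md5 does not match customer-key")
        return "SSE-C", key
    if h.get(SSE) == "aws:kms":                                  # SSE-KMS
        key_id = h.get(SSE + "-aws-kms-key-id", "")
        if not key_id:
            raise ValueError("aws-kms-key-id must not be empty")
        # (1) static rgw_crypt_s3_kms_encryption_keys map, then (2) Barbican
        encoded = conf.get("rgw_crypt_s3_kms_encryption_keys", {}).get(key_id)
        if encoded is None:
            encoded = barbican_lookup(key_id)
        if encoded is None:
            raise ValueError("no secret found for key-id %s" % key_id)
        return "SSE-KMS", decode_key(encoded, 32)
    default = conf.get("rgw_crypt_default_encryption_key")
    if default:                                                  # RGW-AUTO
        return "RGW-AUTO", decode_key(default, 32)
    return None, None
```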