OpenStack Queens : How to use Barbican2018/06/20 |
|
How to use the OpenStack Key Manager Service (Barbican).
This example is based on the emvironment like follows.
------------+---------------------------+---------------------------+------------
| | |
eth0|10.0.0.30 eth0|10.0.0.50 eth0|10.0.0.51
+-----------+-----------+ +-----------+-----------+ +-----------+-----------+
| [ Control Node ] | | [ Network Node ] | | [ Compute Node ] |
| | | | | |
| MariaDB RabbitMQ | | Cinder-Volume | | Libvirt |
| Memcached httpd | | L2 Agent | | Nova Compute |
| Keystone Glance | | L3 Agent | | Linux Bridge |
| Nova API | | Metadata Agent | | L2 Agent |
| Neutron Server | | | | |
| Metadata Agent | | | | |
| Cinder API | | | | |
| Barbican API | | | | |
+-----------------------+ +-----------------------+ +-----------------------+
|
| [1] | This is the basic usage of Barbican. |
|
# store a key : --name [key's name] --payload [key's data] root@dlp ~(keystone)# openstack secret store --name secret01 --payload secretkey +---------------+-----------------------------------------------------------------------+ | Field | Value | +---------------+-----------------------------------------------------------------------+ | Secret href | http://10.0.0.30:9311/v1/secrets/3ebe8b05-315a-405c-b0e8-6aac22f34f15 | | Name | secret01 | | Created | None | | Status | None | | Content types | None | | Algorithm | aes | | Bit length | 256 | | Secret type | opaque | | Mode | cbc | | Expiration | None | +---------------+-----------------------------------------------------------------------+ # show keys list root@dlp ~(keystone)# openstack secret list
+-----------------------------------------------------------------------+----------
| Secret href | Name
+-----------------------------------------------------------------------+----------
| http://10.0.0.30:9311/v1/secrets/3ebe8b05-315a-405c-b0e8-6aac22f34f15 | secret01
+-----------------------------------------------------------------------+----------
+---------------------------+--------+-----------------------------+-----------
| Created | Status | Content types | Algorithm
+---------------------------+--------+-----------------------------+-----------
| 2018-06-20T02:09:15+00:00 | ACTIVE | {u'default': u'text/plain'} | aes
+---------------------------+--------+-----------------------------+-----------
+------------+-------------+------+------------+
| Bit length | Secret type | Mode | Expiration |
+------------+-------------+------+------------+
| 256 | opaque | cbc | None |
+------------+-------------+------+------------+
# get metadata of a key root@dlp ~(keystone)# openstack secret get http://10.0.0.30:9311/v1/secrets/3ebe8b05-315a-405c-b0e8-6aac22f34f15
+---------------+-----------------------------------------------------------------------+
| Field | Value |
+---------------+-----------------------------------------------------------------------+
| Secret href | http://10.0.0.30:9311/v1/secrets/3ebe8b05-315a-405c-b0e8-6aac22f34f15 |
| Name | secret01 |
| Created | 2018-06-20T02:09:15+00:00 |
| Status | ACTIVE |
| Content types | {u'default': u'text/plain'} |
| Algorithm | aes |
| Bit length | 256 |
| Secret type | opaque |
| Mode | cbc |
| Expiration | None |
+---------------+-----------------------------------------------------------------------+
# get data of a key root@dlp ~(keystone)# openstack secret get http://10.0.0.30:9311/v1/secrets/3ebe8b05-315a-405c-b0e8-6aac22f34f15 --payload +---------+-----------+ | Field | Value | +---------+-----------+ | Payload | secretkey | +---------+-----------+ # generate and store a key root@dlp ~(keystone)# openstack secret order create --name secret02 --algorithm aes --bit-length 256 \ --mode cbc --payload-content-type application/octet-stream key +----------------+----------------------------------------------------------------------+ | Field | Value | +----------------+----------------------------------------------------------------------+ | Order href | http://10.0.0.30:9311/v1/orders/d6b596d4-d099-43d1-b416-59c86954a531 | | Type | Key | | Container href | N/A | | Secret href | None | | Created | None | | Status | None | | Error code | None | | Error message | None | +----------------+----------------------------------------------------------------------+ # show generated keys list root@dlp ~(keystone)# openstack secret order list +----------------------------------------------------------------------+------+---------------- | Order href | Type | Container href +----------------------------------------------------------------------+------+---------------- | http://10.0.0.30:9311/v1/orders/d6b596d4-d099-43d1-b416-59c86954a531 | Key | N/A +----------------------------------------------------------------------+------+---------------- +----------------------------------------------------------------------- | Secret href +----------------------------------------------------------------------- | http://10.0.0.30:9311/v1/secrets/2eefe0ea-602a-4a77-a1d9-f9affd954678 +----------------------------------------------------------------------- +---------------------------+--------+------------+---------------+ | Created | Status | Error code | Error message | +---------------------------+--------+------------+---------------+ | 2018-06-20T02:11:19+00:00 | ACTIVE | None | None | +---------------------------+--------+------------+---------------+ # show a generated key root@dlp ~(keystone)# openstack secret order get http://10.0.0.30:9311/v1/orders/d6b596d4-d099-43d1-b416-59c86954a531 +----------------+-----------------------------------------------------------------------+ | Field | Value | +----------------+-----------------------------------------------------------------------+ | Order href | http://10.0.0.30:9311/v1/orders/d6b596d4-d099-43d1-b416-59c86954a531 | | Type | Key | | Container href | N/A | | Secret href | http://10.0.0.30:9311/v1/secrets/2eefe0ea-602a-4a77-a1d9-f9affd954678 | | Created | 2018-06-20T02:11:19+00:00 | | Status | ACTIVE | | Error code | None | | Error message | None | +----------------+-----------------------------------------------------------------------+ # show metadata of a generated key root@dlp ~(keystone)# openstack secret get http://10.0.0.30:9311/v1/secrets/2eefe0ea-602a-4a77-a1d9-f9affd954678
+---------------+-----------------------------------------------------------------------+
| Field | Value |
+---------------+-----------------------------------------------------------------------+
| Secret href | http://10.0.0.30:9311/v1/secrets/2eefe0ea-602a-4a77-a1d9-f9affd954678 |
| Name | secret02 |
| Created | 2018-06-20T02:11:19+00:00 |
| Status | ACTIVE |
| Content types | {u'default': u'application/octet-stream'} |
| Algorithm | aes |
| Bit length | 256 |
| Secret type | symmetric |
| Mode | cbc |
| Expiration | None |
+---------------+-----------------------------------------------------------------------+
|
| Sponsored Link |