Barbican服务介绍
Key Manager 服务 (barbican) 提供机密数据的安全存储、配置和管理。这包括密钥材料,例如对称密钥、非对称密钥、证书和原始二进制数据。
Barbican 是 OpenStack 的key管理组件,定位在提供 REST API 来安全存储、提供和管理“秘密”。
Barbican最常用的功能是作为OpenStack环境中的密钥生成器,为各种加解密操作提供支持;同时,Barbican还可以保存OpenStack环境中的用户机密数据。
控制节点安装服务
[root@controller ~]# iaas-install-barbican.sh
使用Barbican服务
[root@controller ~]# openstack secret store --name secret01 --payload secretkey
+---------------+-----------------------------------------------------------------------+
| Field | Value |
+---------------+-----------------------------------------------------------------------+
| Secret href | http://localhost:9311/v1/secrets/0c75b604-1cae-4172-b632-b769f1d649e3 |
| Name | secret01 |
| Created | None |
| Status | None |
| Content types | None |
| Algorithm | aes |
| Bit length | 256 |
| Secret type | opaque |
| Mode | cbc |
| Expiration | None |
+---------------+-----------------------------------------------------------------------+
[root@controller ~]# openstack secret list
+-----------------------------------------------------------------------+----------+---------------------------+--------+-----------------------------+-----------+------------+-------------+------+------------+
| Secret href | Name | Created | Status | Content types | Algorithm | Bit length | Secret type | Mode | Expiration |
+-----------------------------------------------------------------------+----------+---------------------------+--------+-----------------------------+-----------+------------+-------------+------+------------+
| http://localhost:9311/v1/secrets/0c75b604-1cae-4172-b632-b769f1d649e3 | secret01 | 2022-05-07T11:52:35+00:00 | ACTIVE | {u'default': u'text/plain'} | aes | 256 | opaque | cbc | None |
+-----------------------------------------------------------------------+----------+---------------------------+--------+-----------------------------+-----------+------------+-------------+------+------------+
[root@controller ~]# openstack secret get http://localhost:9311/v1/secrets/0c75b604-1cae-4172-b632-b769f1d649e3
+---------------+-----------------------------------------------------------------------+
| Field | Value |
+---------------+-----------------------------------------------------------------------+
| Secret href | http://localhost:9311/v1/secrets/0c75b604-1cae-4172-b632-b769f1d649e3 |
| Name | secret01 |
| Created | 2022-05-07T11:52:35+00:00 |
| Status | ACTIVE |
| Content types | {u'default': u'text/plain'} |
| Algorithm | aes |
| Bit length | 256 |
| Secret type | opaque |
| Mode | cbc |
| Expiration | None |
+---------------+-----------------------------------------------------------------------+
[root@controller ~]# openstack secret get http://localhost:9311/v1/secrets/0c75b604-1cae-4172-b632-b769f1d649e3 --payload
+---------+-----------+
| Field | Value |
+---------+-----------+
| Payload | secretkey |
+---------+-----------+
[root@controller ~]# openstack secret order create --name secret02 --algorithm aes --bit-length 256 --mode cbc --payload-content-type application/octet-stream key
+----------------+----------------------------------------------------------------------+
| Field | Value |
+----------------+----------------------------------------------------------------------+
| Order href | http://localhost:9311/v1/orders/a8f2d133-c089-496b-ace3-3a9f540205b1 |
| Type | Key |
| Container href | N/A |
| Secret href | None |
| Created | None |
| Status | None |
| Error code | None |
| Error message | None |
+----------------+----------------------------------------------------------------------+
[root@controller ~]# openstack secret order list
+----------------------------------------------------------------------+------+----------------+-----------------------------------------------------------------------+---------------------------+--------+------------+---------------+
| Order href | Type | Container href | Secret href | Created | Status | Error code | Error message |
+----------------------------------------------------------------------+------+----------------+-----------------------------------------------------------------------+---------------------------+--------+------------+---------------+
| http://localhost:9311/v1/orders/a8f2d133-c089-496b-ace3-3a9f540205b1 | Key | N/A | http://localhost:9311/v1/secrets/3a22d487-c7c9-49f6-9f0c-6c282fd8878a | 2022-05-07T12:00:52+00:00 | ACTIVE | None | None |
+----------------------------------------------------------------------+------+----------------+-----------------------------------------------------------------------+---------------------------+--------+------------+---------------+
[root@controller ~]# openstack secret order get http://localhost:9311/v1/orders/a8f2d133-c089-496b-ace3-3a9f540205b1
+----------------+-----------------------------------------------------------------------+
| Field | Value |
+----------------+-----------------------------------------------------------------------+
| Order href | http://localhost:9311/v1/orders/a8f2d133-c089-496b-ace3-3a9f540205b1 |
| Type | Key |
| Container href | N/A |
| Secret href | http://localhost:9311/v1/secrets/3a22d487-c7c9-49f6-9f0c-6c282fd8878a |
| Created | 2022-05-07T12:00:52+00:00 |
| Status | ACTIVE |
| Error code | None |
| Error message | None |
+----------------+-----------------------------------------------------------------------+
[root@controller ~]# openstack secret get http://localhost:9311/v1/secrets/3a22d487-c7c9-49f6-9f0c-6c282fd8878a
+---------------+-----------------------------------------------------------------------+
| Field | Value |
+---------------+-----------------------------------------------------------------------+
| Secret href | http://localhost:9311/v1/secrets/3a22d487-c7c9-49f6-9f0c-6c282fd8878a |
| Name | secret02 |
| Created | 2022-05-07T12:00:52+00:00 |
| Status | ACTIVE |
| Content types | {u'default': u'application/octet-stream'} |
| Algorithm | aes |
| Bit length | 256 |
| Secret type | symmetric |
| Mode | cbc |
| Expiration | None |
+---------------+-----------------------------------------------------------------------+
注意查看获取的地址,secret herf 和order herf 不要弄错,上述实验中,只对应熟悉barbican密钥服务所使用的环境操作