CentOS 7
Ads

OpenStack Ocata : How to use Barbican
2017/03/26
 
How to use the OpenStack Key Manager Service (Barbican).
This example is based on the emvironment like follows.
     ------------+--------------------------------+--------------------------------+------------
                 |                                |                                |
             eth0|10.0.0.30                   eth0|10.0.0.50                   eth0|10.0.0.51
     +-----------+-----------+        +-----------+-----------+        +-----------+-----------+
     |    [ Control Node ]   |        |    [ Storage Node ]   |        |    [ Compute Node ]   |
     |                       |        |                       |        |                       |
     |  MariaDB    RabbitMQ  |        |      Open vSwitch     |        |        Libvirt        |
     |  Memcached  httpd     |        |  L2,L3,Metadata Agent |        |      Nova Compute     |
     |  Keystone   Glance    |        |     Cinder-Volume     |        |      Open vSwitch     |
     |  Nova API             |        |                       |        |        L2 Agent       |
     |  Neutron Server       |        |                       |        |                       |
     |  Cinder API           |        |                       |        |                       |
     |  Barbican API         |        |                       |        |                       |
     +-----------------------+        +-----------------------+        +-----------------------+

[1] Here is the basic usage of Barbican.
# store a key : --name [key's name] --payload [key's data]

[root@dlp ~(keystone)]#
openstack secret store --name secret01 --payload secretkey

+---------------+-----------------------------------------------------------------------+
| Field         | Value                                                                 |
+---------------+-----------------------------------------------------------------------+
| Secret href   | http://10.0.0.30:9311/v1/secrets/8c564f29-d782-4677-bb8f-86d733f43e49 |
| Name          | secret01                                                              |
| Created       | None                                                                  |
| Status        | None                                                                  |
| Content types | None                                                                  |
| Algorithm     | aes                                                                   |
| Bit length    | 256                                                                   |
| Secret type   | opaque                                                                |
| Mode          | cbc                                                                   |
| Expiration    | None                                                                  |
+---------------+-----------------------------------------------------------------------+

# show key list

[root@dlp ~(keystone)]#
openstack secret list

+-----------------------------------------------------------------------+----------+---------------------------+
| Secret href                                                           | Name     | Created                   |
+-----------------------------------------------------------------------+----------+---------------------------+
| http://10.0.0.30:9311/v1/secrets/8c564f29-d782-4677-bb8f-86d733f43e49 | secret01 | 2017-03-28 01:03:53+00:00 |
+-----------------------------------------------------------------------+----------+---------------------------+
+--------+-----------------------------+-----------+------------+-------------+------+------------+
| Status | Content types               | Algorithm | Bit length | Secret type | Mode | Expiration |
+--------+-----------------------------+-----------+------------+-------------+------+------------+
| ACTIVE | {u'default': u'text/plain'} | aes       |        256 | opaque      | cbc  | None       |
+--------+-----------------------------+-----------+------------+-------------+------+------------+

# get metadata of a key

[root@dlp ~(keystone)]#
openstack secret get http://10.0.0.30:9311/v1/secrets/8c564f29-d782-4677-bb8f-86d733f43e49

+---------------+-----------------------------------------------------------------------+
| Field         | Value                                                                 |
+---------------+-----------------------------------------------------------------------+
| Secret href   | http://10.0.0.30:9311/v1/secrets/8c564f29-d782-4677-bb8f-86d733f43e49 |
| Name          | secret01                                                              |
| Created       | 2017-03-28 01:03:53+00:00                                             |
| Status        | ACTIVE                                                                |
| Content types | {u'default': u'text/plain'}                                           |
| Algorithm     | aes                                                                   |
| Bit length    | 256                                                                   |
| Secret type   | opaque                                                                |
| Mode          | cbc                                                                   |
| Expiration    | None                                                                  |
+---------------+-----------------------------------------------------------------------+

# get data of a key

[root@dlp ~(keystone)]#
openstack secret get http://10.0.0.30:9311/v1/secrets/8c564f29-d782-4677-bb8f-86d733f43e49 --payload

+---------+-----------+
| Field   | Value     |
+---------+-----------+
| Payload | secretkey |
+---------+-----------+

# generate and store a key

[root@dlp ~(keystone)]#
openstack secret order create --name secret02 --algorithm aes --bit-length 256 \
--mode cbc --payload-content-type application/octet-stream key

+----------------+----------------------------------------------------------------------+
| Field          | Value                                                                |
+----------------+----------------------------------------------------------------------+
| Order href     | http://10.0.0.30:9311/v1/orders/b767723d-881e-4749-8e73-7f67a95e90e8 |
| Type           | Key                                                                  |
| Container href | N/A                                                                  |
| Secret href    | None                                                                 |
| Created        | None                                                                 |
| Status         | None                                                                 |
| Error code     | None                                                                 |
| Error message  | None                                                                 |
+----------------+----------------------------------------------------------------------+

# show generated key list

[root@dlp ~(keystone)]#
openstack secret order list

+----------------------------------------------------------------------+------+----------------+
| Order href                                                           | Type | Container href |
+----------------------------------------------------------------------+------+----------------+
| http://10.0.0.30:9311/v1/orders/b767723d-881e-4749-8e73-7f67a95e90e8 | Key  | N/A            |
+----------------------------------------------------------------------+------+----------------+
+-----------------------------------------------------------------------+---------------------------+
| Secret href                                                           | Created                   |
+-----------------------------------------------------------------------+---------------------------+
| http://10.0.0.30:9311/v1/secrets/a7c940b9-4814-4504-90b9-aa764969447d | 2017-03-28 02:00:43+00:00 |
+-----------------------------------------------------------------------+---------------------------+
+--------+------------+---------------+
| Status | Error code | Error message |
+--------+------------+---------------+
| ACTIVE | None       | None          |
+--------+------------+---------------+

# show a generated key

[root@dlp ~(keystone)]#
openstack secret order get http://10.0.0.30:9311/v1/orders/b767723d-881e-4749-8e73-7f67a95e90e8

+----------------+-----------------------------------------------------------------------+
| Field          | Value                                                                 |
+----------------+-----------------------------------------------------------------------+
| Order href     | http://10.0.0.30:9311/v1/orders/b767723d-881e-4749-8e73-7f67a95e90e8  |
| Type           | Key                                                                   |
| Container href | N/A                                                                   |
| Secret href    | http://10.0.0.30:9311/v1/secrets/a7c940b9-4814-4504-90b9-aa764969447d |
| Created        | 2017-03-28 02:00:43+00:00                                             |
| Status         | ACTIVE                                                                |
| Error code     | None                                                                  |
| Error message  | None                                                                  |
+----------------+-----------------------------------------------------------------------+

# show metadata of a generated key

[root@dlp ~(keystone)]#
openstack secret get http://10.0.0.30:9311/v1/secrets/a7c940b9-4814-4504-90b9-aa764969447d

+---------------+-----------------------------------------------------------------------+
| Field         | Value                                                                 |
+---------------+-----------------------------------------------------------------------+
| Secret href   | http://10.0.0.30:9311/v1/secrets/a7c940b9-4814-4504-90b9-aa764969447d |
| Name          | secret02                                                              |
| Created       | 2017-03-28 02:00:43+00:00                                             |
| Status        | ACTIVE                                                                |
| Content types | {u'default': u'application/octet-stream'}                             |
| Algorithm     | aes                                                                   |
| Bit length    | 256                                                                   |
| Secret type   | symmetric                                                             |
| Mode          | cbc                                                                   |
| Expiration    | None                                                                  |
+---------------+-----------------------------------------------------------------------+
 
Tweet