Deploying OpenStack Havana – 5: Registering Swift with Keystone (SSL)
This post is basically for brain-dead customers; most people probably won't need it.
keystone.conf
Edit /etc/keystone/keystone.conf
Find the [ssl] section, remove the # comment markers, and make a few changes, as follows:
[ssl]
enable = True
certfile = /etc/keystone/ssl/certs/ssl_cert.pem
keyfile = /etc/keystone/ssl/private/ssl_key.pem
ca_certs = /etc/keystone/ssl/certs/cacert.pem
ca_key = /etc/keystone/ssl/private/cakey.pem
key_size = 1024
valid_days = 3650
cert_required = False
cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=[YOUR_IP_ADDRESS]
Generate the SSL certificates
$ sudo keystone-manage ssl_setup --keystone-user keystone --keystone-group keystone
Restart the Keystone service so it picks up the new configuration
$ sudo service keystone restart
proxy-server.conf
With SSL enabled, plain http no longer works, so the authtoken protocol in the Swift configuration has to be changed as well.
Edit /etc/swift/proxy-server.conf
Change auth_protocol from http to https
auth_protocol=https
Edit ~/.bashrc
Correspondingly, the SERVICE_ENDPOINT environment variable also has to be changed to https:
export SERVICE_ENDPOINT=https://[YOUR_IP_ADDRESS]:35357/v2.0
Reload it
. ~/.bashrc
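As an added example (not code from the original post), here is a small Python check that the three edits above agree with each other: keystone.conf has SSL enabled, the authtoken filter in proxy-server.conf uses the same scheme, host and port as SERVICE_ENDPOINT, and the CN in cert_subject equals the host clients connect to, which is the condition behind curl's "common name ... (matched)" line in the test below. The config fragments are constructed samples with a made-up host; the auth_host and auth_port option names are assumed for the example. It also flags key_size = 1024, which is below the 2048 bits expected of an RSA key today.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample of the [ssl] section of /etc/keystone/keystone.conf,
# mirroring the values shown above; the host is a placeholder.
KEYSTONE_CONF = """\
[ssl]
enable = True
certfile = /etc/keystone/ssl/certs/ssl_cert.pem
keyfile = /etc/keystone/ssl/private/ssl_key.pem
ca_certs = /etc/keystone/ssl/certs/cacert.pem
ca_key = /etc/keystone/ssl/private/cakey.pem
key_size = 1024
valid_days = 3650
cert_required = False
cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=10.5.52.242
"""

# Constructed sample of the authtoken filter in /etc/swift/proxy-server.conf.
# Option names other than auth_protocol are assumed for this example.
PROXY_CONF = """\
[filter:authtoken]
auth_host = 10.5.52.242
auth_port = 35357
auth_protocol = https
"""

# The value exported as SERVICE_ENDPOINT above, with the placeholder host.
SERVICE_ENDPOINT = "https://10.5.52.242:35357/v2.0"

MIN_KEY_BITS = 2048  # 1024-bit RSA keys are too weak for current use


def load(text):
    """Parse an ini-style OpenStack config fragment."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def subject_cn(subject):
    """Return the CN from an OpenSSL-style '/C=US/.../CN=host' subject, or None."""
    for part in subject.strip("/").split("/"):
        key, _, value = part.partition("=")
        if key.strip().upper() == "CN":
            return value.strip()
    return None


def check_setup(keystone_text, proxy_text, endpoint):
    """Return a list of findings; an empty list means the three pieces agree."""
    findings = []
    ssl_cfg = load(keystone_text)["ssl"]
    auth_cfg = load(proxy_text)["filter:authtoken"]
    url = urlparse(endpoint)

    if not ssl_cfg.getboolean("enable", fallback=False):
        findings.append("keystone.conf [ssl] enable is not True")
    if url.scheme != "https":
        findings.append(f"SERVICE_ENDPOINT uses {url.scheme}, not https")
    if auth_cfg.get("auth_protocol") != url.scheme:
        findings.append(
            f"proxy-server.conf auth_protocol={auth_cfg.get('auth_protocol')} "
            f"does not match SERVICE_ENDPOINT scheme {url.scheme}")
    if auth_cfg.get("auth_host") != url.hostname:
        findings.append("proxy-server.conf auth_host differs from SERVICE_ENDPOINT host")
    if auth_cfg.getint("auth_port", fallback=-1) != url.port:
        findings.append("proxy-server.conf auth_port differs from SERVICE_ENDPOINT port")

    # Clients verify the server certificate against the host they dial, so the
    # CN baked into cert_subject must equal the endpoint host.
    cn = subject_cn(ssl_cfg.get("cert_subject", ""))
    if cn != url.hostname:
        findings.append(f"cert_subject CN {cn!r} does not match endpoint host {url.hostname!r}")

    key_bits = ssl_cfg.getint("key_size", fallback=0)
    if key_bits < MIN_KEY_BITS:
        findings.append(f"key_size {key_bits} is below {MIN_KEY_BITS} bits")
    return findings


if __name__ == "__main__":
    for line in check_setup(KEYSTONE_CONF, PROXY_CONF, SERVICE_ENDPOINT) or ["OK"]:
        print(line)
```

Run against the samples it reports only the weak key size; change auth_protocol back to http in the proxy sample and it also reports the scheme mismatch that would make authtoken fail against the SSL-only Keystone.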
Testing
Use curl to list the users and see whether the SSL key works:
$ sudo curl -i -X GET https://[YOUR_IP_ADDRESS]:35357/v2.0/users -H "User-Agent: python-keystoneclient" -H "X-Auth-Token: ADMIN" -v --cacert /etc/keystone/ssl/certs/cacert.pem
* About to connect() to 10.5.52.242 port 35357 (#0)
*   Trying 10.5.52.242...
* Adding handle: conn: 0x2556c30
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x2556c30) send_pipe: 1, recv_pipe: 0
* Connected to 10.5.52.242 (10.5.52.242) port 35357 (#0)
* successfully set certificate verify locations:
*   CAfile: /etc/keystone/ssl/certs/cacert.pem
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using AES256-SHA
* Server certificate:
* 	subject: C=US; ST=Unset; O=Unset; CN=10.5.52.242
* 	start date: 2013-10-30 22:00:47 GMT
* 	expire date: 2023-10-28 22:00:47 GMT
* 	common name: 10.5.52.242 (matched)
* 	issuer: C=US; ST=Unset; L=Unset; O=Unset; CN=10.5.52.242
* 	SSL certificate verify ok.
> GET /v2.0/users HTTP/1.1
> Host: 10.5.52.242:35357
> Accept: */*
> User-Agent: python-keystoneclient
> X-Auth-Token: ADMIN
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Vary: X-Auth-Token
Vary: X-Auth-Token
< Content-Type: application/json
Content-Type: application/json
< Content-Length: 152
Content-Length: 152
< Date: Wed, 30 Oct 2013 22:13:01 GMT
Date: Wed, 30 Oct 2013 22:13:01 GMT
<
* Connection #0 to host 10.5.52.242 left intact
{"users": [{"name": "admin", "id": "19ae15e12f1c4c0fb02ee21afe121088", "enabled": true, "email": null, "tenantId": "3e8d46120c4e4233be3cc323d8547743"}]}
Good, the SSL key works.
Check Swift's status
$ sudo swift --os-cacert=/etc/keystone/ssl/certs/cacert.pem -V 2 -A https://[YOUR_IP_ADDRESS]:5000/v2.0 -U admin:admin -K admin stat
   Account: AUTH_3e8d46120c4e4233be3cc323d8547743
Containers: 3
   Objects: 2
     Bytes: 170256
Accept-Ranges: bytes
X-Timestamp: 1383169592.40993
Content-Type: text/plain; charset=utf-8
Create a bucket
$ sudo swift --os-cacert=/etc/keystone/ssl/certs/cacert.pem -V 2 -A https://[YOUR_IP_ADDRESS]:5000/v2.0 -U admin:admin -K admin post bar
List the bucket
$ sudo swift --os-cacert=/etc/keystone/ssl/certs/cacert.pem -V 2 -A https://[YOUR_IP_ADDRESS]:5000/v2.0 -U admin:admin -K admin list bar
Upload a file
$ sudo swift --os-cacert=/etc/keystone/ssl/certs/cacert.pem -V 2 -A https://[YOUR_IP_ADDRESS]:5000/v2.0 -U admin:admin -K admin upload bar /bin/rm
List the files in the bucket
$ sudo swift --os-cacert=/etc/keystone/ssl/certs/cacert.pem -V 2 -A https://[YOUR_IP_ADDRESS]:5000/v2.0 -U admin:admin -K admin list bar
bin/rm