This chapter shows how to enable SSL connections on OpenStack for your backup users.
If you have never worked with OpenStack before, you should first consult their general setup documentation at http://docs.openstack.org/.
If you already have a running OpenStack, you can follow our steps to enable SSL connections.
This is the OpenStack version used in the examples below:
These are the values used in the examples below:
Note: The value of the Keystone admin token can be found under the variable name "admin_token" in the Keystone configuration file /etc/keystone/keystone.conf.
Before creating a tenant (project), users, roles, storage quotas and so on, configure the following variables in the bash profile and in the filter section of proxy-server.conf.
Step 1: Add environment variables to .bash_profile
Example (/root/.bash_profile)
----------------------------------------------------------------------------------------------------
: : snip : :
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_TENANT_NAME=mybackup
export OS_AUTH_URL=https://10.7.54.7:5000/v2.0
export OS_SERVICE_ENDPOINT=https://10.7.54.7:35357/v2.0
export OS_SERVICE_TOKEN=7b05dab9722d44e7b9a82dc0d1ff74ea
: : snip : :
----------------------------------------------------------------------------------------------------
Log in again for the profile to take effect.
Note: The value of OS_SERVICE_TOKEN can be found under the variable name "admin_token" in the Keystone configuration file /etc/keystone/keystone.conf.
Edit the file /etc/keystone/keystone.conf to configure the SSL certificates.
Assume you have placed valid certificates at
/etc/keystone/ssl_cert.pem
/etc/keystone/ssl_key.pem
/etc/keystone/cacert.pem
where
ssl_cert.pem is the public key (server certificate) file,
ssl_key.pem is the private key file, and
cacert.pem is the CA root certificate file.
Because certificates issued by different CAs may be formatted differently, consult your CA for the correct certificate chain instructions.
Example (/etc/keystone/keystone.conf)
----------------------------------------------------------------------------------------------------
: : : snip : : :
[ssl]
enable = True
certfile = /etc/keystone/ssl_cert.pem
keyfile = /etc/keystone/ssl_key.pem
ca_certs = /etc/keystone/cacert.pem
: : : snip : : :
----------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------
[root@os ~]# service openstack-keystone restart
Stopping keystone:                                         [  OK  ]
Starting keystone:                                         [  OK  ]
[root@os ~]#
----------------------------------------------------------------------------------------------------
If the SSL certificate is not trusted, the '--insecure' option is required.
Example
----------------------------------------------------------------------------------------------------
[root@os ~]# keystone --insecure service-list
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
+----------------------------------+------------+--------------+--------------------------------+
|                id                |    name    |     type     |          description           |
+----------------------------------+------------+--------------+--------------------------------+
| 5f805cc7df2a43eb90db6fe11ed682f6 | ceilometer |   metering   |   Openstack Metering Service   |
| 3134116675a8420a88ef01cdcb0c8728 |   cinder   |    volume    |         Cinder Service         |
| b703b91737954d01a2d180f6c3d575ba | cinder_v2  |   volumev2   |       Cinder Service v2        |
| cc787cf0258e46d6a342e1502e7bf6be |   glance   |    image     |    Openstack Image Service     |
| b3af7d0a95d34aa7883629df7a7f7f56 |  keystone  |   identity   |   OpenStack Identity Service   |
| 10f1a022ada246138aba5834e3622a91 |  neutron   |   network    |   Neutron Networking Service   |
| 218b5356d65e4d8382297f72d65c8bbb |    nova    |   compute    |   Openstack Compute Service    |
| a809ad43f380400cb55ff2520bb27ab0 |  nova_ec2  |     ec2      |          EC2 Service           |
| 8b517bd82d4345c895384f9596a29880 |   swift    | object-store | Openstack Object-Store Service |
| 11882e74696547b0ba1e4d276074ae37 |  swift_s3  |      s3      |      Openstack S3 Service      |
+----------------------------------+------------+--------------+--------------------------------+
[root@os ~]#
----------------------------------------------------------------------------------------------------
The id of the swift service (8b517bd82d4345c895384f9596a29880, shown in bold in the original listing) is the one needed below.
----------------------------------------------------------------------------------------------------
[root@os ~]# keystone --insecure endpoint-list
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
+----------------------------------+-----------+--------------------+----------------------------------+
|                id                |   region  | .......snip....... |            service_id            |
+----------------------------------+-----------+--------------------+----------------------------------+
| 00a39b6e21a24562b470b61a1b82902d | RegionOne | .......snip....... | 218b5356d65e4d8382297f72d65c8bbb |
| 047f9c3dd19743e280a553d8a34a9202 | RegionOne | .......snip....... | 10f1a022ada246138aba5834e3622a91 |
| 2b89407a81574b2c8f0fdef9eefc507a | RegionOne | .......snip....... | 5f805cc7df2a43eb90db6fe11ed682f6 |
| 47b6d5974d744c21a04b6ca2781f57a0 | RegionOne | .......snip....... | b703b91737954d01a2d180f6c3d575ba |
| 485ba5a748fc4f1e865d08774fae8ff7 | RegionOne | .......snip....... | b3af7d0a95d34aa7883629df7a7f7f56 |
| 90bb1d878b7045f086e2ada7ce853308 | RegionOne | .......snip....... | 3134116675a8420a88ef01cdcb0c8728 |
| 9ac0472cb48f49b3b44cb4e3365be01a | RegionOne | .......snip....... | 11882e74696547b0ba1e4d276074ae37 |
| a1af6685d3e04e5fa7b71f6c244f1393 | RegionOne | .......snip....... | 8b517bd82d4345c895384f9596a29880 |
| a9b9c9fbef6a44669788c1946a3c8e48 | RegionOne | .......snip....... | cc787cf0258e46d6a342e1502e7bf6be |
| c370061d0cc64386a470a5a0fb01e424 | RegionOne | .......snip....... | a809ad43f380400cb55ff2520bb27ab0 |
+----------------------------------+-----------+--------------------+----------------------------------+
[root@os ~]#
----------------------------------------------------------------------------------------------------
Using service_id=8b517bd82d4345c895384f9596a29880, look up the endpoint that belongs to the swift service.
On the same row you will find the swift service endpoint with id a1af6685d3e04e5fa7b71f6c244f1393; delete it.
Example
----------------------------------------------------------------------------------------------------
[root@os ~]# keystone --insecure endpoint-delete a1af6685d3e04e5fa7b71f6c244f1393
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
Endpoint has been deleted.
[root@os ~]#
----------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------
[root@os ~]# keystone --insecure endpoint-create --region RegionOne --service-id=8b517bd82d4345c895384f9596a29880 --publicurl 'https://10.7.54.7:8080/v1/AUTH_%(tenant_id)s' --adminurl 'https://10.7.54.7:8080/v1' --internalurl 'https://10.7.54.7:8080/v1/AUTH_%(tenant_id)s'
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
+-------------+----------------------------------------------+
|   Property  |                    Value                     |
+-------------+----------------------------------------------+
|   adminurl  |          https://10.7.54.7:8080/v1           |
|      id     |       fb937c038fd34724bd7415fff3ee7736       |
| internalurl | https://10.7.54.7:8080/v1/AUTH_%(tenant_id)s |
|  publicurl  | https://10.7.54.7:8080/v1/AUTH_%(tenant_id)s |
|    region   |                  RegionOne                   |
|  service_id |       8b517bd82d4345c895384f9596a29880       |
+-------------+----------------------------------------------+
[root@os ~]#
----------------------------------------------------------------------------------------------------
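The service-list / endpoint-list lookup above is easy to get wrong by eye when the table is wide, and the original http endpoint is the thing you must not leave behind. The following script, added here and not part of the original guide, parses the two keystone CLI listings, finds every endpoint of the swift service, reports which of its URL fields are still plain http, and builds the replacement endpoint-create command with the same URL layout the page uses. The two listings are constructed from the ids on this page; the URL columns, which the page trims, are assumed values.

```python
"""Find the Swift object-store endpoint in `keystone service-list` and
`keystone endpoint-list` output and flag any of its URLs that are still
plain http. Added example, not part of the original guide: the two
listings below are constructed from the ids on this page, and the URL
columns (trimmed in the page's output) are assumed values."""

from urllib.parse import urlsplit

# Constructed sample: three rows of the page's `keystone --insecure service-list`.
SERVICE_LIST = """\
+----------------------------------+----------+--------------+--------------------------------+
|                id                |   name   |     type     |          description           |
+----------------------------------+----------+--------------+--------------------------------+
| b3af7d0a95d34aa7883629df7a7f7f56 | keystone |   identity   |   OpenStack Identity Service   |
| 8b517bd82d4345c895384f9596a29880 |  swift   | object-store | Openstack Object-Store Service |
| 11882e74696547b0ba1e4d276074ae37 | swift_s3 |      s3      |      Openstack S3 Service      |
+----------------------------------+----------+--------------+--------------------------------+
"""

# Constructed sample of `keystone --insecure endpoint-list` before the fix.
# The http:// URLs on the Swift row are an assumption (the page trims them).
ENDPOINT_LIST = """\
+----------------------------------+-----------+---------------------------------------------+---------------------------------------------+------------------------------+----------------------------------+
|                id                |   region  |                  publicurl                  |                 internalurl                 |           adminurl           |            service_id            |
+----------------------------------+-----------+---------------------------------------------+---------------------------------------------+------------------------------+----------------------------------+
| 485ba5a748fc4f1e865d08774fae8ff7 | RegionOne |         https://10.7.54.7:5000/v2.0         |         https://10.7.54.7:5000/v2.0         | https://10.7.54.7:35357/v2.0 | b3af7d0a95d34aa7883629df7a7f7f56 |
| a1af6685d3e04e5fa7b71f6c244f1393 | RegionOne | http://10.7.54.7:8080/v1/AUTH_%(tenant_id)s | http://10.7.54.7:8080/v1/AUTH_%(tenant_id)s |   http://10.7.54.7:8080/v1   | 8b517bd82d4345c895384f9596a29880 |
+----------------------------------+-----------+---------------------------------------------+---------------------------------------------+------------------------------+----------------------------------+
"""

URL_FIELDS = ("publicurl", "internalurl", "adminurl")


def parse_table(text):
    """Turn a keystone CLI (PrettyTable-style) listing into a list of row dicts.

    Border lines (+---+) and any WARNING line are skipped; the first
    |-delimited line is taken as the header."""
    header, rows = None, []
    for line in text.splitlines():
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if header is None:
            header = cells
        else:
            rows.append(dict(zip(header, cells)))
    return rows


def service_id_for(services, name):
    """Return the id of the service called `name` (e.g. 'swift')."""
    for svc in services:
        if svc["name"] == name:
            return svc["id"]
    raise KeyError(f"no service named {name!r}")


def plaintext_fields(endpoint):
    """Names of the endpoint's URL fields whose scheme is not https."""
    return [f for f in URL_FIELDS if urlsplit(endpoint[f]).scheme != "https"]


def audit_endpoints(service_text, endpoint_text, service_name="swift"):
    """(endpoint id, [non-https fields]) for every endpoint of the service."""
    sid = service_id_for(parse_table(service_text), service_name)
    return [(ep["id"], plaintext_fields(ep))
            for ep in parse_table(endpoint_text) if ep["service_id"] == sid]


def endpoint_create_command(service_id, host, port=8080, region="RegionOne"):
    """Build the `keystone endpoint-create` call the page uses to recreate the
    Swift endpoint over https (same URL layout as the page's command)."""
    public = f"https://{host}:{port}/v1/AUTH_%(tenant_id)s"
    return (f"keystone endpoint-create --region {region} --service-id={service_id} "
            f"--publicurl '{public}' --adminurl 'https://{host}:{port}/v1' "
            f"--internalurl '{public}'")


if __name__ == "__main__":
    for ep_id, bad in audit_endpoints(SERVICE_LIST, ENDPOINT_LIST):
        if bad:
            print(f"endpoint {ep_id} still uses http in {', '.join(bad)}; delete it and run:")
            print("  " + endpoint_create_command("8b517bd82d4345c895384f9596a29880", "10.7.54.7"))
```

To use it against a live deployment, paste the real output of the two keystone commands into the two strings; the parser only relies on the `|`-delimited layout, so the trimmed columns of the page's listing are the only reason the sample URLs are constructed.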
Edit /etc/swift/proxy-server.conf and add the settings shown in the example below (cert_file, key_file and the [filter:authtoken] entries, which were highlighted in red in the original).
Assume you have placed valid certificates at
/etc/swift/ssl_cert.pem
/etc/swift/ssl_key.pem
where
ssl_cert.pem is the public key (server certificate) file, and
ssl_key.pem is the private key file.
Because certificates issued by different CAs may be formatted differently, consult your CA for the correct certificate chain instructions.
Example (/etc/swift/proxy-server.conf)
----------------------------------------------------------------------------------------------------
# This file is managed by puppet. Do not edit #
[DEFAULT]
bind_port = 8080
bind_ip = 10.7.54.7
: : : snip : : :
cert_file = /etc/swift/ssl_cert.pem
key_file = /etc/swift/ssl_key.pem
: : : snip : : :
[filter:authtoken]
: : : snip : : :
auth_protocol = https
auth_uri = https://10.7.54.7:5000
insecure = true
----------------------------------------------------------------------------------------------------
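Three files now have to agree for the setup to be SSL end to end: the .bash_profile variables from Step 1, the [ssl] section of keystone.conf, and the proxy-server.conf settings above. The script below, added here and not part of the original guide, checks each of them and in particular reports the `insecure = true` line in [filter:authtoken], which makes the Swift proxy accept any certificate from Keystone; once cacert.pem is trusted by the proxy it should be set back to false. The configuration texts are constructed from the page's snippets with the snipped parts left out, and the hardened variant's `cafile` key is an assumption about the auth_token middleware's CA-bundle option (check the option name for your middleware version).

```python
"""Audit the SSL settings this guide puts in keystone.conf, proxy-server.conf
and the bash profile. Added example, not part of the original guide: the
config texts below are constructed from the page's snippets (snipped parts
omitted), and the rule set is my own."""

import configparser
from urllib.parse import urlsplit

# Constructed from the page's keystone.conf snippet.
KEYSTONE_CONF = """\
[ssl]
enable = True
certfile = /etc/keystone/ssl_cert.pem
keyfile = /etc/keystone/ssl_key.pem
ca_certs = /etc/keystone/cacert.pem
"""

# Constructed from the page's proxy-server.conf snippet, weak setting included.
PROXY_SERVER_CONF = """\
# This file is managed by puppet. Do not edit #
[DEFAULT]
bind_port = 8080
bind_ip = 10.7.54.7
cert_file = /etc/swift/ssl_cert.pem
key_file = /etc/swift/ssl_key.pem

[filter:authtoken]
auth_protocol = https
auth_uri = https://10.7.54.7:5000
insecure = true
"""

# The same file with verification turned back on. `cafile` is assumed to be the
# auth_token middleware's CA-bundle option; verify the name for your version.
PROXY_SERVER_CONF_FIXED = PROXY_SERVER_CONF.replace(
    "insecure = true", "insecure = false\ncafile = /etc/keystone/cacert.pem")


def _load(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def audit_keystone(text):
    """Findings for keystone.conf: [ssl] must be enabled with cert, key and CA set."""
    cp, findings = _load(text), []
    if not cp.getboolean("ssl", "enable", fallback=False):
        findings.append("keystone.conf: [ssl] enable is not True, Keystone still serves plain http")
    for key in ("certfile", "keyfile", "ca_certs"):
        if not cp.get("ssl", key, fallback=""):
            findings.append(f"keystone.conf: [ssl] {key} is not set")
    return findings


def audit_proxy(text):
    """Findings for proxy-server.conf: own cert/key present, Keystone reached
    over https, and certificate verification not disabled."""
    cp, findings = _load(text), []
    for key in ("cert_file", "key_file"):
        if not cp.get("DEFAULT", key, fallback=""):
            findings.append(f"proxy-server.conf: [DEFAULT] {key} is not set, "
                            "proxy-server listens over plain http")
    sect = "filter:authtoken"
    if cp.get(sect, "auth_protocol", fallback="http").lower() != "https":
        findings.append(f"proxy-server.conf: [{sect}] auth_protocol is not https")
    if urlsplit(cp.get(sect, "auth_uri", fallback="")).scheme != "https":
        findings.append(f"proxy-server.conf: [{sect}] auth_uri is not an https URL")
    if cp.getboolean(sect, "insecure", fallback=False):
        findings.append(f"proxy-server.conf: [{sect}] insecure = true skips verification of "
                        "the Keystone certificate; trust cacert.pem instead and set it to false")
    return findings


def audit_env(env):
    """Names of the OpenStack client variables from .bash_profile that are not https."""
    return [var for var in ("OS_AUTH_URL", "OS_SERVICE_ENDPOINT")
            if urlsplit(env.get(var, "")).scheme != "https"]


if __name__ == "__main__":
    import os
    for f in audit_keystone(KEYSTONE_CONF) + audit_proxy(PROXY_SERVER_CONF) + audit_env(os.environ):
        print("FINDING:", f)
```

Run it on a host after the profile from Step 1 has been loaded and the two configuration files have been edited; replacing the constructed strings with the real file contents (for example via open(...).read()) is the only change needed. The same reasoning applies to the `--insecure` option used by the keystone and swift commands in this guide: it is a way to get through the setup with an untrusted certificate, and it stops being necessary once the CA certificate is trusted by the client.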
After modifying the configuration file /etc/swift/proxy-server.conf, restart the swift-related services.
Example
----------------------------------------------------------------------------------------------------
[root@os ~]# swift-init main restart
Signal proxy-server  pid: 17166  signal: 15
Signal container-server  pid: 17167  signal: 15
Signal account-server  pid: 17168  signal: 15
Signal object-server  pid: 17169  signal: 15
object-server (17169) appears to have stopped
container-server (17167) appears to have stopped
account-server (17168) appears to have stopped
proxy-server (17166) appears to have stopped
Starting proxy-server...(/etc/swift/proxy-server.conf)
Starting container-server...(/etc/swift/container-server.conf)
Starting account-server...(/etc/swift/account-server.conf)
Starting object-server...(/etc/swift/object-server.conf)
WARNING: SSL should only be enabled for testing purposes. Use external SSL termination for a production deployment.
[root@os ~]#
----------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------
[root@os ~]# swift --insecure stat
   Account: AUTH_49f2482ecff9431bae1d32fa2a004026
Containers: 8
   Objects: 480
     Bytes: 189030388
Meta Quota-Bytes: 10737418240
X-Timestamp: 1412574345.10669
Content-Type: text/plain; charset=utf-8
Accept-Ranges: bytes
[root@os ~]#
----------------------------------------------------------------------------------------------------