CentOS Stream 9
Sponsored Link

OpenStack Bobcat : How to use Barbican2023/10/25

 
This is how to use OpenStack Key Manager Service (Barbican).
This example is based on the environment like follows.
------------+--------------------------+--------------------------+------------
            |                          |                          |
        eth0|10.0.0.30             eth0|10.0.0.50             eth0|10.0.0.51
+-----------+-----------+  +-----------+-----------+  +-----------+-----------+
|   [ dlp.srv.world ]   |  | [ network.srv.world ] |  |  [ node01.srv.world ] |
|     (Control Node)    |  |     (Network Node)    |  |     (Compute Node)    |
|                       |  |                       |  |                       |
|  MariaDB    RabbitMQ  |  |      Open vSwitch     |  |        Libvirt        |
|  Memcached  Nginx     |  |     Neutron Server    |  |      Nova Compute     |
|  Keystone   httpd     |  |      OVN-Northd       |  |      Open vSwitch     |
|  Glance     Nova API  |  |  Nginx  iSCSI Target  |  |   OVN Metadata Agent  |
|  Cinder API           |  |     Cinder Volume     |  |     OVN-Controller    |
|  Barbican API         |  |    Heat API/Engine    |  |                       |
+-----------------------+  +-----------------------+  +-----------------------+

[1] This is the basic usage of Barbican.
# store a key : --name [key's name] --payload [key's data]

[root@dlp ~(keystone)]#
openstack secret store --name secret01 --payload secretkey

+---------------+----------------------------------------------------------------------------+
| Field         | Value                                                                      |
+---------------+----------------------------------------------------------------------------+
| Secret href   | https://dlp.srv.world:9311/v1/secrets/b9ee28e4-82ef-42c5-8ea2-75f05e0b42f5 |
| Name          | secret01                                                                   |
| Created       | None                                                                       |
| Status        | None                                                                       |
| Content types | None                                                                       |
| Algorithm     | aes                                                                        |
| Bit length    | 256                                                                        |
| Secret type   | opaque                                                                     |
| Mode          | cbc                                                                        |
| Expiration    | None                                                                       |
+---------------+----------------------------------------------------------------------------+

# show keys list

[root@dlp ~(keystone)]#
openstack secret list

+----------------------------------------------------------------------------+----------+---------------------------
| Secret href                                                                | Name     | Created                   
+----------------------------------------------------------------------------+----------+---------------------------
| https://dlp.srv.world:9311/v1/secrets/b9ee28e4-82ef-42c5-8ea2-75f05e0b42f5 | secret01 | 2023-10-25T04:32:26+00:00 
+----------------------------------------------------------------------------+----------+---------------------------
+--------+-----------------------------------------+-----------+------------+-------------+------+------------+
| Status | Content types                           | Algorithm | Bit length | Secret type | Mode | Expiration |
+--------+-----------------------------------------+-----------+------------+-------------+------+------------+
| ACTIVE | {'default': 'application/octet-stream'} | aes       |        256 | opaque      | cbc  | None       |
+--------+-----------------------------------------+-----------+------------+-------------+------+------------+

# get metadata of a key

[root@dlp ~(keystone)]#
openstack secret get https://dlp.srv.world:9311/v1/secrets/b9ee28e4-82ef-42c5-8ea2-75f05e0b42f5

+---------------+----------------------------------------------------------------------------+
| Field         | Value                                                                      |
+---------------+----------------------------------------------------------------------------+
| Secret href   | https://dlp.srv.world:9311/v1/secrets/b9ee28e4-82ef-42c5-8ea2-75f05e0b42f5 |
| Name          | secret01                                                                   |
| Created       | 2023-10-25T04:32:26+00:00                                                  |
| Status        | ACTIVE                                                                     |
| Content types | {'default': 'application/octet-stream'}                                    |
| Algorithm     | aes                                                                        |
| Bit length    | 256                                                                        |
| Secret type   | opaque                                                                     |
| Mode          | cbc                                                                        |
| Expiration    | None                                                                       |
+---------------+----------------------------------------------------------------------------+

# get data of a key

[root@dlp ~(keystone)]#
openstack secret get https://dlp.srv.world:9311/v1/secrets/b9ee28e4-82ef-42c5-8ea2-75f05e0b42f5 --payload

+---------+-----------+
| Field   | Value     |
+---------+-----------+
| Payload | secretkey |
+---------+-----------+

# for the case of generating and storing a key

[root@dlp ~(keystone)]#
openstack secret order create --name secret02 --algorithm aes --bit-length 256 \
--mode cbc --payload-content-type application/octet-stream key

+----------------+---------------------------------------------------------------------------+
| Field          | Value                                                                     |
+----------------+---------------------------------------------------------------------------+
| Order href     | https://dlp.srv.world:9311/v1/orders/54d5c1b7-764b-4ac7-9bc5-4cd980df0185 |
| Type           | Key                                                                       |
| Container href | N/A                                                                       |
| Secret href    | None                                                                      |
| Created        | None                                                                      |
| Status         | None                                                                      |
| Error code     | None                                                                      |
| Error message  | None                                                                      |
+----------------+---------------------------------------------------------------------------+

# show generated keys list

[root@dlp ~(keystone)]#
openstack secret order list

+---------------------------------------------------------------------------+------+----------------
| Order href                                                                | Type | Container href 
+---------------------------------------------------------------------------+------+----------------
| https://dlp.srv.world:9311/v1/orders/54d5c1b7-764b-4ac7-9bc5-4cd980df0185 | Key  | N/A            
+---------------------------------------------------------------------------+------+----------------
+----------------------------------------------------------------------------+---------------------------+--------+------------+---------------+
| Secret href                                                                | Created                   | Status | Error code | Error message |
+----------------------------------------------------------------------------+---------------------------+--------+------------+---------------+
| https://dlp.srv.world:9311/v1/secrets/4cf1b537-cc48-46d0-9518-070f7955a60b | 2023-10-25T04:34:23+00:00 | ACTIVE | None       | None          |
+----------------------------------------------------------------------------+---------------------------+--------+------------+---------------+

# show a generated key

[root@dlp ~(keystone)]#
openstack secret order get https://dlp.srv.world:9311/v1/orders/54d5c1b7-764b-4ac7-9bc5-4cd980df0185

+----------------+----------------------------------------------------------------------------+
| Field          | Value                                                                      |
+----------------+----------------------------------------------------------------------------+
| Order href     | https://dlp.srv.world:9311/v1/orders/54d5c1b7-764b-4ac7-9bc5-4cd980df0185  |
| Type           | Key                                                                        |
| Container href | N/A                                                                        |
| Secret href    | https://dlp.srv.world:9311/v1/secrets/4cf1b537-cc48-46d0-9518-070f7955a60b |
| Created        | 2023-10-25T04:34:23+00:00                                                  |
| Status         | ACTIVE                                                                     |
| Error code     | None                                                                       |
| Error message  | None                                                                       |
+----------------+----------------------------------------------------------------------------+

# show metadata of a generated key

[root@dlp ~(keystone)]#
openstack secret get https://dlp.srv.world:9311/v1/secrets/4cf1b537-cc48-46d0-9518-070f7955a60b

+---------------+----------------------------------------------------------------------------+
| Field         | Value                                                                      |
+---------------+----------------------------------------------------------------------------+
| Secret href   | https://dlp.srv.world:9311/v1/secrets/4cf1b537-cc48-46d0-9518-070f7955a60b |
| Name          | secret02                                                                   |
| Created       | 2023-10-25T04:34:23+00:00                                                  |
| Status        | ACTIVE                                                                     |
| Content types | {'default': 'application/octet-stream'}                                    |
| Algorithm     | aes                                                                        |
| Bit length    | 256                                                                        |
| Secret type   | symmetric                                                                  |
| Mode          | cbc                                                                        |
| Expiration    | None                                                                       |
+---------------+----------------------------------------------------------------------------+
Matched Content