Chapter 5. Securing the Multicloud Object Gateway
5.1. Changing the default account credentials to ensure better security in the Multicloud Object Gateway
Change and rotate the Multicloud Object Gateway (MCG) account credentials using the command-line interface to prevent issues with applications and to keep the accounts secure.
5.1.1. Resetting the noobaa account password
Prerequisites
- A running OpenShift Data Foundation cluster.
- Download the Multicloud Object Gateway (MCG) command-line interface binary from the customer portal and make it executable: https://access.redhat.com/downloads/content/547/ver=4/rhel---9/4.16.0/x86_64/product-software
Note: Choose the correct product variant for your architecture. The available platforms are Linux (x86_64), Windows, and Mac OS.
Procedure
To reset the noobaa account password, run the following command:

$ noobaa account passwd <noobaa_account_name> [options]

Running the command without an account name prints the available options:

$ noobaa account passwd
FATA[0000] ❌ Missing expected arguments: <noobaa_account_name>

Options:
  --new-password='': New Password for authentication - the best practice is to omit this flag, in that case the CLI will prompt to prompt and read it securely from the terminal to avoid leaking secrets in the shell history
  --old-password='': Old Password for authentication - the best practice is to omit this flag, in that case the CLI will prompt to prompt and read it securely from the terminal to avoid leaking secrets in the shell history
  --retype-new-password='': Retype new Password for authentication - the best practice is to omit this flag, in that case the CLI will prompt to prompt and read it securely from the terminal to avoid leaking secrets in the shell history

Usage:
  noobaa account passwd <noobaa-account-name> [flags] [options]

Use "noobaa options" for a list of global command-line options (applies to all commands).

Example:
$ noobaa account passwd admin@noobaa.io

Example output:
Enter old-password: [got 24 characters]
Enter new-password: [got 7 characters]
Enter retype-new-password: [got 7 characters]
INFO[0017] ✅ Exists: Secret "noobaa-admin"
INFO[0017] ✅ Exists: NooBaa "noobaa"
INFO[0017] ✅ Exists: Service "noobaa-mgmt"
INFO[0017] ✅ Exists: Secret "noobaa-operator"
INFO[0017] ✅ Exists: Secret "noobaa-admin"
INFO[0017] ✈️ RPC: account.reset_password() Request: {Email:admin@noobaa.io VerificationPassword:* Password:*}
WARN[0017] RPC: GetConnection creating connection to wss://localhost:58460/rpc/ 0xc000402ae0
INFO[0017] RPC: Connecting websocket (0xc000402ae0) &{RPC:0xc000501a40 Address:wss://localhost:58460/rpc/ State:init WS:<nil> PendingRequests:map[] NextRequestID:0 Lock:{state:1 sema:0} ReconnectDelay:0s cancelPings:<nil>}
INFO[0017] RPC: Connected websocket (0xc000402ae0) &{RPC:0xc000501a40 Address:wss://localhost:58460/rpc/ State:init WS:<nil> PendingRequests:map[] NextRequestID:0 Lock:{state:1 sema:0} ReconnectDelay:0s cancelPings:<nil>}
INFO[0020] ✅ RPC: account.reset_password() Response OK: took 2907.1ms
INFO[0020] ✅ Updated: "noobaa-admin"
INFO[0020] ✅ Successfully reset the password for the account "admin@noobaa.io"

Important: To access the admin account credentials from the terminal, run the noobaa status command:

--------------------
- Mgmt Credentials -
--------------------
email    : admin@noobaa.io
password : ***
5.1.2. Regenerating the S3 credentials for an account
Prerequisites
- A running OpenShift Data Foundation cluster.
- Download the Multicloud Object Gateway (MCG) command-line interface binary from the customer portal and make it executable: https://access.redhat.com/downloads/content/547/ver=4/rhel---9/4.16.0/x86_64/product-software
Note: Choose the correct product variant for your architecture. The available platforms are Linux (x86_64), Windows, and Mac OS.
Procedure
1. Get the account name.
To list the accounts, run the following command:

$ noobaa account list

Example output:
NAME           ALLOWED_BUCKETS   DEFAULT_RESOURCE               PHASE   AGE
account-test   [*]               noobaa-default-backing-store   Ready   14m17s
test2          [first.bucket]    noobaa-default-backing-store   Ready   3m12s

Alternatively, run the oc get noobaaaccount command from the terminal:

$ oc get noobaaaccount

Example output:
NAME           PHASE   AGE
account-test   Ready   15m
test2          Ready   3m59s

2. To regenerate the S3 credentials of the noobaa account, run the following command:

$ noobaa account regenerate <noobaa_account_name> [options]

Running the command without an account name prints the usage:

$ noobaa account regenerate
FATA[0000] ❌ Missing expected arguments: <noobaa-account-name>

Usage:
  noobaa account regenerate <noobaa-account-name> [flags] [options]

Use "noobaa options" for a list of global command-line options (applies to all commands).

After you run the noobaa account regenerate command, it displays the warning "This will invalidate all connections between S3 clients and NooBaa which are connected using the current credentials." and asks for confirmation.

Example:
$ noobaa account regenerate account-test

Example output:
INFO[0000] You are about to regenerate an account's security credentials.
INFO[0000] This will invalidate all connections between S3 clients and NooBaa which are connected using the current credentials.
INFO[0000] are you sure? y/n

After you confirm, the credentials are regenerated and printed at the end:

INFO[0015] ✅ Exists: Secret "noobaa-account-account-test"
Connection info:
  AWS_ACCESS_KEY_ID      : ***
  AWS_SECRET_ACCESS_KEY  : ***
5.1.3. Regenerating the S3 credentials for an OBC
Prerequisites
- A running OpenShift Data Foundation cluster.
- Download the Multicloud Object Gateway (MCG) command-line interface binary from the customer portal and make it executable: https://access.redhat.com/downloads/content/547/ver=4/rhel---9/4.16.0/x86_64/product-software
Note: Choose the correct product variant for your architecture. The available platforms are Linux (x86_64), Windows, and Mac OS.
Procedure
1. To get the OBC name, run the following command:

$ noobaa obc list

Example output:
NAMESPACE   NAME       BUCKET-NAME                                     STORAGE-CLASS       BUCKET-CLASS                  PHASE
default     obc-test   obc-test-35800e50-8978-461f-b7e0-7793080e26ba   default.noobaa.io   noobaa-default-bucket-class   Bound

Alternatively, run the oc get obc command from the terminal:

$ oc get obc

Example output:
NAME       STORAGE-CLASS       PHASE   AGE
obc-test   default.noobaa.io   Bound   38s

2. To regenerate the S3 credentials of the noobaa OBC, run the following command:

$ noobaa obc regenerate <bucket_claim_name> [options]

Running the command without a bucket claim name prints the usage:

$ noobaa obc regenerate
FATA[0000] ❌ Missing expected arguments: <bucket-claim-name>

Usage:
  noobaa obc regenerate <bucket-claim-name> [flags] [options]

Use "noobaa options" for a list of global command-line options (applies to all commands).

After you run the noobaa obc regenerate command, it displays the warning "This will invalidate all connections between the S3 clients and noobaa which are connected using the current credentials." and asks for confirmation.

Example:
$ noobaa obc regenerate obc-test

Example output:
INFO[0000] You are about to regenerate an OBC's security credentials.
INFO[0000] This will invalidate all connections between S3 clients and NooBaa which are connected using the current credentials.
INFO[0000] are you sure? y/n

After you confirm, the credentials are regenerated and printed at the end:

INFO[0022] ✅ RPC: bucket.read_bucket() Response OK: took 95.4ms

ObjectBucketClaim info:
  Phase                  : Bound
  ObjectBucketClaim      : kubectl get -n default objectbucketclaim obc-test
  ConfigMap              : kubectl get -n default configmap obc-test
  Secret                 : kubectl get -n default secret obc-test
  ObjectBucket           : kubectl get objectbucket obc-default-obc-test
  StorageClass           : kubectl get storageclass default.noobaa.io
  BucketClass            : kubectl get -n default bucketclass noobaa-default-bucket-class

Connection info:
  BUCKET_HOST            : s3.default.svc
  BUCKET_NAME            : obc-test-35800e50-8978-461f-b7e0-7793080e26ba
  BUCKET_PORT            : 443
  AWS_ACCESS_KEY_ID      : ***
  AWS_SECRET_ACCESS_KEY  : ***

Shell commands:
  AWS S3 Alias           : alias s3='AWS_ACCESS_KEY_ID=*** AWS_SECRET_ACCESS_KEY=*** aws s3 --no-verify-ssl --endpoint-url ***'

Bucket status:
  Name                   : obc-test-35800e50-8978-461f-b7e0-7793080e26ba
  Type                   : REGULAR
  Mode                   : OPTIMAL
  ResiliencyStatus       : OPTIMAL
  QuotaStatus            : QUOTA_NOT_SET
  Num Objects            : 0
  Data Size              : 0.000 B
  Data Size Reduced      : 0.000 B
  Data Space Avail       : 13.261 GB
  Num Objects Avail      : 9007199254740991
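The regenerate commands in sections 5.1.2 and 5.1.3 rewrite the credential Secret (the "noobaa-account-account-test" Secret and the OBC's "obc-test" Secret shown above) and invalidate the old keys, but Pods that already loaded the old keys into environment variables keep using them until they are restarted. The following Python helper is an added example, not part of the OpenShift Data Foundation or NooBaa tooling: it reads the JSON that "kubectl get deployments -n <namespace> -o json" produces, lists the Deployments whose Pod template consumes the rotated Secret (via envFrom, env secretKeyRef, or a Secret volume), and prints the matching "kubectl rollout restart" commands instead of running them. The Deployment list embedded below is constructed sample data in that JSON shape, not real cluster output.

```python
"""List the Deployments that consume a rotated MCG credential Secret and build restart commands.

Added example (not ODF/NooBaa code). Expected input is the output of
    kubectl get deployments -n <namespace> -o json
The sample data at the bottom is constructed for demonstration.
"""
import json


def _containers(pod_spec):
    # Regular and init containers can both load credentials from a Secret.
    return pod_spec.get("containers", []) + pod_spec.get("initContainers", [])


def container_references_secret(container, secret_name):
    # envFrom: - secretRef: {name: <secret>}   (every key becomes an env var)
    for src in container.get("envFrom", []):
        if src.get("secretRef", {}).get("name") == secret_name:
            return True
    # env: - valueFrom: secretKeyRef: {name: <secret>, key: <key>}   (single keys)
    for var in container.get("env", []):
        if var.get("valueFrom", {}).get("secretKeyRef", {}).get("name") == secret_name:
            return True
    return False


def pod_spec_references_secret(pod_spec, secret_name):
    if any(container_references_secret(c, secret_name) for c in _containers(pod_spec)):
        return True
    # volumes: - secret: {secretName: <secret>}   (keys mounted as files). The kubelet
    # refreshes such files in place, but an application that read the keys once at
    # startup still holds the invalidated credentials, so a restart is the safe choice.
    return any(v.get("secret", {}).get("secretName") == secret_name
               for v in pod_spec.get("volumes", []))


def deployments_using_secret(deployment_list, secret_name, namespace):
    """Return (namespace, name) pairs of Deployments in `namespace` that reference the Secret.

    Secrets are namespaced, so a Deployment in another namespace that names an
    identically named Secret is using a different object and is not affected.
    """
    hits = []
    for item in deployment_list.get("items", []):
        meta = item["metadata"]
        if meta.get("namespace") != namespace:
            continue
        if pod_spec_references_secret(item["spec"]["template"]["spec"], secret_name):
            hits.append((meta["namespace"], meta["name"]))
    return hits


def restart_commands(hits):
    # Rolling restart re-creates the Pods so they pick up the regenerated keys.
    return [f"kubectl rollout restart deployment/{name} -n {ns}" for ns, name in hits]


# Constructed sample in the shape of `kubectl get deployments -o json` (not real cluster output).
SAMPLE_DEPLOYMENTS = {"items": [
    {"metadata": {"namespace": "default", "name": "app-envfrom"},   # whole OBC Secret as env vars
     "spec": {"template": {"spec": {"containers": [
         {"name": "app", "envFrom": [{"secretRef": {"name": "obc-test"}}]}]}}}},
    {"metadata": {"namespace": "default", "name": "app-keyref"},    # single keys of the account Secret
     "spec": {"template": {"spec": {"containers": [{"name": "app", "env": [
         {"name": "AWS_ACCESS_KEY_ID", "valueFrom": {"secretKeyRef":
             {"name": "noobaa-account-account-test", "key": "AWS_ACCESS_KEY_ID"}}},
         {"name": "AWS_SECRET_ACCESS_KEY", "valueFrom": {"secretKeyRef":
             {"name": "noobaa-account-account-test", "key": "AWS_SECRET_ACCESS_KEY"}}}]}]}}}},
    {"metadata": {"namespace": "default", "name": "app-volume"},    # OBC Secret mounted as files
     "spec": {"template": {"spec": {
         "containers": [{"name": "app", "volumeMounts": [{"name": "creds", "mountPath": "/creds"}]}],
         "volumes": [{"name": "creds", "secret": {"secretName": "obc-test"}}]}}}},
    {"metadata": {"namespace": "other", "name": "app-other-ns"},    # same Secret name, other namespace
     "spec": {"template": {"spec": {"containers": [
         {"name": "app", "envFrom": [{"secretRef": {"name": "obc-test"}}]}]}}}},
    {"metadata": {"namespace": "default", "name": "app-unrelated"}, # no Secret reference at all
     "spec": {"template": {"spec": {"containers": [
         {"name": "app", "envFrom": [{"configMapRef": {"name": "settings"}}]}]}}}},
]}


if __name__ == "__main__":
    # Usage: kubectl get deployments -n default -o json > deploys.json
    #        python3 rotation_restart.py deploys.json obc-test default
    import sys
    if len(sys.argv) == 4:
        with open(sys.argv[1]) as fh:
            data = json.load(fh)
        secret, ns = sys.argv[2], sys.argv[3]
    else:
        data, secret, ns = SAMPLE_DEPLOYMENTS, "obc-test", "default"
    for cmd in restart_commands(deployments_using_secret(data, secret, ns)):
        print(cmd)
```

Run it with the sample data and it reports app-envfrom and app-volume for the obc-test Secret in the default namespace, and app-keyref for noobaa-account-account-test; app-other-ns is skipped because its obc-test Secret lives in a different namespace. The script only prints the restart commands, so the operator can review which workloads are affected before restarting them; "oc rollout restart" accepts the same arguments on OpenShift.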