Red Hat Summit 红帽全球峰会支持控制台(Console)开发人员开始试用联系人

此内容没有您所选择的语言版本。

Chapter 1. Deploy Fernet on the Overcloud

This chapter describes how to configure your Overcloud to use the Fernet token provider.

  • Key Management - This example uses keystone-manage to generate the overcloud Fernet keys on the undercloud. These keys will not actually be used by the Undercloud since it is configured to use the UUID token format by default. If you do configure the undercloud to use the Fernet token format after following the procedure in this document, it will use the same keys as the overcloud (which may not be desirable).
  • Swift Artifacts - This implementation uses Heat swift artifacts, which puts a copy of the Fernet key directory on every node in your deployment (not just the Controller node). You will need to consider whether this outcome is acceptable for your deployment requirements.

1.1. Prepare the Fernet Keys
复制链接

This section generates the Fernet keys on the undercloud, and uploads them into swift.

1. On the undercloud node, use keystone_manage to generate Fernet keys: 

$ . ~/stackrc
$ sudo keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
Copy to Clipboard Toggle word wrap

2. Create a tar file containing the Fernet keys: 

$ sudo tar -zcf keystone-fernet-keys.tar.gz -P /etc/keystone/fernet-keys
Copy to Clipboard Toggle word wrap
Note

the keys in the controller nodes should not be changed manually. All controller nodes should have the exact same set of Fernet keys, otherwise a token generated by one controller won’t be accepted by the others.

3. Upload the Fernet keys as swift artifacts: 

$ upload-swift-artifacts -f keystone-fernet-keys.tar.gz
Copy to Clipboard Toggle word wrap

1.2. Configure the Overcloud to use Fernet
复制链接

This section creates a YAML file that configures keystone to use fernet as the token provider. This setting is then applied to your existing overcloud in a later step.

1. Create a file named fernet.yaml that contains the required token_provider setting: 

parameter_defaults:
  controllerExtraConfig:
    keystone::token_provider: 'fernet'
Copy to Clipboard Toggle word wrap

2. Deploy the overcloud, including the fernet.yaml file that was created in the previous step. For example: 

source /home/stack/stackrc
openstack overcloud deploy --templates -e /home/stack/fernet.yaml
Copy to Clipboard Toggle word wrap
Note

If re-deploying the overcloud in the future, you will need to ensure that you still include fernet.yaml, to prevent the token provider from being re-configured to use a different format.

The process may take some time to complete.

1.3. Review the Fernet Deployment
复制链接

Review the overcloud controller configuration to confirm that the process was successful:

1. Retrieve the IP address of the controller node: 

$ openstack server list
+--------------------------------------+-------------------------+--------+---------------------+
| ID                                   | Name                    | Status | Networks            |
+--------------------------------------+-------------------------+--------+---------------------+
| 756fbd73-e47b-46e6-959c-e24d7fb71328 | overcloud-controller-0  | ACTIVE | ctlplane=192.0.2.16 |
| 62b869df-1203-4d58-8e45-fac6cd4cfbee | overcloud-novacompute-0 | ACTIVE | ctlplane=192.0.2.8  |
+--------------------------------------+-------------------------+--------+---------------------+
Copy to Clipboard Toggle word wrap

2. SSH to the controller: 

$ ssh heat-admin@192.0.2.16
Last login: Tue Sep  6 00:09:59 2016 from 192.0.2.1
Copy to Clipboard Toggle word wrap

3. Retrieve the values of the token driver and provider settings: 

$ sudo crudini --get /etc/keystone/keystone.conf token driver
sql
$ sudo crudini --get /etc/keystone/keystone.conf token provider
fernet
Copy to Clipboard Toggle word wrap

4. Test the Fernet provider: 

$ openstack token issue
WARNING: openstackclient.common.utils is deprecated and will be removed after Jun 2017. Please use osc_lib.utils
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2016-09-20 05:26:17+00:00 |
| id | gAAAAABX4LppE8vaiFZ992eah2i3edpO1aDFxlKZq6a_RJzxUx56QVKORrmW0-oZK3-Xuu2wcnpYq_eek2SGLz250eLpZOzxKBR0GsoMfxJU8mEFF8NzfLNcbuS-iz7SV-N1re3XEywSDG90JcgwjQfXW-8jtCm-n3LL5IaZexAYIw059T_-cd8 |
| project_id | 26156621d0d54fc39bf3adb98e63b63d |
| user_id | 397daf32cadd490a8f3ac23a626ac06c |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
Copy to Clipboard Toggle word wrap

The result should include the long Fernet token. This token will still be shorter in length than the PKI token.

Note

The keys used to sign tokens are now available in the undercloud’s swift. The keys should remain in swift in case you need to deploy a new controller, however, you can delete them using the swift command, if needed: 

swift delete overcloud-artifacts keystone-fernet-keys.tar.gz
Copy to Clipboard Toggle word wrap
Red Hat logoGithubredditYoutubeTwitter

学习

尝试、购买和销售

社区

关于红帽文档

通过我们的产品和服务,以及可以信赖的内容,帮助红帽用户创新并实现他们的目标。 了解我们当前的更新.

让开源更具包容性

红帽致力于替换我们的代码、文档和 Web 属性中存在问题的语言。欲了解更多详情,请参阅红帽博客.

關於紅帽

我们提供强化的解决方案,使企业能够更轻松地跨平台和环境(从核心数据中心到网络边缘)工作。

Theme

© 2026 Red Hat返回顶部