How to make Riak 2.0 security work with the Python client?

Stack Overflow user
Asked on 2014-05-30 12:52:07
2 answers, 828 views, 0 followers, 1 vote

Riak 2.0 is installed on Ubuntu 14.04 with the default settings.

The Riak client comes from the dev branch: https://github.com/basho/riak-python-client/tree/feature/bch/security

The steps I did:

1. Enable security:

> riak-admin security enable

2. Check the status:

> riak-admin security status
> Enabled

3. Add a sample user and group and apply some basic permissions.

4. Overall, the situation looks like this:

Users:

riak-admin security print-users

+----------+---------------+----------------------------------------+------------------------------+
| username |   member of   |                password                |           options            |
+----------+---------------+----------------------------------------+------------------------------+
| user_sec |   group_sec   |ce055fe0a2d621a650c293a56996ee504054ea1d|              []              |
+----------+---------------+----------------------------------------+------------------------------+

User grants:

riak-admin security print-grants user_sec
Inherited permissions (user/user_sec)

+--------------------+----------+----------+----------------------------------------+
|       group        |   type   |  bucket  |                 grants                 |
+--------------------+----------+----------+----------------------------------------+
|     group_sec      | default  |    *     |              riak_kv.get               |
|     group_sec      |bucket_sec|    *     |              riak_kv.get               |
+--------------------+----------+----------+----------------------------------------+

Cumulative permissions (user/user_sec)

+----------+----------+----------------------------------------+
|   type   |  bucket  |                 grants                 |
+----------+----------+----------------------------------------+
| default  |    *     |              riak_kv.get               |
|bucket_sec|    *     |              riak_kv.get               |
+----------+----------+----------------------------------------+

Sources:

riak-admin security print-sources

+--------------------+------------+----------+----------+
|       users        |    cidr    |  source  | options  |
+--------------------+------------+----------+----------+
|      user_sec      | 0.0.0.0/32 | password |    []    |
|      user_sec      |127.0.0.1/32|  trust   |    []    |
+--------------------+------------+----------+----------+

The simple Python script I'm trying to run (on the same host that runs Riak):

import riak
from riak.security import SecurityCreds
pbc_port = 8002
riak_host = "127.0.0.1"
creds = riak.security.SecurityCreds('user_sec', 'secure_password')
riak_client = riak.RiakClient(pb_port=pbc_port, host=riak_host, protocol='pbc', security_creds=creds)
bucket = riak_client.bucket('test')
data = bucket.get("42")
print data.data

The stack trace I get when running python riak_test.py:

Traceback (most recent call last):
  File "riak_test.py", line 8, in <module>
    data = bucket.get("42")
  File "/usr/local/lib/python2.7/dist-packages/riak/bucket.py", line 214, in get
    return obj.reload(r=r, pr=pr, timeout=timeout)
  File "/usr/local/lib/python2.7/dist-packages/riak/riak_object.py", line 307, in reload
    self.client.get(self, r=r, pr=pr, timeout=timeout)
  File "/usr/local/lib/python2.7/dist-packages/riak/client/transport.py", line 184, in wrapper
    return self._with_retries(pool, thunk)
  File "/usr/local/lib/python2.7/dist-packages/riak/client/transport.py", line 126, in _with_retries
    return fn(transport)
  File "/usr/local/lib/python2.7/dist-packages/riak/client/transport.py", line 182, in thunk
    return fn(self, transport, *args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/riak/client/operations.py", line 382, in get
    return transport.get(robj, r=r, pr=pr, timeout=timeout)
  File "/usr/local/lib/python2.7/dist-packages/riak/transports/pbc/transport.py", line 148, in get
    if self.quorum_controls() and pr:
  File "/usr/local/lib/python2.7/dist-packages/riak/transports/feature_detect.py", line 102, in quorum_controls
    return self.server_version >= versions[1]
  File "/usr/local/lib/python2.7/dist-packages/riak/util.py", line 148, in __get__
    value = self.fget(obj)
  File "/usr/local/lib/python2.7/dist-packages/riak/transports/feature_detect.py", line 189, in server_version
    return LooseVersion(self._server_version())
  File "/usr/local/lib/python2.7/dist-packages/riak/transports/pbc/transport.py", line 101, in _server_version
    return self.get_server_info()['server_version']
  File "/usr/local/lib/python2.7/dist-packages/riak/transports/pbc/transport.py", line 119, in get_server_info
    expect=MSG_CODE_GET_SERVER_INFO_RESP)
  File "/usr/local/lib/python2.7/dist-packages/riak/transports/pbc/connection.py", line 51, in _request
    return self._recv_msg(expect)
  File "/usr/local/lib/python2.7/dist-packages/riak/transports/pbc/connection.py", line 137, in _recv_msg
    raise RiakError(err.errmsg)
riak.RiakError: 'Security is enabled, please STARTTLS first'

When security is disabled, the same script runs perfectly fine:

python riak_test.py
{u'question': u"what's the sense of universe?"}

I also tried generating sample certificates with this tool: https://github.com/basho-labs/riak-ruby-ca and setting them in riak.conf:

grep ssl /etc/riak/riak.conf
## with the ssl config variable, for example:
ssl.certfile = $(platform_etc_dir)/server.crt
## Default key location for https can be overridden with the ssl
ssl.keyfile = $(platform_etc_dir)/server.key
## with the ssl config variable, for example:
ssl.cacertfile = $(platform_etc_dir)/ca.crt

and using ca.crt in the Python script:

creds = riak.security.SecurityCreds('user_sec', 'secure_password', 'ca.crt')

It didn't change anything; I still get the same exception. I guess the problem may be trivial, but I have no clue so far.

Update:

I was using the wrong parameter name. A few commits ago it was security_creds; now it is called credentials. When I fixed that in the script, the SSL handshake was initiated. The next exception was caused by wrong SecurityCreds initialization. The constructor uses named params, so it should be:

creds = riak.security.SecurityCreds(username='user_sec', password='secure_password', cacert_file='ca.crt')

The handshake is initiated, but this call fails:

ssl_socket.do_handshake()

in riak/transports/pbc/connection.py (line 134)

I get these two errors (randomly):

    File "/home/gta/riak-python-client/riak/transports/pbc/connection.py", line 77, in _init_security
    self._ssl_handshake()
  File "/home/gta/riak-python-client/riak/transports/pbc/connection.py", line 145, in _ssl_handshake
    raise e
OpenSSL.SSL.SysCallError: (104, 'ECONNRESET')


    File "/home/gta/riak-python-client/riak/transports/pbc/connection.py", line 77, in _init_security
    self._ssl_handshake()
  File "/home/gta/riak-python-client/riak/transports/pbc/connection.py", line 145, in _ssl_handshake
    raise e
OpenSSL.SSL.SysCallError: (-1, 'Unexpected EOF')

I also observed errors in the Riak log (/var/log/riak/error.log):

2014-06-02 15:09:33.954 [error] <0.1995.1> gen_fsm <0.1995.1> in state wait_for_tls terminated with reason: {error,{startls_failed,{certfile,badarg}}}
2014-06-02 15:09:33.955 [error] <0.1995.1> CRASH REPORT Process <0.1995.1> with 0 neighbours exited with reason: {error,{startls_failed,{certfile,badarg}}} in gen_fsm:terminate/7 line 622
2014-06-02 15:09:33.955 [error] <0.28750.0> Supervisor riak_api_pb_sup had child undefined started with {riak_api_pb_server,start_link,undefined} at <0.1995.1> exit with reason {error,{startls_failed,{certfile,badarg}}} in context child_terminated

This happens with both approaches: cacert (ca.crt) and client cert (client.crt)/key (client.key). I tried various key combinations:

  • keys from test/resources
  • keys generated with the riak-ruby-ca script
  • keys generated with make in test/resources
  • keys generated from pyOpenSSL with a helper script

None of them worked for me.

I'm using riak_2.0.0beta1-1_amd64.deb
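As an added example (not code from the question, the answers or the riak-python-client project), a small Python 3 checker for the riak.conf ssl.* entries shown above: it expands $(platform_etc_dir)-style placeholders using a mapping the caller supplies (an assumption; the Debian package's /etc/riak is what the grep above points at) and reports a missing file, a file without the expected PEM block, or a private key readable by group/others, which are the local certificate problems worth ruling out before debugging the client when the server log reports {certfile,badarg}. The files written by demo() are constructed fixtures.

```python
import os
import re
import tempfile

# PEM block each riak.conf ssl.* setting is expected to contain.
EXPECTED_PEM = {"ssl.certfile": "CERTIFICATE", "ssl.cacertfile": "CERTIFICATE", "ssl.keyfile": "PRIVATE KEY"}

def parse_ssl_settings(conf_text, platform_vars):
    """Map each ssl.* key in riak.conf text to its expanded file path."""
    settings = {}
    for line in conf_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() in EXPECTED_PEM:
            # Expand $(platform_etc_dir)-style placeholders; the mapping is an assumption of the caller.
            settings[key.strip()] = re.sub(r"\$\((\w+)\)", lambda m: platform_vars.get(m.group(1), m.group(0)), value.strip())
    return settings

def check_pem_file(path, expected_label):
    """Problems with one file: missing, unreadable, wrong PEM type, or a key open to others."""
    if not os.path.isfile(path):
        return ["%s: file does not exist" % path]
    try:
        with open(path) as f:
            body = f.read()
    except OSError as e:
        return ["%s: unreadable (%s)" % (path, e)]
    problems = []
    if not re.search(r"-----BEGIN [A-Z ]*%s-----" % expected_label, body):
        problems.append("%s: no %s PEM block" % (path, expected_label))
    mode = os.stat(path).st_mode & 0o777
    if expected_label == "PRIVATE KEY" and mode & 0o077:
        problems.append("%s: private key readable by group/others (mode %o)" % (path, mode))
    return problems

def check_riak_conf(conf_text, platform_vars):
    """Validate every ssl.* entry of a riak.conf; returns {setting: [problems]}."""
    paths = parse_ssl_settings(conf_text, platform_vars)
    return {k: check_pem_file(p, EXPECTED_PEM[k]) for k, p in paths.items()}

def demo():
    """Constructed fixture: a good cert, an over-permissive key, and a CA file that is never written."""
    etc = tempfile.mkdtemp()
    for name, label in (("server.crt", "CERTIFICATE"), ("server.key", "RSA PRIVATE KEY")):
        with open(os.path.join(etc, name), "w") as f:
            f.write("-----BEGIN %s-----\nMIIB...constructed...\n-----END %s-----\n" % (label, label))
    os.chmod(os.path.join(etc, "server.key"), 0o644)  # deliberately too open
    conf = ("ssl.certfile = $(platform_etc_dir)/server.crt\nssl.keyfile = $(platform_etc_dir)/server.key\n"
            "ssl.cacertfile = $(platform_etc_dir)/ca.crt\n")
    return check_riak_conf(conf, {"platform_etc_dir": etc})
```

Run it against the real file with check_riak_conf(open("/etc/riak/riak.conf").read(), {"platform_etc_dir": "/etc/riak"}) as the Riak user, since the files must be readable by that account, not by root.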


2 answers

Stack Overflow user

Accepted answer

Posted on 2014-06-04 06:23:38

I finally got it working. What I had to do:

  1. Upgrade Erlang to version 16 (built from source)
  2. Pull the latest Riak sources
  3. Build Riak from source
  4. Read this section again (more carefully): http://docs.basho.com/riak/2.0.0beta1/ops/running/security-sources/#Certificate-based-Authentication
  5. Set up users (remember: if you want to test with Brett's certificates, you probably need to add a user named "certuser")
  6. Set the certificates in riak.conf (I used Brett's sample certificates from /test/resources)

It seems the security features are not fully supported in the beta1 build.

1 vote

Stack Overflow user

Posted on 2014-05-31 00:38:37

Thanks for your enthusiastic testing! The branch you pulled is unreviewed work in progress, and I added some updates today.

I will try again with the latest 2.0.0 beta and the changes made to this branch. There are some test certificates in riak/tests/resources that are useful for starting to test your configuration.

You now also need to name your cacert parameter, since several other options have been added.

The basic setup looks pretty good. Try the latest and let me know how it works for you.

1 vote

Page content provided by Stack Overflow; translated by Tencent Cloud's IT-domain engine.
Original question: https://stackoverflow.com/questions/23955110