Set up a PyKMIP service for Swift
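#!/usr/bin/env bash
# Set up a throw-away PyKMIP server for developing and testing Swift's
# kmip_keymaster middleware.
#
# Steps:
#   1. generate a self-signed root CA and one client certificate
#      (interactive: openssl prompts for the subject fields),
#   2. write the PyKMIP server and client configs under ${PYKMIP_DIR},
#   3. install PyKMIP into a virtualenv and start the server in the background,
#   4. create one AES-256 key and fetch it back as a smoke test,
#   5. write /etc/swift/kmip_keymaster.conf and print the remaining manual
#      proxy-server.conf edits.
#
# NOTE: this should NEVER be used as a production KMIP service: the root CA
# key doubles as the server key, TLS client authentication is disabled and
# the Basic-auth credentials are placeholders.
#
# Requires: sudo, openssl, virtualenv; /etc/swift must be writable by the
# invoking user (the keymaster config is written without sudo).
set -euo pipefail

# change as appropriate
# (USER deliberately shadows the login shell's $USER: it is the account that
# owns ${PYKMIP_DIR} and /var/log/pykmip, not necessarily who runs this script)
USER=swift
GROUP=swift
PYKMIP_DIR=/etc/pykmip
PYKMIP_VENV_DIR=./pykmip_venv
# address the server listens on and the clients connect to
PYKMIP_HOST=127.0.0.1
PYKMIP_PORT=5696
readonly USER GROUP PYKMIP_DIR PYKMIP_VENV_DIR PYKMIP_HOST PYKMIP_PORT

# NOTE(review): PyKMIP's own defaults look for its configs under /etc/pykmip;
# if PYKMIP_DIR is changed the server and demos presumably need to be pointed
# at the new config paths explicitly — confirm before relying on it.

#######################################
# Print a message to stderr and exit non-zero.
# Arguments: message words
#######################################
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

command -v openssl >/dev/null || die "openssl not found"
command -v virtualenv >/dev/null || die "virtualenv not found"

readonly certs_dir="${PYKMIP_DIR}/certs"

printf '\nWe need to interactively generate some certificates...\n\n'
sudo mkdir -p -- "${certs_dir}"
sudo chown "${USER}:${GROUP}" "${PYKMIP_DIR}"
sudo openssl genrsa -out "${certs_dir}/MyRootCA.key" 2048
sudo openssl req -x509 -new -nodes -key "${certs_dir}/MyRootCA.key" \
  -sha256 -days 1024 -out "${certs_dir}/MyRootCA.pem"
sudo openssl genrsa -out "${certs_dir}/MyClient1.key" 2048
sudo openssl req -new -key "${certs_dir}/MyClient1.key" \
  -out "${certs_dir}/MyClient1.csr"
sudo openssl x509 -req -in "${certs_dir}/MyClient1.csr" \
  -CA "${certs_dir}/MyRootCA.pem" -CAkey "${certs_dir}/MyRootCA.key" \
  -CAcreateserial -out "${certs_dir}/MyClient1.pem" -days 1024 -sha256
# The chown above applied to ${PYKMIP_DIR} only, so everything openssl just
# wrote via sudo is still root-owned (private keys may well be mode 0600).
# The server below runs unprivileged and must be able to read the key files.
sudo chown -R "${USER}:${GROUP}" "${certs_dir}"

echo "Writing ${PYKMIP_DIR}/server.conf"
# The root CA cert/key double as the server identity and client certs are not
# verified — dev-only shortcuts.  Continuation lines of the multi-valued
# tls_cipher_suites option must be indented or configparser rejects them.
cat > "${PYKMIP_DIR}/server.conf" <<EOF
[server]
hostname=${PYKMIP_HOST}
port=${PYKMIP_PORT}
certificate_path=${certs_dir}/MyRootCA.pem
key_path=${certs_dir}/MyRootCA.key
ca_path=${certs_dir}/MyRootCA.pem
auth_suite=Basic
policy_path=${PYKMIP_DIR}/server_policy
enable_tls_client_auth=False
tls_cipher_suites=
    TLS_RSA_WITH_AES_128_CBC_SHA256
    TLS_RSA_WITH_AES_256_CBC_SHA256
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
logging_level=DEBUG
EOF

echo "Writing ${PYKMIP_DIR}/pykmip.conf"
# username/password are placeholders for the Basic auth suite configured above
cat > "${PYKMIP_DIR}/pykmip.conf" <<EOF
[client]
host=${PYKMIP_HOST}
port=${PYKMIP_PORT}
certfile=${certs_dir}/MyClient1.pem
keyfile=${certs_dir}/MyClient1.key
ca_certs=${certs_dir}/MyRootCA.pem
cert_reqs=CERT_REQUIRED
ssl_version=PROTOCOL_SSLv23
do_handshake_on_connect=True
suppress_ragged_eofs=True
username=example_username
password=password
EOF

echo "Creating a virtualenv in ${PYKMIP_VENV_DIR}"
virtualenv "${PYKMIP_VENV_DIR}"
# Call the venv's own binaries instead of sourcing bin/activate: the effect
# is identical inside this script, and activate scripts reference unset
# variables that would trip 'set -u'.
readonly venv_python="${PYKMIP_VENV_DIR}/bin/python"
"${PYKMIP_VENV_DIR}/bin/pip" install requests
"${PYKMIP_VENV_DIR}/bin/pip" install pykmip
# Locate the installed package rather than hard-coding lib/python2.7/...
kmip_pkg_dir=$("${venv_python}" -c 'import os, kmip; print(os.path.dirname(kmip.__file__))') \
  || die "cannot locate the kmip package in ${PYKMIP_VENV_DIR}"
readonly kmip_pkg_dir

# run the pykmip server in background
# NOTE: this should NEVER be used as a production KMIP service!
mkdir -p -- "${PYKMIP_DIR}/server_policy"
sudo mkdir -p /var/log/pykmip
sudo chown "${USER}:${GROUP}" /var/log/pykmip
"${venv_python}" "${kmip_pkg_dir}/services/server/server.py" &
server_pid=$!
sleep 1
# A server that died during startup (unreadable key, port already in use, ...)
# would otherwise only surface as an obscure failure of the demos below.
kill -0 "${server_pid}" 2>/dev/null \
  || die "PyKMIP server (pid ${server_pid}) exited during startup; check /var/log/pykmip"
echo "PyKMIP server is running"

# create an AES-256 symmetric key
# expect output similar to :
# 2018-06-20 15:21:37,286 - demo - INFO - Successfully created symmetric key with ID: 1
echo "Creating a key..."
create_out=$("${venv_python}" "${kmip_pkg_dir}/demos/pie/create.py" \
  --password whatever -a AES -l 256 2>&1) \
  || die "creating the key failed: ${create_out}"
printf '%s\n' "${create_out}"
# Pick the ID out of the demo's log line so the keymaster config does not
# have to assume it is 1 (it will not be on a server that already has keys).
key_id=$(sed -n 's/.*created symmetric key with ID: \([0-9][0-9]*\).*/\1/p' <<<"${create_out}" | head -n 1)
if [[ -z "${key_id}" ]]; then
  echo "Could not determine the new key ID from the output above; assuming 1" >&2
  key_id=1
fi
readonly key_id

echo "Fetching a key..."
# verify the key can be fetched
# expect an output similar to:
# 2018-06-20 15:22:07,499 - demo - INFO - Successfully retrieved secret with ID: 2
# 2018-06-20 15:22:07,499 - demo - INFO - Secret data: 54283fb6767dff6c5d2256a5dfa1494cbe69dc6b41547a70cc3461958218d26b
"${venv_python}" "${kmip_pkg_dir}/demos/pie/get.py" -i "${key_id}"
printf '\nNB assuming the created key has ID %s. If getting the key failed then maybe it has a different id.\n' "${key_id}"
printf "If not then you'll need to edit /etc/swift/kmip_keymaster.conf. \n"

readonly swift_conf=/etc/swift/kmip_keymaster.conf
echo "Writing ${swift_conf}"
# Written without sudo: /etc/swift must be writable by the invoking user
# (use 'sudo tee' here if it is not).
cat > "${swift_conf}" <<EOF
[kmip_keymaster]
key_id = ${key_id}
host = ${PYKMIP_HOST}
port = ${PYKMIP_PORT}
certfile = ${certs_dir}/MyClient1.pem
keyfile = ${certs_dir}/MyClient1.key
ca_certs = ${certs_dir}/MyRootCA.pem
username = swift
password = ignored
EOF

cat <<'EOF'

You need to edit /etc/swift/proxy-server.conf:
Add 'kmip_keymaster encryption' to the proxy pipeline i.e.:
.... kmip_keymaster encryption proxy-logging proxy-server
Add a kmip_keymaster filter section:
[filter:kmip_keymaster]
use = egg:swift#kmip_keymaster
keymaster_config_path = /etc/swift/kmip_keymaster.conf

Ensure swift is installed with kmip_keymaster extra dependencies e.g. in swift root dir:
sudo pip install -e .[kmip_keymaster]
EOF
printf "\nRestart the proxy server and check proxy log for 'Loaded secret id %s' message\n" "${key_id}"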