I. Enabling SASL authentication for the memcached service:
1. Install the memcached service on the node. Find the memcached package with: yum list |grep memcached
yum install memcached.x86_64
Check whether the memcached service is running: ps -ef |grep memcached
2. Check whether the sasl service is running
rpm -qa |grep sasl
ps aux |grep saslauthd
yum search sasl
yum -y install cyrus-sasl.x86_64
yum -y install cyrus-sasl-plain.x86_64
3. Change the authentication mechanism used by saslauthd
vim /etc/sysconfig/saslauthd
MECH=shadow
Restart saslauthd:
systemctl restart saslauthd
4. Add the authentication user name and password
passwd memcached
Password: Inspur1!
testsaslauthd -u memcached -p Inspur1!
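5. Add the memcached program to the saslauthd daemon
/usr/bin/saslpasswd2 -a <service name, e.g. memcached> -c <user name, e.g. memcached>
# The memcached after -a is the memcached program; the memcached after -c is the user name created when memcached was installed. Another user name can also be used.
6. Add SASL authentication to memcached
Add the -S option in /etc/sysconfig/memcached
II. Python libraries required for authentication: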
python-binary-memcached
uhashring
III. Test steps:
import bmemcached
cl1 = bmemcached.Client(('100.7.50.28',),'memcached','Inspur1!')
cl1.set('key1','val1')
cl1.get('key1')
The code above reads and writes data normally.
IV. System test steps:
First, make the following changes in the configuration file:
[cache]
memcache_sasl_enable
memcache_usrname
memcache_password
[keystone_authtoken]
memcache_sasl_enable
memcache_usrname
memcache_password
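1. In the keystone container on node01, configure the files under 00package, and configure the [cache] group in keystone.conf,
setting the IP to the address memcached listens on
2. Configure the memcached startup options: /usr/bin/memcached -u root -m 64 -c 1024 -S -l 100.7.50.27,::1 -d -vv
3. Run the demo code in the keystone container; data can be read and written normally, and the memcached log looks normal
4. Restart the keystone container; the memcached log now shows the error message Invalid magic
5. Edit [cache] in keystone.conf
and add the user name and password; the error messages in the memcached log are gone.
The message authenticated() in cmd 0x00 is true appears, which shows that it is OK.
V. System debugging record:
Problem 1.
Exception raised:
bmemcached.exceptions.AuthenticationNotSupported
Where the log statements were added:
vi /var/lib/kolla/venv/lib/python2.7/site-packages/keystonemiddleware/auth_token/_cache.py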
def _get_cache_pool(self, cache):
    self._LOG.error("jorhson keystonemiddleware arguments is: %s" % self._arguments)
vi /var/lib/kolla/venv/lib/python2.7/site-packages/oslo_cache/_bmemcache_pool.py
def __init__(self, urls, arguments, **kwargs):
    # super() cannot be used here because Queue in stdlib is an
    # old-style class
    ConnectionPool.__init__(self, **kwargs)
    self.urls = urls
    self._username = arguments.pop('usrname')
    self._password = arguments.pop('password')
    self._arguments = {
        'socket_timeout': arguments.get('socket_timeout', 3.0),
    }
    # NOTE(morganfainberg): The host objects expect an int for the
    # deaduntil value. Initialize this at 0 for each host with 0 indicating
    # the host is not dead.
    self._hosts_deaduntil = [0] * len(urls)
    # Temporary debug output; it writes the SASL password to the log in cleartext.
    LOG.info("jorhson _bmemcached: url = %s, usrname = %s, password = %s" % (self.urls, self._username, self._password))
Log statements were added here, and the values turned out to be OK:
2020-07-31 17:45:03.829 28 ERROR keystonemiddleware.auth_token [- req-None - - - - -] jorhson keystonemiddleware arguments is: {'socket_timeout': 3, 'password': 'Inspur1!', 'dead_retry': 300, 'usrname': 'memcached', 'sasl_enable': True}
2020-07-31 17:45:03.842 28 INFO oslo.cache._bmemcache_pool [- req-None - - - - -] jorhson _bmemcached: url = ['100.7.50.28:11211'], usrname = memcached, password = Inspur1!
When the advanced cache feature is not enabled, the log printed is:
2020-07-31 17:50:05.818 25 ERROR keystonemiddleware.auth_token [- req-None - - - - -] jorhson keystonemiddleware arguments is: {'socket_timeout': 3, 'password': 'Inspur1!', 'dead_retry': 300, 'usrname': 'memcached', 'sasl_enable': True}
Reading the python-binary-memcached code shows that it supports only the PLAIN authentication mechanism, so the following package needs to be installed:
[root@node04 ~]# yum list |grep cyrus-sasl-plain*
cyrus-sasl-plain.i686 2.1.26-23.el7 base
cyrus-sasl-plain.x86_64 2.1.26-23.el7 base
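The AuthenticationNotSupported failure above depends on which SASL mechanisms the memcached server offers. The following added example (not code from python-binary-memcached or from these notes) builds the binary-protocol SASL List Mechanisms request and parses the reply so you can check whether PLAIN is offered; the function names and the sample replies are constructed for illustration.

```python
import socket
import struct

# Binary-protocol header: magic, opcode, key len, extras len, data type,
# status (vbucket id in requests), body len, opaque, CAS = 24 bytes.
HEADER = struct.Struct("!BBHBBHLLQ")
REQ_MAGIC, RES_MAGIC = 0x80, 0x81
OP_SASL_LIST_MECHS = 0x20
STATUS_OK, STATUS_UNKNOWN_COMMAND = 0x0000, 0x0081

def build_list_mechs_request():
    """SASL List Mechanisms request: header only, no key/extras/body."""
    return HEADER.pack(REQ_MAGIC, OP_SASL_LIST_MECHS, 0, 0, 0, 0, 0, 0, 0)

def parse_mechs_response(data):
    """Return offered mechanisms; [] if the server reports the command as unknown."""
    if len(data) < HEADER.size:
        raise ValueError("short response")
    magic, opcode, _, _, _, status, body_len, _, _ = HEADER.unpack_from(data)
    if magic != RES_MAGIC or opcode != OP_SASL_LIST_MECHS:
        raise ValueError("not a SASL list-mechs response")
    if status == STATUS_UNKNOWN_COMMAND:  # SASL not enabled on the server
        return []
    body = data[HEADER.size:HEADER.size + body_len]
    if status != STATUS_OK or len(body) != body_len:
        raise ValueError("bad response, status 0x%04x" % status)
    return body.decode("ascii").split()

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed by server")
        buf += chunk
    return buf

def query_mechs(host, port=11211, timeout=3.0):
    """Ask a live server; not exercised by the constructed samples below."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_list_mechs_request())
        header = _recv_exact(s, HEADER.size)
        body = _recv_exact(s, HEADER.unpack(header)[6])
        return parse_mechs_response(header + body)

# Constructed sample responses (not captured from a real server).
SAMPLE_PLAIN = HEADER.pack(RES_MAGIC, OP_SASL_LIST_MECHS, 0, 0, 0, 0, 5, 0, 0) + b"PLAIN"
SAMPLE_NO_PLAIN = HEADER.pack(RES_MAGIC, OP_SASL_LIST_MECHS, 0, 0, 0, 0, 8, 0, 0) + b"CRAM-MD5"
```

If "PLAIN" is missing from the list returned by query_mechs for your server, the client cannot authenticate until cyrus-sasl-plain is installed and memcached is restarted.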