【问题标题】:How to get Riak 2.0 security working with riak-python-client?如何让 Riak 2.0 安全性与 riak-python-client 一起工作?
【发布时间】:2014-05-30 12:52:07
【问题描述】:

Riak 2.0 以默认设置安装在 Ubuntu 14.04 上

Riak python 客户端取自 dev 分支:https://github.com/basho/riak-python-client/tree/feature/bch/security

我做的步骤:

1.启用安全性:

> riak-admin security enable

2.查看状态:

> riak-admin security status
> Enabled

3.添加示例用户、组并应用一些基本权限

4.总体如下:

用户:

riak-admin security print-users

+----------+---------------+----------------------------------------+------------------------------+
| username |   member of   |                password                |           options            |
+----------+---------------+----------------------------------------+------------------------------+
| user_sec |   group_sec   |ce055fe0a2d621a650c293a56996ee504054ea1d|              []              |
+----------+---------------+----------------------------------------+------------------------------+

用户授权:

riak-admin security print-grants user_sec
Inherited permissions (user/user_sec)

+--------------------+----------+----------+----------------------------------------+
|       group        |   type   |  bucket  |                 grants                 |
+--------------------+----------+----------+----------------------------------------+
|     group_sec      | default  |    *     |              riak_kv.get               |
|     group_sec      |bucket_sec|    *     |              riak_kv.get               |
+--------------------+----------+----------+----------------------------------------+

Cumulative permissions (user/user_sec)

+----------+----------+----------------------------------------+
|   type   |  bucket  |                 grants                 |
+----------+----------+----------------------------------------+
| default  |    *     |              riak_kv.get               |
|bucket_sec|    *     |              riak_kv.get               |
+----------+----------+----------------------------------------+

授权来源:

riak-admin security print-sources

+--------------------+------------+----------+----------+
|       users        |    cidr    |  source  | options  |
+--------------------+------------+----------+----------+
|      user_sec      | 0.0.0.0/32 | password |    []    |
|      user_sec      |127.0.0.1/32|  trust   |    []    |
+--------------------+------------+----------+----------+

我尝试运行的简单 python 脚本(在运行 Riak 的同一主机上):

import riak
from riak.security import SecurityCreds
pbc_port = 8002
riak_host = "127.0.0.1"
creds = riak.security.SecurityCreds('user_sec', 'secure_password')
riak_client = riak.RiakClient(pb_port=pbc_port, host=riak_host, protocol='pbc', security_creds=creds)
bucket = riak_client.bucket('test')
data = bucket.get("42")
print data.data

我得到的堆栈跟踪: python riak_test.py

Traceback (most recent call last):
  File "riak_test.py", line 8, in <module>
    data = bucket.get("42")
  File "/usr/local/lib/python2.7/dist-packages/riak/bucket.py", line 214, in get
    return obj.reload(r=r, pr=pr, timeout=timeout)
  File "/usr/local/lib/python2.7/dist-packages/riak/riak_object.py", line 307, in reload
    self.client.get(self, r=r, pr=pr, timeout=timeout)
  File "/usr/local/lib/python2.7/dist-packages/riak/client/transport.py", line 184, in wrapper
    return self._with_retries(pool, thunk)
  File "/usr/local/lib/python2.7/dist-packages/riak/client/transport.py", line 126, in _with_retries
    return fn(transport)
  File "/usr/local/lib/python2.7/dist-packages/riak/client/transport.py", line 182, in thunk
    return fn(self, transport, *args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/riak/client/operations.py", line 382, in get
    return transport.get(robj, r=r, pr=pr, timeout=timeout)
  File "/usr/local/lib/python2.7/dist-packages/riak/transports/pbc/transport.py", line 148, in get
    if self.quorum_controls() and pr:
  File "/usr/local/lib/python2.7/dist-packages/riak/transports/feature_detect.py", line 102, in quorum_controls
    return self.server_version >= versions[1]
  File "/usr/local/lib/python2.7/dist-packages/riak/util.py", line 148, in __get__
    value = self.fget(obj)
  File "/usr/local/lib/python2.7/dist-packages/riak/transports/feature_detect.py", line 189, in server_version
    return LooseVersion(self._server_version())
  File "/usr/local/lib/python2.7/dist-packages/riak/transports/pbc/transport.py", line 101, in _server_version
    return self.get_server_info()['server_version']
  File "/usr/local/lib/python2.7/dist-packages/riak/transports/pbc/transport.py", line 119, in get_server_info
    expect=MSG_CODE_GET_SERVER_INFO_RESP)
  File "/usr/local/lib/python2.7/dist-packages/riak/transports/pbc/connection.py", line 51, in _request
    return self._recv_msg(expect)
  File "/usr/local/lib/python2.7/dist-packages/riak/transports/pbc/connection.py", line 137, in _recv_msg
    raise RiakError(err.errmsg)
riak.RiakError: 'Security is enabled, please STARTTLS first'

当禁用安全性时,相同的脚本可以正常工作:

python riak_test.py
{u'question': u"what's the sense of universe?"}

我还尝试使用此工具生成示例证书:https://github.com/basho-labs/riak-ruby-ca 并将它们设置在 riak.conf 中:

grep ssl /etc/riak/riak.conf
## with the ssl config variable, for example:
ssl.certfile = $(platform_etc_dir)/server.crt
## Default key location for https can be overridden with the ssl
ssl.keyfile = $(platform_etc_dir)/server.key
## with the ssl config variable, for example:
ssl.cacertfile = $(platform_etc_dir)/ca.crt

并在 python 脚本中使用 ca.crt:

creds = riak.security.SecurityCreds('user_sec', 'secure_password', 'ca.crt')

它没有改变任何东西。我仍然遇到同样的异常。我想这个问题可能是微不足道的,但我现在没有任何线索。

更新:

我使用了错误的参数名称。很少提交之前它是:security_creds,现在它被称为:credentials。 当我在脚本中修复此问题时,SSL 握手已初始化。然后下一个异常是由错误的 SecurityCreds 初始化引起的。构造函数使用命名参数,所以它应该是:

creds = riak.security.SecurityCreds(username='user_sec', password='secure_password', cacert_file='ca.crt')

握手已初始化,但在此命令上失败:

ssl_socket.do_handshake()

来自 riak/transport/pbc/connection.py(第 134 行)

我收到这 2 个错误(随机):

    File "/home/gta/riak-python-client/riak/transports/pbc/connection.py", line 77, in _init_security
    self._ssl_handshake()
  File "/home/gta/riak-python-client/riak/transports/pbc/connection.py", line 145, in _ssl_handshake
    raise e
OpenSSL.SSL.SysCallError: (104, 'ECONNRESET')


    File "/home/gta/riak-python-client/riak/transports/pbc/connection.py", line 77, in _init_security
    self._ssl_handshake()
  File "/home/gta/riak-python-client/riak/transports/pbc/connection.py", line 145, in _ssl_handshake
    raise e
OpenSSL.SSL.SysCallError: (-1, 'Unexpected EOF')

我还在 Riak 的日志 (/var/log/riak/error.log) 中观察到错误:

2014-06-02 15:09:33.954 [error] <0.1995.1> gen_fsm <0.1995.1> in state wait_for_tls terminated with reason: {error,{startls_failed,{certfile,badarg}}}
2014-06-02 15:09:33.955 [error] <0.1995.1> CRASH REPORT Process <0.1995.1> with 0 neighbours exited with reason: {error,{startls_failed,{certfile,badarg}}} in gen_fsm:terminate/7 line 622
2014-06-02 15:09:33.955 [error] <0.28750.0> Supervisor riak_api_pb_sup had child undefined started with {riak_api_pb_server,start_link,undefined} at <0.1995.1> exit with reason {error,{startls_failed,{certfile,badarg}}} in context child_terminated

这两种方法都会发生这种情况:cacert (ca.crt) 和客户端证书 (client.crt)/key (client.key)。我尝试了各种组合键:

  • 来自测试/资源的键

  • 使用 riak-ruby-ca 脚本生成的密钥

  • 在测试/资源中使用make 生成的密钥

  • 使用 pyOpenSSL 的帮助脚本生成的密钥

  • ...它们都不适合我

我正在使用 riak_2.0.0beta1-1_amd64.deb

【问题讨论】:

  • python 客户端是否支持协议缓冲区的 TLS?如果你使用protocol='https' 有什么不同吗?
  • @Joe,https 不是有效值。仅支持“pbc”和“http”。

标签: python security ssl-certificate riak


【解决方案1】:

感谢您的热情测试!您提取的分支是一项未经审查的工作,我今天添加了一些更新。

我会再次尝试使用最新的 2.0.0 测试版和对此分支所做的更改。 riak/tests/resources 中有一些测试证书,可用于开始测试您的配置。

您现在也需要命名您的 cacert 参数,因为已经添加了几个其他选项。

基本设置看起来不错。试试最新的,让我知道它对你有什么作用。

【讨论】:

  • 嗨,布雷特,你能看看我问题的更新部分吗?我提供了一些关于我今天面临的问题的新信息。
  • @przmk 有几件事:该二进制文件是针对 12.04LTS IIRC 构建的,因此您的里程数会有所不同。此外,自 Beta 1 以来,情况发生了变化,例如向 advanced.config 添加条目的需要已被删除。你有哪个版本的 OpenSSL?如果您运行的是 14.04LTS,我怀疑您是最新的,但请确保您已更新您的发行版。您是否有能力或有兴趣构建自己的 Riak Beta?
  • 好消息!看起来我们现在有一个 Trusty Tahr Beta 5 版本! s3.amazonaws.com/builds.basho.com/riak/develop/2.0.0beta5/…
  • 最初我用 OpenSSL 和 pyOpenSSL 搞砸了一些东西。我的 SSL.py 缺少客户端所需的一些东西。当我手动重新安装以下两者时它开始工作:OpenSSL 和 pyOpenSSL。
  • 很高兴你终于成功了,@przmk!如果您还有其他问题,请随时使用 riak-user 邮件列表:lists.basho.com/mailman/listinfo/riak-users_lists.basho.com
【解决方案2】:

我终于让它工作了。我必须做的事情:

  1. 将 Erlang 升级到版本 16(从源代码构建)
  2. 拉取最新Riak的源码
  3. 从源代码构建 Riak
  4. 再次阅读(更仔细地)这段:http://docs.basho.com/riak/2.0.0beta1/ops/running/security-sources/#Certificate-based-Authentication
  5. 设置用户(请记住:如果您想使用 Brett 的证书进行测试,那么您可能需要添加名为“certuser”的用户)
  6. 在 riak.config 中设置证书(我使用了来自 /tests/resources 的 Brett 示例证书)

Beta1 版本似乎不完全支持安全功能

【讨论】:

    猜你喜欢
    • 1970-01-01
    • 1970-01-01
    • 1970-01-01
    • 1970-01-01
    • 1970-01-01
    • 1970-01-01
    • 1970-01-01
    • 1970-01-01
    • 1970-01-01
    相关资源
    最近更新 更多