Cloud

湯糰出人意料

  • September 1, 2017

度量標準由 Ceilometer 等通過 Telemetry 收集,並最終發送到 Gnocchi,但 Gnocchi 不允許使用者使用命令,例如gnocchi metric listgnocchi resource list同時使用等於 keystone 或 noauth 的 auth 方法。

所以我嘗試通過使用更簡單的命令來解決問題,只是為了獲取狀態 - gnocchi status

不同的“AUTH_MODE”

在 gnocchi.conf 中使用不同的身份驗證方法時,結果gnocchi status如下所示:

auth_mode = 基本

(gnocchi) status

+--------------------------------------------------+-------+
| Field                                            | Value |
+--------------------------------------------------+-------+
| storage/number of metric having measures to      | 13    |
| process                                          |       |
| storage/total number of measures to process      | 444   |
+--------------------------------------------------+-------+

auth_mode = noauth

(gnocchi) status

Forbidden (HTTP 403)

auth_mode = 基石

(gnocchi) status

The request you have made requires authentication. (HTTP 401)

$$ keyston-authtoken $$在 gnocchi.conf 中

[keystone_authtoken]

auth_type = password
auth_url = http://mng-kh-lab-ctrl-vip-01.ocloud.ir:5000/v3
auth_uri = http://mng-kh-lab-ctrl-vip-01.ocloud.ir:35357
memcached_servers = mng-kh-lab-ctrl-01.ocloud.ir:11211,mng-kh-lab-ctrl-02.ocloud.ir:11211
project_domain_name = default
user_domain_name = default
project_name = service
username = gnocchi
password = 123456
interface = internalURL
region_name = Region_KH_LA

不同 auth_modes 上的 TCPDUMP

基本的 :

2017-06-17 14:21:34.196634 IP (tos 0x0, ttl 64, id 27634, offset 0, flags [DF], proto TCP (6), length 300)
   127.0.0.1.31132 > 127.0.0.1.8041: Flags [P.], cksum 0xff20 (incorrect -> 0x9dcd), seq 1:261, ack 1, win 256, length 260
E..,k.@.@...........y..iUT      ...3.P.... ..GET /v1/status?details=False HTTP/1.1
Host: localhost:8041
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: application/json, */*
User-Agent: gnocchi keystoneauth1/2.20.0 python-requests/2.10.0 CPython/2.7.5
Authorization: basic YWRtaW46

2017-06-17 14:21:34.211613 IP (tos 0x0, ttl 64, id 20934, offset 0, flags [DF], proto TCP (6), length 334)
   127.0.0.1.8041 > 127.0.0.1.31132: Flags [P.], cksum 0xff42 (incorrect -> 0x4673), seq 1:295, ack 261, win 258, length 294
E..NQ.@.@............iy...3.UT
.P....B..HTTP/1.1 200 OK
Date: Sat, 17 Jun 2017 09:51:34 GMT
Server: Apache/2.4.6 (CentOS) mod_wsgi/3.4 Python/2.7.5
Content-Length: 58
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/json; charset=UTF-8

無授權:

2017-06-17 14:23:54.901584 IP (tos 0x0, ttl 64, id 27048, offset 0, flags [DF], proto TCP (6), length 300)
   127.0.0.1.31150 > 127.0.0.1.8041: Flags [P.], cksum 0xff20 (incorrect -> 0xa6a5), seq 1:261, ack 1, win 256, length 260
E..,i.@.@..!........y..i......_.P.... ..GET /v1/status?details=False HTTP/1.1
Host: localhost:8041
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: application/json, */*
User-Agent: gnocchi keystoneauth1/2.20.0 python-requests/2.10.0 CPython/2.7.5
Authorization: basic YWRtaW46

2017-06-17 14:23:54.906964 IP (tos 0x0, ttl 64, id 55179, offset 0, flags [DF], proto TCP (6), length 337)
   127.0.0.1.8041 > 127.0.0.1.31150: Flags [P.], cksum 0xff45 (incorrect -> 0x8ca6), seq 1:298, ack 261, win 258, length 297
E..Q..@.@.d..........iy..._.....P....E..HTTP/1.1 403 Forbidden
Date: Sat, 17 Jun 2017 09:53:54 GMT
Server: Apache/2.4.6 (CentOS) mod_wsgi/3.4 Python/2.7.5
Content-Length: 54
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/json; charset=UTF-8

基石:

2017-06-17 14:25:20.801850 IP (tos 0x0, ttl 64, id 7904, offset 0, flags [DF], proto TCP (6), length 300)
   127.0.0.1.31196 > 127.0.0.1.8041: Flags [P.], cksum 0xff20 (incorrect -> 0x2217), seq 1:261, ack 1, win 256, length 260
E..,..@.@...........y..i7..IZ...P.... ..GET /v1/status?details=False HTTP/1.1
Host: localhost:8041
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: application/json, */*
User-Agent: gnocchi keystoneauth1/2.20.0 python-requests/2.10.0 CPython/2.7.5
Authorization: basic YWRtaW46

2017-06-17 14:25:20.804490 IP (tos 0x0, ttl 64, id 14196, offset 0, flags [DF], proto TCP (6), length 444)
   127.0.0.1.8041 > 127.0.0.1.31196: Flags [P.], cksum 0xffb0 (incorrect -> 0x4c7a), seq 1:405, ack 261, win 258, length 404
E...7t@.@............iy.Z...7..MP.......HTTP/1.1 401 Unauthorized
Date: Sat, 17 Jun 2017 09:55:20 GMT
Server: Apache/2.4.6 (CentOS) mod_wsgi/3.4 Python/2.7.5
WWW-Authenticate: Keystone uri='https://127.0.0.1:35357'
Content-Length: 114
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/json

奇怪的是,在所有不同的方法中,發送的請求都使用基本的 YWRtaW46進行授權。

奇怪的是,在所有不同的方法中,發送的請求都使用基本的 YWRtaW46 進行授權。

這並不奇怪:客戶端的預設設置是使用基本身份驗證。如果您沒有為客戶端提供正確的身份驗證機制。嘗試這樣做:

export OS_AUTH_TYPE=password

這樣 Keystone 就被用作身份驗證。

引用自:https://serverfault.com/questions/856375