Cloud
湯糰出人意料
度量標準由 Ceilometer 等通過 Telemetry 收集,並最終發送到 Gnocchi,但 Gnocchi 不允許使用者使用命令,例如
gnocchi metric list
或gnocchi resource list
同時使用等於 keystone 或 noauth 的 auth 方法。所以我嘗試通過使用更簡單的命令來解決問題,只是為了獲取狀態 -
gnocchi status
。不同的“AUTH_MODE”
在 gnocchi.conf 中使用不同的身份驗證方法時,結果
gnocchi status
如下所示:auth_mode = 基本
(gnocchi) status +--------------------------------------------------+-------+ | Field | Value | +--------------------------------------------------+-------+ | storage/number of metric having measures to | 13 | | process | | | storage/total number of measures to process | 444 | +--------------------------------------------------+-------+
auth_mode = noauth
(gnocchi) status Forbidden (HTTP 403)
auth_mode = 基石
(gnocchi) status The request you have made requires authentication. (HTTP 401)
$$ keyston-authtoken $$在 gnocchi.conf 中
[keystone_authtoken] auth_type = password auth_url = http://mng-kh-lab-ctrl-vip-01.ocloud.ir:5000/v3 auth_uri = http://mng-kh-lab-ctrl-vip-01.ocloud.ir:35357 memcached_servers = mng-kh-lab-ctrl-01.ocloud.ir:11211,mng-kh-lab-ctrl-02.ocloud.ir:11211 project_domain_name = default user_domain_name = default project_name = service username = gnocchi password = 123456 interface = internalURL region_name = Region_KH_LA
不同 auth_modes 上的 TCPDUMP
基本的 :
2017-06-17 14:21:34.196634 IP (tos 0x0, ttl 64, id 27634, offset 0, flags [DF], proto TCP (6), length 300) 127.0.0.1.31132 > 127.0.0.1.8041: Flags [P.], cksum 0xff20 (incorrect -> 0x9dcd), seq 1:261, ack 1, win 256, length 260 E..,k.@.@...........y..iUT ...3.P.... ..GET /v1/status?details=False HTTP/1.1 Host: localhost:8041 Connection: keep-alive Accept-Encoding: gzip, deflate Accept: application/json, */* User-Agent: gnocchi keystoneauth1/2.20.0 python-requests/2.10.0 CPython/2.7.5 Authorization: basic YWRtaW46 2017-06-17 14:21:34.211613 IP (tos 0x0, ttl 64, id 20934, offset 0, flags [DF], proto TCP (6), length 334) 127.0.0.1.8041 > 127.0.0.1.31132: Flags [P.], cksum 0xff42 (incorrect -> 0x4673), seq 1:295, ack 261, win 258, length 294 E..NQ.@.@............iy...3.UT .P....B..HTTP/1.1 200 OK Date: Sat, 17 Jun 2017 09:51:34 GMT Server: Apache/2.4.6 (CentOS) mod_wsgi/3.4 Python/2.7.5 Content-Length: 58 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/json; charset=UTF-8
無授權:
2017-06-17 14:23:54.901584 IP (tos 0x0, ttl 64, id 27048, offset 0, flags [DF], proto TCP (6), length 300) 127.0.0.1.31150 > 127.0.0.1.8041: Flags [P.], cksum 0xff20 (incorrect -> 0xa6a5), seq 1:261, ack 1, win 256, length 260 E..,i.@.@..!........y..i......_.P.... ..GET /v1/status?details=False HTTP/1.1 Host: localhost:8041 Connection: keep-alive Accept-Encoding: gzip, deflate Accept: application/json, */* User-Agent: gnocchi keystoneauth1/2.20.0 python-requests/2.10.0 CPython/2.7.5 Authorization: basic YWRtaW46 2017-06-17 14:23:54.906964 IP (tos 0x0, ttl 64, id 55179, offset 0, flags [DF], proto TCP (6), length 337) 127.0.0.1.8041 > 127.0.0.1.31150: Flags [P.], cksum 0xff45 (incorrect -> 0x8ca6), seq 1:298, ack 261, win 258, length 297 E..Q..@.@.d..........iy..._.....P....E..HTTP/1.1 403 Forbidden Date: Sat, 17 Jun 2017 09:53:54 GMT Server: Apache/2.4.6 (CentOS) mod_wsgi/3.4 Python/2.7.5 Content-Length: 54 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/json; charset=UTF-8
基石:
2017-06-17 14:25:20.801850 IP (tos 0x0, ttl 64, id 7904, offset 0, flags [DF], proto TCP (6), length 300) 127.0.0.1.31196 > 127.0.0.1.8041: Flags [P.], cksum 0xff20 (incorrect -> 0x2217), seq 1:261, ack 1, win 256, length 260 E..,..@.@...........y..i7..IZ...P.... ..GET /v1/status?details=False HTTP/1.1 Host: localhost:8041 Connection: keep-alive Accept-Encoding: gzip, deflate Accept: application/json, */* User-Agent: gnocchi keystoneauth1/2.20.0 python-requests/2.10.0 CPython/2.7.5 Authorization: basic YWRtaW46 2017-06-17 14:25:20.804490 IP (tos 0x0, ttl 64, id 14196, offset 0, flags [DF], proto TCP (6), length 444) 127.0.0.1.8041 > 127.0.0.1.31196: Flags [P.], cksum 0xffb0 (incorrect -> 0x4c7a), seq 1:405, ack 261, win 258, length 404 E...7t@.@............iy.Z...7..MP.......HTTP/1.1 401 Unauthorized Date: Sat, 17 Jun 2017 09:55:20 GMT Server: Apache/2.4.6 (CentOS) mod_wsgi/3.4 Python/2.7.5 WWW-Authenticate: Keystone uri='https://127.0.0.1:35357' Content-Length: 114 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/json
奇怪的是,在所有不同的方法中,發送的請求都使用基本的 YWRtaW46進行授權。
奇怪的是,在所有不同的方法中,發送的請求都使用基本的 YWRtaW46 進行授權。
這並不奇怪:客戶端的預設設置是使用基本身份驗證。如果您沒有為客戶端提供正確的身份驗證機制。嘗試這樣做:
export OS_AUTH_TYPE=password
這樣 Keystone 就被用作身份驗證。