指标由 Ceilometer 等设备的遥测收集,最后发送给 Gnocchi,但 Gnocchi 不允许用户在使用等于 keystone 或 noauth 的身份验证方法时使用诸如gnocchi metric list或之类的命令。gnocchi resource list
因此,我尝试使用一个更简单的命令来获取状态以解决问题gnocchi status。
不同的“AUTH_MODE”
在 gnocchi.conf 中使用不同的身份验证方法时,结果gnocchi status将如下所示:
auth_mode = basic
(gnocchi) status
+--------------------------------------------------+-------+
| Field | Value |
+--------------------------------------------------+-------+
| storage/number of metric having measures to | 13 |
| process | |
| storage/total number of measures to process | 444 |
+--------------------------------------------------+-------+
auth_mode = noauth
(gnocchi) status
Forbidden (HTTP 403)
auth_mode = keystone
(gnocchi) status
The request you have made requires authentication. (HTTP 401)
gnocchi.conf 中的 [keyston-authtoken]
[keystone_authtoken]
auth_type = password
auth_url = http://mng-kh-lab-ctrl-vip-01.ocloud.ir:5000/v3
auth_uri = http://mng-kh-lab-ctrl-vip-01.ocloud.ir:35357
memcached_servers = mng-kh-lab-ctrl-01.ocloud.ir:11211,mng-kh-lab-ctrl-02.ocloud.ir:11211
project_domain_name = default
user_domain_name = default
project_name = service
username = gnocchi
password = 123456
interface = internalURL
region_name = Region_KH_LA
不同 auth_mode 上的 TCPDUMP
基本的 :
2017-06-17 14:21:34.196634 IP (tos 0x0, ttl 64, id 27634, offset 0, flags [DF], proto TCP (6), length 300)
127.0.0.1.31132 > 127.0.0.1.8041: Flags [P.], cksum 0xff20 (incorrect -> 0x9dcd), seq 1:261, ack 1, win 256, length 260
E..,k.@[email protected] ...3.P.... ..GET /v1/status?details=False HTTP/1.1
Host: localhost:8041
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: application/json, */*
User-Agent: gnocchi keystoneauth1/2.20.0 python-requests/2.10.0 CPython/2.7.5
Authorization: basic YWRtaW46
2017-06-17 14:21:34.211613 IP (tos 0x0, ttl 64, id 20934, offset 0, flags [DF], proto TCP (6), length 334)
127.0.0.1.8041 > 127.0.0.1.31132: Flags [P.], cksum 0xff42 (incorrect -> 0x4673), seq 1:295, ack 261, win 258, length 294
E..NQ.@[email protected]
.P....B..HTTP/1.1 200 OK
Date: Sat, 17 Jun 2017 09:51:34 GMT
Server: Apache/2.4.6 (CentOS) mod_wsgi/3.4 Python/2.7.5
Content-Length: 58
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/json; charset=UTF-8
无授权:
2017-06-17 14:23:54.901584 IP (tos 0x0, ttl 64, id 27048, offset 0, flags [DF], proto TCP (6), length 300)
127.0.0.1.31150 > 127.0.0.1.8041: Flags [P.], cksum 0xff20 (incorrect -> 0xa6a5), seq 1:261, ack 1, win 256, length 260
E..,i.@.@..!........y..i......_.P.... ..GET /v1/status?details=False HTTP/1.1
Host: localhost:8041
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: application/json, */*
User-Agent: gnocchi keystoneauth1/2.20.0 python-requests/2.10.0 CPython/2.7.5
Authorization: basic YWRtaW46
2017-06-17 14:23:54.906964 IP (tos 0x0, ttl 64, id 55179, offset 0, flags [DF], proto TCP (6), length 337)
127.0.0.1.8041 > 127.0.0.1.31150: Flags [P.], cksum 0xff45 (incorrect -> 0x8ca6), seq 1:298, ack 261, win 258, length 297
E..Q..@[email protected]..._.....P....E..HTTP/1.1 403 Forbidden
Date: Sat, 17 Jun 2017 09:53:54 GMT
Server: Apache/2.4.6 (CentOS) mod_wsgi/3.4 Python/2.7.5
Content-Length: 54
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/json; charset=UTF-8
基石:
2017-06-17 14:25:20.801850 IP (tos 0x0, ttl 64, id 7904, offset 0, flags [DF], proto TCP (6), length 300)
127.0.0.1.31196 > 127.0.0.1.8041: Flags [P.], cksum 0xff20 (incorrect -> 0x2217), seq 1:261, ack 1, win 256, length 260
E..,..@[email protected].... ..GET /v1/status?details=False HTTP/1.1
Host: localhost:8041
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: application/json, */*
User-Agent: gnocchi keystoneauth1/2.20.0 python-requests/2.10.0 CPython/2.7.5
Authorization: basic YWRtaW46
2017-06-17 14:25:20.804490 IP (tos 0x0, ttl 64, id 14196, offset 0, flags [DF], proto TCP (6), length 444)
127.0.0.1.8041 > 127.0.0.1.31196: Flags [P.], cksum 0xffb0 (incorrect -> 0x4c7a), seq 1:405, ack 261, win 258, length 404
E...7t@[email protected]/1.1 401 Unauthorized
Date: Sat, 17 Jun 2017 09:55:20 GMT
Server: Apache/2.4.6 (CentOS) mod_wsgi/3.4 Python/2.7.5
WWW-Authenticate: Keystone uri='https://127.0.0.1:35357'
Content-Length: 114
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/json
在所有不同的方法中,发送的请求都是使用基本 YWRtaW46以获得其授权。
答案1
在所有不同的方法中,发送的请求都使用基本的 YWRtaW46 进行授权,这真的很奇怪。
这并不奇怪:客户端默认使用基本身份验证。如果您没有为客户端提供正确的身份验证机制。请尝试执行以下操作:
export OS_AUTH_TYPE=password
这样就可以使用 Keystone 作为身份验证。