CLI Usage
usage: barbican [--version] [-v] [--log-file LOG_FILE] [-q] [-h] [--debug]
[--no-auth] [--os-identity-api-version <identity-api-version>]
[--os-auth-url <auth-url>] [--os-username <auth-user-name>]
[--os-user-id <auth-user-id>] [--os-password <auth-password>]
[--os-user-domain-id <auth-user-domain-id>]
[--os-user-domain-name <auth-user-domain-name>]
[--os-tenant-name <auth-tenant-name>]
[--os-tenant-id <tenant-id>]
[--os-project-id <auth-project-id>]
[--os-project-name <auth-project-name>]
[--os-project-domain-id <auth-project-domain-id>]
[--os-project-domain-name <auth-project-domain-name>]
[--os-auth-token <auth-token>]
[--endpoint <barbican-url>] [--insecure]
[--os-cacert <ca-certificate>] [--os-cert <certificate>]
[--os-key <key>] [--timeout <seconds>]
The following examples assume that credentials have been saved to your environment. If you did not save variables to your environment, or want to use credentials other than those defined, you can pass any of the optional arguments above to Barbican.
Barbican takes a positional argument <entity>, which specifies whether you wish to operate on a secret or an order.
Secrets
$ barbican secret <action>
This should be immediately followed by a subcommand describing the action to be performed. The subcommands are mostly the same for secrets and orders, although some optional arguments apply only to one or the other.
The subcommand actions a user can perform on a secret are:
secret consumer Allow operations with secret consumers.
secret delete Delete a secret by providing its URI.
secret get Retrieve a secret by providing its URI.
secret list List secrets.
secret store Store a secret in Barbican.
Each subcommand takes a different set of arguments, and the help message varies from subcommand to subcommand. The help message for **get** can be seen below.
$ barbican help secret get
usage: barbican secret get [-h] [-f {json,shell,table,value,yaml}] [-c COLUMN]
[--max-width <integer>] [--fit-width]
[--print-empty] [--noindent] [--prefix PREFIX]
[--decrypt | --payload | --file <filename>]
[--payload_content_type PAYLOAD_CONTENT_TYPE]
URI
Retrieve a secret by providing its URI.
positional arguments:
URI The URI reference for the secret.
optional arguments:
-h, --help show this help message and exit
--decrypt, -d if specified, retrieve the unencrypted secret data.
--payload, -p if specified, retrieve the unencrypted secret data.
--file <filename>, -F <filename>
if specified, save the payload to a new file with the
given filename.
--payload_content_type PAYLOAD_CONTENT_TYPE, -t PAYLOAD_CONTENT_TYPE
the content type of the decrypted secret (default:
text/plain).
output formatters:
output formatter options
-f {shell,table,value}, --format {shell,table,value}
the output format, defaults to table
-c COLUMN, --column COLUMN
specify the column(s) to include, can be repeated
table formatter:
--max-width <integer>
Maximum display width, 0 to disable
shell formatter:
a format a UNIX shell can parse (variable="value")
--prefix PREFIX add a prefix to all variable names
Secret Create
$ barbican secret store -n mysecretname -p 'my secret value'
+---------------+-----------------------------------------------------------------------+
| Field | Value |
+---------------+-----------------------------------------------------------------------+
| Secret href | https://:9311/v1/secrets/a70a45d8-4076-42a2-b111-8893d3b92a3e |
| Name | mysecretname |
| Created | None |
| Status | None |
| Content types | None |
| Algorithm | aes |
| Bit length | 256 |
| Mode | cbc |
| Expiration | None |
+---------------+-----------------------------------------------------------------------+
Instead of passing the secret's value on the command line with the -p or --payload option, the value of the secret can be stored in a file. For this approach, the -F <filename> or --file <filename> option can be used.
Secret Get
$ barbican secret get https://:9311/v1/secrets/a70a45d8-4076-42a2-b111-8893d3b92a3e
+---------------+-----------------------------------------------------------------------+
| Field | Value |
+---------------+-----------------------------------------------------------------------+
| Secret href | https://:9311/v1/secrets/a70a45d8-4076-42a2-b111-8893d3b92a3e |
| Name | mysecretname |
| Created | 2015-04-16 20:36:40.334696+00:00 |
| Status | ACTIVE |
| Content types | {'default': 'application/octet-stream'} |
| Algorithm | aes |
| Bit length | 256 |
| Mode | cbc |
| Expiration | None |
+---------------+-----------------------------------------------------------------------+
To retrieve only the raw value of the payload, the -p or --payload option is paired with the -f value cliff formatting option. (The --decrypt option does the same thing; however, it is being deprecated.)
$ barbican secret get https://:9311/v1/secrets/a70a45d8-4076-42a2-b111-8893d3b92a3e --payload -f value
my secret value
Instead of using the -p or --payload option and having the secret's value returned to stdout, the value of the secret can be written to a file. For this approach, the -F <filename> or --file <filename> option can be used.
Secret Delete
If the secret to be deleted has at least one consumer, it can only be deleted after all of its consumers have been removed, or by using the --force parameter.
$ barbican secret delete https://:9311/v1/secrets/a70a45d8-4076-42a2-b111-8893d3b92a3e
$ barbican secret delete https://:9311/v1/secrets/0207414d-c23b-47f6-9cef-f44e907ac7a8
Secret has consumers! Remove them first or use the force parameter to delete it.
$ barbican secret delete --force https://:9311/v1/secrets/0207414d-c23b-47f6-9cef-f44e907ac7a8
Secret Update
$ barbican secret update https://:9311/v1/secrets/a70a45d8-4076-42a2-b111-8893d3b92a3e my_payload
To update a secret, it must have been created without a payload. my_payload will be added as the secret's payload.
Secret List
$ barbican secret list
+-----------------------------------------------------------------------+------+----------------------------------+--------+-----------------------------------------+-----------+------------+------+------------+
| Secret href | Name | Created | Status | Content types | Algorithm | Bit length | Mode | Expiration |
+-----------------------------------------------------------------------+------+----------------------------------+--------+-----------------------------------------+-----------+------------+------+------------+
| https://:9311/v1/secrets/bb3d8c20-8ea5-4bfc-9645-c8da79c8b371 | None | 2015-04-15 20:37:37.501475+00:00 | ACTIVE | {'default': 'application/octet-stream'} | aes | 256 | cbc | None |
+-----------------------------------------------------------------------+------+----------------------------------+--------+-----------------------------------------+-----------+------------+------+------------+
Secret Consumers
$ barbican secret consumer <action>
This should be immediately followed by a subcommand describing the action to be performed. The subcommands are mostly the same as those for container consumers, although some optional arguments may not apply.
For all subcommands, the secret URI must be specified. The subcommand actions a user can perform on secret consumers are:
secret consumer create Create a secret consumer.
secret consumer delete Delete a secret consumer
secret consumer list List consumers of a secret.
The help message for **list** can be seen below.
$ barbican help secret consumer list
usage: barbican secret consumer list [-h] [-f {csv,json,table,value,yaml}] [-c COLUMN]
[--quote {all,minimal,none,nonnumeric}] [--noindent]
[--max-width <integer>] [--fit-width] [--print-empty]
[--sort-column SORT_COLUMN]
[--sort-ascending | --sort-descending] [--limit LIMIT]
[--offset OFFSET]
URI
List consumers of a secret.
positional arguments:
URI The URI reference for the secret
optional arguments:
-h, --help show this help message and exit
--limit LIMIT, -l LIMIT
specify the limit to the number of items to list per page
(default: 10; maximum: 100)
--offset OFFSET, -o OFFSET
specify the page offset (default: 0)
output formatters:
output formatter options
-f {csv,json,table,value,yaml}, --format {csv,json,table,value,yaml}
the output format, defaults to table
-c COLUMN, --column COLUMN
specify the column(s) to include, can be repeated to show multiple columns
--sort-column SORT_COLUMN
specify the column(s) to sort the data (columns specified first have a
priority, non-existing columns are ignored), can be repeated
--sort-ascending sort the column(s) in ascending order
--sort-descending sort the column(s) in descending order
CSV Formatter:
--quote {all,minimal,none,nonnumeric}
when to include quotes, defaults to nonnumeric
json formatter:
--noindent whether to disable indenting the JSON
table formatter:
--max-width <integer>
Maximum display width, <1 to disable. You can also use the CLIFF_MAX_TERM_WIDTH
environment variable, but the parameter takes precedence.
--fit-width Fit the table to the display width. Implied if --max-width greater than 0.
Set the environment variable CLIFF_FIT_WIDTH=1 to always enable
--print-empty Print empty table if there is no data to show.
Secret Consumer Create
$ barbican secret consumer create --service-type-name image \
--resource-type image \
--resource-id 123e4567-e89b-12d3-a456-426614174002 \
0207414d-c23b-47f6-9cef-f44e907ac7a8
A consumer is uniquely defined by three attributes (service, resource_type, resource_id). A second consumer with exactly the same attributes cannot be added. If you try to create a new consumer with the same three attributes as an existing consumer, the CLI will not raise any error message; however, the new consumer will not actually be created.
Secret Consumer List
$ barbican secret consumer list 0207414d-c23b-47f6-9cef-f44e907ac7a8
+--------------+---------------+--------------------------------------+---------------------+
| Service | Resource type | Resource id | Created |
+--------------+---------------+--------------------------------------+---------------------+
| image | image | 123e4567-e89b-12d3-a456-426614174002 | 2023-01-30T15:54:10 |
+--------------+---------------+--------------------------------------+---------------------+
Secret Consumer Delete
$ barbican secret consumer delete --service-type-name image \
--resource-type image \
--resource-id 123e4567-e89b-12d3-a456-426614174002 \
0207414d-c23b-47f6-9cef-f44e907ac7a8
To delete a secret consumer, all three attributes must be provided. Attempting to delete a consumer that does not exist causes the CLI to raise the following error message: Not Found: Consumer not found.
ACL
$ barbican acl <action>
This should be immediately followed by a subcommand describing the action to be performed. The subcommands are mostly the same for secret and container ACLs.
The subcommand actions a user can perform on ACLs are:
acl delete Delete ACLs for a secret or container as identified by its href.
acl get Retrieve ACLs for a secret or container by providing its href.
acl submit Submit ACL on a secret or container as identified by its href.
acl user add Add ACL users to a secret or container as identified by its href.
acl user remove Remove ACL users from a secret or container as identified by its href.
The ACL **get** or **delete** subcommand takes only a secret or container href. All other ACL commands require additional arguments to specify the ACL settings data. See the help messages for both cases. All acl operations require either a secret ref or a container ref.
$ barbican help acl get
usage: barbican acl get [-h] [-f {csv,table,value}] [-c COLUMN]
[--max-width <integer>]
[--quote {all,minimal,none,nonnumeric}]
URI
Retrieve ACLs for a secret or container by providing its href.
positional arguments:
URI The URI reference for the secret or container.
optional arguments:
-h, --help show this help message and exit
output formatters:
output formatter options
-f {csv,table,value}, --format {csv,table,value}
the output format, defaults to table
-c COLUMN, --column COLUMN
specify the column(s) to include, can be repeated
table formatter:
--max-width <integer>
Maximum display width, 0 to disable
CSV Formatter:
--quote {all,minimal,none,nonnumeric}
when to include quotes, defaults to nonnumeric
Below is an excerpt of the command-line options relevant to the ACL modification operations (i.e. submit, user add, or user remove).
$ barbican help acl submit/user add/user remove
usage: barbican acl submit [-h] [-f {csv,table,value}] [-c COLUMN]
[--max-width <integer>]
[--quote {all,minimal,none,nonnumeric}]
[--user [USER]]
[--project-access | --no-project-access]
[--operation-type {read}]
URI
....
....
positional arguments:
URI The URI reference for the secret or container.
optional arguments:
-h, --help show this help message and exit
--user [USER], -u [USER]
Keystone userid(s) for ACL.
--project-access Flag to enable project access behavior.
--no-project-access Flag to disable project access behavior.
--operation-type {read}, -o {read}
Type of Barbican operation ACL is set for
....
....
Note
The default for the operation-type argument is "read", as that is the only operation currently supported by the Barbican ACL API. Hence this argument can be skipped in CLI calls.
ACL Get
To get the complete ACL settings for a secret or container, use this ACL action.
$ barbican acl get https://:9311/v1/secrets/7776adb8-e865-413c-8ccc-4f09c3fe0213
+----------------+----------------+--------------------------------------------------------------------------+----------------------------------+----------------------------------+---------------------------------------------------------------------------+
| Operation Type | Project Access | Users | Created | Updated | Secret ACL Ref |
+----------------+----------------+--------------------------------------------------------------------------+----------------------------------+----------------------------------+---------------------------------------------------------------------------+
| read | False | ['721e27b8505b499e8ab3b38154705b9e', '2d0ee7c681cc4549b6d76769c320d91f'] | 2015-07-21 17:52:01.729370+00:00 | 2015-07-28 02:08:02.455276+00:00 | https://:9311/v1/secrets/7776adb8-e865-413c-8ccc-4f09c3fe0213/acl |
+----------------+----------------+--------------------------------------------------------------------------+----------------------------------+----------------------------------+---------------------------------------------------------------------------+
$ barbican acl get https://:9311/v1/containers/83c302c7-86fe-4f07-a277-c4962f121f19
+----------------+----------------+--------------------------------------+----------------------------------+----------------------------------+------------------------------------------------------------------------------+
| Operation Type | Project Access | Users | Created | Updated | Container ACL Ref |
+----------------+----------------+--------------------------------------+----------------------------------+----------------------------------+------------------------------------------------------------------------------+
| read | False | ['2d0ee7c681cc4549b6d76769c320d91f'] | 2015-07-28 01:36:55.791381+00:00 | 2015-07-28 02:05:41.175386+00:00 | https://:9311/v1/containers/83c302c7-86fe-4f07-a277-c4962f121f19/acl |
+----------------+----------------+--------------------------------------+----------------------------------+----------------------------------+------------------------------------------------------------------------------+
A secret or container ref is required. If it is missing, an error is returned.
$ barbican acl get
usage: barbican acl get [-h] [-f {csv,table,value}] [-c COLUMN]
[--max-width <integer>]
[--quote {all,minimal,none,nonnumeric}]
URI
barbican acl get: error: too few arguments
ACL Submit
To submit the complete ACL settings for a secret or container, use this ACL action.
$ barbican acl submit --user 2d0ee7c681cc4549b6d76769c320d91f --user 721e27b8505b499e8ab3b38154705b9e https://:9311/v1/secrets/7776adb8-e865-413c-8ccc-4f09c3fe0213
+----------------+----------------+--------------------------------------------------------------------------+----------------------------------+----------------------------------+---------------------------------------------------------------------------+
| Operation Type | Project Access | Users | Created | Updated | Secret ACL Ref |
+----------------+----------------+--------------------------------------------------------------------------+----------------------------------+----------------------------------+---------------------------------------------------------------------------+
| read | True | ['721e27b8505b499e8ab3b38154705b9e', '2d0ee7c681cc4549b6d76769c320d91f'] | 2015-07-21 17:52:01.729370+00:00 | 2015-08-12 09:53:20.225971+00:00 | https://:9311/v1/secrets/7776adb8-e865-413c-8ccc-4f09c3fe0213/acl |
+----------------+----------------+--------------------------------------------------------------------------+----------------------------------+----------------------------------+---------------------------------------------------------------------------+
If the user argument is missing or has no value, an empty list is passed for users, and this approach can be used to remove existing ACL users. If the project access argument is not provided, project access is enabled by default. To disable the project access behavior, simply pass the no-project-access argument without a value.
$ barbican acl submit --user --no-project-access https://:9311/v1/secrets/7776adb8-e865-413c-8ccc-4f09c3fe0213
+----------------+----------------+-------+----------------------------------+----------------------------------+---------------------------------------------------------------------------+
| Operation Type | Project Access | Users | Created | Updated | Secret ACL Ref |
+----------------+----------------+-------+----------------------------------+----------------------------------+---------------------------------------------------------------------------+
| read | False | [] | 2015-07-21 17:52:01.729370+00:00 | 2015-08-12 09:55:23.043433+00:00 | https://:9311/v1/secrets/7776adb8-e865-413c-8ccc-4f09c3fe0213/acl |
+----------------+----------------+-------+----------------------------------+----------------------------------+---------------------------------------------------------------------------+
$ barbican acl submit --user 2d0ee7c681cc4549b6d76769c320d91f --no-project-access https://:9311/v1/containers/83c302c7-86fe-4f07-a277-c4962f121f19
+----------------+----------------+--------------------------------------+----------------------------------+----------------------------------+------------------------------------------------------------------------------+
| Operation Type | Project Access | Users | Created | Updated | Container ACL Ref |
+----------------+----------------+--------------------------------------+----------------------------------+----------------------------------+------------------------------------------------------------------------------+
| read | False | ['2d0ee7c681cc4549b6d76769c320d91f'] | 2015-07-29 22:01:00.878270+00:00 | 2015-08-19 05:56:09.930302+00:00 | https://:9311/v1/containers/83c302c7-86fe-4f07-a277-c4962f121f19/acl |
+----------------+----------------+--------------------------------------+----------------------------------+----------------------------------+------------------------------------------------------------------------------+
When both mutually exclusive flags are passed, the following error is returned.
$ barbican acl submit --project-access --no-project-access https://:9311/v1/secrets/7776adb8-e865-413c-8ccc-4f09c3fe0213
usage: barbican acl submit [-h] [-f {csv,table,value}] [-c COLUMN]
[--max-width <integer>]
[--quote {all,minimal,none,nonnumeric}]
[--user [USER]]
[--project-access | --no-project-access]
[--operation-type {read}]
URI
barbican acl submit: error: argument --no-project-access: not allowed with argument --project-access
ACL Add User
To add ACL users for a secret or container, use this ACL action.
If the user argument is missing or has no value, no change is made to the ACL users. If the project access argument is not provided, no change is made to the existing project access behavior flag.
$ barbican acl user add --user c1d20e4b7e7d4917aee6f0832152269b https://:9311/v1/containers/83c302c7-86fe-4f07-a277-c4962f121f19
+----------------+----------------+--------------------------------------------------------------------------+----------------------------------+----------------------------------+------------------------------------------------------------------------------+
| Operation Type | Project Access | Users | Created | Updated | Container ACL Ref |
+----------------+----------------+--------------------------------------------------------------------------+----------------------------------+----------------------------------+------------------------------------------------------------------------------+
| read | False | ['2d0ee7c681cc4549b6d76769c320d91f', 'c1d20e4b7e7d4917aee6f0832152269b'] | 2015-07-29 22:01:00.878270+00:00 | 2015-08-12 10:08:19.129370+00:00 | https://:9311/v1/containers/83c302c7-86fe-4f07-a277-c4962f121f19/acl |
+----------------+----------------+--------------------------------------------------------------------------+----------------------------------+----------------------------------+------------------------------------------------------------------------------+
# Added 2 users for secret (084c2098-66db-4401-8348-d969be0eddaa) earlier via set action.
$ barbican acl user add --user --no-project-access https://:9311/v1/secrets/084c2098-66db-4401-8348-d969be0eddaa
+----------------+----------------+--------------------------------------------------------------------------+----------------------------------+----------------------------------+---------------------------------------------------------------------------+
| Operation Type | Project Access | Users | Created | Updated | Secret ACL Ref |
+----------------+----------------+--------------------------------------------------------------------------+----------------------------------+----------------------------------+---------------------------------------------------------------------------+
| read | False | ['721e27b8505b499e8ab3b38154705b9e', '2d0ee7c681cc4549b6d76769c320d91f'] | 2015-08-12 10:09:27.564371+00:00 | 2015-08-12 10:11:09.749980+00:00 | https://:9311/v1/secrets/084c2098-66db-4401-8348-d969be0eddaa/acl |
+----------------+----------------+--------------------------------------------------------------------------+----------------------------------+----------------------------------+---------------------------------------------------------------------------+
ACL Remove User
To remove ACL users for a secret or container, use this ACL action.
If the user argument is missing or has no value, no change is made to the ACL users. If the project access argument is not provided, no change is made to the existing project access behavior flag.
If the provided userid(s) do not exist in the ACL, they are simply ignored, and only the existing userid(s) are removed from the ACL.
$ barbican acl user remove --user 2d0ee7c681cc4549b6d76769c320d91f --user invalid_user_id https://:9311/v1/secrets/084c2098-66db-4401-8348-d969be0eddaa
+----------------+----------------+--------------------------------------+----------------------------------+----------------------------------+---------------------------------------------------------------------------+
| Operation Type | Project Access | Users | Created | Updated | Secret ACL Ref |
+----------------+----------------+--------------------------------------+----------------------------------+----------------------------------+---------------------------------------------------------------------------+
| read | False | ['721e27b8505b499e8ab3b38154705b9e'] | 2015-08-12 10:09:27.564371+00:00 | 2015-08-12 10:12:21.842888+00:00 | https://:9311/v1/secrets/084c2098-66db-4401-8348-d969be0eddaa/acl |
+----------------+----------------+--------------------------------------+----------------------------------+----------------------------------+---------------------------------------------------------------------------+
ACL Delete
To delete the existing ACL settings for a secret or container, use this ACL action.
$ barbican acl delete https://:9311/v1/secrets/084c2098-66db-4401-8348-d969be0eddaa
$ barbican acl get https://:9311/v1/secrets/084c2098-66db-4401-8348-d969be0eddaa
+----------------+----------------+-------+---------+---------+---------------------------------------------------------------------------+
| Operation Type | Project Access | Users | Created | Updated | Secret ACL Ref |
+----------------+----------------+-------+---------+---------+---------------------------------------------------------------------------+
| read | True | [] | None | None | https://:9311/v1/secrets/084c2098-66db-4401-8348-d969be0eddaa/acl |
+----------------+----------------+-------+---------+---------+---------------------------------------------------------------------------+
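The submit, user add, user remove and delete sections above each change the ACL differently (submit replaces the whole ACL and turns project access on unless told otherwise, add/remove merge into it, delete resets it). The model below is an added example, not code from python-barbicanclient; it replays the page's commands with the page's user ids and flags each step that widens who can read the secret.

```python
# Added model of the ACL semantics described on this page; the Acl class,
# widens_access() and apply() are illustrative helpers, not client API.
import copy
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Acl:
    """Read ACL of one secret or container, as the CLI tables show it."""
    users: List[str] = field(default_factory=list)
    project_access: bool = True  # state after 'acl delete' / no ACL set

    def submit(self, users=None, project_access: Optional[bool] = None):
        # acl submit: the user list is taken as given (a missing or empty
        # --user becomes []); project access is True unless a flag says no.
        self.users = list(dict.fromkeys(users or []))
        self.project_access = True if project_access is None else project_access

    def user_add(self, users=None, project_access=None):
        # acl user add: no --user value means users are untouched; no
        # project-access flag means the existing flag is kept.
        for u in users or []:
            if u not in self.users:
                self.users.append(u)
        if project_access is not None:
            self.project_access = project_access

    def user_remove(self, users=None, project_access=None):
        # acl user remove: ids that are not in the ACL are ignored.
        drop = set(users or [])
        self.users = [u for u in self.users if u not in drop]
        if project_access is not None:
            self.project_access = project_access

    def delete(self):
        # acl delete: back to the default, readable by the whole project.
        self.users = []
        self.project_access = True


def widens_access(before: Acl, after: Acl) -> bool:
    """True if someone can read after the change who could not before."""
    return (after.project_access and not before.project_access) or bool(
        set(after.users) - set(before.users))


def apply(acl: Acl, op: str, *args, **kwargs):
    """Runs one ACL operation and reports (users, project_access, widened)."""
    before = copy.deepcopy(acl)
    getattr(acl, op)(*args, **kwargs)
    return (sorted(acl.users), acl.project_access, widens_access(before, acl))


USER_A = "2d0ee7c681cc4549b6d76769c320d91f"  # user ids as shown on this page
USER_B = "721e27b8505b499e8ab3b38154705b9e"
USER_C = "c1d20e4b7e7d4917aee6f0832152269b"


def walk_through():
    """Replays the page's ACL commands in order; returns one tuple per step."""
    acl = Acl()
    return [
        apply(acl, "submit", [USER_A, USER_B]),            # no flag: access True
        apply(acl, "submit", [], project_access=False),    # --user w/o value: []
        apply(acl, "user_add", [USER_A, USER_B], project_access=False),
        apply(acl, "user_add", [USER_C]),                  # flag omitted: kept
        apply(acl, "user_remove", [USER_A, "invalid_user_id"]),  # unknown id ignored
        apply(acl, "delete"),                              # widens: project-wide
    ]
```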