Created October 28, 2016 15:40 by alistairncoles (gist b2ffdedefca9e64ef11e446fca556230)
notes for installing barbican and setting up barbican as a service with endpoint in keystone
[1] http://docs.openstack.org/developer/barbican/setup/dev.html
Following [1]:
git clone barbican
rsync to anc dir
make /etc/barbican and /var/lib/barbican as described in [1] (these seem to be required even when running in a venv, otherwise I see "BarbicanException: No SQL connection configured")
create a virtualenv using tox -e venv
source .tox/venv/bin/activate
cd .tox/venv
cp -r ../../etc/barbican ./etc
modify ./etc/barbican-api-paste.ini to use keystone according to http://docs.openstack.org/developer/barbican/setup/keystone.html using params from swift proxy-server.conf authtoken section
run barbican in venv working dir using ../../bin/barbican-api so that the modified conf in ./etc/barbican is used (although /etc/barbican is also required, see above)
then:
source swift keystone credentials
use swift auth to get a token
$ curl -v -H 'X-Auth-Token: 9bc379dff10d4be8a0a222a16a2b77bf' -H 'Accept: application/json' http://localhost:9311/v1/secrets
* Hostname was NOT found in DNS cache
* Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 9311 (#0)
> GET /v1/secrets HTTP/1.1
> User-Agent: curl/7.35.0
> Host: localhost:9311
> X-Auth-Token: 9bc379dff10d4be8a0a222a16a2b77bf
> Accept: application/json
>
* HTTP 1.0, assume close after body
< HTTP/1.0 200 OK
< Server: PasteWSGIServer/0.5 Python/2.7.6
< Date: Tue, 04 Oct 2016 13:23:39 GMT
< Content-Length: 27
< Content-Type: application/json; charset=UTF-8
< x-openstack-request-id: req-edc5911b-be35-4725-bf90-1d2d5d2a2fb2
<
* Closing connection 0
{"secrets": [], "total": 0}
Create a secret for the swift root encryption key:
anc@anc-vm-10:~/openstack/barbican$ curl -X POST -H "content-type:application/json" -H "X-Auth-Token: 055d7c46a171472f9d676031f52b8eb8" http://localhost:9311/v1/secrets -d '{"payload": "jitMBmcV1hq/3GZNMliYyUWjpHgc7QWPlGf1RN+NBYc=", "payload_content_type": "text/plain", "name": "swift_root_secret", "secret_type": "opaque", "algorithm": "aes", "bit_length": 256, "mode": "cbc"}'
{"secret_ref": "http://localhost:9311/v1/secrets/41d01a02-f25a-41ae-a03c-082e31fb7f46"}
Retrieve the secret:
anc@anc-vm-10:~/openstack/barbican$ curl -v -H 'X-Auth-Token: 055d7c46a171472f9d676031f52b8eb8' -H 'Accept: text/plain' http://localhost:9311/v1/secrets/41d01a02-f25a-41ae-a03c-082e31fb7f46/payload
* Hostname was NOT found in DNS cache
* Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 9311 (#0)
> GET /v1/secrets/41d01a02-f25a-41ae-a03c-082e31fb7f46/payload HTTP/1.1
> User-Agent: curl/7.35.0
> Host: localhost:9311
> X-Auth-Token: 055d7c46a171472f9d676031f52b8eb8
> Accept: text/plain
>
* HTTP 1.0, assume close after body
< HTTP/1.0 200 OK
< Server: PasteWSGIServer/0.5 Python/2.7.6
< Date: Tue, 04 Oct 2016 14:09:26 GMT
< Content-Length: 44
< Content-Type: text/plain; charset=UTF-8
< x-openstack-request-id: req-685e084c-e0bd-4323-b858-ece7e411f3fb
<
* Closing connection 0
jitMBmcV1hq/3GZNMliYyUWjpHgc7QWPlGf1RN+NBYc=
sudo pip install python-openstackclient
anc@u134:~$ openstack --os-auth-url=http://localhost:5000 --os-identity-api-version=3 --os-username=admin --os-project-name=admin --os-password=admin
(openstack) service create --name barbican key-manager
+---------+----------------------------------+
| Field   | Value                            |
+---------+----------------------------------+
| enabled | True                             |
| id      | 12b74fb5ffde45af9c5e432567d74294 |
| name    | barbican                         |
| type    | key-manager                      |
+---------+----------------------------------+
(openstack) endpoint create barbican public http://localhost:9311/v1
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 541d4830f8ad44e1afdc75b0f9dad0e9 |
| interface    | public                           |
| region       | None                             |
| region_id    | None                             |
| service_id   | 12b74fb5ffde45af9c5e432567d74294 |
| service_name | barbican                         |
| service_type | key-manager                      |
| url          | http://localhost:9311/v1         |
+--------------+----------------------------------+
(openstack) endpoint create barbican internal http://localhost:9311/v1
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | fe651c75cc594338af6d24e2558fc963 |
| interface    | internal                         |
| region       | None                             |
| region_id    | None                             |
| service_id   | 12b74fb5ffde45af9c5e432567d74294 |
| service_name | barbican                         |
| service_type | key-manager                      |
| url          | http://localhost:9311/v1         |
+--------------+----------------------------------+
(openstack) endpoint create barbican admin http://localhost:9311/v1
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 705bba62184d4e39820eb12df68086b1 |
| interface    | admin                            |
| region       | None                             |
| region_id    | None                             |
| service_id   | 12b74fb5ffde45af9c5e432567d74294 |
| service_name | barbican                         |
| service_type | key-manager                      |
| url          | http://localhost:9311/v1         |
+--------------+----------------------------------+
sudo pip install python-barbicanclient
As the swift user on the service project:
$ openstack --os-auth-url=http://localhost:5000 --os-identity-api-version=3 --os-username=swift --os-project-name=service --os-password=swiftpass
(openstack) secret store --name=swift_root_secret --payload=foo --secret-type=opaque --payload-content-type="text/plain" --algorithm=aes --mode=cbc --bit-length=256
Failed to contact the endpoint at http://localhost:9311/v1 for discovery. Fallback to using that endpoint as the base url.
+---------------+-----------------------------------------------------------------------+
| Field         | Value                                                                 |
+---------------+-----------------------------------------------------------------------+
| Secret href   | http://localhost:9311/v1/secrets/b4c6d774-dbc1-48fc-a899-fd1c4aefa63b |
| Name          | swift_root_secret                                                     |
| Created       | None                                                                  |
| Status        | None                                                                  |
| Content types | {u'default': u'text/plain'}                                           |
| Algorithm     | aes                                                                   |
| Bit length    | 256                                                                   |
| Secret type   | opaque                                                                |
| Mode          | cbc                                                                   |
| Expiration    | None                                                                  |
+---------------+-----------------------------------------------------------------------+
Get the secret back (note: use --payload to see the secret itself)...
$ openstack --os-auth-url=http://localhost:5000 --os-identity-api-version=3 --os-username=swift --os-project-name=service --os-password=swiftpass secret get http://localhost:9311/v1/secrets/b4c6d774-dbc1-48fc-a899-fd1c4aefa63b --payload
+---------+-------+
| Field   | Value |
+---------+-------+
| Payload | foo   |
+---------+-------+
BUT any user with the admin role on the service project can do the same, because access to the secret is scoped to the project it was stored in...
$ openstack --os-auth-url=http://localhost:5000 --os-identity-api-version=3 --os-username=barbican --os-project-name=service --os-password=barbicanpass secret get http://localhost:9311/v1/secrets/b4c6d774-dbc1-48fc-a899-fd1c4aefa63b --payload
+---------+-------+
| Field   | Value |
+---------+-------+
| Payload | foo   |
+---------+-------+
So, create a separate project for storing our secret for swift, and give the swift user the admin role on that project (so that no other service user's admin role on the shared service project grants access to it)...
$ openstack --os-auth-url=http://localhost:5000 --os-identity-api-version=3 --os-username=admin --os-project-name=admin --os-password=admin
(openstack) project create swift_secret
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description |                                  |
| domain_id   | default                          |
| enabled     | True                             |
| id          | dc200cabc47b4e2bab3fa8ec86f7d5c5 |
| name        | swift_secret                     |
| parent_id   | None                             |
+-------------+----------------------------------+
(openstack) role list
+----------------------------------+---------------+
| ID                               | Name          |
+----------------------------------+---------------+
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_      |
| 9a6bf3f1f88042f7a6a77d9e84e7bd4d | admin         |
| 8a625dff026b462abadadbc220f66935 | operator      |
| 2e8fdc3f5372401f8ec1fadcdd961f43 | ResellerAdmin |
| 5453e61703b34bac98068d1306c7ea2a | admin         |
| 587f0885f6174436bd1cd5b0862324b2 | swiftoperator |
| 6a6fc2e007bc4870941e84bcfc44899c | readonly      |
| 7326688dddfd465ea66a9ad49643953a | service       |
+----------------------------------+---------------+
(openstack) role add --user swift --project swift_secret 9a6bf3f1f88042f7a6a77d9e84e7bd4d
Now as the swift user on project swift_secret, create a root secret:
$ openstack --os-auth-url=http://localhost:5000 --os-identity-api-version=3 --os-username=swift --os-project-name=swift_secret --os-password=swiftpass
(openstack) secret store --name=swift_root_secret --payload="IZPad6qa5LH/Z6uFJ/Li3apGQoiqm4syZzXBEWjsXt0=" --secret-type=opaque --payload-content-type="text/plain" --algorithm=aes --mode=cbc --bit-length=256
Failed to contact the endpoint at http://localhost:9311/v1 for discovery. Fallback to using that endpoint as the base url.
+---------------+-----------------------------------------------------------------------+
| Field         | Value                                                                 |
+---------------+-----------------------------------------------------------------------+
| Secret href   | http://localhost:9311/v1/secrets/6e710f26-d0f9-43d3-8418-975bb5843546 |
| Name          | swift_root_secret                                                     |
| Created       | None                                                                  |
| Status        | None                                                                  |
| Content types | {u'default': u'text/plain'}                                           |
| Algorithm     | aes                                                                   |
| Bit length    | 256                                                                   |
| Secret type   | opaque                                                                |
| Mode          | cbc                                                                   |
| Expiration    | None                                                                  |
+---------------+-----------------------------------------------------------------------+
Get it back:
(openstack) secret get --payload http://localhost:9311/v1/secrets/6e710f26-d0f9-43d3-8418-975bb5843546
+---------+----------------------------------------------+
| Field   | Value                                        |
+---------+----------------------------------------------+
| Payload | IZPad6qa5LH/Z6uFJ/Li3apGQoiqm4syZzXBEWjsXt0= |
+---------+----------------------------------------------+
Another user cannot get it, because keystone will not even issue that user a token scoped to the swift_secret project:
$ openstack --os-auth-url=http://localhost:5000 --os-identity-api-version=3 --os-username=barbican --os-project-name=swift_secret --os-password=barbicanpass secret get --payload http://localhost:9311/v1/secrets/6e710f26-d0f9-43d3-8418-975bb5843546
User 1aa3e4d5483a43a2b4dba190d549ead0 has no access to project dc200cabc47b4e2bab3fa8ec86f7d5c5 (Disable debug mode to suppress these details.) (HTTP 401) (Request-ID: req-eb6c351f-38e4-4996-ae43-bbc79da5945c)
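The following is an added example, not part of the gist and not code from the barbican or swift projects. It puts the two halves of these notes into one runnable script: the raw REST flow from the curl section (keystone v3 token, `POST /v1/secrets`, `GET .../payload`), with the key-manager endpoint resolved from the keystone service catalog that the `service create` / `endpoint create` steps populate, and the project-isolation lesson from the CLI section (a secret stored under a dedicated project is unreadable by a user who has no role there). It uses only the standard library. Assumptions: keystone at http://localhost:5000 and barbican at http://localhost:9311/v1 as in the notes, users in the `Default` domain, and `FakeCloud`, a constructed offline stand-in for keystone and barbican whose role assignments copy the notes (swift and barbican both admin on `service`, only swift on `swift_secret`); swap `FakeCloud()` for `urllib_transport` to run the same functions against real services.

```python
import json
import urllib.error
import urllib.request

KEYSTONE_URL = "http://localhost:5000"      # assumed, matching --os-auth-url in the notes
BARBICAN_URL = "http://localhost:9311/v1"   # the endpoint registered in the notes
SERVICE_TYPE = "key-manager"                # the service type registered in the notes

def urllib_transport(method, url, headers, body):
    """Real HTTP transport (stdlib only): returns (status, headers, body_bytes)."""
    data = body.encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read()

def get_scoped_token(transport, username, password, project, domain="Default"):
    """Keystone v3 password auth scoped to a project; returns (token, service catalog)."""
    # Keystone refuses the scope when the user holds no role on the project, which is
    # the "has no access to project" error the notes show for the barbican user.
    auth = {"auth": {
        "identity": {"methods": ["password"], "password": {"user": {
            "name": username, "domain": {"name": domain}, "password": password}}},
        "scope": {"project": {"name": project, "domain": {"name": domain}}}}}
    status, hdrs, body = transport("POST", KEYSTONE_URL + "/v3/auth/tokens",
                                   {"Content-Type": "application/json"}, json.dumps(auth))
    if status != 201:
        raise PermissionError(f"keystone auth failed: HTTP {status} {body.decode(errors='replace')}")
    token = {k.lower(): v for k, v in hdrs.items()}["x-subject-token"]
    return token, json.loads(body)["token"]["catalog"]

def find_endpoint(catalog, service_type=SERVICE_TYPE, interface="public"):
    """Resolve the service URL from the catalog; this is what registering the endpoints enables."""
    for svc in catalog:
        if svc.get("type") == service_type:
            for ep in svc.get("endpoints", []):
                if ep.get("interface") == interface:
                    return ep["url"].rstrip("/")
    raise LookupError(f"no {interface} endpoint for service type {service_type!r}")

def store_secret(transport, base_url, token, name, payload):
    """POST /v1/secrets with the attributes used in the notes; returns the secret_ref."""
    body = {"name": name, "payload": payload, "payload_content_type": "text/plain",
            "secret_type": "opaque", "algorithm": "aes", "bit_length": 256, "mode": "cbc"}
    status, _, resp = transport("POST", base_url + "/secrets",
                                {"X-Auth-Token": token, "Content-Type": "application/json"},
                                json.dumps(body))
    if status != 201:
        raise RuntimeError(f"secret store failed: HTTP {status}")
    return json.loads(resp)["secret_ref"]

def get_payload(transport, token, secret_ref):
    """GET <secret_ref>/payload with Accept: text/plain, as the curl in the notes does."""
    status, _, resp = transport("GET", secret_ref + "/payload",
                                {"X-Auth-Token": token, "Accept": "text/plain"}, None)
    if status != 200:
        raise PermissionError(f"payload fetch denied: HTTP {status}")
    return resp.decode()

class FakeCloud:
    """Constructed offline stand-in for keystone + barbican (not the real services). Role
    assignments follow the notes: swift and barbican are admin on 'service', only swift on
    'swift_secret'. A secret is readable only with a token scoped to its owning project."""
    ROLES = {("swift", "service"), ("barbican", "service"), ("swift", "swift_secret")}

    def __init__(self):
        self.tokens = {}   # token -> (user, project)
        self.secrets = {}  # secret id -> (owning project, payload)

    def __call__(self, method, url, headers, body):
        if url.endswith("/v3/auth/tokens"):
            req = json.loads(body)["auth"]
            user = req["identity"]["password"]["user"]["name"]
            project = req["scope"]["project"]["name"]
            if (user, project) not in self.ROLES:
                return 401, {}, b"user has no access to project"
            tok = f"tok{len(self.tokens)}"
            self.tokens[tok] = (user, project)
            cat = [{"type": SERVICE_TYPE, "endpoints": [{"interface": "public", "url": BARBICAN_URL}]}]
            return 201, {"X-Subject-Token": tok}, json.dumps({"token": {"catalog": cat}}).encode()
        _, project = self.tokens[headers["X-Auth-Token"]]  # unknown token -> KeyError
        if method == "POST" and url.endswith("/secrets"):
            sid = str(len(self.secrets))
            self.secrets[sid] = (project, json.loads(body)["payload"])
            return 201, {}, json.dumps({"secret_ref": f"{BARBICAN_URL}/secrets/{sid}"}).encode()
        if method == "GET" and url.endswith("/payload"):
            owner, payload = self.secrets[url.split("/")[-2]]
            return (200, {}, payload.encode()) if owner == project else (403, {}, b"")
        return 404, {}, b""

def read_as(transport, user, password, project, secret_ref):
    """Payload as seen by `user` scoped to `project`, or None when keystone/barbican refuse."""
    try:
        token, _ = get_scoped_token(transport, user, password, project)
        return get_payload(transport, token, secret_ref)
    except PermissionError:
        return None

if __name__ == "__main__":
    cloud = FakeCloud()
    token, catalog = get_scoped_token(cloud, "swift", "swiftpass", "swift_secret")
    ref = store_secret(cloud, find_endpoint(catalog), token, "swift_root_secret", "constructed-key")
    print("swift:", read_as(cloud, "swift", "swiftpass", "swift_secret", ref))
    print("barbican:", read_as(cloud, "barbican", "barbicanpass", "swift_secret", ref))
```

The `read_as` helper is the check worth keeping around: after creating the dedicated project and the single role assignment, run it for every service user that holds admin on the shared project and confirm it returns None for all but the intended one.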