Merge "Use keystone auth plugin"

This commit is contained in:
Jenkins 2016-05-17 17:12:35 +00:00 committed by Gerrit Code Review
commit 11bcb88a2f
3 changed files with 40 additions and 25 deletions

View File

@ -134,14 +134,20 @@ function configure_barbican {
# Turn on the middleware
iniset $BARBICAN_PASTE_CONF 'pipeline:barbican_api' pipeline 'barbican-api-keystone'
# Keystone complete URIs
KEYSTONE_AUTH_URI=${KEYSTONE_AUTH_PROTOCOL}://${KEYSTONE_AUTH_HOST}:${KEYSTONE_AUTH_PORT}/v3
KEYSTONE_SERVICE_URI=${KEYSTONE_SERVICE_PROTOCOL}://${KEYSTONE_SERVICE_HOST}:${KEYSTONE_SERVICE_PORT}/v3
# Set the keystone parameters
iniset $BARBICAN_PASTE_CONF 'filter:keystone_authtoken' auth_protocol $KEYSTONE_AUTH_PROTOCOL
iniset $BARBICAN_PASTE_CONF 'filter:keystone_authtoken' auth_host $KEYSTONE_AUTH_HOST
iniset $BARBICAN_PASTE_CONF 'filter:keystone_authtoken' auth_port $KEYSTONE_AUTH_PORT
iniset $BARBICAN_PASTE_CONF 'filter:keystone_authtoken' admin_user barbican
iniset $BARBICAN_PASTE_CONF 'filter:keystone_authtoken' admin_password $SERVICE_PASSWORD
iniset $BARBICAN_PASTE_CONF 'filter:keystone_authtoken' admin_tenant_name $SERVICE_PROJECT_NAME
iniset $BARBICAN_PASTE_CONF 'filter:keystone_authtoken' signing_dir $BARBICAN_AUTH_CACHE_DIR
iniset $BARBICAN_PASTE_CONF 'filter:authtoken' auth_plugin password
iniset $BARBICAN_PASTE_CONF 'filter:authtoken' auth_url $KEYSTONE_AUTH_URI
iniset $BARBICAN_PASTE_CONF 'filter:authtoken' username barbican
iniset $BARBICAN_PASTE_CONF 'filter:authtoken' password $SERVICE_PASSWORD
iniset $BARBICAN_PASTE_CONF 'filter:authtoken' user_domain_id default
iniset $BARBICAN_PASTE_CONF 'filter:authtoken' project_name $SERVICE_PROJECT_NAME
iniset $BARBICAN_PASTE_CONF 'filter:authtoken' project_domain_id default
iniset $BARBICAN_PASTE_CONF 'filter:authtoken' auth_uri $KEYSTONE_SERVICE_URI
iniset $BARBICAN_PASTE_CONF 'filter:authtoken' signing_dir $BARBICAN_AUTH_CACHE_DIR
}
# init_barbican - Initialize etc.

View File

@ -27,26 +27,32 @@ the get version call.
1. Turn off any active instances of Barbican
2. Edit ``/etc/barbican/barbican-api-paste.ini``
1. Replace the ``barbican_api`` pipeline with an authenticated pipeline
1. Change the pipeline ``/v1`` value from unauthenticated ``barbican-api``
to the authenticated ``barbican-api-keystone``
.. code-block:: ini
[pipeline:barbican_api]
pipeline = keystone_authtoken context apiapp
[composite:main]
use = egg:Paste#urlmap
/: barbican_version
/v1: barbican-api-keystone
2. Replace ``keystone_authtoken`` filter values to match your Keystone
2. Replace ``authtoken`` filter values to match your Keystone
setup
.. code-block:: ini
[filter:keystone_authtoken]
[filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
signing_dir = /tmp/barbican/cache
identity_uri = http://{YOUR_KEYSTONE_ENDPOINT}:35357
admin_tenant_name = service
admin_user = {YOUR_KEYSTONE_USERNAME}
admin_password = {YOUR_KEYSTONE_PASSWORD}
auth_version = v2.0
auth_uri = http://{YOUR_KEYSTONE_ENDPOINT}:5000/v3
auth_url = http://{YOUR_KEYSTONE_ENDPOINT}:35357/v3
auth_plugin = password
username = {YOUR_KEYSTONE_USERNAME}
password = {YOUR_KEYSTONE_PASSWORD}
user_domain_id = {YOUR_KEYSTONE_USER_DOMAIN}
project_name = {YOUR_KEYSTONE_PROJECT}
project_domain_id = {YOUR_KEYSTONE_PROJECT_DOMAIN}
3. Start Barbican ``{barbican_home}/bin/barbican.sh start``

View File

@ -18,11 +18,11 @@ pipeline = cors unauthenticated-context egg:Paste#cgitb egg:Paste#httpexceptions
#Use this pipeline for keystone auth
[pipeline:barbican-api-keystone]
pipeline = cors keystone_authtoken context apiapp
pipeline = cors authtoken context apiapp
#Use this pipeline for keystone auth with audit feature
[pipeline:barbican-api-keystone-audit]
pipeline = keystone_authtoken context audit apiapp
pipeline = authtoken context audit apiapp
[app:apiapp]
paste.app_factory = barbican.api.app:create_main_app
@ -43,14 +43,17 @@ paste.filter_factory = barbican.api.middleware.context:ContextMiddleware.factory
paste.filter_factory = keystonemiddleware.audit:filter_factory
audit_map_file = /etc/barbican/api_audit_map.conf
[filter:keystone_authtoken]
[filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
auth_uri = http://localhost:5000/v3
auth_plugin = password
#need ability to re-auth a token, thus admin url
identity_uri = http://localhost:35357
admin_tenant_name = service
admin_user = barbican
admin_password = orange
auth_version = v3.0
auth_url = http://localhost:35357/v3
username = barbican
password = orange
user_domain_id = default
project_name = service
project_domain_id = default
#delay failing perhaps to log the unauthorized request in barbican ..
#delay_auth_decision = true
# signing_dir is configurable, but the default behavior of the authtoken