Merge "Use keystone auth plugin"

2016-05-17 17:12:35 +00:00 · 2016-05-17 17:12:35 +00:00 · 11bcb88a2f
commit 11bcb88a2f
parent 245d40ea4b 8abb2c6a0b
3 changed files with 40 additions and 25 deletions
--- a/devstack/lib/barbican
+++ b/devstack/lib/barbican
@ -134,14 +134,20 @@ function configure_barbican {
    # Turn on the middleware
    iniset $BARBICAN_PASTE_CONF 'pipeline:barbican_api' pipeline 'barbican-api-keystone'

+    # Keystone complete URIs
+    KEYSTONE_AUTH_URI=${KEYSTONE_AUTH_PROTOCOL}://${KEYSTONE_AUTH_HOST}:${KEYSTONE_AUTH_PORT}/v3
+    KEYSTONE_SERVICE_URI=${KEYSTONE_SERVICE_PROTOCOL}://${KEYSTONE_SERVICE_HOST}:${KEYSTONE_SERVICE_PORT}/v3
+
    # Set the keystone parameters
-    iniset $BARBICAN_PASTE_CONF 'filter:keystone_authtoken' auth_protocol $KEYSTONE_AUTH_PROTOCOL
-    iniset $BARBICAN_PASTE_CONF 'filter:keystone_authtoken' auth_host $KEYSTONE_AUTH_HOST
-    iniset $BARBICAN_PASTE_CONF 'filter:keystone_authtoken' auth_port $KEYSTONE_AUTH_PORT
-    iniset $BARBICAN_PASTE_CONF 'filter:keystone_authtoken' admin_user barbican
-    iniset $BARBICAN_PASTE_CONF 'filter:keystone_authtoken' admin_password $SERVICE_PASSWORD
-    iniset $BARBICAN_PASTE_CONF 'filter:keystone_authtoken' admin_tenant_name $SERVICE_PROJECT_NAME
-    iniset $BARBICAN_PASTE_CONF 'filter:keystone_authtoken' signing_dir $BARBICAN_AUTH_CACHE_DIR
+    iniset $BARBICAN_PASTE_CONF 'filter:authtoken' auth_plugin password
+    iniset $BARBICAN_PASTE_CONF 'filter:authtoken' auth_url $KEYSTONE_AUTH_URI
+    iniset $BARBICAN_PASTE_CONF 'filter:authtoken' username barbican
+    iniset $BARBICAN_PASTE_CONF 'filter:authtoken' password $SERVICE_PASSWORD
+    iniset $BARBICAN_PASTE_CONF 'filter:authtoken' user_domain_id default
+    iniset $BARBICAN_PASTE_CONF 'filter:authtoken' project_name $SERVICE_PROJECT_NAME
+    iniset $BARBICAN_PASTE_CONF 'filter:authtoken' project_domain_id default
+    iniset $BARBICAN_PASTE_CONF 'filter:authtoken' auth_uri $KEYSTONE_SERVICE_URI
+    iniset $BARBICAN_PASTE_CONF 'filter:authtoken' signing_dir $BARBICAN_AUTH_CACHE_DIR
 }

 # init_barbican - Initialize etc.
--- a/doc/source/setup/keystone.rst
+++ b/doc/source/setup/keystone.rst
@ -27,26 +27,32 @@ the get version call.
 1. Turn off any active instances of Barbican
 2. Edit ``/etc/barbican/barbican-api-paste.ini``

-   1. Replace the ``barbican_api`` pipeline with an authenticated pipeline
+   1. Change the pipeline ``/v1`` value from unauthenticated ``barbican-api``
+      to the authenticated ``barbican-api-keystone``

    .. code-block:: ini

-        [pipeline:barbican_api]
-        pipeline = keystone_authtoken context apiapp
+        [composite:main]
+        use = egg:Paste#urlmap
+        /: barbican_version
+        /v1: barbican-api-keystone

-   2. Replace ``keystone_authtoken`` filter values to match your Keystone
+   2. Replace ``authtoken`` filter values to match your Keystone
      setup

    .. code-block:: ini

-       [filter:keystone_authtoken]
+       [filter:authtoken]
       paste.filter_factory = keystonemiddleware.auth_token:filter_factory
       signing_dir = /tmp/barbican/cache
-       identity_uri = http://{YOUR_KEYSTONE_ENDPOINT}:35357
-       admin_tenant_name = service
-       admin_user = {YOUR_KEYSTONE_USERNAME}
-       admin_password = {YOUR_KEYSTONE_PASSWORD}
-       auth_version = v2.0
+       auth_uri = http://{YOUR_KEYSTONE_ENDPOINT}:5000/v3
+       auth_url = http://{YOUR_KEYSTONE_ENDPOINT}:35357/v3
+       auth_plugin = password
+       username = {YOUR_KEYSTONE_USERNAME}
+       password = {YOUR_KEYSTONE_PASSWORD}
+       user_domain_id = {YOUR_KEYSTONE_USER_DOMAIN}
+       project_name = {YOUR_KEYSTONE_PROJECT}
+       project_domain_id = {YOUR_KEYSTONE_PROJECT_DOMAIN}

 3. Start Barbican ``{barbican_home}/bin/barbican.sh start``

--- a/etc/barbican/barbican-api-paste.ini
+++ b/etc/barbican/barbican-api-paste.ini
@ -18,11 +18,11 @@ pipeline = cors unauthenticated-context egg:Paste#cgitb egg:Paste#httpexceptions

 #Use this pipeline for keystone auth
 [pipeline:barbican-api-keystone]
-pipeline = cors keystone_authtoken context apiapp
+pipeline = cors authtoken context apiapp

 #Use this pipeline for keystone auth with audit feature
 [pipeline:barbican-api-keystone-audit]
-pipeline = keystone_authtoken context audit apiapp
+pipeline = authtoken context audit apiapp

 [app:apiapp]
 paste.app_factory = barbican.api.app:create_main_app
@ -43,14 +43,17 @@ paste.filter_factory = barbican.api.middleware.context:ContextMiddleware.factory
 paste.filter_factory = keystonemiddleware.audit:filter_factory
 audit_map_file = /etc/barbican/api_audit_map.conf

-[filter:keystone_authtoken]
+[filter:authtoken]
 paste.filter_factory = keystonemiddleware.auth_token:filter_factory
+auth_uri = http://localhost:5000/v3
+auth_plugin = password
 #need ability to re-auth a token, thus admin url
-identity_uri = http://localhost:35357
-admin_tenant_name = service
-admin_user = barbican
-admin_password = orange
-auth_version = v3.0
+auth_url = http://localhost:35357/v3
+username = barbican
+password = orange
+user_domain_id = default
+project_name = service
+project_domain_id = default
 #delay failing perhaps to log the unauthorized request in barbican ..
 #delay_auth_decision = true
 # signing_dir is configurable, but the default behavior of the authtoken