Default to Keystone authentication

This configures Barbican to use Keystone authentication by
default and updates documentation accordingly.

Change-Id: Ie0a1995b971371d18238138575629eeee1a36392
Closes-Bug: #1595428

doc/source/setup/keystone.rst

@@ -3,13 +3,15 @@ Using Keystone Middleware with Barbican
 
 Prerequisites
 --------------
-To enable Keystone integration with Barbican you'll need a relatively
-current version of Keystone. If you don't have an instance of Keystone
-available, you can use one of the following ways to setup your own.
+To enable Keystone integration with Barbican you'll need a relatively current
+version of Keystone. It is sufficient if you are installing an OpenStack cloud
+where all services including Keystone and Barbican are from the same release.
+If you don't have an instance of Keystone available, you can use one of the
+following ways to setup your own.
 
  #. `Simple Dockerized Keystone`_
  #. `Installing Keystone`_
- #. Devstack
+ #. An OpenStack cloud with Keystone (Devstack in the simplest case)
 
 .. _Simple Dockerized Keystone: https://registry.hub.docker.com/u/
                                 jmvrbanac/simple-keystone/
@@ -27,8 +29,10 @@ the get version call.
 1. Turn off any active instances of Barbican
 2. Edit ``/etc/barbican/barbican-api-paste.ini``
 
-   1. Change the pipeline ``/v1`` value from unauthenticated ``barbican-api``
-      to the authenticated ``barbican-api-keystone``
+   1. Change the pipeline ``/v1`` value from unauthenticated ``barbican_api``
+      to the authenticated ``barbican-api-keystone``. This step will not be
+      necessary on barbican from OpenStack Newton or higher, since barbican
+      will default to using Keystone authentication as of OpenStack Newton.
 
     .. code-block:: ini
 
@@ -44,15 +48,36 @@ the get version call.
 
        [filter:authtoken]
        paste.filter_factory = keystonemiddleware.auth_token:filter_factory
-       signing_dir = /tmp/barbican/cache
-       auth_uri = http://{YOUR_KEYSTONE_ENDPOINT}:5000/v3
-       auth_url = http://{YOUR_KEYSTONE_ENDPOINT}:35357/v3
        auth_plugin = password
        username = {YOUR_KEYSTONE_USERNAME}
        password = {YOUR_KEYSTONE_PASSWORD}
        user_domain_id = {YOUR_KEYSTONE_USER_DOMAIN}
        project_name = {YOUR_KEYSTONE_PROJECT}
        project_domain_id = {YOUR_KEYSTONE_PROJECT_DOMAIN}
+       auth_uri = http://{YOUR_KEYSTONE_ENDPOINT}:5000/v3
+       auth_url = http://{YOUR_KEYSTONE_ENDPOINT}:35357/v3
+
+    Alternatively, you can shorten this to
+
+    .. code-block:: ini
+
+       [filter:authtoken]
+       paste.filter_factory = keystonemiddleware.auth_token:filter_factory
+
+    and store Barbican's Keystone credentials in the ``[keystone_authtoken]``
+    section of ``/etc/barbican/barbican.conf``
+
+    .. code-block:: ini
+
+      [keystone_authtoken]
+      auth_plugin = password
+      username = {YOUR_KEYSTONE_USERNAME}
+      password = {YOUR_KEYSTONE_PASSWORD}
+      user_domain_id = {YOUR_KEYSTONE_USER_DOMAIN}
+      project_name = {YOUR_KEYSTONE_PROJECT}
+      project_domain_id = {YOUR_KEYSTONE_PROJECT_DOMAIN}
+      auth_uri = http://{YOUR_KEYSTONE_ENDPOINT}:5000/v3
+      auth_url = http://{YOUR_KEYSTONE_ENDPOINT}:35357/v3
 
 3. Start Barbican ``{barbican_home}/bin/barbican.sh start``
 

doc/source/setup/noauth.rst

@@ -1,19 +1,35 @@
-No Auth Barbican
+No Auth barbican
 ================
 
-Generally barbican can be configured to use keystone like every other OpenStack
-services for identity and access control. Sometimes it may be useful to run
-barbican without any authentication service for development purpose.
+As of OpenStack Newton, barbican will default to using Keystone like every
+other OpenStack service for identity and access control. Nonetheless, sometimes
+it may be useful to run barbican without any authentication service for
+development purposes.
 
-By default, configuration in :file:`barbican-api-paste.ini` sets barbican
-without any authentication (no auth mode), for example:
+To this end, `barbican-api-paste.ini` contains a filter pipeline
+without any authentication (no auth mode):
 
 .. code-block:: ini
 
-    # Use this pipeline for Barbican API - DEFAULT no authentication
+    # Use this pipeline for barbican API - DEFAULT no authentication
     [pipeline:barbican_api]
     pipeline = unauthenticated-context apiapp
 
+To enable this pipe line proceed as follows:
+
+1. Turn off any active instances of barbican
+
+2. Edit ``/etc/barbican/barbican-api-paste.ini``
+
+   Change the pipeline ``/v1`` value from authenticated ``barbican-api-keystone``
+   to the unauthenticated ``barbican_api``
+
+   .. code-block:: ini
+
+           [composite:main]
+           use = egg:Paste#urlmap
+           /: barbican_version
+           /v1: barbican_api
 
 With every OpenStack service integrated with keystone, its API requires access
 token to retireve certain information and validate user's information and

etc/barbican/barbican-api-paste.ini

@@ -1,7 +1,7 @@
 [composite:main]
 use = egg:Paste#urlmap
 /: barbican_version
-/v1: barbican_api
+/v1: barbican-api-keystone
 
 # Use this pipeline for Barbican API - versions no authentication
 [pipeline:barbican_version]