openstack
/
barbican
Code Issues Proposed changes

Merge "Use oslo-config-generator to generate barbican.conf.sample"

This commit is contained in:
Jenkins 2017-04-05 12:24:14 +00:00 committed by Gerrit Code Review
parent 4f8ee048ea 06b76aa6e8
commit 7991f8b485
19 changed files with 178 additions and 575 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -67,6 +67,8 @@ ChangeLog
# Rope
.ropeproject
# files created by oslo-config-generator
etc/barbican/barbican.conf.sample
# Files created by releasenotes build
releasenotes/build

104
barbican/common/config.py
View File

@ -44,27 +44,90 @@ context_opts = [
common_opts = [
cfg.IntOpt('max_allowed_request_size_in_bytes',
default=MAX_BYTES_REQUEST_INPUT_ACCEPTED),
default=MAX_BYTES_REQUEST_INPUT_ACCEPTED,
help=u._("Maximum allowed http request size against the "
"barbican-api.")),
cfg.IntOpt('max_allowed_secret_in_bytes',
default=DEFAULT_MAX_SECRET_BYTES),
default=DEFAULT_MAX_SECRET_BYTES,
help=u._("Maximum allowed secret size in bytes.")),
]
host_opts = [
cfg.StrOpt('host_href', default='http://localhost:9311'),
cfg.StrOpt('host_href', default='http://localhost:9311',
help=u._("Host name, for use in HATEOAS-style references Note: "
"Typically this would be the load balanced endpoint "
"that clients would use to communicate back with this "
"service. If a deployment wants to derive host from "
"wsgi request instead then make this blank. Blank is "
"needed to override default config value which is "
"'http://localhost:9311'")),
]
db_opts = [
cfg.StrOpt('sql_connection', secret=True),
cfg.IntOpt('sql_idle_timeout', default=3600),
cfg.IntOpt('sql_max_retries', default=60),
cfg.IntOpt('sql_retry_interval', default=1),
cfg.BoolOpt('db_auto_create', default=True),
cfg.IntOpt('max_limit_paging', default=100),
cfg.IntOpt('default_limit_paging', default=10),
cfg.StrOpt('sql_pool_class'),
cfg.BoolOpt('sql_pool_logging', default=False),
cfg.IntOpt('sql_pool_size'),
cfg.IntOpt('sql_pool_max_overflow'),
cfg.StrOpt('sql_connection',
default="sqlite:///barbican.sqlite",
secret=True,
help=u._("SQLAlchemy connection string for the reference "
"implementation registry server. Any valid "
"SQLAlchemy connection string is fine. See: "
"http://www.sqlalchemy.org/docs/05/reference/"
"sqlalchemy/connections.html#sqlalchemy."
"create_engine. Note: For absolute addresses, use "
"'////' slashes after 'sqlite:'.")),
cfg.IntOpt('sql_idle_timeout', default=3600,
help=u._("Period in seconds after which SQLAlchemy should "
"reestablish its connection to the database. MySQL "
"uses a default `wait_timeout` of 8 hours, after "
"which it will drop idle connections. This can result "
"in 'MySQL Gone Away' exceptions. If you notice this, "
"you can lower this value to ensure that SQLAlchemy "
"reconnects before MySQL can drop the connection.")),
cfg.IntOpt('sql_max_retries', default=60,
help=u._("Maximum number of database connection retries "
"during startup. Set to -1 to specify an infinite "
"retry count.")),
cfg.IntOpt('sql_retry_interval', default=1,
help=u._("Interval between retries of opening a SQL "
"connection.")),
cfg.BoolOpt('db_auto_create', default=True,
help=u._("Create the Barbican database on service startup.")),
cfg.IntOpt('max_limit_paging', default=100,
help=u._("Maximum page size for the 'limit' paging URL "
"parameter.")),
cfg.IntOpt('default_limit_paging', default=10,
help=u._("Default page size for the 'limit' paging URL "
"parameter.")),
cfg.StrOpt('sql_pool_class', default="QueuePool",
help=u._("Accepts a class imported from the sqlalchemy.pool "
"module, and handles the details of building the "
"pool for you. If commented out, SQLAlchemy will "
"select based on the database dialect. Other options "
"are QueuePool (for SQLAlchemy-managed connections) "
"and NullPool (to disabled SQLAlchemy management of "
"connections). See http://docs.sqlalchemy.org/en/"
"latest/core/pooling.html for more details")),
cfg.BoolOpt('sql_pool_logging', default=False,
help=u._("Show SQLAlchemy pool-related debugging output in "
"logs (sets DEBUG log level output) if specified.")),
cfg.IntOpt('sql_pool_size', default=5,
help=u._("Size of pool used by SQLAlchemy. This is the largest "
"number of connections that will be kept persistently "
"in the pool. Can be set to 0 to indicate no size "
"limit. To disable pooling, use a NullPool with "
"sql_pool_class instead. Comment out to allow "
"SQLAlchemy to select the default.")),
cfg.IntOpt('sql_pool_max_overflow', default=10,
help=u._("# The maximum overflow size of the pool used by "
"SQLAlchemy. When the number of checked-out "
"connections reaches the size set in sql_pool_size, "
"additional connections will be returned up to this "
"limit. It follows then that the total number of "
"simultaneous connections the pool will allow is "
"sql_pool_size + sql_pool_max_overflow. Can be set "
"to -1 to indicate no overflow limit, so no limit "
"will be placed on the total number of concurrent "
"connections. Comment out to allow SQLAlchemy to "
"select the default.")),
]
retry_opt_group = cfg.OptGroup(name='retry_scheduler',
@ -153,6 +216,19 @@ quota_opts = [
help=u._('Number of CAs allowed per project'))
]
def list_opts():
yield None, context_opts
yield None, common_opts
yield None, host_opts
yield None, db_opts
yield None, _options.eventlet_backdoor_opts
yield retry_opt_group, retry_opts
yield queue_opt_group, queue_opts
yield ks_queue_opt_group, ks_queue_opts
yield quota_opt_group, quota_opts
# Flag to indicate barbican configuration is already parsed once or not
_CONFIG_PARSED_ONCE = False

4
barbican/plugin/crypto/manager.py
View File

@ -50,6 +50,10 @@ config.parse_args(CONF)
config.set_module_config("crypto", CONF)
def list_opts():
yield crypto_opt_group, crypto_opts
class _CryptoPluginManager(named.NamedExtensionManager):
def __init__(self, conf=CONF, invoke_args=(), invoke_kwargs={}):
"""Crypto Plugin Manager

4
barbican/plugin/crypto/p11_crypto.py
View File

@ -78,6 +78,10 @@ CONF.register_opts(p11_crypto_plugin_opts, group=p11_crypto_plugin_group)
config.parse_args(CONF)
def list_opts():
yield p11_crypto_plugin_group, p11_crypto_plugin_opts
def json_dumps_compact(data):
return json.dumps(data, separators=(',', ':'))

4
barbican/plugin/crypto/simple_crypto.py
View File

@ -44,6 +44,10 @@ CONF.register_opts(simple_crypto_plugin_opts, group=simple_crypto_plugin_group)
config.parse_args(CONF)
def list_opts():
yield simple_crypto_plugin_group, simple_crypto_plugin_opts
class SimpleCryptoPlugin(c.CryptoPluginBase):
"""Insecure implementation of the crypto plugin."""

4
barbican/plugin/dogtag_config_opts.py
View File

@ -56,3 +56,7 @@ dogtag_plugin_opts = [
CONF.register_group(dogtag_plugin_group)
CONF.register_opts(dogtag_plugin_opts, group=dogtag_plugin_group)
config.parse_args(CONF)
def list_opts():
yield dogtag_plugin_group, dogtag_plugin_opts

5
barbican/plugin/interface/certificate_manager.py
View File

@ -60,6 +60,11 @@ CONF.register_opts(cert_opts, group=cert_opt_group)
config.parse_args(CONF)
def list_opts():
yield cert_opt_group, cert_opts
yield cert_event_opt_group, cert_event_opts
# Configuration for certificate eventing plugins:
DEFAULT_EVENT_PLUGIN_NAMESPACE = 'barbican.certificate.event.plugin'
DEFAULT_EVENT_PLUGINS = ['simple_certificate_event']

4
barbican/plugin/interface/secret_store.py
View File

@ -61,6 +61,10 @@ config.parse_args(CONF)
config.set_module_config("secretstore", CONF)
def list_opts():
yield store_opt_group, store_opts
class SecretStorePluginNotFound(exception.BarbicanHTTPException):
"""Raised when no plugins are installed."""

5
barbican/plugin/kmip_secret_store.py
View File

@ -86,6 +86,11 @@ CONF.register_group(kmip_opt_group)
CONF.register_opts(kmip_opts, group=kmip_opt_group)
config.parse_args(CONF)
def list_opts():
yield kmip_opt_group, kmip_opts
attribute_debug_msg = "Created attribute type %s with value %s"

4
barbican/plugin/snakeoil_ca.py
View File

@ -56,6 +56,10 @@ CONF.register_opts(snakeoil_ca_plugin_opts, group=snakeoil_ca_plugin_group)
config.parse_args(CONF)
def list_opts():
yield snakeoil_ca_plugin_group, snakeoil_ca_plugin_opts
def set_subject_X509Name(target, dn):
"""Set target X509Name object with parsed dn.

5
barbican/tests/model/repositories/test_repositories.py
View File

@ -261,7 +261,10 @@ class WhenTestingGetEnginePrivate(utils.BaseTestCase):
'connection',
pool_recycle=3600,
convert_unicode=True,
echo=False
echo=False,
poolclass=sqlalchemy.pool.QueuePool,
pool_size=repositories.CONF.sql_pool_size,
max_overflow=repositories.CONF.sql_pool_max_overflow
)
@mock.patch('barbican.model.repositories._create_engine')

1
bindep.txt
View File

@ -3,6 +3,7 @@
mozilla-nss-devel [platform:rpm]
nss-devel [platform:rpm]
libnss3-dev [platform:dpkg]
gettext [test]

1
devstack/lib/barbican
View File

@ -94,7 +94,6 @@ function configure_barbican {
sudo chown $USER $BARBICAN_CONF_DIR
# Copy the barbican config files to the config dir
cp $BARBICAN_DIR/etc/barbican/barbican.conf $BARBICAN_CONF_DIR
cp $BARBICAN_DIR/etc/barbican/barbican-api-paste.ini $BARBICAN_CONF_DIR
cp -R $BARBICAN_DIR/etc/barbican/vassals $BARBICAN_CONF_DIR

4
etc/barbican/README.barbican.conf.txt Normal file
View File

@ -0,0 +1,4 @@
To generate the sample barbican.conf file, run the following
command from the top level of the barbican directory:
tox -egenconfig

558
etc/barbican/barbican.conf
View File

@ -1,558 +0,0 @@
[DEFAULT]
# Show debugging output in logs (sets DEBUG log level output)
#debug = True
# Address to bind the API server
bind_host = 0.0.0.0
# Port to bind the API server to
bind_port = 9311
# Host name, for use in HATEOAS-style references
# Note: Typically this would be the load balanced endpoint that clients would use
# communicate back with this service.
# If a deployment wants to derive host from wsgi request instead then make this
# blank. Blank is needed to override default config value which is
# 'http://localhost:9311'.
host_href = http://localhost:9311
# Log to this file. Make sure you do not set the same log
# file for both the API and registry servers!
#log_file = /var/log/barbican/api.log
# Backlog requests when creating socket
backlog = 4096
# TCP_KEEPIDLE value in seconds when creating socket.
# Not supported on OS X.
#tcp_keepidle = 600
# Maximum allowed http request size against the barbican-api
max_allowed_secret_in_bytes = 10000
max_allowed_request_size_in_bytes = 1000000
# SQLAlchemy connection string for the reference implementation
# registry server. Any valid SQLAlchemy connection string is fine.
# See: http://www.sqlalchemy.org/docs/05/reference/sqlalchemy/connections.html#sqlalchemy.create_engine
# Uncomment this for local dev, putting db in project directory:
#sql_connection = sqlite:///barbican.sqlite
# Note: For absolute addresses, use '////' slashes after 'sqlite:'
# Uncomment for a more global development environment
sql_connection = sqlite:////var/lib/barbican/barbican.sqlite
# Period in seconds after which SQLAlchemy should reestablish its connection
# to the database.
#
# MySQL uses a default `wait_timeout` of 8 hours, after which it will drop
# idle connections. This can result in 'MySQL Gone Away' exceptions. If you
# notice this, you can lower this value to ensure that SQLAlchemy reconnects
# before MySQL can drop the connection.
sql_idle_timeout = 3600
# Accepts a class imported from the sqlalchemy.pool module, and handles the
# details of building the pool for you. If commented out, SQLAlchemy
# will select based on the database dialect. Other options are QueuePool
# (for SQLAlchemy-managed connections) and NullPool (to disabled SQLAlchemy
# management of connections).
# See http://docs.sqlalchemy.org/en/latest/core/pooling.html for more details.
#sql_pool_class = QueuePool
# Show SQLAlchemy pool-related debugging output in logs (sets DEBUG log level
# output) if specified.
#sql_pool_logging = True
# Size of pool used by SQLAlchemy. This is the largest number of connections
# that will be kept persistently in the pool. Can be set to 0 to indicate no
# size limit. To disable pooling, use a NullPool with sql_pool_class instead.
# Comment out to allow SQLAlchemy to select the default.
#sql_pool_size = 5
# The maximum overflow size of the pool used by SQLAlchemy. When the number of
# checked-out connections reaches the size set in sql_pool_size, additional
# connections will be returned up to this limit. It follows then that the
# total number of simultaneous connections the pool will allow is
# sql_pool_size + sql_pool_max_overflow. Can be set to -1 to indicate no
# overflow limit, so no limit will be placed on the total number of concurrent
# connections. Comment out to allow SQLAlchemy to select the default.
#sql_pool_max_overflow = 10
# Default page size for the 'limit' paging URL parameter.
default_limit_paging = 10
# Maximum page size for the 'limit' paging URL parameter.
max_limit_paging = 100
# Role used to identify an authenticated user as administrator
#admin_role = admin
# Allow unauthenticated users to access the API with read-only
# privileges. This only applies when using ContextMiddleware.
#allow_anonymous_access = False
# Allow access to version 1 of barbican api
#enable_v1_api = True
# Allow access to version 2 of barbican api
#enable_v2_api = True
# ================= SSL Options ===============================
# Certificate file to use when starting API server securely
#cert_file = /path/to/certfile
# Private key file to use when starting API server securely
#key_file = /path/to/keyfile
# CA certificate file to use to verify connecting clients
#ca_file = /path/to/cafile
# ================= Security Options ==========================
# AES key for encrypting store 'location' metadata, including
# -- if used -- Swift or S3 credentials
# Should be set to a random string of length 16, 24 or 32 bytes
#metadata_encryption_key = <16, 24 or 32 char registry metadata key>
# ================= Queue Options - oslo.messaging ==========================
[oslo_messaging_rabbit]
# Rabbit and HA configuration:
amqp_durable_queues = True
rabbit_userid=guest
rabbit_password=guest
rabbit_ha_queues = True
rabbit_port=5672
# For HA, specify queue nodes in cluster, comma delimited:
# For example: rabbit_hosts=192.168.50.8:5672, 192.168.50.9:5672
rabbit_hosts=localhost:5672
# For HA, specify queue nodes in cluster as 'user@host:5672', comma delimited, ending with '/offset':
# For example: transport_url = rabbit://guest@192.168.50.8:5672,guest@192.168.50.9:5672/
# DO NOT USE THIS, due to '# FIXME(markmc): support multiple hosts' in oslo/messaging/_drivers/amqpdriver.py
# transport_url = rabbit://guest@localhost:5672/
[oslo_messaging_notifications]
# oslo notification driver for sending audit events via audit middleware.
# Meaningful only when middleware is enabled in barbican paste ini file.
# This is oslo config MultiStrOpt so can be defined multiple times in case
# there is need to route audit event to messaging as well as log.
# driver = messagingv2
# driver = log
# ======== OpenStack policy - oslo_policy ===============
[oslo_policy]
# ======== OpenStack policy integration
# JSON file representing policy (string value)
policy_file=/etc/barbican/policy.json
# Rule checked when requested rule is not found (string value)
policy_default_rule=default
# ================= Queue Options - Application ==========================
[queue]
# Enable queuing asynchronous messaging.
# Set false to invoke worker tasks synchronously (i.e. no-queue standalone mode)
enable = False
# Namespace for the queue
namespace = 'barbican'
# Topic for the queue
topic = 'barbican.workers'
# Version for the task API
version = '1.1'
# Server name for RPC service
server_name = 'barbican.queue'
# Number of asynchronous worker processes.
# When greater than 1, then that many additional worker processes are
# created for asynchronous worker functionality.
asynchronous_workers = 1
# ================= Retry/Scheduler Options ==========================
[retry_scheduler]
# Seconds (float) to wait between starting retry scheduler
initial_delay_seconds = 10.0
# Seconds (float) to wait between starting retry scheduler
periodic_interval_max_seconds = 10.0
# ====================== Quota Options ===============================
[quotas]
# For each resource, the default maximum number that can be used for
# a project is set below. This value can be overridden for each
# project through the API. A negative value means no limit. A zero
# value effectively disables the resource.
# default number of secrets allowed per project
quota_secrets = -1
# default number of orders allowed per project
quota_orders = -1
# default number of containers allowed per project
quota_containers = -1
# default number of consumers allowed per project
quota_consumers = -1
# default number of CAs allowed per project
quota_cas = -1
# ================= Keystone Notification Options - Application ===============
[keystone_notifications]
# Keystone notification functionality uses transport related configuration
# from barbican common configuration as defined under
# 'Queue Options - oslo.messaging' comments.
# The HA related configuration is also shared with notification server.
# True enables keystone notification listener functionality.
enable = False
# The default exchange under which topics are scoped.
# May be overridden by an exchange name specified in the transport_url option.
control_exchange = 'openstack'
# Keystone notification queue topic name.
# This name needs to match one of values mentioned in Keystone deployment's
# 'notification_topics' configuration e.g.
# notification_topics=notifications, barbican_notifications
# Multiple servers may listen on a topic and messages will be dispatched to one
# of the servers in a round-robin fashion. That's why Barbican service should
# have its own dedicated notification queue so that it receives all of Keystone
# notifications.
topic = 'notifications'
# True enables requeue feature in case of notification processing error.
# Enable this only when underlying transport supports this feature.
allow_requeue = False
# Version of tasks invoked via notifications
version = '1.0'
# Define the number of max threads to be used for notification server
# processing functionality.
thread_pool_size = 10
# ================= Secret Store Plugin ===================
[secretstore]
namespace = barbican.secretstore.plugin
enabled_secretstore_plugins = store_crypto
# ================= Crypto plugin ===================
[crypto]
namespace = barbican.crypto.plugin
enabled_crypto_plugins = simple_crypto
[simple_crypto_plugin]
# the kek should be a 32-byte value which is base64 encoded
kek = 'YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY='
# User friendly plugin name
# plugin_name = 'Software Only Crypto'
[dogtag_plugin]
pem_path = '/etc/barbican/kra_admin_cert.pem'
dogtag_host = localhost
dogtag_port = 8443
nss_db_path = '/etc/barbican/alias'
nss_db_path_ca = '/etc/barbican/alias-ca'
nss_password = 'password123'
simple_cmc_profile = 'caOtherCert'
ca_expiration_time = 1
plugin_working_dir = '/etc/barbican/dogtag'
# User friendly plugin name
# plugin_name = 'Dogtag KRA'
[p11_crypto_plugin]
# Path to vendor PKCS11 library
library_path = '/usr/lib/libCryptoki2_64.so'
# Password to login to PKCS11 session
login = 'mypassword'
# Label to identify master KEK in the HSM (must not be the same as HMAC label)
mkek_label = 'an_mkek'
# Length in bytes of master KEK
mkek_length = 32
# Label to identify HMAC key in the HSM (must not be the same as MKEK label)
hmac_label = 'my_hmac_label'
# HSM Slot id (Should correspond to a configured PKCS11 slot). Default: 1
# slot_id = 1
# Enable Read/Write session with the HSM?
# rw_session = True
# Length of Project KEKs to create
# pkek_length = 32
# How long to cache unwrapped Project KEKs
# pkek_cache_ttl = 900
# Max number of items in pkek cache
# pkek_cache_limit = 100
# User friendly plugin name
# plugin_name = 'PKCS11 HSM'
# ================== KMIP plugin =====================
[kmip_plugin]
username = 'admin'
password = 'password'
host = localhost
port = 5696
keyfile = '/path/to/certs/cert.key'
certfile = '/path/to/certs/cert.crt'
ca_certs = '/path/to/certs/LocalCA.crt'
ssl_version = 'PROTOCOL_TLSv1_2'
pkcs1_only = False
plugin_name = 'KMIP HSM'
# ================= Certificate plugin ===================
# DEPRECATION WARNING: The Certificates Plugin has been deprecated
# and will be removed in the P release.
[certificate]
namespace = barbican.certificate.plugin
enabled_certificate_plugins = simple_certificate
enabled_certificate_plugins = snakeoil_ca
[certificate_event]
namespace = barbican.certificate.event.plugin
enabled_certificate_event_plugins = simple_certificate_event
[snakeoil_ca_plugin]
ca_cert_path = /etc/barbican/snakeoil-ca.crt
ca_cert_key_path = /etc/barbican/snakeoil-ca.key
ca_cert_chain_path = /etc/barbican/snakeoil-ca.chain
ca_cert_pkcs7_path = /etc/barbican/snakeoil-ca.p7b
subca_cert_key_directory=/etc/barbican/snakeoil-cas
# ========================================================
[cors]
#
# From oslo.middleware.cors
#
# Indicate whether this resource may be shared with the domain
# received in the requests "origin" header. (list value)
#allowed_origin = <None>
# Indicate that the actual request can include user credentials
# (boolean value)
#allow_credentials = true
# Indicate which headers are safe to expose to the API. Defaults to
# HTTP Simple Headers. (list value)
#expose_headers = X-Auth-Token, X-Openstack-Request-Id, X-Project-Id, X-Identity-Status, X-User-Id, X-Storage-Token, X-Domain-Id, X-User-Domain-Id, X-Project-Domain-Id, X-Roles
# Maximum cache age of CORS preflight requests. (integer value)
#max_age = 3600
# Indicate which methods can be used during the actual request. (list
# value)
#allow_methods = GET,PUT,POST,DELETE,PATCH
# Indicate which header field names may be used during the actual
# request. (list value)
#allow_headers = X-Auth-Token, X-Openstack-Request-Id, X-Project-Id, X-Identity-Status, X-User-Id, X-Storage-Token, X-Domain-Id, X-User-Domain-Id, X-Project-Domain-Id, X-Roles
[cors.subdomain]
#
# From oslo.middleware.cors
#
# Indicate whether this resource may be shared with the domain
# received in the requests "origin" header. (list value)
#allowed_origin = <None>
# Indicate that the actual request can include user credentials
# (boolean value)
#allow_credentials = true
# Indicate which headers are safe to expose to the API. Defaults to
# HTTP Simple Headers. (list value)
#expose_headers = X-Auth-Token, X-Openstack-Request-Id, X-Project-Id, X-Identity-Status, X-User-Id, X-Storage-Token, X-Domain-Id, X-User-Domain-Id, X-Project-Domain-Id, X-Roles
# Maximum cache age of CORS preflight requests. (integer value)
#max_age = 3600
# Indicate which methods can be used during the actual request. (list
# value)
#allow_methods = GET,PUT,POST,DELETE,PATCH
# Indicate which header field names may be used during the actual
# request. (list value)
#allow_headers = X-Auth-Token, X-Openstack-Request-Id, X-Project-Id, X-Identity-Status, X-User-Id, X-Storage-Token, X-Domain-Id, X-User-Domain-Id, X-Project-Domain-Id, X-Roles
[oslo_middleware]
#
# From oslo.middleware.http_proxy_to_wsgi
#
# Wether the application is behind a proxy or not. This determines if
# the middleware should parse the headers or not. (boolean value)
#enable_proxy_headers_parsing = false
[keystone_authtoken]
#
# From keystonemiddleware.auth_token
#
# Complete "public" Identity API endpoint. This endpoint should not be an
# "admin" endpoint, as it should be accessible by all end users. Unauthenticated
# clients are redirected to this endpoint to authenticate. Although this
# endpoint should ideally be unversioned, client support in the wild varies.
# If you're using a versioned v2 endpoint here, then this should *not* be the
# same endpoint the service user utilizes for validating tokens, because normal
# end users may not be able to reach that endpoint. (string value)
#auth_uri = <None>
# API version of the admin Identity API endpoint. (string value)
#auth_version = <None>
# Do not handle authorization requests within the middleware, but delegate the
# authorization decision to downstream WSGI components. (boolean value)
#delay_auth_decision = false
# Request timeout value for communicating with Identity API server. (integer
# value)
#http_connect_timeout = <None>
# How many times are we trying to reconnect when communicating with Identity API
# Server. (integer value)
#http_request_max_retries = 3
# Request environment key where the Swift cache object is stored. When
# auth_token middleware is deployed with a Swift cache, use this option to have
# the middleware share a caching backend with swift. Otherwise, use the
# ``memcached_servers`` option instead. (string value)
#cache = <None>
# Required if identity server requires client certificate (string value)
#certfile = <None>
# Required if identity server requires client certificate (string value)
#keyfile = <None>
# A PEM encoded Certificate Authority to use when verifying HTTPs connections.
# Defaults to system CAs. (string value)
#cafile = <None>
# Verify HTTPS connections. (boolean value)
#insecure = false
# The region in which the identity server can be found. (string value)
#region_name = <None>
# Directory used to cache files related to PKI tokens. (string value)
#signing_dir = <None>
# Optionally specify a list of memcached server(s) to use for caching. If left
# undefined, tokens will instead be cached in-process. (list value)
# Deprecated group/name - [keystone_authtoken]/memcache_servers
#memcached_servers = <None>
# In order to prevent excessive effort spent validating tokens, the middleware
# caches previously-seen tokens for a configurable duration (in seconds). Set to
# -1 to disable caching completely. (integer value)
#token_cache_time = 300
# Determines the frequency at which the list of revoked tokens is retrieved from
# the Identity service (in seconds). A high number of revocation events combined
# with a low cache duration may significantly reduce performance. Only valid for
# PKI tokens. (integer value)
#revocation_cache_time = 10
# (Optional) If defined, indicate whether token data should be authenticated or
# authenticated and encrypted. If MAC, token data is authenticated (with HMAC)
# in the cache. If ENCRYPT, token data is encrypted and authenticated in the
# cache. If the value is not one of these options or empty, auth_token will
# raise an exception on initialization. (string value)
# Allowed values: None, MAC, ENCRYPT
#memcache_security_strategy = None
# (Optional, mandatory if memcache_security_strategy is defined) This string is
# used for key derivation. (string value)
#memcache_secret_key = <None>
# (Optional) Number of seconds memcached server is considered dead before it is
# tried again. (integer value)
#memcache_pool_dead_retry = 300
# (Optional) Maximum total number of open connections to every memcached server.
# (integer value)
#memcache_pool_maxsize = 10
# (Optional) Socket timeout in seconds for communicating with a memcached
# server. (integer value)
#memcache_pool_socket_timeout = 3
# (Optional) Number of seconds a connection to memcached is held unused in the
# pool before it is closed. (integer value)
#memcache_pool_unused_timeout = 60
# (Optional) Number of seconds that an operation will wait to get a memcached
# client connection from the pool. (integer value)
#memcache_pool_conn_get_timeout = 10
# (Optional) Use the advanced (eventlet safe) memcached client pool. The
# advanced pool will only work under python 2.x. (boolean value)
#memcache_use_advanced_pool = false
# (Optional) Indicate whether to set the X-Service-Catalog header. If False,
# middleware will not ask for service catalog on token validation and will not
# set the X-Service-Catalog header. (boolean value)
#include_service_catalog = true
# Used to control the use and type of token binding. Can be set to: "disabled"
# to not check token binding. "permissive" (default) to validate binding
# information if the bind type is of a form known to the server and ignore it if
# not. "strict" like "permissive" but if the bind type is unknown the token will
# be rejected. "required" any form of token binding is needed to be allowed.
# Finally the name of a binding method that must be present in tokens. (string
# value)
#enforce_token_bind = permissive
# If true, the revocation list will be checked for cached tokens. This requires
# that PKI tokens are configured on the identity server. (boolean value)
#check_revocations_for_cached = false
# Hash algorithms to use for hashing PKI tokens. This may be a single algorithm
# or multiple. The algorithms are those supported by Python standard
# hashlib.new(). The hashes will be tried in the order given, so put the
# preferred one first for performance. The result of the first hash will be
# stored in the cache. This will typically be set to multiple values only while
# migrating from a less secure algorithm to a more secure one. Once all the old
# tokens are expired this option should be set to a single value for better
# performance. (list value)
#hash_algorithms = md5
# Authentication type to load (string value)
# Deprecated group/name - [keystone_authtoken]/auth_plugin
#auth_type = <None>
# Config Section from which to load plugin specific options (string value)
#auth_section = <None>

21
etc/oslo-config-generator/barbican.conf Normal file
View File

@ -0,0 +1,21 @@
[DEFAULT]
output_file = etc/barbican/barbican.conf.sample
namespace = barbican
namespace = barbican.certificate.plugin
namespace = barbican.certificate.plugin.snakeoil
namespace = barbican.common.config
namespace = barbican.plugin.crypto
namespace = barbican.plugin.crypto.p11
namespace = barbican.plugin.crypto.simple
namespace = barbican.plugin.dogtag
namespace = barbican.plugin.secret_store
namespace = barbican.plugin.secret_store.kmip
namespace = keystonemiddleware.auth_token
namespace = oslo.log
namespace = oslo.messaging
namespace = oslo.middleware.cors
namespace = oslo.middleware.http_proxy_to_wsgi
namespace = oslo.policy
namespace = oslo.service.periodic_task
namespace = oslo.service.sslutils
namespace = oslo.service.wsgi

4
releasenotes/notes/use_oslo_config_generator-f2a9be9e71d90b1f.yaml Normal file
View File

@ -0,0 +1,4 @@
---
other:
- oslo-config-generator is now used to generate a
barbican.conf.sample file

13
setup.cfg
View File

@ -53,7 +53,18 @@ barbican.certificate.event.plugin =
simple_certificate_event = barbican.plugin.simple_certificate_manager:SimpleCertificateEventPlugin
barbican.test.crypto.plugin =
test_crypto = barbican.tests.crypto.test_plugin:TestCryptoPlugin
oslo.config.opts =
barbican.common.config = barbican.common.config:list_opts
barbican.plugin.secret_store = barbican.plugin.interface.secret_store:list_opts
barbican.plugin.crypto = barbican.plugin.crypto.manager:list_opts
barbican.plugin.crypto.simple = barbican.plugin.crypto.simple_crypto:list_opts
barbican.plugin.dogtag_config_opts = barbican.plugin.dogtag:list_opts
barbican.plugin.crypto.p11 = barbican.plugin.crypto.p11_crypto:list_opts
barbican.plugin.secret_store.kmip = barbican.plugin.kmip_secret_store:list_opts
barbican.certificate.plugin = barbican.plugin.interface.certificate_manager:list_opts
barbican.certificate.plugin.snakeoil = barbican.plugin.snakeoil_ca:list_opts
oslo.config.opts.defaults =
barbican.common.config = barbican.common.config:set_middleware_defaults
[build_sphinx]
all_files = 1
build-dir = doc/build

6
tox.ini
View File

@ -10,6 +10,7 @@ deps = -r{toxinidir}/requirements.txt
-r{toxinidir}/test-requirements.txt
commands =
oslo-config-generator --config-file etc/oslo-config-generator/barbican.conf --output-file etc/barbican/barbican.conf
/usr/bin/find . -type f -name "*.py[c|o]" -delete
coverage erase
python setup.py testr --coverage --testr-args='{posargs}'
@ -35,6 +36,11 @@ commands =
# Run security linter
bandit -r barbican -x tests -n5
[testenv:genconfig]
whitelist_externals = bash
commands =
oslo-config-generator --config-file etc/oslo-config-generator/barbican.conf
[testenv:venv]
commands = {posargs}