From 06b76aa6e86497ca9b54dd442126a82da103ce46 Mon Sep 17 00:00:00 2001 From: Thomas Bechtold Date: Mon, 11 Jul 2016 19:41:28 +0200 Subject: [PATCH] Use oslo-config-generator to generate barbican.conf.sample Currently etc/barbican/barbican.conf is maintained by hand and can not be regenerated based on the config settings defined in the code. A common pattern for OpenStack projects is to use oslo-config-generator for that task. Co-Authored-By: Randall Burt Depends-On: I90870dcb49cd96f6bf0fe353fa6e779ffd87a5af Closes-Bug: #1584789 Change-Id: I5f3dcd2fc982f1178ef7dd662c24d3166f91b266 --- .gitignore | 2 + barbican/common/config.py | 104 +++- barbican/plugin/crypto/manager.py | 4 + barbican/plugin/crypto/p11_crypto.py | 4 + barbican/plugin/crypto/simple_crypto.py | 4 + barbican/plugin/dogtag_config_opts.py | 4 + .../plugin/interface/certificate_manager.py | 5 + barbican/plugin/interface/secret_store.py | 4 + barbican/plugin/kmip_secret_store.py | 5 + barbican/plugin/snakeoil_ca.py | 4 + .../model/repositories/test_repositories.py | 5 +- bindep.txt | 1 + devstack/lib/barbican | 1 - etc/barbican/README.barbican.conf.txt | 4 + etc/barbican/barbican.conf | 558 ------------------ etc/oslo-config-generator/barbican.conf | 21 + ...slo_config_generator-f2a9be9e71d90b1f.yaml | 4 + setup.cfg | 13 +- tox.ini | 6 + 19 files changed, 178 insertions(+), 575 deletions(-) create mode 100644 etc/barbican/README.barbican.conf.txt delete mode 100644 etc/barbican/barbican.conf create mode 100644 etc/oslo-config-generator/barbican.conf create mode 100644 releasenotes/notes/use_oslo_config_generator-f2a9be9e71d90b1f.yaml diff --git a/.gitignore b/.gitignore index 8e9e02574..d918c172c 100644 --- a/.gitignore +++ b/.gitignore @@ -67,6 +67,8 @@ ChangeLog # Rope .ropeproject +# files created by oslo-config-generator +etc/barbican/barbican.conf.sample # Files created by releasenotes build releasenotes/build 
diff --git a/barbican/common/config.py b/barbican/common/config.py
index fd189576e..6c3258dbf 100644
--- a/barbican/common/config.py
+++ b/barbican/common/config.py
@@ -44,27 +44,90 @@ context_opts = [ common_opts = [ cfg.IntOpt('max_allowed_request_size_in_bytes', - default=MAX_BYTES_REQUEST_INPUT_ACCEPTED), + default=MAX_BYTES_REQUEST_INPUT_ACCEPTED, + help=u._("Maximum allowed http request size against the " + "barbican-api.")), cfg.IntOpt('max_allowed_secret_in_bytes', - default=DEFAULT_MAX_SECRET_BYTES), + default=DEFAULT_MAX_SECRET_BYTES, + help=u._("Maximum allowed secret size in bytes.")), ] host_opts = [ - cfg.StrOpt('host_href', default='http://localhost:9311'), + cfg.StrOpt('host_href', default='http://localhost:9311', + help=u._("Host name, for use in HATEOAS-style references Note: " + "Typically this would be the load balanced endpoint " + "that clients would use to communicate back with this " + "service. If a deployment wants to derive host from " + "wsgi request instead then make this blank. Blank is " + "needed to override default config value which is " + "'http://localhost:9311'")), ] db_opts = [ - cfg.StrOpt('sql_connection', secret=True), - cfg.IntOpt('sql_idle_timeout', default=3600), - cfg.IntOpt('sql_max_retries', default=60), - cfg.IntOpt('sql_retry_interval', default=1), - cfg.BoolOpt('db_auto_create', default=True), - cfg.IntOpt('max_limit_paging', default=100), - cfg.IntOpt('default_limit_paging', default=10), - cfg.StrOpt('sql_pool_class'), - cfg.BoolOpt('sql_pool_logging', default=False), - cfg.IntOpt('sql_pool_size'), - cfg.IntOpt('sql_pool_max_overflow'), + cfg.StrOpt('sql_connection', + default="sqlite:///barbican.sqlite", + secret=True, + help=u._("SQLAlchemy connection string for the reference " + "implementation registry server. Any valid " + "SQLAlchemy connection string is fine. See: " + "http://www.sqlalchemy.org/docs/05/reference/" + "sqlalchemy/connections.html#sqlalchemy." + "create_engine. 
Note: For absolute addresses, use " + "'////' slashes after 'sqlite:'.")), + cfg.IntOpt('sql_idle_timeout', default=3600, + help=u._("Period in seconds after which SQLAlchemy should " + "reestablish its connection to the database. MySQL " + "uses a default `wait_timeout` of 8 hours, after " + "which it will drop idle connections. This can result " + "in 'MySQL Gone Away' exceptions. If you notice this, " + "you can lower this value to ensure that SQLAlchemy " + "reconnects before MySQL can drop the connection.")), + cfg.IntOpt('sql_max_retries', default=60, + help=u._("Maximum number of database connection retries " + "during startup. Set to -1 to specify an infinite " + "retry count.")), + cfg.IntOpt('sql_retry_interval', default=1, + help=u._("Interval between retries of opening a SQL " + "connection.")), + cfg.BoolOpt('db_auto_create', default=True, + help=u._("Create the Barbican database on service startup.")), + cfg.IntOpt('max_limit_paging', default=100, + help=u._("Maximum page size for the 'limit' paging URL " + "parameter.")), + cfg.IntOpt('default_limit_paging', default=10, + help=u._("Default page size for the 'limit' paging URL " + "parameter.")), + cfg.StrOpt('sql_pool_class', default="QueuePool", + help=u._("Accepts a class imported from the sqlalchemy.pool " + "module, and handles the details of building the " + "pool for you. If commented out, SQLAlchemy will " + "select based on the database dialect. Other options " + "are QueuePool (for SQLAlchemy-managed connections) " + "and NullPool (to disabled SQLAlchemy management of " + "connections). See http://docs.sqlalchemy.org/en/" + "latest/core/pooling.html for more details")), + cfg.BoolOpt('sql_pool_logging', default=False, + help=u._("Show SQLAlchemy pool-related debugging output in " + "logs (sets DEBUG log level output) if specified.")), + cfg.IntOpt('sql_pool_size', default=5, + help=u._("Size of pool used by SQLAlchemy. 
This is the largest " + "number of connections that will be kept persistently " + "in the pool. Can be set to 0 to indicate no size " + "limit. To disable pooling, use a NullPool with " + "sql_pool_class instead. Comment out to allow " + "SQLAlchemy to select the default.")), + cfg.IntOpt('sql_pool_max_overflow', default=10, + help=u._("# The maximum overflow size of the pool used by " + "SQLAlchemy. When the number of checked-out " + "connections reaches the size set in sql_pool_size, " + "additional connections will be returned up to this " + "limit. It follows then that the total number of " + "simultaneous connections the pool will allow is " + "sql_pool_size + sql_pool_max_overflow. Can be set " + "to -1 to indicate no overflow limit, so no limit " + "will be placed on the total number of concurrent " + "connections. Comment out to allow SQLAlchemy to " + "select the default.")), ] retry_opt_group = cfg.OptGroup(name='retry_scheduler', @@ -153,6 +216,19 @@ quota_opts = [ help=u._('Number of CAs allowed per project')) ] + +def list_opts(): + yield None, context_opts + yield None, common_opts + yield None, host_opts + yield None, db_opts + yield None, _options.eventlet_backdoor_opts + yield retry_opt_group, retry_opts + yield queue_opt_group, queue_opts + yield ks_queue_opt_group, ks_queue_opts + yield quota_opt_group, quota_opts + + # Flag to indicate barbican configuration is already parsed once or not _CONFIG_PARSED_ONCE = False diff --git a/barbican/plugin/crypto/manager.py b/barbican/plugin/crypto/manager.py index db24ebbbc..5c13deb53 100644 --- a/barbican/plugin/crypto/manager.py +++ b/barbican/plugin/crypto/manager.py @@ -50,6 +50,10 @@ config.parse_args(CONF) config.set_module_config("crypto", CONF) +def list_opts(): + yield crypto_opt_group, crypto_opts + + class _CryptoPluginManager(named.NamedExtensionManager): def __init__(self, conf=CONF, invoke_args=(), invoke_kwargs={}): """Crypto Plugin Manager 
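Review bot: The help string for `sql_pool_max_overflow` starts with a stray `# ` carried over from the old sample comment, so the generated sample would render it as `# # The maximum overflow ...`; it should be `help=u._("The maximum overflow size of the pool used by "`. The pool help texts also still say "If commented out, SQLAlchemy will select based on the database dialect" and "Comment out to allow SQLAlchemy to select the default", but this hunk now gives `sql_pool_class`, `sql_pool_size` and `sql_pool_max_overflow` explicit defaults (`QueuePool`, 5, 10), so commenting them out no longer defers to SQLAlchemy and the text should state the real default instead. `sql_connection` likewise gains a default of `sqlite:///barbican.sqlite`, a path relative to the process's working directory, where the deleted hand-written sample pointed at `/var/lib/barbican/barbican.sqlite`; combined with `db_auto_create=True` a deployment that forgets to set it would silently create and use a secrets database wherever the service happens to start rather than failing, which is worth either dropping the default or spelling out in the help text. Minor: the `host_href` help runs "references Note:" together; a period before "Note" keeps the generated sample readable.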
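Review bot: `list_opts` is the `oslo.config.opts` entry point that setup.cfg now registers, but it has no docstring; a one-liner such as `"""Yield (group, opts) pairs for oslo-config-generator; a None group means DEFAULT."""` would explain the `None` groups to the next reader. It also yields `_options.eventlet_backdoor_opts` from what appears to be oslo.service's private `_options` module (the import is outside the hunk); oslo.service publishes those options under its own `oslo.service.service` generator namespace, which could be listed in etc/oslo-config-generator/barbican.conf instead of reaching into a private module. The same missing-docstring point applies to the `list_opts` functions added in manager.py, p11_crypto.py, simple_crypto.py, dogtag_config_opts.py, certificate_manager.py, secret_store.py, kmip_secret_store.py and snakeoil_ca.py.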
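Review bot: The option lists yielded by this `list_opts` and by the sibling plugin ones are outside the hunks, yet the generated sample will now be built from those definitions, and the deleted hand-written sample shows that several of them carry credentials (`kek` in `[simple_crypto_plugin]`, `login` in `[p11_crypto_plugin]`, `nss_password` in `[dogtag_plugin]`, `username`/`password` in `[kmip_plugin]`). It is worth confirming that those `Opt`s are declared with `secret=True`, as `sql_connection` is in config.py, so oslo.config masks them when option values are logged at startup, and that none of them ship a real-looking default (the old sample's `'mypassword'`/`'password123'`) that the generator would now print as the documented default value. If any do, the fix belongs in the option definitions, not in the generated file.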
diff --git a/barbican/plugin/crypto/p11_crypto.py b/barbican/plugin/crypto/p11_crypto.py index 34bd64d39..ff434bb3d 100644 --- a/barbican/plugin/crypto/p11_crypto.py +++ b/barbican/plugin/crypto/p11_crypto.py @@ -78,6 +78,10 @@ CONF.register_opts(p11_crypto_plugin_opts, group=p11_crypto_plugin_group) config.parse_args(CONF) +def list_opts(): + yield p11_crypto_plugin_group, p11_crypto_plugin_opts + + def json_dumps_compact(data): return json.dumps(data, separators=(',', ':')) diff --git a/barbican/plugin/crypto/simple_crypto.py b/barbican/plugin/crypto/simple_crypto.py index 262cc62fe..25c989a12 100644 --- a/barbican/plugin/crypto/simple_crypto.py +++ b/barbican/plugin/crypto/simple_crypto.py @@ -44,6 +44,10 @@ CONF.register_opts(simple_crypto_plugin_opts, group=simple_crypto_plugin_group) config.parse_args(CONF) +def list_opts(): + yield simple_crypto_plugin_group, simple_crypto_plugin_opts + + class SimpleCryptoPlugin(c.CryptoPluginBase): """Insecure implementation of the crypto plugin.""" diff --git a/barbican/plugin/dogtag_config_opts.py b/barbican/plugin/dogtag_config_opts.py index eb92e7e65..398d210b8 100644 --- a/barbican/plugin/dogtag_config_opts.py +++ b/barbican/plugin/dogtag_config_opts.py @@ -56,3 +56,7 @@ dogtag_plugin_opts = [ CONF.register_group(dogtag_plugin_group) CONF.register_opts(dogtag_plugin_opts, group=dogtag_plugin_group) config.parse_args(CONF) + + +def list_opts(): + yield dogtag_plugin_group, dogtag_plugin_opts diff --git a/barbican/plugin/interface/certificate_manager.py b/barbican/plugin/interface/certificate_manager.py index 53eea6285..3e5eb78dd 100644 --- a/barbican/plugin/interface/certificate_manager.py +++ b/barbican/plugin/interface/certificate_manager.py 
@@ -60,6 +60,11 @@ CONF.register_opts(cert_opts, group=cert_opt_group) config.parse_args(CONF) +def list_opts(): + yield cert_opt_group, cert_opts + yield cert_event_opt_group, cert_event_opts + + # Configuration for certificate eventing plugins: DEFAULT_EVENT_PLUGIN_NAMESPACE = 'barbican.certificate.event.plugin' DEFAULT_EVENT_PLUGINS = ['simple_certificate_event'] diff --git a/barbican/plugin/interface/secret_store.py b/barbican/plugin/interface/secret_store.py index 179ae2b12..a886d60b5 100644 --- a/barbican/plugin/interface/secret_store.py +++ b/barbican/plugin/interface/secret_store.py @@ -61,6 +61,10 @@ config.parse_args(CONF) config.set_module_config("secretstore", CONF) +def list_opts(): + yield store_opt_group, store_opts + + class SecretStorePluginNotFound(exception.BarbicanHTTPException): """Raised when no plugins are installed.""" diff --git a/barbican/plugin/kmip_secret_store.py b/barbican/plugin/kmip_secret_store.py index 7f3034d41..dec1e0dbf 100644 --- a/barbican/plugin/kmip_secret_store.py +++ b/barbican/plugin/kmip_secret_store.py @@ -86,6 +86,11 @@ CONF.register_group(kmip_opt_group) CONF.register_opts(kmip_opts, group=kmip_opt_group) config.parse_args(CONF) + +def list_opts(): + yield kmip_opt_group, kmip_opts + + attribute_debug_msg = "Created attribute type %s with value %s" diff --git a/barbican/plugin/snakeoil_ca.py b/barbican/plugin/snakeoil_ca.py index c30842dcc..70fde78e9 100644 --- a/barbican/plugin/snakeoil_ca.py +++ b/barbican/plugin/snakeoil_ca.py @@ -56,6 +56,10 @@ CONF.register_opts(snakeoil_ca_plugin_opts, group=snakeoil_ca_plugin_group) config.parse_args(CONF) +def list_opts(): + yield snakeoil_ca_plugin_group, snakeoil_ca_plugin_opts + + def set_subject_X509Name(target, dn): """Set target X509Name object with parsed dn. diff --git a/barbican/tests/model/repositories/test_repositories.py b/barbican/tests/model/repositories/test_repositories.py index d32ebfe65..167048d23 100644 
--- a/barbican/tests/model/repositories/test_repositories.py +++ b/barbican/tests/model/repositories/test_repositories.py @@ -272,7 +272,10 @@ class WhenTestingGetEnginePrivate(utils.BaseTestCase): 'connection', pool_recycle=3600, convert_unicode=True, - echo=False + echo=False, + poolclass=sqlalchemy.pool.QueuePool, + pool_size=repositories.CONF.sql_pool_size, + max_overflow=repositories.CONF.sql_pool_max_overflow ) @mock.patch('barbican.model.repositories._create_engine') diff --git a/bindep.txt b/bindep.txt index 84dad497a..1489b6578 100644 --- a/bindep.txt +++ b/bindep.txt @@ -3,6 +3,7 @@ mozilla-nss-devel [platform:rpm] nss-devel [platform:rpm] +libnss3-dev [platform:dpkg] gettext [test] diff --git a/devstack/lib/barbican b/devstack/lib/barbican index ac00fba85..03314fcd7 100644 --- a/devstack/lib/barbican +++ b/devstack/lib/barbican @@ -94,7 +94,6 @@ function configure_barbican { sudo chown $USER $BARBICAN_CONF_DIR # Copy the barbican config files to the config dir - cp $BARBICAN_DIR/etc/barbican/barbican.conf $BARBICAN_CONF_DIR cp $BARBICAN_DIR/etc/barbican/barbican-api-paste.ini $BARBICAN_CONF_DIR cp -R $BARBICAN_DIR/etc/barbican/vassals $BARBICAN_CONF_DIR diff --git a/etc/barbican/README.barbican.conf.txt b/etc/barbican/README.barbican.conf.txt new file mode 100644 index 000000000..95755f5f5 --- /dev/null +++ b/etc/barbican/README.barbican.conf.txt @@ -0,0 +1,4 @@ +To generate the sample barbican.conf file, run the following +command from the top level of the barbican directory: + +tox -egenconfig diff --git a/etc/barbican/barbican.conf b/etc/barbican/barbican.conf deleted file mode 100644 index 8a3a3163d..000000000 --- a/etc/barbican/barbican.conf +++ /dev/null 
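Review bot: The new `pool_size=repositories.CONF.sql_pool_size` and `max_overflow=repositories.CONF.sql_pool_max_overflow` expectations are read from the same CONF object that the code under test reads, so those two keyword arguments can never mismatch and the assertion only really pins `poolclass`. Setting known values in the test (oslo.config's `CONF.set_override('sql_pool_size', 7)` and `CONF.set_override('sql_pool_max_overflow', 3)`, cleared afterwards, or the project's config fixture if it has one) and asserting those literals would make the check meaningful. The test method and its class start outside the hunk, and the hunk does not show where `sqlalchemy` is imported in the test module, so that import needs to exist for the `poolclass` comparison to resolve.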
@@ -1,558 +0,0 @@ -[DEFAULT] -# Show debugging output in logs (sets DEBUG log level output) -#debug = True - -# Address to bind the API server -bind_host = 0.0.0.0 - -# Port to bind the API server to -bind_port = 9311 - -# Host name, for use in HATEOAS-style references -# Note: Typically this would be the load balanced endpoint that clients would use -# communicate back with this service. -# If a deployment wants to derive host from wsgi request instead then make this -# blank. Blank is needed to override default config value which is -# 'http://localhost:9311'. -host_href = http://localhost:9311 - -# Log to this file. Make sure you do not set the same log -# file for both the API and registry servers! -#log_file = /var/log/barbican/api.log - -# Backlog requests when creating socket -backlog = 4096 - -# TCP_KEEPIDLE value in seconds when creating socket. -# Not supported on OS X. -#tcp_keepidle = 600 - -# Maximum allowed http request size against the barbican-api -max_allowed_secret_in_bytes = 10000 -max_allowed_request_size_in_bytes = 1000000 - -# SQLAlchemy connection string for the reference implementation -# registry server. Any valid SQLAlchemy connection string is fine. -# See: http://www.sqlalchemy.org/docs/05/reference/sqlalchemy/connections.html#sqlalchemy.create_engine -# Uncomment this for local dev, putting db in project directory: -#sql_connection = sqlite:///barbican.sqlite -# Note: For absolute addresses, use '////' slashes after 'sqlite:' -# Uncomment for a more global development environment -sql_connection = sqlite:////var/lib/barbican/barbican.sqlite - -# Period in seconds after which SQLAlchemy should reestablish its connection -# to the database. -# -# MySQL uses a default `wait_timeout` of 8 hours, after which it will drop -# idle connections. This can result in 'MySQL Gone Away' exceptions. If you -# notice this, you can lower this value to ensure that SQLAlchemy reconnects -# before MySQL can drop the connection. 
-sql_idle_timeout = 3600 - -# Accepts a class imported from the sqlalchemy.pool module, and handles the -# details of building the pool for you. If commented out, SQLAlchemy -# will select based on the database dialect. Other options are QueuePool -# (for SQLAlchemy-managed connections) and NullPool (to disabled SQLAlchemy -# management of connections). -# See http://docs.sqlalchemy.org/en/latest/core/pooling.html for more details. -#sql_pool_class = QueuePool - -# Show SQLAlchemy pool-related debugging output in logs (sets DEBUG log level -# output) if specified. -#sql_pool_logging = True - -# Size of pool used by SQLAlchemy. This is the largest number of connections -# that will be kept persistently in the pool. Can be set to 0 to indicate no -# size limit. To disable pooling, use a NullPool with sql_pool_class instead. -# Comment out to allow SQLAlchemy to select the default. -#sql_pool_size = 5 - -# The maximum overflow size of the pool used by SQLAlchemy. When the number of -# checked-out connections reaches the size set in sql_pool_size, additional -# connections will be returned up to this limit. It follows then that the -# total number of simultaneous connections the pool will allow is -# sql_pool_size + sql_pool_max_overflow. Can be set to -1 to indicate no -# overflow limit, so no limit will be placed on the total number of concurrent -# connections. Comment out to allow SQLAlchemy to select the default. -#sql_pool_max_overflow = 10 - -# Default page size for the 'limit' paging URL parameter. -default_limit_paging = 10 - -# Maximum page size for the 'limit' paging URL parameter. -max_limit_paging = 100 - -# Role used to identify an authenticated user as administrator -#admin_role = admin - -# Allow unauthenticated users to access the API with read-only -# privileges. This only applies when using ContextMiddleware. 
-#allow_anonymous_access = False - -# Allow access to version 1 of barbican api -#enable_v1_api = True - -# Allow access to version 2 of barbican api -#enable_v2_api = True - -# ================= SSL Options =============================== - -# Certificate file to use when starting API server securely -#cert_file = /path/to/certfile - -# Private key file to use when starting API server securely -#key_file = /path/to/keyfile - -# CA certificate file to use to verify connecting clients -#ca_file = /path/to/cafile - -# ================= Security Options ========================== - -# AES key for encrypting store 'location' metadata, including -# -- if used -- Swift or S3 credentials -# Should be set to a random string of length 16, 24 or 32 bytes -#metadata_encryption_key = <16, 24 or 32 char registry metadata key> - -# ================= Queue Options - oslo.messaging ========================== - -[oslo_messaging_rabbit] - -# Rabbit and HA configuration: -amqp_durable_queues = True -rabbit_userid=guest -rabbit_password=guest -rabbit_ha_queues = True -rabbit_port=5672 - -# For HA, specify queue nodes in cluster, comma delimited: -# For example: rabbit_hosts=192.168.50.8:5672, 192.168.50.9:5672 -rabbit_hosts=localhost:5672 - -# For HA, specify queue nodes in cluster as 'user@host:5672', comma delimited, ending with '/offset': -# For example: transport_url = rabbit://guest@192.168.50.8:5672,guest@192.168.50.9:5672/ -# DO NOT USE THIS, due to '# FIXME(markmc): support multiple hosts' in oslo/messaging/_drivers/amqpdriver.py -# transport_url = rabbit://guest@localhost:5672/ - - -[oslo_messaging_notifications] -# oslo notification driver for sending audit events via audit middleware. -# Meaningful only when middleware is enabled in barbican paste ini file. -# This is oslo config MultiStrOpt so can be defined multiple times in case -# there is need to route audit event to messaging as well as log. 
-# driver = messagingv2 -# driver = log - - -# ======== OpenStack policy - oslo_policy =============== - -[oslo_policy] - -# ======== OpenStack policy integration -# JSON file representing policy (string value) -policy_file=/etc/barbican/policy.json - -# Rule checked when requested rule is not found (string value) -policy_default_rule=default - - -# ================= Queue Options - Application ========================== - -[queue] -# Enable queuing asynchronous messaging. -# Set false to invoke worker tasks synchronously (i.e. no-queue standalone mode) -enable = False - -# Namespace for the queue -namespace = 'barbican' - -# Topic for the queue -topic = 'barbican.workers' - -# Version for the task API -version = '1.1' - -# Server name for RPC service -server_name = 'barbican.queue' - -# Number of asynchronous worker processes. -# When greater than 1, then that many additional worker processes are -# created for asynchronous worker functionality. -asynchronous_workers = 1 - -# ================= Retry/Scheduler Options ========================== - -[retry_scheduler] -# Seconds (float) to wait between starting retry scheduler -initial_delay_seconds = 10.0 - -# Seconds (float) to wait between starting retry scheduler -periodic_interval_max_seconds = 10.0 - - -# ====================== Quota Options =============================== - -[quotas] -# For each resource, the default maximum number that can be used for -# a project is set below. This value can be overridden for each -# project through the API. A negative value means no limit. A zero -# value effectively disables the resource. 
- -# default number of secrets allowed per project -quota_secrets = -1 - -# default number of orders allowed per project -quota_orders = -1 - -# default number of containers allowed per project -quota_containers = -1 - -# default number of consumers allowed per project -quota_consumers = -1 - -# default number of CAs allowed per project -quota_cas = -1 - -# ================= Keystone Notification Options - Application =============== - -[keystone_notifications] - -# Keystone notification functionality uses transport related configuration -# from barbican common configuration as defined under -# 'Queue Options - oslo.messaging' comments. -# The HA related configuration is also shared with notification server. - -# True enables keystone notification listener functionality. -enable = False - -# The default exchange under which topics are scoped. -# May be overridden by an exchange name specified in the transport_url option. -control_exchange = 'openstack' - -# Keystone notification queue topic name. -# This name needs to match one of values mentioned in Keystone deployment's -# 'notification_topics' configuration e.g. -# notification_topics=notifications, barbican_notifications -# Multiple servers may listen on a topic and messages will be dispatched to one -# of the servers in a round-robin fashion. That's why Barbican service should -# have its own dedicated notification queue so that it receives all of Keystone -# notifications. -topic = 'notifications' - -# True enables requeue feature in case of notification processing error. -# Enable this only when underlying transport supports this feature. -allow_requeue = False - -# Version of tasks invoked via notifications -version = '1.0' - -# Define the number of max threads to be used for notification server -# processing functionality. 
-thread_pool_size = 10 - -# ================= Secret Store Plugin =================== -[secretstore] -namespace = barbican.secretstore.plugin -enabled_secretstore_plugins = store_crypto - -# ================= Crypto plugin =================== -[crypto] -namespace = barbican.crypto.plugin -enabled_crypto_plugins = simple_crypto - -[simple_crypto_plugin] -# the kek should be a 32-byte value which is base64 encoded -kek = 'YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY=' - -# User friendly plugin name -# plugin_name = 'Software Only Crypto' - -[dogtag_plugin] -pem_path = '/etc/barbican/kra_admin_cert.pem' -dogtag_host = localhost -dogtag_port = 8443 -nss_db_path = '/etc/barbican/alias' -nss_db_path_ca = '/etc/barbican/alias-ca' -nss_password = 'password123' -simple_cmc_profile = 'caOtherCert' -ca_expiration_time = 1 -plugin_working_dir = '/etc/barbican/dogtag' - -# User friendly plugin name -# plugin_name = 'Dogtag KRA' - - -[p11_crypto_plugin] -# Path to vendor PKCS11 library -library_path = '/usr/lib/libCryptoki2_64.so' -# Password to login to PKCS11 session -login = 'mypassword' -# Label to identify master KEK in the HSM (must not be the same as HMAC label) -mkek_label = 'an_mkek' -# Length in bytes of master KEK -mkek_length = 32 -# Label to identify HMAC key in the HSM (must not be the same as MKEK label) -hmac_label = 'my_hmac_label' -# HSM Slot id (Should correspond to a configured PKCS11 slot). Default: 1 -# slot_id = 1 -# Enable Read/Write session with the HSM? 
-# rw_session = True -# Length of Project KEKs to create -# pkek_length = 32 -# How long to cache unwrapped Project KEKs -# pkek_cache_ttl = 900 -# Max number of items in pkek cache -# pkek_cache_limit = 100 - -# User friendly plugin name -# plugin_name = 'PKCS11 HSM' - - -# ================== KMIP plugin ===================== -[kmip_plugin] -username = 'admin' -password = 'password' -host = localhost -port = 5696 -keyfile = '/path/to/certs/cert.key' -certfile = '/path/to/certs/cert.crt' -ca_certs = '/path/to/certs/LocalCA.crt' -ssl_version = 'PROTOCOL_TLSv1_2' -pkcs1_only = False -plugin_name = 'KMIP HSM' - - -# ================= Certificate plugin =================== - -# DEPRECATION WARNING: The Certificates Plugin has been deprecated -# and will be removed in the P release. - -[certificate] -namespace = barbican.certificate.plugin -enabled_certificate_plugins = simple_certificate -enabled_certificate_plugins = snakeoil_ca - -[certificate_event] -namespace = barbican.certificate.event.plugin -enabled_certificate_event_plugins = simple_certificate_event - -[snakeoil_ca_plugin] -ca_cert_path = /etc/barbican/snakeoil-ca.crt -ca_cert_key_path = /etc/barbican/snakeoil-ca.key -ca_cert_chain_path = /etc/barbican/snakeoil-ca.chain -ca_cert_pkcs7_path = /etc/barbican/snakeoil-ca.p7b -subca_cert_key_directory=/etc/barbican/snakeoil-cas - -# ======================================================== - -[cors] - -# -# From oslo.middleware.cors -# - -# Indicate whether this resource may be shared with the domain -# received in the requests "origin" header. (list value) -#allowed_origin = - -# Indicate that the actual request can include user credentials -# (boolean value) -#allow_credentials = true - -# Indicate which headers are safe to expose to the API. Defaults to -# HTTP Simple Headers. 
(list value) -#expose_headers = X-Auth-Token, X-Openstack-Request-Id, X-Project-Id, X-Identity-Status, X-User-Id, X-Storage-Token, X-Domain-Id, X-User-Domain-Id, X-Project-Domain-Id, X-Roles - -# Maximum cache age of CORS preflight requests. (integer value) -#max_age = 3600 - -# Indicate which methods can be used during the actual request. (list -# value) -#allow_methods = GET,PUT,POST,DELETE,PATCH - -# Indicate which header field names may be used during the actual -# request. (list value) -#allow_headers = X-Auth-Token, X-Openstack-Request-Id, X-Project-Id, X-Identity-Status, X-User-Id, X-Storage-Token, X-Domain-Id, X-User-Domain-Id, X-Project-Domain-Id, X-Roles - - -[cors.subdomain] - -# -# From oslo.middleware.cors -# - -# Indicate whether this resource may be shared with the domain -# received in the requests "origin" header. (list value) -#allowed_origin = - -# Indicate that the actual request can include user credentials -# (boolean value) -#allow_credentials = true - -# Indicate which headers are safe to expose to the API. Defaults to -# HTTP Simple Headers. (list value) -#expose_headers = X-Auth-Token, X-Openstack-Request-Id, X-Project-Id, X-Identity-Status, X-User-Id, X-Storage-Token, X-Domain-Id, X-User-Domain-Id, X-Project-Domain-Id, X-Roles - -# Maximum cache age of CORS preflight requests. (integer value) -#max_age = 3600 - -# Indicate which methods can be used during the actual request. (list -# value) -#allow_methods = GET,PUT,POST,DELETE,PATCH - -# Indicate which header field names may be used during the actual -# request. (list value) -#allow_headers = X-Auth-Token, X-Openstack-Request-Id, X-Project-Id, X-Identity-Status, X-User-Id, X-Storage-Token, X-Domain-Id, X-User-Domain-Id, X-Project-Domain-Id, X-Roles - - -[oslo_middleware] - -# -# From oslo.middleware.http_proxy_to_wsgi -# - -# Wether the application is behind a proxy or not. This determines if -# the middleware should parse the headers or not. 
(boolean value) -#enable_proxy_headers_parsing = false - - -[keystone_authtoken] - -# -# From keystonemiddleware.auth_token -# - -# Complete "public" Identity API endpoint. This endpoint should not be an -# "admin" endpoint, as it should be accessible by all end users. Unauthenticated -# clients are redirected to this endpoint to authenticate. Although this -# endpoint should ideally be unversioned, client support in the wild varies. -# If you're using a versioned v2 endpoint here, then this should *not* be the -# same endpoint the service user utilizes for validating tokens, because normal -# end users may not be able to reach that endpoint. (string value) -#auth_uri = - -# API version of the admin Identity API endpoint. (string value) -#auth_version = - -# Do not handle authorization requests within the middleware, but delegate the -# authorization decision to downstream WSGI components. (boolean value) -#delay_auth_decision = false - -# Request timeout value for communicating with Identity API server. (integer -# value) -#http_connect_timeout = - -# How many times are we trying to reconnect when communicating with Identity API -# Server. (integer value) -#http_request_max_retries = 3 - -# Request environment key where the Swift cache object is stored. When -# auth_token middleware is deployed with a Swift cache, use this option to have -# the middleware share a caching backend with swift. Otherwise, use the -# ``memcached_servers`` option instead. (string value) -#cache = - -# Required if identity server requires client certificate (string value) -#certfile = - -# Required if identity server requires client certificate (string value) -#keyfile = - -# A PEM encoded Certificate Authority to use when verifying HTTPs connections. -# Defaults to system CAs. (string value) -#cafile = - -# Verify HTTPS connections. (boolean value) -#insecure = false - -# The region in which the identity server can be found. 
(string value) -#region_name = - -# Directory used to cache files related to PKI tokens. (string value) -#signing_dir = - -# Optionally specify a list of memcached server(s) to use for caching. If left -# undefined, tokens will instead be cached in-process. (list value) -# Deprecated group/name - [keystone_authtoken]/memcache_servers -#memcached_servers = - -# In order to prevent excessive effort spent validating tokens, the middleware -# caches previously-seen tokens for a configurable duration (in seconds). Set to -# -1 to disable caching completely. (integer value) -#token_cache_time = 300 - -# Determines the frequency at which the list of revoked tokens is retrieved from -# the Identity service (in seconds). A high number of revocation events combined -# with a low cache duration may significantly reduce performance. Only valid for -# PKI tokens. (integer value) -#revocation_cache_time = 10 - -# (Optional) If defined, indicate whether token data should be authenticated or -# authenticated and encrypted. If MAC, token data is authenticated (with HMAC) -# in the cache. If ENCRYPT, token data is encrypted and authenticated in the -# cache. If the value is not one of these options or empty, auth_token will -# raise an exception on initialization. (string value) -# Allowed values: None, MAC, ENCRYPT -#memcache_security_strategy = None - -# (Optional, mandatory if memcache_security_strategy is defined) This string is -# used for key derivation. (string value) -#memcache_secret_key = - -# (Optional) Number of seconds memcached server is considered dead before it is -# tried again. (integer value) -#memcache_pool_dead_retry = 300 - -# (Optional) Maximum total number of open connections to every memcached server. -# (integer value) -#memcache_pool_maxsize = 10 - -# (Optional) Socket timeout in seconds for communicating with a memcached -# server. 
(integer value) -#memcache_pool_socket_timeout = 3 - -# (Optional) Number of seconds a connection to memcached is held unused in the -# pool before it is closed. (integer value) -#memcache_pool_unused_timeout = 60 - -# (Optional) Number of seconds that an operation will wait to get a memcached -# client connection from the pool. (integer value) -#memcache_pool_conn_get_timeout = 10 - -# (Optional) Use the advanced (eventlet safe) memcached client pool. The -# advanced pool will only work under python 2.x. (boolean value) -#memcache_use_advanced_pool = false - -# (Optional) Indicate whether to set the X-Service-Catalog header. If False, -# middleware will not ask for service catalog on token validation and will not -# set the X-Service-Catalog header. (boolean value) -#include_service_catalog = true - -# Used to control the use and type of token binding. Can be set to: "disabled" -# to not check token binding. "permissive" (default) to validate binding -# information if the bind type is of a form known to the server and ignore it if -# not. "strict" like "permissive" but if the bind type is unknown the token will -# be rejected. "required" any form of token binding is needed to be allowed. -# Finally the name of a binding method that must be present in tokens. (string -# value) -#enforce_token_bind = permissive - -# If true, the revocation list will be checked for cached tokens. This requires -# that PKI tokens are configured on the identity server. (boolean value) -#check_revocations_for_cached = false - -# Hash algorithms to use for hashing PKI tokens. This may be a single algorithm -# or multiple. The algorithms are those supported by Python standard -# hashlib.new(). The hashes will be tried in the order given, so put the -# preferred one first for performance. The result of the first hash will be -# stored in the cache. This will typically be set to multiple values only while -# migrating from a less secure algorithm to a more secure one. 
Once all the old -# tokens are expired this option should be set to a single value for better -# performance. (list value) -#hash_algorithms = md5 - -# Authentication type to load (string value) -# Deprecated group/name - [keystone_authtoken]/auth_plugin -#auth_type = - -# Config Section from which to load plugin specific options (string value) -#auth_section = diff --git a/etc/oslo-config-generator/barbican.conf b/etc/oslo-config-generator/barbican.conf new file mode 100644 index 000000000..466924f67 --- /dev/null +++ b/etc/oslo-config-generator/barbican.conf @@ -0,0 +1,21 @@ +[DEFAULT] +output_file = etc/barbican/barbican.conf.sample +namespace = barbican +namespace = barbican.certificate.plugin +namespace = barbican.certificate.plugin.snakeoil +namespace = barbican.common.config +namespace = barbican.plugin.crypto +namespace = barbican.plugin.crypto.p11 +namespace = barbican.plugin.crypto.simple +namespace = barbican.plugin.dogtag +namespace = barbican.plugin.secret_store +namespace = barbican.plugin.secret_store.kmip +namespace = keystonemiddleware.auth_token +namespace = oslo.log +namespace = oslo.messaging +namespace = oslo.middleware.cors +namespace = oslo.middleware.http_proxy_to_wsgi +namespace = oslo.policy +namespace = oslo.service.periodic_task +namespace = oslo.service.sslutils +namespace = oslo.service.wsgi diff --git a/releasenotes/notes/use_oslo_config_generator-f2a9be9e71d90b1f.yaml b/releasenotes/notes/use_oslo_config_generator-f2a9be9e71d90b1f.yaml new file mode 100644 index 000000000..9a6f712e7 --- /dev/null +++ b/releasenotes/notes/use_oslo_config_generator-f2a9be9e71d90b1f.yaml @@ -0,0 +1,4 @@ +--- +other: + - oslo-config-generator is now used to generate a + barbican.conf.sample file diff --git a/setup.cfg b/setup.cfg index 63fb28b22..5164f6184 100644 --- a/setup.cfg +++ b/setup.cfg 
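Review bot: Two namespaces in this list have no matching `oslo.config.opts` entry point in the setup.cfg hunk: `barbican` is not registered at all, and the dogtag options are registered there as `barbican.plugin.dogtag_config_opts`, not `barbican.plugin.dogtag` as listed here, so depending on the oslo.config version the generator will either fail on the missing names or silently produce a sample without the `[dogtag_plugin]` section. Either drop `namespace = barbican` and rename the dogtag line to `namespace = barbican.plugin.dogtag_config_opts`, or change the setup.cfg key to `barbican.plugin.dogtag`; the two files need to agree. Note also that `output_file = etc/barbican/barbican.conf.sample` here is overridden by the `--output-file etc/barbican/barbican.conf` argument in the default tox `commands`, so the sample lands in two different places depending on how it is generated.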
@@ -53,7 +53,18 @@ barbican.certificate.event.plugin = simple_certificate_event = barbican.plugin.simple_certificate_manager:SimpleCertificateEventPlugin barbican.test.crypto.plugin = test_crypto = barbican.tests.crypto.test_plugin:TestCryptoPlugin - +oslo.config.opts = + barbican.common.config = barbican.common.config:list_opts + barbican.plugin.secret_store = barbican.plugin.interface.secret_store:list_opts + barbican.plugin.crypto = barbican.plugin.crypto.manager:list_opts + barbican.plugin.crypto.simple = barbican.plugin.crypto.simple_crypto:list_opts + barbican.plugin.dogtag_config_opts = barbican.plugin.dogtag:list_opts + barbican.plugin.crypto.p11 = barbican.plugin.crypto.p11_crypto:list_opts + barbican.plugin.secret_store.kmip = barbican.plugin.kmip_secret_store:list_opts + barbican.certificate.plugin = barbican.plugin.interface.certificate_manager:list_opts + barbican.certificate.plugin.snakeoil = barbican.plugin.snakeoil_ca:list_opts +oslo.config.opts.defaults = + barbican.common.config = barbican.common.config:set_middleware_defaults [build_sphinx] all_files = 1 build-dir = doc/build diff --git a/tox.ini b/tox.ini index f2c62fcce..36f9d1882 100644 --- a/tox.ini +++ b/tox.ini @@ -10,6 +10,7 @@ deps = -r{toxinidir}/requirements.txt -r{toxinidir}/test-requirements.txt commands = + oslo-config-generator --config-file etc/oslo-config-generator/barbican.conf --output-file etc/barbican/barbican.conf /usr/bin/find . -type f -name "*.py[c|o]" -delete coverage erase python setup.py testr --coverage --testr-args='{posargs}' @@ -35,6 +36,11 @@ commands = # Run security linter bandit -r barbican -x tests -n5 +[testenv:genconfig] +whitelist_externals = bash +commands = + oslo-config-generator --config-file etc/oslo-config-generator/barbican.conf + [testenv:venv] commands = {posargs}
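Review bot: The entry point `barbican.plugin.dogtag_config_opts = barbican.plugin.dogtag:list_opts` points at the `barbican.plugin.dogtag` module, but this patch adds `list_opts` to `barbican/plugin/dogtag_config_opts.py`, so the loader will not find the function unless `dogtag.py` already re-exports it; the line should read `barbican.plugin.dogtag_config_opts = barbican.plugin.dogtag_config_opts:list_opts`. The `oslo.config.opts.defaults` entry references `barbican.common.config:set_middleware_defaults`, which this patch does not add to config.py; if that function does not already exist there, loading the defaults hook will fail at generation time. The namespace names registered here also need to match the list in etc/oslo-config-generator/barbican.conf, which currently uses `barbican.plugin.dogtag` and a bare `barbican`.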
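Review bot: The generator call added to the default `commands` passes `--output-file etc/barbican/barbican.conf`, so every unit-test run writes an untracked `etc/barbican/barbican.conf` into the source tree — the very file this patch deletes from git — while `.gitignore` only covers `barbican.conf.sample` and the `genconfig` env below writes the `.sample` name from the generator config. Dropping the argument, i.e. `oslo-config-generator --config-file etc/oslo-config-generator/barbican.conf`, keeps both paths writing the ignored `.sample` file. If the tests genuinely need a real `barbican.conf`, it should be written under the tox work dir (for example `{toxworkdir}`) rather than into the checkout.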
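Review bot: `[testenv:genconfig]` declares `whitelist_externals = bash`, but its only command is `oslo-config-generator`, which tox resolves from the env's own venv, so the line is dead and can be removed. Leaving this command without `--output-file` is the right choice, since the generator config already names `etc/barbican/barbican.conf.sample`; the default env's command above should follow the same convention.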