Use keystone auth plugin

keystonemiddleware admin settings are deprecated
so we should stop using them in favor of a keystone
auth plugin. This patch updates the config file
to use keystone API v3 by default.

Change-Id: I9d10ac29ab33cbdd845573106960e5f181afdb69
Closes-Bug: 1579801

devstack/lib/barbican

@@ -134,14 +134,20 @@ function configure_barbican {
     # Turn on the middleware
     iniset $BARBICAN_PASTE_CONF 'pipeline:barbican_api' pipeline 'barbican-api-keystone'
 
+    # Keystone complete URIs
+    KEYSTONE_AUTH_URI=${KEYSTONE_AUTH_PROTOCOL}://${KEYSTONE_AUTH_HOST}:${KEYSTONE_AUTH_PORT}/v3
+    KEYSTONE_SERVICE_URI=${KEYSTONE_SERVICE_PROTOCOL}://${KEYSTONE_SERVICE_HOST}:${KEYSTONE_SERVICE_PORT}/v3
+
     # Set the keystone parameters
-    iniset $BARBICAN_PASTE_CONF 'filter:keystone_authtoken' auth_protocol $KEYSTONE_AUTH_PROTOCOL
-    iniset $BARBICAN_PASTE_CONF 'filter:keystone_authtoken' auth_host $KEYSTONE_AUTH_HOST
-    iniset $BARBICAN_PASTE_CONF 'filter:keystone_authtoken' auth_port $KEYSTONE_AUTH_PORT
-    iniset $BARBICAN_PASTE_CONF 'filter:keystone_authtoken' admin_user barbican
-    iniset $BARBICAN_PASTE_CONF 'filter:keystone_authtoken' admin_password $SERVICE_PASSWORD
-    iniset $BARBICAN_PASTE_CONF 'filter:keystone_authtoken' admin_tenant_name $SERVICE_PROJECT_NAME
-    iniset $BARBICAN_PASTE_CONF 'filter:keystone_authtoken' signing_dir $BARBICAN_AUTH_CACHE_DIR
+    iniset $BARBICAN_PASTE_CONF 'filter:authtoken' auth_plugin password
+    iniset $BARBICAN_PASTE_CONF 'filter:authtoken' auth_url $KEYSTONE_AUTH_URI
+    iniset $BARBICAN_PASTE_CONF 'filter:authtoken' username barbican
+    iniset $BARBICAN_PASTE_CONF 'filter:authtoken' password $SERVICE_PASSWORD
+    iniset $BARBICAN_PASTE_CONF 'filter:authtoken' user_domain_id default
+    iniset $BARBICAN_PASTE_CONF 'filter:authtoken' project_name $SERVICE_PROJECT_NAME
+    iniset $BARBICAN_PASTE_CONF 'filter:authtoken' project_domain_id default
+    iniset $BARBICAN_PASTE_CONF 'filter:authtoken' auth_uri $KEYSTONE_SERVICE_URI
+    iniset $BARBICAN_PASTE_CONF 'filter:authtoken' signing_dir $BARBICAN_AUTH_CACHE_DIR
 }
 
 # init_barbican - Initialize etc.

doc/source/setup/keystone.rst

@@ -27,26 +27,32 @@ the get version call.
 1. Turn off any active instances of Barbican
 2. Edit ``/etc/barbican/barbican-api-paste.ini``
 
-   1. Replace the ``barbican_api`` pipeline with an authenticated pipeline
+   1. Change the pipeline ``/v1`` value from unauthenticated ``barbican-api``
+      to the authenticated ``barbican-api-keystone``
 
     .. code-block:: ini
 
-        [pipeline:barbican_api]
-        pipeline = keystone_authtoken context apiapp
+        [composite:main]
+        use = egg:Paste#urlmap
+        /: barbican_version
+        /v1: barbican-api-keystone
 
-   2. Replace ``keystone_authtoken`` filter values to match your Keystone
+   2. Replace ``authtoken`` filter values to match your Keystone
       setup
 
     .. code-block:: ini
 
-       [filter:keystone_authtoken]
+       [filter:authtoken]
        paste.filter_factory = keystonemiddleware.auth_token:filter_factory
        signing_dir = /tmp/barbican/cache
-       identity_uri = http://{YOUR_KEYSTONE_ENDPOINT}:35357
-       admin_tenant_name = service
-       admin_user = {YOUR_KEYSTONE_USERNAME}
-       admin_password = {YOUR_KEYSTONE_PASSWORD}
-       auth_version = v2.0
+       auth_uri = http://{YOUR_KEYSTONE_ENDPOINT}:5000/v3
+       auth_url = http://{YOUR_KEYSTONE_ENDPOINT}:35357/v3
+       auth_plugin = password
+       username = {YOUR_KEYSTONE_USERNAME}
+       password = {YOUR_KEYSTONE_PASSWORD}
+       user_domain_id = {YOUR_KEYSTONE_USER_DOMAIN}
+       project_name = {YOUR_KEYSTONE_PROJECT}
+       project_domain_id = {YOUR_KEYSTONE_PROJECT_DOMAIN}
 
 3. Start Barbican ``{barbican_home}/bin/barbican.sh start``
 

etc/barbican/barbican-api-paste.ini

@@ -18,11 +18,11 @@ pipeline = cors unauthenticated-context egg:Paste#cgitb egg:Paste#httpexceptions
 
 #Use this pipeline for keystone auth
 [pipeline:barbican-api-keystone]
-pipeline = cors keystone_authtoken context apiapp
+pipeline = cors authtoken context apiapp
 
 #Use this pipeline for keystone auth with audit feature
 [pipeline:barbican-api-keystone-audit]
-pipeline = keystone_authtoken context audit apiapp
+pipeline = authtoken context audit apiapp
 
 [app:apiapp]
 paste.app_factory = barbican.api.app:create_main_app
@@ -43,14 +43,17 @@ paste.filter_factory = barbican.api.middleware.context:ContextMiddleware.factory
 paste.filter_factory = keystonemiddleware.audit:filter_factory
 audit_map_file = /etc/barbican/api_audit_map.conf
 
-[filter:keystone_authtoken]
+[filter:authtoken]
 paste.filter_factory = keystonemiddleware.auth_token:filter_factory
+auth_uri = http://localhost:5000/v3
+auth_plugin = password
 #need ability to re-auth a token, thus admin url
-identity_uri = http://localhost:35357
-admin_tenant_name = service
-admin_user = barbican
-admin_password = orange
-auth_version = v3.0
+auth_url = http://localhost:35357/v3
+username = barbican
+password = orange
+user_domain_id = default
+project_name = service
+project_domain_id = default
 #delay failing perhaps to log the unauthorized request in barbican ..
 #delay_auth_decision = true
 # signing_dir is configurable, but the default behavior of the authtoken