diff --git a/devstack/lib/barbican b/devstack/lib/barbican index 798743fb2..6373e1d28 100644 --- a/devstack/lib/barbican +++ b/devstack/lib/barbican @@ -134,14 +134,20 @@ function configure_barbican { # Turn on the middleware iniset $BARBICAN_PASTE_CONF 'pipeline:barbican_api' pipeline 'barbican-api-keystone' + # Keystone complete URIs + KEYSTONE_AUTH_URI=${KEYSTONE_AUTH_PROTOCOL}://${KEYSTONE_AUTH_HOST}:${KEYSTONE_AUTH_PORT}/v3 + KEYSTONE_SERVICE_URI=${KEYSTONE_SERVICE_PROTOCOL}://${KEYSTONE_SERVICE_HOST}:${KEYSTONE_SERVICE_PORT}/v3 + # Set the keystone parameters - iniset $BARBICAN_PASTE_CONF 'filter:keystone_authtoken' auth_protocol $KEYSTONE_AUTH_PROTOCOL - iniset $BARBICAN_PASTE_CONF 'filter:keystone_authtoken' auth_host $KEYSTONE_AUTH_HOST - iniset $BARBICAN_PASTE_CONF 'filter:keystone_authtoken' auth_port $KEYSTONE_AUTH_PORT - iniset $BARBICAN_PASTE_CONF 'filter:keystone_authtoken' admin_user barbican - iniset $BARBICAN_PASTE_CONF 'filter:keystone_authtoken' admin_password $SERVICE_PASSWORD - iniset $BARBICAN_PASTE_CONF 'filter:keystone_authtoken' admin_tenant_name $SERVICE_PROJECT_NAME - iniset $BARBICAN_PASTE_CONF 'filter:keystone_authtoken' signing_dir $BARBICAN_AUTH_CACHE_DIR + iniset $BARBICAN_PASTE_CONF 'filter:authtoken' auth_plugin password + iniset $BARBICAN_PASTE_CONF 'filter:authtoken' auth_url $KEYSTONE_AUTH_URI + iniset $BARBICAN_PASTE_CONF 'filter:authtoken' username barbican + iniset $BARBICAN_PASTE_CONF 'filter:authtoken' password $SERVICE_PASSWORD + iniset $BARBICAN_PASTE_CONF 'filter:authtoken' user_domain_id default + iniset $BARBICAN_PASTE_CONF 'filter:authtoken' project_name $SERVICE_PROJECT_NAME + iniset $BARBICAN_PASTE_CONF 'filter:authtoken' project_domain_id default + iniset $BARBICAN_PASTE_CONF 'filter:authtoken' auth_uri $KEYSTONE_SERVICE_URI + iniset $BARBICAN_PASTE_CONF 'filter:authtoken' signing_dir $BARBICAN_AUTH_CACHE_DIR } # init_barbican - Initialize etc. 
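Review bot: The two new assignments `KEYSTONE_AUTH_URI=...` and `KEYSTONE_SERVICE_URI=...` are made without `local`, so they become shell globals. If DevStack's Keystone library already defines variables with these names (it appears to), every service configured after Barbican would see the `/v3`-suffixed values. Declaring them function-local under Barbican-specific names avoids that, e.g. `local barbican_auth_url=${KEYSTONE_AUTH_PROTOCOL}://${KEYSTONE_AUTH_HOST}:${KEYSTONE_AUTH_PORT}/v3`. The value on the `password` line is also unquoted; `"$SERVICE_PASSWORD"` keeps a password containing spaces or glob characters intact when it is written to the paste config. configure_barbican starts above this hunk, so any earlier handling of these variables is not visible here.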
diff --git a/doc/source/setup/keystone.rst b/doc/source/setup/keystone.rst index 1caf03fd2..57f0fe9d0 100644 --- a/doc/source/setup/keystone.rst +++ b/doc/source/setup/keystone.rst @@ -27,26 +27,32 @@ the get version call. 1. Turn off any active instances of Barbican 2. Edit ``/etc/barbican/barbican-api-paste.ini`` - 1. Replace the ``barbican_api`` pipeline with an authenticated pipeline + 1. Change the pipeline ``/v1`` value from unauthenticated ``barbican-api`` + to the authenticated ``barbican-api-keystone`` .. code-block:: ini - [pipeline:barbican_api] - pipeline = keystone_authtoken context apiapp + [composite:main] + use = egg:Paste#urlmap + /: barbican_version + /v1: barbican-api-keystone - 2. Replace ``keystone_authtoken`` filter values to match your Keystone + 2. Replace ``authtoken`` filter values to match your Keystone setup .. code-block:: ini - [filter:keystone_authtoken] + [filter:authtoken] paste.filter_factory = keystonemiddleware.auth_token:filter_factory signing_dir = /tmp/barbican/cache - identity_uri = http://{YOUR_KEYSTONE_ENDPOINT}:35357 - admin_tenant_name = service - admin_user = {YOUR_KEYSTONE_USERNAME} - admin_password = {YOUR_KEYSTONE_PASSWORD} - auth_version = v2.0 + auth_uri = http://{YOUR_KEYSTONE_ENDPOINT}:5000/v3 + auth_url = http://{YOUR_KEYSTONE_ENDPOINT}:35357/v3 + auth_plugin = password + username = {YOUR_KEYSTONE_USERNAME} + password = {YOUR_KEYSTONE_PASSWORD} + user_domain_id = {YOUR_KEYSTONE_USER_DOMAIN} + project_name = {YOUR_KEYSTONE_PROJECT} + project_domain_id = {YOUR_KEYSTONE_PROJECT_DOMAIN} 3. Start Barbican ``{barbican_home}/bin/barbican.sh start`` diff --git a/etc/barbican/barbican-api-paste.ini b/etc/barbican/barbican-api-paste.ini index f039a75ca..01ddecce8 100644 --- a/etc/barbican/barbican-api-paste.ini +++ b/etc/barbican/barbican-api-paste.ini 
@@ -18,11 +18,11 @@ pipeline = cors unauthenticated-context egg:Paste#cgitb egg:Paste#httpexceptions #Use this pipeline for keystone auth [pipeline:barbican-api-keystone] -pipeline = cors keystone_authtoken context apiapp +pipeline = cors authtoken context apiapp #Use this pipeline for keystone auth with audit feature [pipeline:barbican-api-keystone-audit] -pipeline = keystone_authtoken context audit apiapp +pipeline = authtoken context audit apiapp [app:apiapp] paste.app_factory = barbican.api.app:create_main_app @@ -43,14 +43,17 @@ paste.filter_factory = barbican.api.middleware.context:ContextMiddleware.factory paste.filter_factory = keystonemiddleware.audit:filter_factory audit_map_file = /etc/barbican/api_audit_map.conf -[filter:keystone_authtoken] +[filter:authtoken] paste.filter_factory = keystonemiddleware.auth_token:filter_factory +auth_uri = http://localhost:5000/v3 +auth_plugin = password #need ability to re-auth a token, thus admin url -identity_uri = http://localhost:35357 -admin_tenant_name = service -admin_user = barbican -admin_password = orange -auth_version = v3.0 +auth_url = http://localhost:35357/v3 +username = barbican +password = orange +user_domain_id = default +project_name = service +project_domain_id = default #delay failing perhaps to log the unauthorized request in barbican .. #delay_auth_decision = true # signing_dir is configurable, but the default behavior of the authtoken
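Review bot: The rewritten `[filter:authtoken]` section still ships a fixed service credential (`password = orange`) and points both `auth_uri` and `auth_url` at `http://` endpoints. A deployment that copies this file unchanged would authenticate to Keystone with a publicly known password sent in cleartext. Since the section is being rewritten anyway, a comment above the credential lines would make that explicit, e.g. `# Sample values only: set a unique password and use https:// endpoints outside a local dev setup`. Because the file holds a plaintext password, a second comment noting that it should be readable only by the Barbican service user would also help. The existing comment `#need ability to re-auth a token, thus admin url` now sits between `auth_plugin` and `auth_url`; it would read more clearly if `auth_plugin` were moved so the comment directly follows `auth_uri` and precedes `auth_url` only.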