openstack/barbican
Code Issues Proposed changes

Update devstack plugin for Secure RBAC

Browse Source 
This patch refactors the devstack plugin to separate the legacy (now
deprecated) RBAC settings from the Secure RBAC (new default) settings.

The legacy policies can still be deployed by setting
ENFORCE_SCOPE=False.

Change-Id: Idec818e43016402de0188cf5ade032a1aee638ff
This commit is contained in:
Douglas Mendizábal 2024-02-16 10:59:11 -05:00
parent 5a458ecc98
commit 8f92d6f508
5 changed files with 108 additions and 87 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
.zuul.yaml
View File

@ -113,6 +113,13 @@
tempest_test_regex: '\[.*\bsmoke\b.*\]|^(barbican_tempest_plugin.tests)'
tox_envlist: all
- job:
name: octavia-v2-dsvm-tls-barbican-secure-rbac
parent: octavia-v2-dsvm-tls-barbican
vars:
devstack_localrc:
ENFORCE_SCOPE: True
- project:
queue: barbican
templates:
@ -134,6 +141,7 @@
- barbican-tox-functional-fips:
voting: false
- octavia-v2-dsvm-tls-barbican
- octavia-v2-dsvm-tls-barbican-secure-rbac
- barbican-tox-py310-with-sqlalchemy-2x
gate:
jobs:

124
devstack/lib/barbican
View File

@ -1,6 +1,7 @@
#!/usr/bin/env bash
# Install and start **Barbican** service
# lib/barbican
# Functions to control the configuration and operation of **Barbican**
# To enable a minimal set of Barbican features, add the following to localrc:
# enable_service barbican-svc barbican-retry barbican-keystone-listener
@ -87,6 +88,21 @@ function configure_barbicanclient {
setup_dev_lib "python-barbicanclient"
}
# Set the correct config options in Nova, Cinder and Glance
function configure_core_services {
if is_service_enabled n-cpu; then
iniset $NOVA_CONF key_manager backend 'barbican'
fi
if is_service_enabled c-vol; then
iniset $CINDER_CONF key_manager backend 'barbican'
fi
if is_service_enabled g-api; then
iniset $GLANCE_API_CONF key_manager backend 'barbican'
fi
}
# configure_dogtag_plugin - Change config to use dogtag plugin
function configure_dogtag_plugin {
sudo openssl pkcs12 -in /root/.dogtag/pki-tomcat/ca_admin_cert.p12 -passin pass:PASSWORD -out $BARBICAN_CONF_DIR/kra_admin_cert.pem -nodes
@ -169,6 +185,10 @@ function configure_barbican {
# Enable the keystone listener
iniset $BARBICAN_CONF keystone_notifications enable True
iniset $BARBICAN_CONF keystone_notifications control_exchange 'keystone'
# Set the Secure RBAC options
iniset $BARBICAN_CONF oslo_policy enforce_scope $BARBICAN_ENFORCE_SCOPE
iniset $BARBICAN_CONF oslo_policy enforce_new_defaults $BARBICAN_ENFORCE_SCOPE
}
# init_barbican - Initialize etc.
@ -234,17 +254,52 @@ function get_id {
echo `"$@" | awk '/ id / { print $4 }'`
}
# create_barbican_accounts() - Sets up required keystone accounts
function create_barbican_accounts {
#
# Setup Default Admin User
#
SERVICE_PROJECT=$(openstack project list | awk "/ $SERVICE_PROJECT_NAME / { print \$2 }")
ADMIN_ROLE=$(openstack role list | awk "/ admin / { print \$2 }")
# create barbican service user
# the "admin" role is created by the keystone bootstrap process so we
# just reference it here.
local admin_role="admin"
create_service_user barbican $admin_role
}
create_service_user barbican $ADMIN_ROLE
#
# Setup Default service-admin User
#
# create_barbican_endpoints() - Sets up keystone endpoints for the barbican
# service.
function create_barbican_endpoints {
BARBICAN_SERVICE=$(get_or_create_service \
"barbican" \
"key-manager" \
"Barbican Key Manager Service")
# create all 3 endpoints (public, admin, internal)
get_or_create_endpoint \
"$BARBICAN_SERVICE" \
"RegionOne" \
"$SERVICE_PROTOCOL://$SERVICE_HOST/key-manager" \
"$SERVICE_PROTOCOL://$SERVICE_HOST/key-manager" \
"$SERVICE_PROTOCOL://$SERVICE_HOST/key-manager"
}
# create_deprecated_rbac_accounts() - Sets up rbac accounts for the deprecated
# legacy policies. Required wieh BARBICAN_ENABLE_SCOPE=False. The following
# accounts will be created:
#
# +---------------------+---------------------------+-----------+
# | user | role | project |
# +---------------------+---------------------------+-----------+
# | service-admin | key-manager:service-admin | service |
# | project_a_admin | admin | project_a |
# | project_a_creator | creator | project_a |
# | project_a_creator_2 | creator | project_a |
# | project_a_observer | observer | project_a |
# | project_a_auditor | audit | project_a |
# | project_b_admin | admin | project_b |
# | project_b_creator | creator | project_b |
# | project_b_observer | observer | project_b |
# | project_b_auditor | audit | project_b |
# +---------------------+---------------------------+-----------+
#
function create_deprecated_rbac_accounts {
# Set up the system-admin
SERVICE_ADMIN=$(get_or_create_user \
"service-admin" \
"$SERVICE_PASSWORD" \
@ -254,10 +309,9 @@ function create_barbican_accounts {
get_or_add_user_project_role \
"$SERVICE_ADMIN_ROLE" \
"$SERVICE_ADMIN" \
"$SERVICE_PROJECT"
#
# Setup RBAC User Projects and Roles
#
"$SERVICE_PROJECT_NAME"
# Set up legacy RBAC User Projects and Roles
PASSWORD="barbican"
PROJECT_A_ID=$(get_or_create_project "project_a" "default")
PROJECT_B_ID=$(get_or_create_project "project_b" "default")
@ -265,100 +319,62 @@ function create_barbican_accounts {
ROLE_CREATOR_ID=$(get_or_create_role "creator")
ROLE_OBSERVER_ID=$(get_or_create_role "observer")
ROLE_AUDIT_ID=$(get_or_create_role "audit")
#
# Setup RBAC Admin of Project A
#
USER_ID=$(get_or_create_user \
"project_a_admin" \
"$PASSWORD" \
"default" \
"admin_a@example.net")
get_or_add_user_project_role "$ROLE_ADMIN_ID" "$USER_ID" "$PROJECT_A_ID"
#
# Setup RBAC Creator of Project A
#
USER_ID=$(get_or_create_user \
"project_a_creator" \
"$PASSWORD" \
"default" \
"creator_a@example.net")
get_or_add_user_project_role "$ROLE_CREATOR_ID" "$USER_ID" "$PROJECT_A_ID"
# Adding second creator user in project_a
USER_ID=$(get_or_create_user \
"project_a_creator_2" \
"$PASSWORD" \
"default" \
"creator2_a@example.net")
get_or_add_user_project_role "$ROLE_CREATOR_ID" "$USER_ID" "$PROJECT_A_ID"
#
# Setup RBAC Observer of Project A
#
USER_ID=$(get_or_create_user \
"project_a_observer" \
"$PASSWORD" \
"default" \
"observer_a@example.net")
get_or_add_user_project_role "$ROLE_OBSERVER_ID" "$USER_ID" "$PROJECT_A_ID"
#
# Setup RBAC Auditor of Project A
#
USER_ID=$(get_or_create_user \
"project_a_auditor" \
"$PASSWORD" \
"default" \
"auditor_a@example.net")
get_or_add_user_project_role "$ROLE_AUDIT_ID" "$USER_ID" "$PROJECT_A_ID"
#
# Setup RBAC Admin of Project B
#
USER_ID=$(get_or_create_user \
"project_b_admin" \
"$PASSWORD" \
"default" \
"admin_b@example.net")
get_or_add_user_project_role "$ROLE_ADMIN_ID" "$USER_ID" "$PROJECT_B_ID"
#
# Setup RBAC Creator of Project B
#
USER_ID=$(get_or_create_user \
"project_b_creator" \
"$PASSWORD" \
"default" \
"creator_b@example.net")
get_or_add_user_project_role "$ROLE_CREATOR_ID" "$USER_ID" "$PROJECT_B_ID"
#
# Setup RBAC Observer of Project B
#
USER_ID=$(get_or_create_user \
"project_b_observer" \
"$PASSWORD" \
"default" \
"observer_b@example.net")
get_or_add_user_project_role "$ROLE_OBSERVER_ID" "$USER_ID" "$PROJECT_B_ID"
#
# Setup RBAC auditor of Project B
#
USER_ID=$(get_or_create_user \
"project_b_auditor" \
"$PASSWORD" \
"default" \
"auditor_b@example.net")
get_or_add_user_project_role "$ROLE_AUDIT_ID" "$USER_ID" "$PROJECT_B_ID"
#
# Setup Barbican Endpoint
#
BARBICAN_SERVICE=$(get_or_create_service \
"barbican" \
"key-manager" \
"Barbican Service")
# This creates all 3 endpoints (public, admin, internal)
get_or_create_endpoint \
"$BARBICAN_SERVICE" \
"RegionOne" \
"$SERVICE_PROTOCOL://$SERVICE_HOST/key-manager" \
"$SERVICE_PROTOCOL://$SERVICE_HOST/key-manager" \
"$SERVICE_PROTOCOL://$SERVICE_HOST/key-manager"
}
# PyKMIP functions

16
devstack/lib/tempest Normal file
View File

@ -0,0 +1,16 @@
function configure_barbican_tempest() {
iniset $TEMPEST_CONFIG service_available barbican True
iniset $TEMPEST_CONFIG enforce_scope barbican $BARBICAN_ENFORCE_SCOPE
if [[ "$BARBICAN_ENFORCE_SCOPE" == "False" ]]; then
# NOTE: legacy policies require the "creator" role
roles="$(iniget $TEMPEST_CONFIG auth tempest_roles)"
if [[ -z $roles ]]; then
roles="creator"
else
roles="$roles,creator"
fi
iniset $TEMPEST_CONFIG auth tempest_roles $roles
fi
}

44
devstack/plugin.sh
View File

@ -1,23 +1,11 @@
# Configure the needed tempest options
function configure_barbican_tempest() {
iniset $TEMPEST_CONFIG service_available barbican True
roles="$(iniget $TEMPEST_CONFIG auth tempest_roles)"
if [[ -z $roles ]]; then
roles="creator"
else
roles="$roles,creator"
fi
iniset $TEMPEST_CONFIG auth tempest_roles $roles
iniset $TEMPEST_CONFIG service_available barbican True
}
# For more information on Devstack plugins, including a more detailed
# explanation on when the different steps are executed please see:
# https://docs.openstack.org/devstack/latest/plugins.html
BARBICAN_PLUGIN=$DEST/barbican/devstack
source $BARBICAN_PLUGIN/lib/barbican
# check for service enabled
if is_service_enabled barbican; then
if [[ "$1" == "source" || "`type -t install_barbican`" != 'function' ]]; then
# Initial source
source $BARBICAN_DIR/devstack/lib/barbican
fi
if [[ "$1" == "stack" && "$2" == "install" ]]; then
echo_summary "Installing Barbican"
stack_install_service barbican
@ -55,6 +43,10 @@ if is_service_enabled barbican; then
if is_service_enabled key; then
create_barbican_accounts
create_barbican_endpoints
if [[ "$BARBICAN_ENFORCE_SCOPE" == "False" ]]; then
create_deprecated_rbac_accounts
fi
fi
elif [[ "$1" == "stack" && "$2" == "extra" ]]; then
echo_summary "Initializing Barbican"
@ -67,6 +59,7 @@ if is_service_enabled barbican; then
elif [[ "$1" == "stack" && "$2" == "test-config" ]]; then
if is_service_enabled tempest; then
echo_summary "Configuring Tempest options for Barbican"
source $BARBICAN_PLUGIN/lib/tempest
configure_barbican_tempest
fi
fi
@ -79,18 +72,3 @@ if is_service_enabled barbican; then
cleanup_barbican
fi
fi
# Set the correct config options in Nova, Cinder and Glance
function configure_core_services {
if is_service_enabled n-cpu; then
iniset $NOVA_CONF key_manager backend 'barbican'
fi
if is_service_enabled c-vol; then
iniset $CINDER_CONF key_manager backend 'barbican'
fi
if is_service_enabled g-api; then
iniset $GLANCE_API_CONF key_manager backend 'barbican'
fi
}

3
devstack/settings
View File

@ -41,4 +41,7 @@ GITREPO["barbican-tempest-plugin"]=${BARBICANTEMPEST_REPO:-${GIT_BASE}/openstack
GITBRANCH["barbican-tempest-plugin"]=${BARBICANTEMPEST_BRANCH:-master}
GITDIR["barbican-tempest-plugin"]=$DEST/barbican-tempest-plugin
# Secure RBAC
BARBICAN_ENFORCE_SCOPE=$(trueorfalse True ENFORCE_SCOPE)
enable_service barbican