Update devstack plugin for Secure RBAC

This patch refactors the devstack plugin to separate the legacy (now
deprecated) RBAC settings from the Secure RBAC (new default) settings.

The legacy policies can still be deployed by setting
ENFORCE_SCOPE=False.

Change-Id: Idec818e43016402de0188cf5ade032a1aee638ff
Douglas Mendizábal 2024-02-16 10:59:11 -05:00
parent 5a458ecc98
commit 8f92d6f508
5 changed files with 108 additions and 87 deletions


@ -113,6 +113,13 @@
tempest_test_regex: '\[.*\bsmoke\b.*\]|^(barbican_tempest_plugin.tests)' tempest_test_regex: '\[.*\bsmoke\b.*\]|^(barbican_tempest_plugin.tests)'
tox_envlist: all tox_envlist: all
- job:
name: octavia-v2-dsvm-tls-barbican-secure-rbac
parent: octavia-v2-dsvm-tls-barbican
vars:
devstack_localrc:
ENFORCE_SCOPE: True
- project: - project:
queue: barbican queue: barbican
templates: templates:
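Review bot: The new octavia-v2-dsvm-tls-barbican-secure-rbac job differs from its parent only by `ENFORCE_SCOPE: True`, which is already the default that the settings file applies through `trueorfalse True ENFORCE_SCOPE`; unless the parent job (defined outside this repo, so not visible here) pins ENFORCE_SCOPE to False, the two jobs would run the same configuration and neither would exercise the legacy-policy path. A `description:` entry stating which RBAC mode the job is meant to cover, e.g. `description: Octavia TLS job against Barbican with Secure RBAC (scope enforcement) enabled.`, would make that intent checkable against the parent's vars.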
@ -134,6 +141,7 @@
- barbican-tox-functional-fips: - barbican-tox-functional-fips:
voting: false voting: false
- octavia-v2-dsvm-tls-barbican - octavia-v2-dsvm-tls-barbican
- octavia-v2-dsvm-tls-barbican-secure-rbac
- barbican-tox-py310-with-sqlalchemy-2x - barbican-tox-py310-with-sqlalchemy-2x
gate: gate:
jobs: jobs:


@ -1,6 +1,7 @@
#!/usr/bin/env bash #!/usr/bin/env bash
# Install and start **Barbican** service # lib/barbican
# Functions to control the configuration and operation of **Barbican**
# To enable a minimal set of Barbican features, add the following to localrc: # To enable a minimal set of Barbican features, add the following to localrc:
# enable_service barbican-svc barbican-retry barbican-keystone-listener # enable_service barbican-svc barbican-retry barbican-keystone-listener
@ -87,6 +88,21 @@ function configure_barbicanclient {
setup_dev_lib "python-barbicanclient" setup_dev_lib "python-barbicanclient"
} }
# Set the correct config options in Nova, Cinder and Glance
function configure_core_services {
if is_service_enabled n-cpu; then
iniset $NOVA_CONF key_manager backend 'barbican'
fi
if is_service_enabled c-vol; then
iniset $CINDER_CONF key_manager backend 'barbican'
fi
if is_service_enabled g-api; then
iniset $GLANCE_API_CONF key_manager backend 'barbican'
fi
}
# configure_dogtag_plugin - Change config to use dogtag plugin # configure_dogtag_plugin - Change config to use dogtag plugin
function configure_dogtag_plugin { function configure_dogtag_plugin {
sudo openssl pkcs12 -in /root/.dogtag/pki-tomcat/ca_admin_cert.p12 -passin pass:PASSWORD -out $BARBICAN_CONF_DIR/kra_admin_cert.pem -nodes sudo openssl pkcs12 -in /root/.dogtag/pki-tomcat/ca_admin_cert.p12 -passin pass:PASSWORD -out $BARBICAN_CONF_DIR/kra_admin_cert.pem -nodes
@ -169,6 +185,10 @@ function configure_barbican {
# Enable the keystone listener # Enable the keystone listener
iniset $BARBICAN_CONF keystone_notifications enable True iniset $BARBICAN_CONF keystone_notifications enable True
iniset $BARBICAN_CONF keystone_notifications control_exchange 'keystone' iniset $BARBICAN_CONF keystone_notifications control_exchange 'keystone'
# Set the Secure RBAC options
iniset $BARBICAN_CONF oslo_policy enforce_scope $BARBICAN_ENFORCE_SCOPE
iniset $BARBICAN_CONF oslo_policy enforce_new_defaults $BARBICAN_ENFORCE_SCOPE
} }
# init_barbican - Initialize etc. # init_barbican - Initialize etc.
@ -234,17 +254,52 @@ function get_id {
echo `"$@" | awk '/ id / { print $4 }'` echo `"$@" | awk '/ id / { print $4 }'`
} }
# create_barbican_accounts() - Sets up required keystone accounts
function create_barbican_accounts { function create_barbican_accounts {
# # create barbican service user
# Setup Default Admin User # the "admin" role is created by the keystone bootstrap process so we
# # just reference it here.
SERVICE_PROJECT=$(openstack project list | awk "/ $SERVICE_PROJECT_NAME / { print \$2 }") local admin_role="admin"
ADMIN_ROLE=$(openstack role list | awk "/ admin / { print \$2 }") create_service_user barbican $admin_role
}
create_service_user barbican $ADMIN_ROLE # create_barbican_endpoints() - Sets up keystone endpoints for the barbican
# # service.
# Setup Default service-admin User function create_barbican_endpoints {
# BARBICAN_SERVICE=$(get_or_create_service \
"barbican" \
"key-manager" \
"Barbican Key Manager Service")
# create all 3 endpoints (public, admin, internal)
get_or_create_endpoint \
"$BARBICAN_SERVICE" \
"RegionOne" \
"$SERVICE_PROTOCOL://$SERVICE_HOST/key-manager" \
"$SERVICE_PROTOCOL://$SERVICE_HOST/key-manager" \
"$SERVICE_PROTOCOL://$SERVICE_HOST/key-manager"
}
# create_deprecated_rbac_accounts() - Sets up rbac accounts for the deprecated
# legacy policies. Required wieh BARBICAN_ENABLE_SCOPE=False. The following
# accounts will be created:
#
# +---------------------+---------------------------+-----------+
# | user | role | project |
# +---------------------+---------------------------+-----------+
# | service-admin | key-manager:service-admin | service |
# | project_a_admin | admin | project_a |
# | project_a_creator | creator | project_a |
# | project_a_creator_2 | creator | project_a |
# | project_a_observer | observer | project_a |
# | project_a_auditor | audit | project_a |
# | project_b_admin | admin | project_b |
# | project_b_creator | creator | project_b |
# | project_b_observer | observer | project_b |
# | project_b_auditor | audit | project_b |
# +---------------------+---------------------------+-----------+
#
function create_deprecated_rbac_accounts {
# Set up the system-admin
SERVICE_ADMIN=$(get_or_create_user \ SERVICE_ADMIN=$(get_or_create_user \
"service-admin" \ "service-admin" \
"$SERVICE_PASSWORD" \ "$SERVICE_PASSWORD" \
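Review bot: The header comment for create_deprecated_rbac_accounts names a variable that does not exist: it says `Required wieh BARBICAN_ENABLE_SCOPE=False`, while the switch that plugin.sh tests and settings defines is BARBICAN_ENFORCE_SCOPE. Suggest `# legacy policies. Required when BARBICAN_ENFORCE_SCOPE=False (ENFORCE_SCOPE=False in localrc). The following`. The same comment could also say that these users are test-only fixtures sharing the static PASSWORD set in the body, so nobody mistakes them for accounts to carry into a real deployment. Minor: `create_service_user barbican "$admin_role"` in create_barbican_accounts keeps the quoting consistent with the other calls in the file. The body of create_deprecated_rbac_accounts continues past the end of this hunk.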
@ -254,10 +309,9 @@ function create_barbican_accounts {
get_or_add_user_project_role \ get_or_add_user_project_role \
"$SERVICE_ADMIN_ROLE" \ "$SERVICE_ADMIN_ROLE" \
"$SERVICE_ADMIN" \ "$SERVICE_ADMIN" \
"$SERVICE_PROJECT" "$SERVICE_PROJECT_NAME"
#
# Setup RBAC User Projects and Roles # Set up legacy RBAC User Projects and Roles
#
PASSWORD="barbican" PASSWORD="barbican"
PROJECT_A_ID=$(get_or_create_project "project_a" "default") PROJECT_A_ID=$(get_or_create_project "project_a" "default")
PROJECT_B_ID=$(get_or_create_project "project_b" "default") PROJECT_B_ID=$(get_or_create_project "project_b" "default")
@ -265,100 +319,62 @@ function create_barbican_accounts {
ROLE_CREATOR_ID=$(get_or_create_role "creator") ROLE_CREATOR_ID=$(get_or_create_role "creator")
ROLE_OBSERVER_ID=$(get_or_create_role "observer") ROLE_OBSERVER_ID=$(get_or_create_role "observer")
ROLE_AUDIT_ID=$(get_or_create_role "audit") ROLE_AUDIT_ID=$(get_or_create_role "audit")
#
# Setup RBAC Admin of Project A
#
USER_ID=$(get_or_create_user \ USER_ID=$(get_or_create_user \
"project_a_admin" \ "project_a_admin" \
"$PASSWORD" \ "$PASSWORD" \
"default" \ "default" \
"admin_a@example.net") "admin_a@example.net")
get_or_add_user_project_role "$ROLE_ADMIN_ID" "$USER_ID" "$PROJECT_A_ID" get_or_add_user_project_role "$ROLE_ADMIN_ID" "$USER_ID" "$PROJECT_A_ID"
#
# Setup RBAC Creator of Project A
#
USER_ID=$(get_or_create_user \ USER_ID=$(get_or_create_user \
"project_a_creator" \ "project_a_creator" \
"$PASSWORD" \ "$PASSWORD" \
"default" \ "default" \
"creator_a@example.net") "creator_a@example.net")
get_or_add_user_project_role "$ROLE_CREATOR_ID" "$USER_ID" "$PROJECT_A_ID" get_or_add_user_project_role "$ROLE_CREATOR_ID" "$USER_ID" "$PROJECT_A_ID"
# Adding second creator user in project_a
USER_ID=$(get_or_create_user \ USER_ID=$(get_or_create_user \
"project_a_creator_2" \ "project_a_creator_2" \
"$PASSWORD" \ "$PASSWORD" \
"default" \ "default" \
"creator2_a@example.net") "creator2_a@example.net")
get_or_add_user_project_role "$ROLE_CREATOR_ID" "$USER_ID" "$PROJECT_A_ID" get_or_add_user_project_role "$ROLE_CREATOR_ID" "$USER_ID" "$PROJECT_A_ID"
#
# Setup RBAC Observer of Project A
#
USER_ID=$(get_or_create_user \ USER_ID=$(get_or_create_user \
"project_a_observer" \ "project_a_observer" \
"$PASSWORD" \ "$PASSWORD" \
"default" \ "default" \
"observer_a@example.net") "observer_a@example.net")
get_or_add_user_project_role "$ROLE_OBSERVER_ID" "$USER_ID" "$PROJECT_A_ID" get_or_add_user_project_role "$ROLE_OBSERVER_ID" "$USER_ID" "$PROJECT_A_ID"
#
# Setup RBAC Auditor of Project A
#
USER_ID=$(get_or_create_user \ USER_ID=$(get_or_create_user \
"project_a_auditor" \ "project_a_auditor" \
"$PASSWORD" \ "$PASSWORD" \
"default" \ "default" \
"auditor_a@example.net") "auditor_a@example.net")
get_or_add_user_project_role "$ROLE_AUDIT_ID" "$USER_ID" "$PROJECT_A_ID" get_or_add_user_project_role "$ROLE_AUDIT_ID" "$USER_ID" "$PROJECT_A_ID"
#
# Setup RBAC Admin of Project B
#
USER_ID=$(get_or_create_user \ USER_ID=$(get_or_create_user \
"project_b_admin" \ "project_b_admin" \
"$PASSWORD" \ "$PASSWORD" \
"default" \ "default" \
"admin_b@example.net") "admin_b@example.net")
get_or_add_user_project_role "$ROLE_ADMIN_ID" "$USER_ID" "$PROJECT_B_ID" get_or_add_user_project_role "$ROLE_ADMIN_ID" "$USER_ID" "$PROJECT_B_ID"
#
# Setup RBAC Creator of Project B
#
USER_ID=$(get_or_create_user \ USER_ID=$(get_or_create_user \
"project_b_creator" \ "project_b_creator" \
"$PASSWORD" \ "$PASSWORD" \
"default" \ "default" \
"creator_b@example.net") "creator_b@example.net")
get_or_add_user_project_role "$ROLE_CREATOR_ID" "$USER_ID" "$PROJECT_B_ID" get_or_add_user_project_role "$ROLE_CREATOR_ID" "$USER_ID" "$PROJECT_B_ID"
#
# Setup RBAC Observer of Project B
#
USER_ID=$(get_or_create_user \ USER_ID=$(get_or_create_user \
"project_b_observer" \ "project_b_observer" \
"$PASSWORD" \ "$PASSWORD" \
"default" \ "default" \
"observer_b@example.net") "observer_b@example.net")
get_or_add_user_project_role "$ROLE_OBSERVER_ID" "$USER_ID" "$PROJECT_B_ID" get_or_add_user_project_role "$ROLE_OBSERVER_ID" "$USER_ID" "$PROJECT_B_ID"
#
# Setup RBAC auditor of Project B
#
USER_ID=$(get_or_create_user \ USER_ID=$(get_or_create_user \
"project_b_auditor" \ "project_b_auditor" \
"$PASSWORD" \ "$PASSWORD" \
"default" \ "default" \
"auditor_b@example.net") "auditor_b@example.net")
get_or_add_user_project_role "$ROLE_AUDIT_ID" "$USER_ID" "$PROJECT_B_ID" get_or_add_user_project_role "$ROLE_AUDIT_ID" "$USER_ID" "$PROJECT_B_ID"
#
# Setup Barbican Endpoint
#
BARBICAN_SERVICE=$(get_or_create_service \
"barbican" \
"key-manager" \
"Barbican Service")
# This creates all 3 endpoints (public, admin, internal)
get_or_create_endpoint \
"$BARBICAN_SERVICE" \
"RegionOne" \
"$SERVICE_PROTOCOL://$SERVICE_HOST/key-manager" \
"$SERVICE_PROTOCOL://$SERVICE_HOST/key-manager" \
"$SERVICE_PROTOCOL://$SERVICE_HOST/key-manager"
} }
# PyKMIP functions # PyKMIP functions

16
devstack/lib/tempest Normal file

@ -0,0 +1,16 @@
function configure_barbican_tempest() {
iniset $TEMPEST_CONFIG service_available barbican True
iniset $TEMPEST_CONFIG enforce_scope barbican $BARBICAN_ENFORCE_SCOPE
if [[ "$BARBICAN_ENFORCE_SCOPE" == "False" ]]; then
# NOTE: legacy policies require the "creator" role
roles="$(iniget $TEMPEST_CONFIG auth tempest_roles)"
if [[ -z $roles ]]; then
roles="creator"
else
roles="$roles,creator"
fi
iniset $TEMPEST_CONFIG auth tempest_roles $roles
fi
}
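Review bot: `roles` in configure_barbican_tempest is assigned without `local`, so once plugin.sh sources this file the variable leaks into the plugin's environment; declare it with `local roles` before the iniget call. The final `iniset $TEMPEST_CONFIG auth tempest_roles $roles` passes the value unquoted, so `iniset "$TEMPEST_CONFIG" auth tempest_roles "$roles"` is the safer form and matches shellcheck's advice. The `== "False"` comparison only works because settings normalises the flag through trueorfalse; a short comment, `# BARBICAN_ENFORCE_SCOPE is normalised to True/False by trueorfalse in settings`, would record that dependency. The new file also lacks the header comment block that lib/barbican carries.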


@ -1,23 +1,11 @@
# Configure the needed tempest options # For more information on Devstack plugins, including a more detailed
function configure_barbican_tempest() { # explanation on when the different steps are executed please see:
iniset $TEMPEST_CONFIG service_available barbican True # https://docs.openstack.org/devstack/latest/plugins.html
roles="$(iniget $TEMPEST_CONFIG auth tempest_roles)"
if [[ -z $roles ]]; then BARBICAN_PLUGIN=$DEST/barbican/devstack
roles="creator" source $BARBICAN_PLUGIN/lib/barbican
else
roles="$roles,creator"
fi
iniset $TEMPEST_CONFIG auth tempest_roles $roles
iniset $TEMPEST_CONFIG service_available barbican True
}
# check for service enabled
if is_service_enabled barbican; then if is_service_enabled barbican; then
if [[ "$1" == "source" || "`type -t install_barbican`" != 'function' ]]; then
# Initial source
source $BARBICAN_DIR/devstack/lib/barbican
fi
if [[ "$1" == "stack" && "$2" == "install" ]]; then if [[ "$1" == "stack" && "$2" == "install" ]]; then
echo_summary "Installing Barbican" echo_summary "Installing Barbican"
stack_install_service barbican stack_install_service barbican
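Review bot: The plugin now locates its libraries through `BARBICAN_PLUGIN=$DEST/barbican/devstack`, whereas the removed line sourced `$BARBICAN_DIR/devstack/lib/barbican`; if BARBICAN_DIR is still user-overridable in settings (not visible in this page), a deployment that points it elsewhere would source lib/barbican from a different checkout than the one being installed. Deriving the path from the same variable, `BARBICAN_PLUGIN=${BARBICAN_DIR:-$DEST/barbican}/devstack`, keeps the two in step, and the later hunk that sources lib/tempest would pick the fix up automatically. Sourcing lib/barbican unconditionally at the top, outside the is_service_enabled check, appears intended and is harmless since it only defines functions.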
@ -55,6 +43,10 @@ if is_service_enabled barbican; then
if is_service_enabled key; then if is_service_enabled key; then
create_barbican_accounts create_barbican_accounts
create_barbican_endpoints
if [[ "$BARBICAN_ENFORCE_SCOPE" == "False" ]]; then
create_deprecated_rbac_accounts
fi
fi fi
elif [[ "$1" == "stack" && "$2" == "extra" ]]; then elif [[ "$1" == "stack" && "$2" == "extra" ]]; then
echo_summary "Initializing Barbican" echo_summary "Initializing Barbican"
@ -67,6 +59,7 @@ if is_service_enabled barbican; then
elif [[ "$1" == "stack" && "$2" == "test-config" ]]; then elif [[ "$1" == "stack" && "$2" == "test-config" ]]; then
if is_service_enabled tempest; then if is_service_enabled tempest; then
echo_summary "Configuring Tempest options for Barbican" echo_summary "Configuring Tempest options for Barbican"
source $BARBICAN_PLUGIN/lib/tempest
configure_barbican_tempest configure_barbican_tempest
fi fi
fi fi
@ -79,18 +72,3 @@ if is_service_enabled barbican; then
cleanup_barbican cleanup_barbican
fi fi
fi fi
# Set the correct config options in Nova, Cinder and Glance
function configure_core_services {
if is_service_enabled n-cpu; then
iniset $NOVA_CONF key_manager backend 'barbican'
fi
if is_service_enabled c-vol; then
iniset $CINDER_CONF key_manager backend 'barbican'
fi
if is_service_enabled g-api; then
iniset $GLANCE_API_CONF key_manager backend 'barbican'
fi
}


@ -41,4 +41,7 @@ GITREPO["barbican-tempest-plugin"]=${BARBICANTEMPEST_REPO:-${GIT_BASE}/openstack
GITBRANCH["barbican-tempest-plugin"]=${BARBICANTEMPEST_BRANCH:-master} GITBRANCH["barbican-tempest-plugin"]=${BARBICANTEMPEST_BRANCH:-master}
GITDIR["barbican-tempest-plugin"]=$DEST/barbican-tempest-plugin GITDIR["barbican-tempest-plugin"]=$DEST/barbican-tempest-plugin
# Secure RBAC
BARBICAN_ENFORCE_SCOPE=$(trueorfalse True ENFORCE_SCOPE)
enable_service barbican enable_service barbican
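Review bot: The `# Secure RBAC` comment above BARBICAN_ENFORCE_SCOPE says nothing about what the flag controls, yet this single variable now drives oslo_policy enforce_scope and enforce_new_defaults in lib/barbican, the tempest enforce_scope setting, and whether the legacy project_a/project_b accounts are created at all. Suggest `# Secure RBAC: set ENFORCE_SCOPE=False in localrc to fall back to the deprecated legacy policies (this also creates the legacy test accounts).` so the localrc knob is documented where it is defined. Because trueorfalse normalises the value to the literal strings True/False, the `== "False"` comparisons elsewhere in the plugin depend on this line remaining the only place the variable is set.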