openstack/barbican
Code Issues Proposed changes

Merge "Authorized API Requests"

Browse Source
This commit is contained in:
Jenkins 2015-12-04 18:39:03 +00:00 committed by Gerrit Code Review
commit 934b956393
11 changed files with 81 additions and 52 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
doc/source/api/reference/certificates.rst
View File

@ -106,7 +106,7 @@ see the :doc:`Certificate User's Guide <../userguide/certificates>`.
POST /v1/orders
Headers:
Content-Type: application/json
X-Project-Id: {project_id}
X-Auth-Token: <token>
Content:
{

8
doc/source/api/reference/consumers.rst
View File

@ -31,7 +31,7 @@ Request:
GET {container_ref}/consumers
Headers:
X-Project-Id: {project_id}
X-Auth-Token: <token>
Response:
*********
@ -74,7 +74,7 @@ Request:
GET {container_ref}/consumers?limit=1&offset=1
Headers:
X-Project-Id: {project_id}
X-Auth-Token: <token>
.. code-block:: javascript
@ -156,7 +156,7 @@ Request:
POST {container_ref}/consumers
Headers:
X-Project-Id: {project_id}
X-Auth-Token: <token>
Content:
{
@ -238,7 +238,7 @@ Request:
POST {container_ref}/consumers
Headers:
X-Project-Id: {project_id}
X-Auth-Token: <token>
Content:
{

8
doc/source/api/reference/containers.rst
View File

@ -52,7 +52,7 @@ Request:
GET /v1/containers
Headers:
X-Project-Id: {project_id}
X-Auth-Token: <token>
Request:
@ -118,7 +118,7 @@ Request:
GET /v1/containers/{uuid}
Headers:
X-Project-Id: {project_id}
X-Auth-Token: <token>
Response:
*********
@ -202,7 +202,7 @@ Request:
POST /v1/containers
Headers:
X-Project-Id: {project_id}
X-Auth-Token: <token>
Content:
{
@ -255,7 +255,7 @@ Request:
DELETE /v1/containers/{container_uuid}
Headers:
X-Project-Id: {project_id}
X-Auth-Token: <token>
Response:
*********

12
doc/source/api/reference/secrets.rst
View File

@ -135,7 +135,7 @@ Request:
POST /v1/secrets
Headers:
Content-Type: application/json
X-Project-Id: {project_id}
X-Auth-Token: <token>
Content:
{
@ -204,7 +204,7 @@ Metadata Request:
GET /v1/secrets/{uuid}
Headers:
Accept: application/json
X-Project-Id: {project_id}
X-Auth-Token: <token>
Metadata Response:
@ -238,7 +238,7 @@ Payload Request:
GET /v1/secrets/{uuid}
Headers:
Accept: application/octet-stream
X-Project-Id: {project_id}
X-Auth-Token: <token>
Payload Response:
@ -298,7 +298,7 @@ Request:
PUT /v1/secrets/{uuid}
Headers:
X-Project-Id: {project_id}
X-Auth-Token: <token>
Content-Type: application/octet-stream
Content-Encoding: base64
@ -339,7 +339,7 @@ Request:
DELETE /v1/secrets/{uuid}
Headers:
X-Project-Id: {project_id}
X-Auth-Token: <token>
Response:
*********
@ -380,7 +380,7 @@ Request:
GET /v1/secrets/{uuid}/payload
Headers:
Accept: text/plain
X-Project-Id: {project_id}
X-Auth-Token: <token>
Response:
*********

22
doc/source/api/userguide/cas.rst
View File

@ -35,7 +35,7 @@ resource:
.. code-block:: bash
curl -H 'content-type:application/json' -H 'X-Project-Id:12345' \
curl -H "content-type:application/json" -H "X-Auth-Token: $TOKEN" \
http://localhost:9311/v1/cas
This should provide a response like the following:
@ -53,7 +53,7 @@ More details on each CA can be obtained by querying the specific CA:
.. code-block:: bash
curl -H 'content-type:application/json' -H 'X-Project-Id:12345' \
curl -H "content-type:application/json" -H "X-Auth-Token: $TOKEN" \
http://localhost:9311/v1/cas/3a2a533d-ed4d-4c68-a418-2ee79f4c9581
The output shows the status of the CA and the plugin used to communicate with it:
@ -79,7 +79,7 @@ client), use the cacert sub-resource:
.. code-block:: bash
curl -H 'content-type:application/json' -H 'X-Project-Id:12345' \
curl -H "content-type:application/json" -H "X-Auth-Token: $TOKEN" \
http://localhost:9311/v1/cas/3a2a533d-ed4d-4c68-a418-2ee79f4c9581/cacert
To get the PKCS#7 certificate chain (which contains the signing certificate and
@ -87,7 +87,7 @@ all intermediate certificates), use the intermediates sub-resource.
.. code-block:: bash
curl -H 'content-type:application/json' -H 'X-Project-Id:12345' \
curl -H "content-type:application/json" -H "X-Auth-Token: $TOKEN" \
http://localhost:9311/v1/cas/3a2a533d-ed4d-4c68-a418-2ee79f4c9581/intermediates
.. _managing_project_cas:
@ -105,14 +105,14 @@ To add a CA to a particular project, a project administrator would do:
.. code-block:: bash
curl -X POST -H 'content-type:application/json' -H 'X-Project-Id:12345' \
curl -X POST -H "content-type:application/json" -H "X-Auth-Token: $TOKEN" \
http://localhost:9311/v1/cas/3a2a533d-ed4d-4c68-a418-2ee79f4c9581/add-to-project
To remove the CA from the set of project CAs, a project administrator would do:
.. code-block:: bash
curl -X POST -H 'content-type:application/json' -H 'X-Project-Id:12345' \
curl -X POST -H "content-type:application/json" -H "X-Auth-Token: $TOKEN" \
http://localhost:9311/v1/cas/3a2a533d-ed4d-4c68-a418-2ee79f4c9581/remove-from-project
The first CA added to the project will be designated as the preferred CA. This
@ -122,7 +122,7 @@ CA as the preferred CA as follows:
.. code-block:: bash
curl -X POST -H 'content-type:application/json' -H 'X-Project-Id:12345' \
curl -X POST -H "content-type:application/json" -H "X-Auth-Token: $TOKEN" \
http://localhost:9311/v1/cas/3a2a533d-ed4d-4c68-a418-2ee79f4c9581/set-preferred
As a global administrator, it is possible to determine which projects a CA
@ -131,7 +131,7 @@ sub-resource:
.. code-block:: bash
curl -X GET -H 'content-type:application/json' -H 'X-Project-Id:12345' \
curl -X GET -H "content-type:application/json" -H "X-Auth-Token: $TOKEN" \
http://localhost:9311/v1/cas/3a2a533d-ed4d-4c68-a418-2ee79f4c9581/projects
.. _setting_a_global_preferred_ca:
@ -149,7 +149,7 @@ To set a global preferred CA plugin, do:
.. code-block:: bash
curl -X POST -H 'content-type:application/json' -H 'X-Project-Id:12345' \
curl -X POST -H "content-type:application/json" -H "X-Auth-Token: $TOKEN" \
http://localhost:9311/v1/cas/3a2a533d-ed4d-4c68-a418-2ee79f4c9581/set-global-preferred
.. _creating_a_subca:
@ -171,7 +171,7 @@ A subordinate CA can then be created as follows:
.. code-block:: bash
curl -X POST -H 'content-type:application/json' -H 'X-Project-Id: 12345' -d '{
curl -X POST -H "content-type:application/json" -H "X-Auth-Token: $TOKEN" -d '{
"parent_ca_ref": "http://localhost:9311/cas/422e6ad3-24ae-45e3-b165-4e9487cd0ded",
"subject_dn": "cn=Subordinate CA Signing Certificate, o=example.com",
'name': "Subordinate CA"
@ -202,5 +202,5 @@ follows:
.. code-block:: bash
curl -X DEL -H 'content-type:application/json' -H 'X-Project-Id:12345' \
curl -X DEL -H "content-type:application/json" -H "X-Auth-Token: $TOKEN" \
http://localhost:9311/v1/cas/3a2a533d-ed4d-4c68-a418-2ee79f4c9581

22
doc/source/api/userguide/certificates.rst
View File

@ -38,7 +38,7 @@ as shown below:
.. code-block:: bash
curl -H 'content-type:application/json' -H 'X-Project-Id: 12345' \
curl -H "content-type:application/json" -H "X-Auth-Token: $TOKEN" \
http://localhost:9311/v1/orders/df1d1a0f-8454-46ca-9287-c57ced0418e7
.. code-block:: javascript
@ -67,7 +67,7 @@ Barbican).
.. code-block:: bash
curl -H 'content-type:application/json' -H 'X-Project-Id: 12345' \
curl -H "content-type:application/json" -H "X-Auth-Token: $TOKEN" \
http://localhost:9311/v1/containers/1e71dc2b-cf63-4aa4-91f7-41ea1a9e5493
.. code-block:: javascript
@ -97,8 +97,8 @@ You can get the certificate itself by extracting the payload of the secret_ref p
.. code-block:: bash
curl -H 'content-type:application/json' -H 'X-Project-Id: 12345' \
-H 'Accept:application/pkix-cert' \
curl -H "content-type:application/json" -H "X-Auth-Token: $TOKEN" \
-H "Accept:application/pkix-cert" \
http://localhost:9311/v1/secrets/acd47891-9e72-4542-b9de-be66cc343610/payload
.. code-block:: bash
@ -125,7 +125,7 @@ resource:
.. code-block:: bash
curl -H 'content-type:application/json' -H 'X-Project-Id:12345' \
curl -H "content-type:application/json" -H "X-Auth-Token: $TOKEN" \
http://localhost:9311/v1/cas
This should provide a response like the following:
@ -138,7 +138,7 @@ More details on each CA can be obtained by querying the specific CA:
.. code-block:: bash
curl -H 'content-type:application/json' -H 'X-Project-Id:12345' \
curl -H "content-type:application/json" -H "X-Auth-Token: $TOKEN" \
http://localhost:9311/v1/cas/3a2a533d-ed4d-4c68-a418-2ee79f4c9581
The output shows the status of the CA and the plugin used to communicate with it:
@ -195,7 +195,7 @@ into a JSON request for a Simple CMC Certificate order.
.. code-block:: bash
curl -X POST -H 'content-type:application/json' -H 'X-Project-Id: 12345' -d '{
curl -X POST -H "content-type:application/json" -H "X-Auth-Token: $TOKEN" -d '{
"type": "certificate",
"meta": {
"request_data": "LS0tLS1CRUdJT..... oK2Fkh6dXBTVC0tLS0tCg==",
@ -247,7 +247,7 @@ use this generated secret to create a Stored Key Order.
.. code-block:: bash
curl -X POST -H 'content-type:application/json' -H 'X-Project-Id: 12345' -d '{
curl -X POST -H "content-type:application/json" -H "X-Auth-Token: $TOKEN" -d '{
"type": "asymmetric",
"meta": {
"algorithm": "rsa",
@ -265,7 +265,7 @@ We can retrieve the reference to the container containing the RSA key pair from
.. code-block:: bash
curl -H 'content-type:application/json' -H 'X-Project-Id: 12345' \
curl -H "content-type:application/json" -H "X-Auth-Token: $TOKEN" \
http://localhost:9311/v1/orders/cb3c43d6-e30c-40c0-b28c-b0dd58a6209d
.. code-block:: javascript
@ -287,7 +287,7 @@ Now that we have a reference to the container, we can create a stored-key reques
.. code-block:: bash
curl -X POST -H 'content-type:application/json' -H 'X-Project-Id: 12345' -d '{
curl -X POST -H "content-type:application/json" -H "X-Auth-Token: $TOKEN" -d '{
"type": "certificate",
"meta": {
"container_ref": "http://localhost:9311/v1/containers/1e71dc2b-cf63-4aa4-91f7-41ea1a9e5493",
@ -318,7 +318,7 @@ the response is an order reference.
.. code-block:: bash
curl -X POST -H 'content-type:application/json' -H 'X-Project-Id: 12345' -d '{
curl -X POST -H "content-type:application/json" -H "X-Auth-Token: $TOKEN" -d '{
"type": "certificate",
"meta": {
"request_data": "LS0tLS1CRUdJT..... oK2Fkh6dXBTVC0tLS0tCg==",

10
doc/source/api/userguide/consumers.rst
View File

@ -22,7 +22,7 @@ How to Create a Consumer
.. code-block:: bash
curl -X POST -H 'X-Project-Id:12345' -H 'Content-Type: application/json' \
curl -X POST -H "X-Auth-Token: $TOKEN" -H "Content-Type: application/json" \
-d '{"name": "consumername", "URL": "consumerURL"}' \
http://localhost:9311/v1/containers/74bbd3fd-9ba8-42ee-b87e-2eecf10e47b9/consumers
@ -65,7 +65,7 @@ limit and offset query parameter.
.. code-block:: bash
curl -H 'X-Project-Id:12345' \
curl -H "X-Auth-Token: $TOKEN" \
http://192.168.99.100:9311/v1/containers/74bbd3fd-9ba8-42ee-b87e-2eecf10e47b9/consumers
This will return the following response:
@ -94,7 +94,7 @@ the consumers for this container.
.. code-block:: bash
curl -H 'X-Project-Id:12345' \
curl -H "X-Auth-Token: $TOKEN" \
http://192.168.99.100:9311/v1/containers/74bbd3fd-9ba8-42ee-b87e-2eecf10e47b9/consumers?limit=1\&offset=1
This will return the following response:
@ -125,7 +125,7 @@ URL which were used when the consumer was created.
.. code-block:: bash
curl -X DELETE -H 'X-Project-Id:12345' -H 'Content-Type: application/json' \
curl -X DELETE -H "X-Auth-Token: $TOKEN" -H "Content-Type: application/json" \
-d '{"name": "consumername", "URL": "consumerURL"}' \
http://localhost:9311/v1/containers/74bbd3fd-9ba8-42ee-b87e-2eecf10e47b9/consumers
@ -150,4 +150,4 @@ This will return the following response:
}
A successful delete will return an HTTP 200 OK. The response content will be the
container plus the consumer list, minus the consumer which was just deleted.
container plus the consumer list, minus the consumer which was just deleted.

10
doc/source/api/userguide/containers.rst
View File

@ -165,7 +165,7 @@ To create a generic container we must have a secret to store as well.
.. code-block:: bash
curl -X POST -H 'X-Project-Id:12345' -H 'Content-Type:application/json' -d '{
curl -X POST -H "X-Auth-Token: $TOKEN" -H "Content-Type:application/json" -d '{
"type": "generic",
"name": "generic name",
"secret_refs": [
@ -199,7 +199,7 @@ named private_key, private_key_passphrase, and intermediates.
.. code-block:: bash
curl -X POST -H 'X-Project-Id:12345' -H 'Content-Type:application/json' -d '{
curl -X POST -H "X-Auth-Token: $TOKEN" -H "Content-Type:application/json" -d '{
"type": "certificate",
"name": "certificate container",
"secret_refs": [
@ -245,7 +245,7 @@ to provide a secret named public_key, private_key, and private_key_passphrase.
.. code-block:: bash
curl -X POST -H 'X-Project-Id:12345' -H 'Content-Type:application/json' -d '{
curl -X POST -H "X-Auth-Token: $TOKEN" -H "Content-Type:application/json" -d '{
"type": "rsa",
"name": "rsa container",
"secret_refs": [
@ -283,7 +283,7 @@ To retrieve a container we must have a container reference.
.. code-block:: bash
curl -X GET -H 'X-Project-Id:12345' http://localhost:9311/v1/containers/49d3c5e9-80bb-47ec-8787-968bb500d76e
curl -X GET -H "X-Auth-Token: $TOKEN" http://localhost:9311/v1/containers/49d3c5e9-80bb-47ec-8787-968bb500d76e
This should provide a response as follows:
@ -317,7 +317,7 @@ To delete a container we must have a container reference.
.. code-block:: bash
curl -X DELETE -H 'X-Project-Id:12345' http://localhost:9311/v1/containers/d1c23e06-476b-4684-be9f-8afbef42768d
curl -X DELETE -H "X-Auth-Token: $TOKEN" http://localhost:9311/v1/containers/d1c23e06-476b-4684-be9f-8afbef42768d
No response will be provided. This is expected behavior! If you do receive a
response, something went wrong and you will have to address that before

10
doc/source/api/userguide/secrets.rst
View File

@ -47,7 +47,7 @@ secrets you can view the :ref:`POST /v1/secrets <post_secrets>` section.
.. code-block:: bash
curl -X POST -H 'content-type:application/json' -H 'X-Project-Id:12345' \
curl -X POST -H "content-type:application/json" -H "X-Auth-Token: $TOKEN" \
-d '{"payload": "my-secret-here", "payload_content_type": "text/plain"}' \
http://localhost:9311/v1/secrets
@ -72,7 +72,7 @@ data after the fact. In this example we will not provide a payload.
.. code-block:: bash
curl -X POST -H 'content-type:application/json' -H 'X-Project-Id:12345' \
curl -X POST -H "content-type:application/json" -H "X-Auth-Token: $TOKEN" \
-d '{}' http://localhost:9311/v1/secrets
This should provide a response as follows:
@ -96,7 +96,7 @@ your own in order to update the secret.
.. code-block:: bash
curl -X PUT -H 'content-type:text/plain' -H 'X-Project-Id:12345' \
curl -X PUT -H "content-type:text/plain" -H "X-Auth-Token: $TOKEN" \
-d 'my-secret-here' \
http://localhost:9311/v1/secrets/2a549393-0710-444b-8aa5-84cf0f85ea79
@ -115,7 +115,7 @@ provided via the initial creation (See :ref:`How to Create a Secret <create_secr
.. code-block:: bash
curl -H 'Accept: text/plain' -H 'X-Project-Id:12345' \
curl -H "Accept: text/plain" -H "X-Auth-Token: $TOKEN" \
http://localhost:9311/v1/secrets/2a549393-0710-444b-8aa5-84cf0f85ea79/payload
This should provide a response as follows:
@ -134,7 +134,7 @@ the initial creation (See :ref:`How to Create a Secret <create_secret>`.)
.. code-block:: bash
curl -X DELETE -H 'X-Project-Id:12345' \
curl -X DELETE -H "X-Auth-Token: $TOKEN" \
http://localhost:9311/v1/secrets/2a549393-0710-444b-8aa5-84cf0f85ea79
No response will be provided. This is expected behavior! If you do receive a

1
doc/source/setup/index.rst
View File

@ -9,3 +9,4 @@ Setting up Barbican
devstack
certificate
troubleshooting
noauth

28
doc/source/setup/noauth.rst Normal file
View File

@ -0,0 +1,28 @@
No Auth Barbican
================
Generally barbican can be configured to use keystone like every other OpenStack
services for identity and access control. Sometimes it may be useful to run
barbican without any authentication service for development purpose.
By default, configuration in :file:`barbican-api-paste.ini` sets barbican
without any authentication (no auth mode), for example:
.. code-block:: ini
# Use this pipeline for Barbican API - DEFAULT no authentication
[pipeline:barbican_api]
pipeline = unauthenticated-context apiapp
With every OpenStack service integrated with keystone, its API requires access
token to retireve certain information and validate user's information and
prviledges. If you are running barbican in no auth mode, you have to specify
project_id instead of an access token which was retrieved from the token
instead. In case of API, replace ``'X-Auth-Token: $TOKEN'`` with
``'X-Project-Id: {project_id}'`` for every API request in :doc:`../api/index`.
You can also find detailed explaination to run barbican client with an
unauthenticated context
`here <http://docs.openstack.org/developer/python-barbicanclient/authentication.html#unauthenticated-context>`_ and run barbican CLI in no auth mode
`here <http://docs.openstack.org/developer/python-barbicanclient/authentication.html#no-auth-mode>`_.