Merge "Authorized API Requests"

2015-12-04 18:39:03 +00:00 · 2015-12-04 18:39:03 +00:00 · 934b956393
commit 934b956393
parent 2ac5bfbf4f db58049e91
11 changed files with 81 additions and 52 deletions
--- a/doc/source/api/reference/certificates.rst
+++ b/doc/source/api/reference/certificates.rst
@ -106,7 +106,7 @@ see the :doc:`Certificate User's Guide <../userguide/certificates>`.
    POST /v1/orders
    Headers:
        Content-Type: application/json
-        X-Project-Id: {project_id}
+        X-Auth-Token: <token>
    Content:
    {
--- a/doc/source/api/reference/consumers.rst
+++ b/doc/source/api/reference/consumers.rst
@ -31,7 +31,7 @@ Request:
    GET {container_ref}/consumers
    Headers:
-        X-Project-Id: {project_id}
+        X-Auth-Token: <token>
 Response:
 *********
@ -74,7 +74,7 @@ Request:
    GET {container_ref}/consumers?limit=1&offset=1
    Headers:
-        X-Project-Id: {project_id}
+        X-Auth-Token: <token>
 .. code-block:: javascript
@ -156,7 +156,7 @@ Request:
    POST {container_ref}/consumers
    Headers:
-        X-Project-Id: {project_id}
+        X-Auth-Token: <token>
    Content:
    {
@ -238,7 +238,7 @@ Request:
    POST {container_ref}/consumers
    Headers:
-        X-Project-Id: {project_id}
+        X-Auth-Token: <token>
    Content:
    {
--- a/doc/source/api/reference/containers.rst
+++ b/doc/source/api/reference/containers.rst
@ -52,7 +52,7 @@ Request:
    GET /v1/containers
    Headers:
-        X-Project-Id: {project_id}
+        X-Auth-Token: <token>
 Request:
@ -118,7 +118,7 @@ Request:
    GET /v1/containers/{uuid}
    Headers:
-        X-Project-Id: {project_id}
+        X-Auth-Token: <token>
 Response:
 *********
@ -202,7 +202,7 @@ Request:
    POST /v1/containers
    Headers:
-        X-Project-Id: {project_id}
+        X-Auth-Token: <token>
    Content:
    {
@ -255,7 +255,7 @@ Request:
    DELETE /v1/containers/{container_uuid}
    Headers:
-        X-Project-Id: {project_id}
+        X-Auth-Token: <token>
 Response:
 *********
--- a/doc/source/api/reference/secrets.rst
+++ b/doc/source/api/reference/secrets.rst
@ -135,7 +135,7 @@ Request:
    POST /v1/secrets
    Headers:
        Content-Type: application/json
-        X-Project-Id: {project_id}
+        X-Auth-Token: <token>
    Content:
    {
@ -204,7 +204,7 @@ Metadata Request:
    GET /v1/secrets/{uuid}
    Headers:
        Accept: application/json
-        X-Project-Id: {project_id}
+        X-Auth-Token: <token>
 Metadata Response:
@ -238,7 +238,7 @@ Payload Request:
    GET /v1/secrets/{uuid}
    Headers:
        Accept: application/octet-stream
-        X-Project-Id: {project_id}
+        X-Auth-Token: <token>
 Payload Response:
@ -298,7 +298,7 @@ Request:
    PUT /v1/secrets/{uuid}
    Headers:
-        X-Project-Id: {project_id}
+        X-Auth-Token: <token>
        Content-Type: application/octet-stream
        Content-Encoding: base64
@ -339,7 +339,7 @@ Request:
    DELETE /v1/secrets/{uuid}
    Headers:
-        X-Project-Id: {project_id}
+        X-Auth-Token: <token>
 Response:
 *********
@ -380,7 +380,7 @@ Request:
    GET /v1/secrets/{uuid}/payload
    Headers:
        Accept: text/plain
-        X-Project-Id: {project_id}
+        X-Auth-Token: <token>
 Response:
 *********
--- a/doc/source/api/userguide/cas.rst
+++ b/doc/source/api/userguide/cas.rst
@ -35,7 +35,7 @@ resource:
 .. code-block:: bash
-    curl  -H 'content-type:application/json' -H 'X-Project-Id:12345' \
+    curl  -H "content-type:application/json" -H "X-Auth-Token: $TOKEN" \
        http://localhost:9311/v1/cas
 This should provide a response like the following:
@ -53,7 +53,7 @@ More details on each CA can be obtained by querying the specific CA:
 .. code-block:: bash
-    curl  -H 'content-type:application/json' -H 'X-Project-Id:12345' \
+    curl  -H "content-type:application/json" -H "X-Auth-Token: $TOKEN" \
        http://localhost:9311/v1/cas/3a2a533d-ed4d-4c68-a418-2ee79f4c9581
 The output shows the status of the CA and the plugin used to communicate with it:
@ -79,7 +79,7 @@ client), use the cacert sub-resource:
 .. code-block:: bash
-    curl  -H 'content-type:application/json' -H 'X-Project-Id:12345' \
+    curl  -H "content-type:application/json" -H "X-Auth-Token: $TOKEN" \
        http://localhost:9311/v1/cas/3a2a533d-ed4d-4c68-a418-2ee79f4c9581/cacert
 To get the PKCS#7 certificate chain (which contains the signing certificate and
@ -87,7 +87,7 @@ all intermediate certificates), use the intermediates sub-resource.
 .. code-block:: bash
-    curl  -H 'content-type:application/json' -H 'X-Project-Id:12345' \
+    curl  -H "content-type:application/json" -H "X-Auth-Token: $TOKEN" \
        http://localhost:9311/v1/cas/3a2a533d-ed4d-4c68-a418-2ee79f4c9581/intermediates
 .. _managing_project_cas:
@ -105,14 +105,14 @@ To add a CA to a particular project, a project administrator would do:
 .. code-block:: bash
-    curl  -X POST -H 'content-type:application/json' -H 'X-Project-Id:12345' \
+    curl  -X POST -H "content-type:application/json" -H "X-Auth-Token: $TOKEN" \
        http://localhost:9311/v1/cas/3a2a533d-ed4d-4c68-a418-2ee79f4c9581/add-to-project
 To remove the CA from the set of project CAs, a project administrator would do:
 .. code-block:: bash
-    curl  -X POST -H 'content-type:application/json' -H 'X-Project-Id:12345' \
+    curl  -X POST -H "content-type:application/json" -H "X-Auth-Token: $TOKEN" \
        http://localhost:9311/v1/cas/3a2a533d-ed4d-4c68-a418-2ee79f4c9581/remove-from-project
 The first CA added to the project will be designated as the preferred CA. This
@ -122,7 +122,7 @@ CA as the preferred CA as follows:
 .. code-block:: bash
-    curl  -X POST -H 'content-type:application/json' -H 'X-Project-Id:12345' \
+    curl  -X POST -H "content-type:application/json" -H "X-Auth-Token: $TOKEN" \
        http://localhost:9311/v1/cas/3a2a533d-ed4d-4c68-a418-2ee79f4c9581/set-preferred
 As a global administrator, it is possible to determine which projects a CA
@ -131,7 +131,7 @@ sub-resource:
 .. code-block:: bash
-    curl  -X GET -H 'content-type:application/json' -H 'X-Project-Id:12345' \
+    curl  -X GET -H "content-type:application/json" -H "X-Auth-Token: $TOKEN" \
        http://localhost:9311/v1/cas/3a2a533d-ed4d-4c68-a418-2ee79f4c9581/projects
 .. _setting_a_global_preferred_ca:
@ -149,7 +149,7 @@ To set a global preferred CA plugin, do:
 .. code-block:: bash
-    curl  -X POST -H 'content-type:application/json' -H 'X-Project-Id:12345' \
+    curl  -X POST -H "content-type:application/json" -H "X-Auth-Token: $TOKEN" \
        http://localhost:9311/v1/cas/3a2a533d-ed4d-4c68-a418-2ee79f4c9581/set-global-preferred
 .. _creating_a_subca:
@ -171,7 +171,7 @@ A subordinate CA can then be created as follows:
 .. code-block:: bash
-    curl -X POST -H 'content-type:application/json' -H 'X-Project-Id: 12345' -d '{
+    curl -X POST -H "content-type:application/json" -H "X-Auth-Token: $TOKEN" -d '{
         "parent_ca_ref": "http://localhost:9311/cas/422e6ad3-24ae-45e3-b165-4e9487cd0ded",
         "subject_dn": "cn=Subordinate CA Signing Certificate, o=example.com",
         'name': "Subordinate CA"
@ -202,5 +202,5 @@ follows:
 .. code-block:: bash
-    curl  -X DEL -H 'content-type:application/json' -H 'X-Project-Id:12345' \
+    curl  -X DEL -H "content-type:application/json" -H "X-Auth-Token: $TOKEN" \
        http://localhost:9311/v1/cas/3a2a533d-ed4d-4c68-a418-2ee79f4c9581
--- a/doc/source/api/userguide/certificates.rst
+++ b/doc/source/api/userguide/certificates.rst
@ -38,7 +38,7 @@ as shown below:
 .. code-block:: bash
-    curl -H 'content-type:application/json' -H 'X-Project-Id: 12345' \
+    curl -H "content-type:application/json" -H "X-Auth-Token: $TOKEN" \
        http://localhost:9311/v1/orders/df1d1a0f-8454-46ca-9287-c57ced0418e7
 .. code-block:: javascript
@ -67,7 +67,7 @@ Barbican).
 .. code-block:: bash
-     curl -H 'content-type:application/json' -H 'X-Project-Id: 12345' \
+     curl -H "content-type:application/json" -H "X-Auth-Token: $TOKEN" \
        http://localhost:9311/v1/containers/1e71dc2b-cf63-4aa4-91f7-41ea1a9e5493
 .. code-block:: javascript
@ -97,8 +97,8 @@ You can get the certificate itself by extracting the payload of the secret_ref p
 .. code-block:: bash
-    curl -H 'content-type:application/json' -H 'X-Project-Id: 12345' \
+    curl -H "content-type:application/json" -H "X-Auth-Token: $TOKEN" \
-        -H 'Accept:application/pkix-cert' \
+        -H "Accept:application/pkix-cert" \
        http://localhost:9311/v1/secrets/acd47891-9e72-4542-b9de-be66cc343610/payload
 .. code-block:: bash
@ -125,7 +125,7 @@ resource:
 .. code-block:: bash
-    curl  -H 'content-type:application/json' -H 'X-Project-Id:12345' \
+    curl  -H "content-type:application/json" -H "X-Auth-Token: $TOKEN" \
        http://localhost:9311/v1/cas
 This should provide a response like the following:
@ -138,7 +138,7 @@ More details on each CA can be obtained by querying the specific CA:
 .. code-block:: bash
-    curl  -H 'content-type:application/json' -H 'X-Project-Id:12345' \
+    curl  -H "content-type:application/json" -H "X-Auth-Token: $TOKEN" \
        http://localhost:9311/v1/cas/3a2a533d-ed4d-4c68-a418-2ee79f4c9581
 The output shows the status of the CA and the plugin used to communicate with it:
@ -195,7 +195,7 @@ into a JSON request for a Simple CMC Certificate order.
 .. code-block:: bash
-    curl -X POST -H 'content-type:application/json' -H 'X-Project-Id: 12345' -d '{
+    curl -X POST -H "content-type:application/json" -H "X-Auth-Token: $TOKEN" -d '{
         "type": "certificate",
         "meta": {
            "request_data": "LS0tLS1CRUdJT..... oK2Fkh6dXBTVC0tLS0tCg==",
@ -247,7 +247,7 @@ use this generated secret to create a Stored Key Order.
 .. code-block:: bash
-    curl -X POST -H 'content-type:application/json' -H 'X-Project-Id: 12345' -d '{
+    curl -X POST -H "content-type:application/json" -H "X-Auth-Token: $TOKEN" -d '{
        "type": "asymmetric",
        "meta": {
            "algorithm": "rsa",
@ -265,7 +265,7 @@ We can retrieve the reference to the container containing the RSA key pair from
 .. code-block:: bash
-    curl -H 'content-type:application/json' -H 'X-Project-Id: 12345' \
+    curl -H "content-type:application/json" -H "X-Auth-Token: $TOKEN" \
    http://localhost:9311/v1/orders/cb3c43d6-e30c-40c0-b28c-b0dd58a6209d
 .. code-block:: javascript
@ -287,7 +287,7 @@ Now that we have a reference to the container, we can create a stored-key reques
 .. code-block:: bash
-    curl -X POST -H 'content-type:application/json' -H 'X-Project-Id: 12345' -d '{
+    curl -X POST -H "content-type:application/json" -H "X-Auth-Token: $TOKEN" -d '{
        "type": "certificate",
        "meta": {
            "container_ref": "http://localhost:9311/v1/containers/1e71dc2b-cf63-4aa4-91f7-41ea1a9e5493",
@ -318,7 +318,7 @@ the response is an order reference.
 .. code-block:: bash
-    curl -X POST -H 'content-type:application/json' -H 'X-Project-Id: 12345' -d '{
+    curl -X POST -H "content-type:application/json" -H "X-Auth-Token: $TOKEN" -d '{
        "type": "certificate",
        "meta": {
            "request_data": "LS0tLS1CRUdJT..... oK2Fkh6dXBTVC0tLS0tCg==",
--- a/doc/source/api/userguide/consumers.rst
+++ b/doc/source/api/userguide/consumers.rst
@ -22,7 +22,7 @@ How to Create a Consumer
 .. code-block:: bash
-     curl -X POST -H 'X-Project-Id:12345' -H 'Content-Type: application/json' \
+     curl -X POST -H "X-Auth-Token: $TOKEN" -H "Content-Type: application/json" \
     -d '{"name": "consumername", "URL": "consumerURL"}' \
      http://localhost:9311/v1/containers/74bbd3fd-9ba8-42ee-b87e-2eecf10e47b9/consumers
@ -65,7 +65,7 @@ limit and offset query parameter.
 .. code-block:: bash
-    curl -H 'X-Project-Id:12345' \
+    curl -H "X-Auth-Token: $TOKEN" \
    http://192.168.99.100:9311/v1/containers/74bbd3fd-9ba8-42ee-b87e-2eecf10e47b9/consumers
 This will return the following response:
@ -94,7 +94,7 @@ the consumers for this container.
 .. code-block:: bash
-    curl -H 'X-Project-Id:12345' \
+    curl -H "X-Auth-Token: $TOKEN" \
    http://192.168.99.100:9311/v1/containers/74bbd3fd-9ba8-42ee-b87e-2eecf10e47b9/consumers?limit=1\&offset=1
 This will return the following response:
@ -125,7 +125,7 @@ URL which were used when the consumer was created.
 .. code-block:: bash
-    curl -X DELETE -H 'X-Project-Id:12345' -H 'Content-Type: application/json' \
+    curl -X DELETE -H "X-Auth-Token: $TOKEN" -H "Content-Type: application/json" \
     -d '{"name": "consumername", "URL": "consumerURL"}' \
      http://localhost:9311/v1/containers/74bbd3fd-9ba8-42ee-b87e-2eecf10e47b9/consumers
--- a/doc/source/api/userguide/containers.rst
+++ b/doc/source/api/userguide/containers.rst
@ -165,7 +165,7 @@ To create a generic container we must have a secret to store as well.
 .. code-block:: bash
-    curl -X POST -H 'X-Project-Id:12345' -H 'Content-Type:application/json' -d '{
+    curl -X POST -H "X-Auth-Token: $TOKEN" -H "Content-Type:application/json" -d '{
        "type": "generic",
        "name": "generic name",
        "secret_refs": [
@ -199,7 +199,7 @@ named private_key, private_key_passphrase, and intermediates.
 .. code-block:: bash
-    curl -X POST -H 'X-Project-Id:12345' -H 'Content-Type:application/json' -d '{
+    curl -X POST -H "X-Auth-Token: $TOKEN" -H "Content-Type:application/json" -d '{
        "type": "certificate",
        "name": "certificate container",
        "secret_refs": [
@ -245,7 +245,7 @@ to provide a secret named public_key, private_key, and private_key_passphrase.
 .. code-block:: bash
-    curl -X POST -H 'X-Project-Id:12345' -H 'Content-Type:application/json' -d '{
+    curl -X POST -H "X-Auth-Token: $TOKEN" -H "Content-Type:application/json" -d '{
        "type": "rsa",
        "name": "rsa container",
        "secret_refs": [
@ -283,7 +283,7 @@ To retrieve a container we must have a container reference.
 .. code-block:: bash
-    curl -X GET -H 'X-Project-Id:12345'  http://localhost:9311/v1/containers/49d3c5e9-80bb-47ec-8787-968bb500d76e
+    curl -X GET -H "X-Auth-Token: $TOKEN"  http://localhost:9311/v1/containers/49d3c5e9-80bb-47ec-8787-968bb500d76e
 This should provide a response as follows:
@ -317,7 +317,7 @@ To delete a container we must have a container reference.
 .. code-block:: bash
-    curl -X DELETE -H 'X-Project-Id:12345' http://localhost:9311/v1/containers/d1c23e06-476b-4684-be9f-8afbef42768d
+    curl -X DELETE -H "X-Auth-Token: $TOKEN" http://localhost:9311/v1/containers/d1c23e06-476b-4684-be9f-8afbef42768d
 No response will be provided. This is expected behavior! If you do receive a
 response, something went wrong and you will have to address that before
--- a/doc/source/api/userguide/secrets.rst
+++ b/doc/source/api/userguide/secrets.rst
@ -47,7 +47,7 @@ secrets you can view the :ref:`POST /v1/secrets <post_secrets>` section.
 .. code-block:: bash
-    curl -X POST -H 'content-type:application/json' -H 'X-Project-Id:12345' \
+    curl -X POST -H "content-type:application/json" -H "X-Auth-Token: $TOKEN" \
    -d '{"payload": "my-secret-here", "payload_content_type": "text/plain"}' \
    http://localhost:9311/v1/secrets
@ -72,7 +72,7 @@ data after the fact. In this example we will not provide a payload.
 .. code-block:: bash
-    curl -X POST -H 'content-type:application/json' -H 'X-Project-Id:12345' \
+    curl -X POST -H "content-type:application/json" -H "X-Auth-Token: $TOKEN" \
    -d '{}' http://localhost:9311/v1/secrets
 This should provide a response as follows:
@ -96,7 +96,7 @@ your own in order to update the secret.
 .. code-block:: bash
-    curl -X PUT -H 'content-type:text/plain' -H 'X-Project-Id:12345' \
+    curl -X PUT -H "content-type:text/plain" -H "X-Auth-Token: $TOKEN" \
    -d 'my-secret-here' \
    http://localhost:9311/v1/secrets/2a549393-0710-444b-8aa5-84cf0f85ea79
@ -115,7 +115,7 @@ provided via the initial creation (See :ref:`How to Create a Secret <create_secr
 .. code-block:: bash
-    curl -H 'Accept: text/plain' -H 'X-Project-Id:12345' \
+    curl -H "Accept: text/plain" -H "X-Auth-Token: $TOKEN" \
    http://localhost:9311/v1/secrets/2a549393-0710-444b-8aa5-84cf0f85ea79/payload
 This should provide a response as follows:
@ -134,7 +134,7 @@ the initial creation (See :ref:`How to Create a Secret <create_secret>`.)
 .. code-block:: bash
-    curl -X DELETE -H 'X-Project-Id:12345' \
+    curl -X DELETE -H "X-Auth-Token: $TOKEN" \
    http://localhost:9311/v1/secrets/2a549393-0710-444b-8aa5-84cf0f85ea79
 No response will be provided. This is expected behavior! If you do receive a
--- a/doc/source/setup/index.rst
+++ b/doc/source/setup/index.rst
@ -9,3 +9,4 @@ Setting up Barbican
   devstack
   certificate
   troubleshooting
   noauth
--- a/doc/source/setup/noauth.rst
+++ b/doc/source/setup/noauth.rst
@ -0,0 +1,28 @@
 No Auth Barbican
 ================
 Generally barbican can be configured to use keystone like every other OpenStack
 services for identity and access control. Sometimes it may be useful to run
 barbican without any authentication service for development purpose.
 By default, configuration in :file:`barbican-api-paste.ini` sets barbican
 without any authentication (no auth mode), for example:
 .. code-block:: ini
    # Use this pipeline for Barbican API - DEFAULT no authentication
    [pipeline:barbican_api]
    pipeline = unauthenticated-context apiapp
 With every OpenStack service integrated with keystone, its API requires access
 token to retireve certain information and validate user's information and
 prviledges. If you are running barbican in no auth mode, you have to specify
 project_id instead of an access token which was retrieved from the token
 instead. In case of API, replace ``'X-Auth-Token: $TOKEN'`` with
 ``'X-Project-Id: {project_id}'`` for every API request in :doc:`../api/index`.
 You can also find detailed explaination to run barbican client with an
 unauthenticated context
 `here <http://docs.openstack.org/developer/python-barbicanclient/authentication.html#unauthenticated-context>`_ and run barbican CLI in no auth mode
 `here <http://docs.openstack.org/developer/python-barbicanclient/authentication.html#no-auth-mode>`_.