From edb2c18be6c001782bc0cea84048a8bb15846491 Mon Sep 17 00:00:00 2001
From: Ade Lee
Date: Wed, 17 Aug 2016 00:38:00 -0400
Subject: [PATCH] Add install guide

Install Guides are maintained within the project and are linked to the official docs. This commit adds the framework and some initial content.

Change-Id: Iff18f0e866d95ff4b8b490511c2acf3209690b69
---
 install-guide/source/barbican-backend.rst | 174 ++++++++++
 install-guide/source/common_configure.rst | 92 ++++++
 install-guide/source/common_prerequisites.rst | 87 +++++
 install-guide/source/conf.py | 302 ++++++++++++++++++
 install-guide/source/get_started.rst | 10 +
 install-guide/source/index.rst | 16 +
 install-guide/source/install-obs.rst | 34 ++
 install-guide/source/install-rdo.rst | 62 ++++
 install-guide/source/install-ubuntu.rst | 31 ++
 install-guide/source/install.rst | 25 ++
 install-guide/source/next-steps.rst | 10 +
 install-guide/source/verify.rst | 24 ++
 tox.ini | 3 +
 13 files changed, 870 insertions(+)
 create mode 100644 install-guide/source/barbican-backend.rst
 create mode 100644 install-guide/source/common_configure.rst
 create mode 100644 install-guide/source/common_prerequisites.rst
 create mode 100644 install-guide/source/conf.py
 create mode 100644 install-guide/source/get_started.rst
 create mode 100644 install-guide/source/index.rst
 create mode 100644 install-guide/source/install-obs.rst
 create mode 100644 install-guide/source/install-rdo.rst
 create mode 100644 install-guide/source/install-ubuntu.rst
 create mode 100644 install-guide/source/install.rst
 create mode 100644 install-guide/source/next-steps.rst
 create mode 100644 install-guide/source/verify.rst

diff --git a/install-guide/source/barbican-backend.rst b/install-guide/source/barbican-backend.rst
new file mode 100644
index 000000000..55358f7e9
--- /dev/null
+++ b/install-guide/source/barbican-backend.rst
@@ -0,0 +1,174 @@ +.. _barbican_backend: + +Secret Store Back-ends +~~~~~~~~~~~~~~~~~~~~~~ + +The Key Manager service has a plugin architecture that allows the deployer to +store secrets in one or more secret stores. Secret stores can be software-based +such as a software token, or hardware devices such as a hardware security +module (HSM). + +This section describes the plugins that are currently available +and how they might be configured. + +Crypto Plugins +-------------- + +These types of plugins store secrets as encrypted blobs within the +Barbican database. The plugin is invoked to encrypt the secret on secret +storage, and decrypt the secret on secret retrieval. + +To enable these plugins, add ``store_crypto`` to the list of enabled +secret store plugins in the ``[secret_store]`` section of +``/etc/barbican/barbican.conf`` : + + .. code-block:: ini + + [secretstore] + namespace = barbican.secretstore.plugin + enabled_secretstore_plugins = store_crypto + +There are two flavors of storage plugins currently available: the Simple +Crypto plugin and the PKCS#11 crypto plugin. + +Simple Crypto Plugin +^^^^^^^^^^^^^^^^^^^^ + +This crypto plugin is configured by default in barbican.conf. This plugin +is completely insecure and is only suitable for development testing. + +.. warning:: + + THIS PLUGIN IS NOT SUITABLE FOR PRODUCTION DEPLOYMENTS. + +This plugin uses single symmetric key (kek - or 'key encryption key') +- which is stored in plain text in the ``barbican.conf`` file to encrypt +and decrypt all secrets. + +The configuration for this plugin in ``barbican.conf`` is as follows: + + .. code-block:: ini + + # ================= Secret Store Plugin =================== + [secretstore] + .. + enabled_secretstore_plugins = store_crypto + + # ================= Crypto plugin =================== + [crypto] + .. 
+ enabled_crypto_plugins = simple_crypto + + [simple_crypto_plugin] + # the kek should be a 32-byte value which is base64 encoded + kek = 'YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY=' + +PKCS#11 Crypto Plugin +^^^^^^^^^^^^^^^^^^^^^ + +This crypto plugin can be used to interface with a Hardware Security Module (HSM) +using the PKCS#11 protocol. + +Secrets are encrypted (and decrypted on retrieval) by a project specific +Key Encryption Key (KEK), which resides in the HSM. + +The configuration for this plugin in ``barbican.conf`` with settings shown for +use with a SafeNet HSM is as follows: + + .. code-block:: ini + + # ================= Secret Store Plugin =================== + [secretstore] + .. + enabled_secretstore_plugins = store_crypto + + [p11_crypto_plugin] + # Path to vendor PKCS11 library + library_path = '/usr/lib/libCryptoki2_64.so' + # Password to login to PKCS11 session + login = 'mypassword' + # Label to identify master KEK in the HSM (must not be the same as HMAC label) + mkek_label = 'an_mkek' + # Length in bytes of master KEK + mkek_length = 32 + # Label to identify HMAC key in the HSM (must not be the same as MKEK label) + hmac_label = 'my_hmac_label' + # HSM Slot id (Should correspond to a configured PKCS11 slot). Default: 1 + # slot_id = 1 + # Enable Read/Write session with the HSM? + # rw_session = True + # Length of Project KEKs to create + # pkek_length = 32 + # How long to cache unwrapped Project KEKs + # pkek_cache_ttl = 900 + # Max number of items in pkek cache + # pkek_cache_limit = 100 + +KMIP Plugin +----------- + +This secret store plugin is used to communicate with a KMIP device. +The secret is securely stored in the KMIP device directly, rather than in the +Barbican database. The Barbican database maintains a reference to the +secret's location for later retrieval. + +The plugin can be configured to authenticate to the KMIP device using either +a username and password, or using a client certificate. 
+ +The configuration for this plugin in ``barbican.conf`` is as follows: + + .. code-block:: ini + + [secretstore] + .. + enabled_secretstore_plugins = kmip_crypto + + [kmip_plugin] + username = 'admin' + password = 'password' + host = localhost + port = 5696 + keyfile = '/path/to/certs/cert.key' + certfile = '/path/to/certs/cert.crt' + ca_certs = '/path/to/certs/LocalCA.crt' + +Dogtag Plugin +------------- + +Dogtag is the upstream project corresponding to the Red Hat Certificate System. +a robust, full-featured PKI solution that contains a Certificate Manager (CA) +and a Key Recovery Authority (KRA) which is used to securely store secrets. + +The KRA stores secrets as encrypted blobs in its internal database, with the +master encryption keys being stored either in a software-based NSS security +database, or in a Hardware Security Module (HSM). + +Note that the software-based NSS database configuration provides a secure option for +those deployments that do not require or cannot afford an HSM. This is the only +current plugin to provide this option. + +The KRA communicates with HSMs using PKCS#11. For a list of certified HSMs, +see the latest `release notes `_. Dogtag and the KRA meet all the relevant Common Criteria and FIPS specifications. + +The KRA is a component of FreeIPA. Therefore, it is possible to configure the plugin +with a FreeIPA server. More detailed instructions on how to set up Barbican with FreeIPA +are provided `here `_. + +The plugin communicates with the KRA using a client certificate for a trusted KRA agent. +That certificate is stored in an NSS database as well as a PEM file as seen in the +configuration below. + +The configuration for this plugin in ``barbican.conf`` is as follows: + + .. code-block:: ini + + [secretstore] + .. 
+ enabled_secretstore_plugins = dogtag_crypto + + [dogtag_plugin] + pem_path = '/etc/barbican/kra_admin_cert.pem' + dogtag_host = localhost + dogtag_port = 8443 + nss_db_path = '/etc/barbican/alias' + nss_password = 'password123' diff --git a/install-guide/source/common_configure.rst b/install-guide/source/common_configure.rst new file mode 100644 index 000000000..cfaf8c44e --- /dev/null +++ b/install-guide/source/common_configure.rst 
@@ -0,0 +1,92 @@ +2. Edit the ``/etc/barbican/barbican.conf`` file and complete the following + actions: + + * In the ``[database]`` section, configure database access: + + .. code-block:: none + + [database] + ... + connection = mysql+pymysql://barbican:BARBICAN_DBPASS@controller/barbican + + Replace ``BARBICAN_DBPASS`` with the password you chose for the + Key Manager service database. + + * In the ``[DEFAULT]`` and ``[oslo_messaging_rabbit]`` sections, + configure ``RabbitMQ`` message queue access: + + .. code-block:: ini + + [DEFAULT] + ... + rpc_backend = rabbit + + [oslo_messaging_rabbit] + ... + rabbit_host = controller + rabbit_userid = openstack + rabbit_password = RABBIT_PASS + + Replace ``RABBIT_PASS`` with the password you chose for the + ``openstack`` account in ``RabbitMQ``. + + * In the ``[keystone_authtoken]`` section, configure Identity + service access: + + .. code-block:: ini + + [keystone_authtoken] + ... + auth_uri = http://controller:5000 + auth_url = http://controller:35357 + memcached_servers = controller:11211 + auth_type = password + project_domain_name = default + user_domain_name = default + project_name = service + username = barbican + password = BARBICAN_PASS + + Replace ``BARBICAN_PASS`` with the password you chose for the + ``barbican`` user in the Identity service. + + .. note:: + + Comment out or remove any other options in the + ``[keystone_authtoken]`` section. + +#. Edit the ``/etc/barbican/barbican-api-paste.ini`` file and complete the + following actions: + + * In the ``[pipeline:barbican_api]`` section, configure the pipeline to + use the Identity Service auth token. + + .. code-block:: ini + + [pipeline:barbican_api] + pipeline = cors authtoken context apiapp + +#. Populate the Key Manager service database: + + The Key Manager service database will be automatically populated + when the service is first started. 
To prevent this, and run the + database sync manually, edit the ``/etc/barbican/barbican.conf`` file + and set db_auto_create in the ``[DEFAULT]`` section to False. + + Then populate the database as below: + + .. code-block:: console + + $ su -s /bin/sh -c "barbican-manage db_sync" barbican + + .. note:: + + Ignore any deprecation messages in this output. + +#. Barbican has a plugin architecture which allows the deployer to store secrets in + a number of different back-end secret stores. By default, Barbican is configured to + store secrets in a basic file-based keystore. This key store is NOT safe for + production use. + + For a list of supported plugins and detailed instructions on how to configure them, + see :ref:`barbican_backend` diff --git a/install-guide/source/common_prerequisites.rst b/install-guide/source/common_prerequisites.rst new file mode 100644 index 000000000..132273da6 --- /dev/null +++ b/install-guide/source/common_prerequisites.rst 
@@ -0,0 +1,87 @@ +Prerequisites +------------- + +Before you install and configure the Key Manager service, +you must create a database, service credentials, and API endpoints. + +#. To create the database, complete these steps: + + * Use the database access client to connect to the database + server as the ``root`` user: + + .. code-block:: console + + $ mysql -u root -p + + * Create the ``barbican`` database: + + .. code-block:: mysql + + CREATE DATABASE barbican; + + * Grant proper access to the ``barbican`` database: + + .. code-block:: mysql + + GRANT ALL PRIVILEGES ON barbican.* TO 'barbican'@'localhost' \ + IDENTIFIED BY 'BARBICAN_DBPASS'; + GRANT ALL PRIVILEGES ON barbican.* TO 'barbican'@'%' \ + IDENTIFIED BY 'BARBICAN_DBPASS'; + + Replace ``BARBICAN_DBPASS`` with a suitable password. + + * Exit the database access client. + + .. code-block:: mysql + + exit; + +#. Source the ``admin`` credentials to gain access to + admin-only CLI commands: + + .. code-block:: console + + $ source admin-openrc + +#. To create the service credentials, complete these steps: + + * Create the ``barbican`` user: + + .. code-block:: console + + $ openstack user create --domain default --password-prompt barbican + + * Add the ``admin`` role to the ``barbican`` user: + + .. code-block:: console + + $ openstack role add --project service --user barbican admin + + * Create the ``creator`` role: + + .. code-block:: console + + $ openstack role create creator + + * Add the ``creator`` role to the ``barbican`` user: + + .. code-block:: console + + $ openstack role add --project service --user barbican creator + + * Create the barbican service entities: + + .. code-block:: console + + $ openstack service create --name barbican --description "Key Manager" key-manager + +#. Create the Key Manager service API endpoints: + + .. 
code-block:: console + + $ openstack endpoint create --region RegionOne \ + key-manager public http://controller:9311/v1/%\(tenant_id\)s + $ openstack endpoint create --region RegionOne \ + key-manager internal http://controller:9311/v1/%\(tenant_id\)s + $ openstack endpoint create --region RegionOne \ + key-manager admin http://controller:9311/v1/%\(tenant_id\)s diff --git a/install-guide/source/conf.py b/install-guide/source/conf.py new file mode 100644 index 000000000..51c57f29c --- /dev/null +++ b/install-guide/source/conf.py 
@@ -0,0 +1,302 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This file is execfile()d with the current directory set to its
+# containing dir.
+#
+# Note that not all possible configuration values are present in this
+# autogenerated file.
+#
+# All configuration values have a default; values that are commented out
+# serve to show the default.
+
+import os
+# import sys
+
+
+import openstackdocstheme
+
+# If extensions (or modules to document with autodoc) are in another directory,
+# add these directories to sys.path here. If the directory is relative to the
+# documentation root, use os.path.abspath to make it absolute, like shown here.
+# sys.path.insert(0, os.path.abspath('.'))
+
+# -- General configuration ------------------------------------------------
+
+# If your documentation needs a minimal Sphinx version, state it here.
+# needs_sphinx = '1.0'
+
+# Add any Sphinx extension module names here, as strings. They can be
+# extensions coming with Sphinx (named 'sphinx.ext.*') or your custom
+# ones.
+# TODO(ajaeger): enable PDF building, for example add 'rst2pdf.pdfbuilder'
+# extensions =
+
+# Add any paths that contain templates here, relative to this directory.
+# templates_path = ['_templates']
+
+# The suffix of source filenames.
+source_suffix = '.rst'
+
+# The encoding of source files.
+# source_encoding = 'utf-8-sig'
+
+# The master toctree document.
+master_doc = 'index'
+
+# General information about the project.
+project = u'Installation Guide for Key Manager Service'
+bug_tag = u'install-guide'
+copyright = u'2016, OpenStack contributors'
+
+# The version info for the project you're documenting, acts as replacement for
+# |version| and |release|, also used in various other places throughout the
+# built documents.
+#
+# The short X.Y version.
+version = '0.1'
+# The full version, including alpha/beta/rc tags.
+release = '0.1'
+
+# A few variables have to be set for the log-a-bug feature.
+# giturl: The location of conf.py on Git. Must be set manually.
+# gitsha: The SHA checksum of the bug description. Automatically
+# extracted from git log.
+# bug_tag: Tag for categorizing the bug. Must be set manually.
+# These variables are passed to the logabug code via html_context.
+giturl = (u'http://git.openstack.org/cgit/openstack/barbican/'
+ 'tree/install-guide/source')
+git_cmd = "/usr/bin/git log | head -n1 | cut -f2 -d' '"
+gitsha = os.popen(git_cmd).read().strip('\n')
+html_context = {"gitsha": gitsha, "bug_tag": bug_tag,
+ "giturl": giturl,
+ "bug_project": "barbican"}
+
+# The language for content autogenerated by Sphinx. Refer to documentation
+# for a list of supported languages.
+# language = None
+
+# There are two options for replacing |today|: either, you set today to some
+# non-false value, then it is used:
+# today = ''
+# Else, today_fmt is used as the format for a strftime call.
+# today_fmt = '%B %d, %Y'
+
+# List of patterns, relative to source directory, that match files and
+# directories to ignore when looking for source files.
+exclude_patterns = ["common_prerequisites.rst", "common_configure.rst"]
+
+# The reST default role (used for this markup: `text`) to use for all
+# documents.
+# default_role = None
+
+# If true, '()' will be appended to :func: etc. cross-reference text.
+# add_function_parentheses = True
+
+# If true, the current module name will be prepended to all description
+# unit titles (such as .. function::).
+# add_module_names = True
+
+# If true, sectionauthor and moduleauthor directives will be shown in the
+# output. They are ignored by default.
+# show_authors = False
+
+# The name of the Pygments (syntax highlighting) style to use.
+pygments_style = 'sphinx'
+
+# A list of ignored prefixes for module index sorting.
+# modindex_common_prefix = []
+
+# If true, keep warnings as "system message" paragraphs in the built documents.
+# keep_warnings = False
+
+
+# -- Options for HTML output ----------------------------------------------
+
+# The theme to use for HTML and HTML Help pages. See the documentation for
+# a list of builtin themes.
+html_theme = 'openstackdocs'
+
+# Theme options are theme-specific and customize the look and feel of a theme
+# further. For a list of options available for each theme, see the
+# documentation.
+# html_theme_options = {}
+
+# Add any paths that contain custom themes here, relative to this directory.
+html_theme_path = [openstackdocstheme.get_html_theme_path()]
+
+# The name for this set of Sphinx documents. If None, it defaults to
+# " v documentation".
+# html_title = None
+
+# A shorter title for the navigation bar. Default is the same as html_title.
+# html_short_title = None
+
+# The name of an image file (relative to this directory) to place at the top
+# of the sidebar.
+# html_logo = None
+
+# The name of an image file (within the static path) to use as favicon of the
+# docs. This file should be a Windows icon file (.ico) being 16x16 or 32x32
+# pixels large.
+# html_favicon = None
+
+# Add any paths that contain custom static files (such as style sheets) here,
+# relative to this directory. They are copied after the builtin static files,
+# so a file named "default.css" will overwrite the builtin "default.css".
+# html_static_path = []
+
+# Add any extra paths that contain custom files (such as robots.txt or
+# .htaccess) here, relative to this directory. These files are copied
+# directly to the root of the documentation.
+# html_extra_path = []
+
+# If not '', a 'Last updated on:' timestamp is inserted at every page bottom,
+# using the given strftime format.
+# So that we can enable "log-a-bug" links from each output HTML page, this
+# variable must be set to a format that includes year, month, day, hours and
+# minutes.
+html_last_updated_fmt = '%Y-%m-%d %H:%M'
+
+
+# If true, SmartyPants will be used to convert quotes and dashes to
+# typographically correct entities.
+# html_use_smartypants = True
+
+# Custom sidebar templates, maps document names to template names.
+# html_sidebars = {}
+
+# Additional templates that should be rendered to pages, maps page names to
+# template names.
+# html_additional_pages = {}
+
+# If false, no module index is generated.
+# html_domain_indices = True
+
+# If false, no index is generated.
+html_use_index = False
+
+# If true, the index is split into individual pages for each letter.
+# html_split_index = False
+
+# If true, links to the reST sources are added to the pages.
+html_show_sourcelink = False
+
+# If true, "Created using Sphinx" is shown in the HTML footer. Default is True.
+# html_show_sphinx = True
+
+# If true, "(C) Copyright ..." is shown in the HTML footer. Default is True.
+# html_show_copyright = True
+
+# If true, an OpenSearch description file will be output, and all pages will
+# contain a tag referring to it. The value of this option must be the
+# base URL from which the finished HTML is served.
+# html_use_opensearch = ''
+
+# This is the file name suffix for HTML files (e.g. ".xhtml").
+# html_file_suffix = None
+
+# Output file base name for HTML help builder.
+htmlhelp_basename = 'install-guide'
+
+# If true, publish source files
+html_copy_source = False
+
+# -- Options for LaTeX output ---------------------------------------------
+
+latex_elements = {
+ # The paper size ('letterpaper' or 'a4paper').
+ # 'papersize': 'letterpaper',
+
+ # The font size ('10pt', '11pt' or '12pt').
+ # 'pointsize': '10pt',
+
+ # Additional stuff for the LaTeX preamble.
+ # 'preamble': '',
+}
+
+# Grouping the document tree into LaTeX files. List of tuples
+# (source start file, target name, title,
+# author, documentclass [howto, manual, or own class]).
+latex_documents = [
+ ('index', 'InstallGuide.tex', u'Install Guide',
+ u'OpenStack contributors', 'manual'),
+]
+
+# The name of an image file (relative to this directory) to place at the top of
+# the title page.
+# latex_logo = None
+
+# For "manual" documents, if this is true, then toplevel headings are parts,
+# not chapters.
+# latex_use_parts = False
+
+# If true, show page references after internal links.
+# latex_show_pagerefs = False
+
+# If true, show URL addresses after external links.
+# latex_show_urls = False
+
+# Documents to append as an appendix to all manuals.
+# latex_appendices = []
+
+# If false, no module index is generated.
+# latex_domain_indices = True
+
+
+# -- Options for manual page output ---------------------------------------
+
+# One entry per manual page. List of tuples
+# (source start file, name, description, authors, manual section).
+man_pages = [
+ ('index', 'installguide', u'Install Guide',
+ [u'OpenStack contributors'], 1)
+]
+
+# If true, show URL addresses after external links.
+# man_show_urls = False
+
+
+# -- Options for Texinfo output -------------------------------------------
+
+# Grouping the document tree into Texinfo files. List of tuples
+# (source start file, target name, title, author,
+# dir menu entry, description, category)
+texinfo_documents = [
+ ('index', 'InstallGuide', u'Install Guide',
+ u'OpenStack contributors', 'InstallGuide',
+ 'This guide shows OpenStack end users how to install '
+ 'an OpenStack cloud.', 'Miscellaneous'),
+]
+
+# Documents to append as an appendix to all manuals.
+# texinfo_appendices = []
+
+# If false, no module index is generated.
+# texinfo_domain_indices = True
+
+# How to display URL addresses: 'footnote', 'no', or 'inline'.
+# texinfo_show_urls = 'footnote'
+
+# If true, do not generate a @detailmenu in the "Top" node's menu.
+# texinfo_no_detailmenu = False
+
+# -- Options for Internationalization output ------------------------------
+locale_dirs = ['locale/']
+
+# -- Options for PDF output --------------------------------------------------
+
+pdf_documents = [
+ ('index', u'InstallGuide', u'Install Guide',
+ u'OpenStack contributors')
+]
diff --git a/install-guide/source/get_started.rst b/install-guide/source/get_started.rst
new file mode 100644
index 000000000..e1c8ee5c1
--- /dev/null
+++ b/install-guide/source/get_started.rst
@@ -0,0 +1,10 @@
+============================
+Key Manager service overview
+============================
+
+The Key Manager service provides...
+
+The Key Manager service consists of the following components:
+
+``barbican-api`` service
+ Accepts and responds to end user compute API calls...
diff --git a/install-guide/source/index.rst b/install-guide/source/index.rst
new file mode 100644
index 000000000..722e7d1cc
--- /dev/null
+++ b/install-guide/source/index.rst
@@ -0,0 +1,16 @@
+=====================
+Key Manager service
+=====================
+
+.. toctree::
+ :maxdepth: 2
+
+ get_started.rst
+ install.rst
+ verify.rst
+ next-steps.rst
+
+The Key Manager service (barbican) provides...
+
+This chapter assumes a working setup of OpenStack following the
+`OpenStack Installation Tutorial `_.
diff --git a/install-guide/source/install-obs.rst b/install-guide/source/install-obs.rst
new file mode 100644
index 000000000..3921cdcd1
--- /dev/null
+++ b/install-guide/source/install-obs.rst
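Review bot: `gitsha = os.popen(git_cmd).read().strip('\n')` never checks the exit status of the shell pipeline in `git_cmd`, so when the guide is built outside a git checkout (for example from a release tarball) or on a host where git is not at /usr/bin/git, the pipeline fails and gitsha silently becomes '' before it is handed to html_context for the log-a-bug links; the `-W` in the new tox env turns Sphinx warnings into errors but does not see that shell stderr. The command is a constant string, so there is no injection issue, but neither the shell nor the `head | cut` parsing of `git log` output is needed: `git rev-parse HEAD` yields the SHA directly and `subprocess.check_output` with an argument list raises when it fails. I would replace the `git_cmd`/`gitsha` pair with the explicit call and fallback below, which needs `import subprocess` next to the existing `import os` at the top of the file; html_context receives the value exactly as before. These statements are module level, so there is no enclosing function.
```python
# … unchanged: license header, project/version metadata, giturl …
# gitsha: the current HEAD commit, or '' when the docs are not built from a
# git checkout (release tarball, git missing) so the build still succeeds.
try:
    gitsha = subprocess.check_output(
        ['git', 'rev-parse', 'HEAD']).decode('ascii').strip()
except (OSError, subprocess.CalledProcessError):
    gitsha = ''
html_context = {"gitsha": gitsha, "bug_tag": bug_tag,
# … unchanged: rest of html_context and all remaining Sphinx options …
```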
@@ -0,0 +1,34 @@ +.. _install-obs: + + +Install and configure for openSUSE and SUSE Linux Enterprise +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +This section describes how to install and configure the Key Manager service +for openSUSE Leap 42.1 and SUSE Linux Enterprise Server 12 SP1. + +.. include:: common_prerequisites.rst + +Install and configure components +-------------------------------- + +#. Install the packages: + + .. code-block:: console + + # zypper --quiet --non-interactive install + +.. include:: common_configure.rst + + +Finalize installation +--------------------- + +Start the Key Manager services and configure them to start when +the system boots: + +.. code-block:: console + + # systemctl enable openstack-barbican-api.service + + # systemctl start openstack-barbican-api.service diff --git a/install-guide/source/install-rdo.rst b/install-guide/source/install-rdo.rst new file mode 100644 index 000000000..9f8e7ffc2 --- /dev/null +++ b/install-guide/source/install-rdo.rst 
@@ -0,0 +1,62 @@ +.. _install-rdo: + +Install and configure for Red Hat Enterprise Linux and CentOS +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + +This section describes how to install and configure the Key Manager service +for Red Hat Enterprise Linux 7 and CentOS 7. + +.. include:: common_prerequisites.rst + +Install and configure components +-------------------------------- + +#. Install the packages: + + .. code-block:: console + + # yum install openstack-barbican-api + +.. include:: common_configure.rst + +Finalize installation +--------------------- + +#. Create the ``/etc/httpd/conf.d/wsgi-barbican.conf`` file with the following content: + + .. code-block:: apache + + + ServerName controller + + ## Vhost docroot + DocumentRoot "/var/www/cgi-bin/barbican" + + ## Directories, there should at least be a declaration for /var/www/cgi-bin/barbican + + + Options Indexes FollowSymLinks MultiViews + AllowOverride None + Require all granted + + + ## Logging + ErrorLog "/var/log/httpd/barbican_wsgi_main_error_ssl.log" + LogLevel debug + ServerSignature Off + CustomLog "/var/log/httpd/barbican_wsgi_main_access_ssl.log" combined + + WSGIApplicationGroup %{GLOBAL} + WSGIDaemonProcess barbican-api display-name=barbican-api group=barbican processes=2 threads=8 user=barbican + WSGIProcessGroup barbican-api + WSGIScriptAlias / "/var/www/cgi-bin/barbican/main" + WSGIPassAuthorization On + + +#. Start the Apache HTTP service and configure it to start when the system boots: + + .. code-block:: console + + # systemctl enable httpd.service + # systemctl start httpd.service diff --git a/install-guide/source/install-ubuntu.rst b/install-guide/source/install-ubuntu.rst new file mode 100644 index 000000000..144034d5d --- /dev/null +++ b/install-guide/source/install-ubuntu.rst 
@@ -0,0 +1,31 @@ +.. _install-ubuntu: + +Install and configure for Ubuntu +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +This section describes how to install and configure the Key Manager +service for Ubuntu 14.04 (LTS). + +.. include:: common_prerequisites.rst + +Install and configure components +-------------------------------- + +#. Install the packages: + + .. code-block:: console + + # apt-get update + + # apt-get install + +.. include:: common_configure.rst + +Finalize installation +--------------------- + +Restart the Key Manager services: + +.. code-block:: console + + # service openstack-barbican-api restart diff --git a/install-guide/source/install.rst b/install-guide/source/install.rst new file mode 100644 index 000000000..1eb565b55 --- /dev/null +++ b/install-guide/source/install.rst @@ -0,0 +1,25 @@ +.. _install: + +Install and configure +~~~~~~~~~~~~~~~~~~~~~ + +This section describes how to install and configure the +Key Manager service, code-named barbican, on the controller node. + +This section assumes that you already have a working OpenStack +environment with at least the Identity Service (keystone) installed. + +For simplicity, this configuration stores secrets on the local +file system. + +Note that installation and configuration vary by distribution. + +.. toctree:: + :maxdepth: 2 + + install-obs.rst + install-rdo.rst + install-ubuntu.rst + barbican-backend.rst + + diff --git a/install-guide/source/next-steps.rst b/install-guide/source/next-steps.rst new file mode 100644 index 000000000..71e75ed21 --- /dev/null +++ b/install-guide/source/next-steps.rst @@ -0,0 +1,10 @@ +.. _next-steps: + +Next steps +~~~~~~~~~~ + +Your OpenStack environment now includes the barbican service. + +To add additional services, see +docs.openstack.org/draft/install-guides/index.html . + diff --git a/install-guide/source/verify.rst b/install-guide/source/verify.rst new file mode 100644 index 000000000..7a8b2df1b --- /dev/null +++ b/install-guide/source/verify.rst 
@@ -0,0 +1,24 @@
+.. _verify:
+
+Verify operation
+~~~~~~~~~~~~~~~~
+
+Verify operation of the Key Manager service.
+
+.. note::
+
+ Perform these commands on the controller node.
+
+#. Source the ``admin`` project credentials to gain access to
+ admin-only CLI commands:
+
+ .. code-block:: console
+
+ $ . admin-openrc
+
+#. List service components to verify successful launch and registration
+ of each process:
+
+ .. code-block:: console
+
+ $ openstack key manager service list
diff --git a/tox.ini b/tox.ini
index fad95b367..be578bf3a 100644
--- a/tox.ini
+++ b/tox.ini
@@ -76,3 +76,6 @@ exclude = .git,.idea,.tox,bin,dist,debian,rpmbuild,tools,*.egg-info,*.eggs,*open
 [testenv:bandit]
 deps = -r{toxinidir}/test-requirements.txt
 commands = bandit -r barbican -x tests -n5
+
+[testenv:install-guide]
+commands = sphinx-build -a -E -W -d install-guide/build/doctrees -b html install-guide/source install-guide/build/html
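Review bot: The new `[testenv:install-guide]` declares `commands` but no `deps`, unlike the neighbouring `[testenv:bandit]` context line that pulls in `-r{toxinidir}/test-requirements.txt`; the conf.py added in this same patch does `import openstackdocstheme` at build time and the command needs `sphinx-build`, so this env only works if the base `[testenv]` section (outside this hunk) already installs both. If it does not, add `deps = -r{toxinidir}/test-requirements.txt` under the new section and make sure sphinx and openstackdocstheme are listed in that file, otherwise the env fails before `-W` can catch anything.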