Commit Graph

80 Commits

Author SHA1 Message Date
Arun Kant
ce6336f393 User with creator role can delete his/her own secret and container
Modified policy and tests to verify this change.

As per this change, a user with the 'creator' role can delete a secret or
a container as long as that user initially created that secret
or container.

There is still a difference between 'admin' role and 'creator' role
behavior around the delete operation. With this change, users with the 'creator'
role cannot delete any other user's secret/container in the same project,
while a user with the 'admin' role can.

Updated role docs to reflect this behavior.

Change-Id: I53e5529ed34ac4acc76348ca0431cb3de7934b6d
2016-07-25 13:42:01 -07:00
Pan
d8d178599a Code cleanup
Some cleanup on common usage and patterns

Change-Id: I55c002b38618ebde0a86ab47de1447d7d3a44327
2016-04-28 15:13:53 -04:00
Steve Martinelli
82a60ac231 migrate keystone_data to openstackclient
keystoneclient's CLI will be removed and this script won't work;
update the script to use openstackclient instead.

Change-Id: I6486396c83ee960a07c2d4e3b1a3b97e920e47fb
2016-04-20 15:16:52 +00:00
Douglas Mendizábal
d61113b4cd Delete deprecated barbican-all script
Change-Id: Idaa8d0983f899ce20e5210ed11b259e8851eeb55
2016-02-19 22:08:22 -06:00
Jenkins
7b0cce90a5 Merge "Correct a typo." 2016-01-21 03:20:20 +00:00
Ning Sun
1fe2102a9e Correct a typo.
Signed-off-by: Ning Sun <ning.sun@intel.com>

Change-Id: I7f881e67229cef40404c87e01898a22ea95fbbf3
2016-01-19 22:45:04 -08:00
Jeff Feng
4026989fde Remove obsolete shell command files
bin/barbican-keystone-listener.sh
bin/barbican-worker

They have been moved to setup.cfg

Change-Id: I1e4c46dd266a947d10475f0028c3eed11373ba42
2015-12-03 13:26:54 -06:00
Thomas Dinkjian
ffcd649638 Move Key gen script to cmd folder
Moves the key generation script from bin to the cmd folder.
This is preferred because other scripts for HSM interaction,
such as the PKEK re-wrap, are located there.

Change-Id: I731ec087e96114d00bd983edd60d2e1806399e16
2015-11-06 15:12:39 -06:00
Steve Heyman
546003b03c Fix spelling of HATEOAS
We've misspelled HATEOAS in several places.  This CR fixes those
misspellings.

Change-Id: I2daa92e8b6ba3a978bea47d81090e72918458634
2015-10-17 12:08:20 -05:00
Zhao Lei
edc2316712 Remove quotes from subshell call in bash script
Always omit quotes around $() statements.

We don't need quotes to hold blanks in the result:
 # i=$(echo 1 2 3)
 # echo $i
 1 2 3
 #

These quotes can cause something to go wrong in some cases:
 # i=$(echo '!')
 #
 # i="$(echo '!')"
 -bash: !: event not found
 #

No real problem for the current code; this is only to use a better code style.

Change-Id: I865069a1aa0384d13feed7249cadb2f34b6cf99d
Signed-off-by: Zhao Lei <zhaolei@cn.fujitsu.com>
2015-09-23 18:45:40 +08:00
Amy Marrich
5696f5ef47 Removes pyenv from barbican.sh
pyenv is no longer rehashed as part of the installation

Change-Id: Iae80d6342e7356f4fb949c4c10a048048d585351
Closes-Bug: #1459814
2015-09-02 17:58:54 -05:00
Dave McCowan
9614a0c45b Introduce the key-manager:service-admin role
In Barbican, the admin role specifies a user that has complete
authority over resources within a project.  An admin for one
project should not have access to resources in a different project.
A project admin should not be able to affect service-wide resources.

With the implementation of the quotas blueprint, there is a need for
a new limited purpose role.  This role will be able to manage project
quotas, but will not have access to projects' stored keys and secrets.

This change request proposes the new role ("key-manager:service-admin")
that can be used for this purpose.

The changes are implemented in the default policy and will
give this new role access to set, read, and delete project quotas.  It
will also have access to the resources and actions available to "all_users".
The default policy grants no other permissions to this role.

Partially-implements: blueprint quota-support-on-barbican-resources
Change-Id: I67be5de62b508fdc88f5d29e69bfa6341d0487d1
2015-08-17 23:55:44 -04:00
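The two role changes above (a 'creator' who may delete only what they created, an 'admin' whose authority stops at the project boundary, and a key-manager:service-admin that manages quotas but cannot read a project's secrets) are easiest to check as a decision table. The following is an added example written for this page, not Barbican's policy file or its oslo.policy enforcer; the Token and Secret shapes, the creator_id attribute and the user fixture (modelled on the functional-test users admin_a, creator_a, observer_a, auditor_a, admin_b, observer_b, plus a second creator and one service-admin) are assumptions for the illustration.

```python
"""Added example (not Barbican's policy file or enforcer): a model of the
role behaviour described in the commit messages above, so the allow/deny
matrix can be checked with plain Python. Token, Secret, creator_id and the
user fixture are assumptions made for this illustration."""

from dataclasses import dataclass

SERVICE_ADMIN = "key-manager:service-admin"
# Roles that carry project-level access; service-admin is deliberately absent.
PROJECT_ROLES = frozenset({"admin", "creator", "observer", "audit"})


@dataclass(frozen=True)
class Token:
    """Keystone-style scoped token: the roles apply within project_id only."""
    user_id: str
    project_id: str
    roles: frozenset


@dataclass(frozen=True)
class Secret:
    """A secret or container, tagged with its owning project and creator."""
    project_id: str
    creator_id: str


def can_read_secret(token, target):
    """Any project role may GET a secret in its own project; admins of other
    projects and the service-admin get nothing."""
    return token.project_id == target.project_id and bool(token.roles & PROJECT_ROLES)


def can_delete_secret(token, target):
    """admin: any secret in its project. creator: only secrets it created."""
    if token.project_id != target.project_id:
        return False
    if "admin" in token.roles:
        return True
    return "creator" in token.roles and token.user_id == target.creator_id


def can_manage_quotas(token):
    """Project quotas (set/read/delete) are a service-wide resource reserved
    for the service-admin role; a project admin must not touch them."""
    return SERVICE_ADMIN in token.roles


def decision_matrix():
    """Constructed fixture: project A has admin/creator/observer/audit (plus a
    second creator), project B has admin/observer, and one service-admin
    token. Returns {user: (read, delete, manage_quotas)} evaluated against a
    secret that creator_a stored in project A."""
    users = {
        "admin_a": Token("u-admin-a", "proj-a", frozenset({"admin"})),
        "creator_a": Token("u-creator-a", "proj-a", frozenset({"creator"})),
        "creator_a2": Token("u-creator-a2", "proj-a", frozenset({"creator"})),
        "observer_a": Token("u-observer-a", "proj-a", frozenset({"observer"})),
        "auditor_a": Token("u-audit-a", "proj-a", frozenset({"audit"})),
        "admin_b": Token("u-admin-b", "proj-b", frozenset({"admin"})),
        "observer_b": Token("u-observer-b", "proj-b", frozenset({"observer"})),
        "service_admin": Token("u-svc", "proj-ops", frozenset({SERVICE_ADMIN})),
    }
    secret = Secret(project_id="proj-a", creator_id="u-creator-a")
    return {
        name: (can_read_secret(tok, secret),
               can_delete_secret(tok, secret),
               can_manage_quotas(tok))
        for name, tok in users.items()
    }


if __name__ == "__main__":
    for user, (read, delete, quotas) in decision_matrix().items():
        print(f"{user:14} read={read!s:5} delete={delete!s:5} quotas={quotas}")
```

The second creator in project A (creator_a2) is the case that separates the new behaviour from the admin role: same project, same role name, but no ownership, so the delete is refused while the read still succeeds. The service-admin row shows the inverse split: quota management allowed, secret access refused even though the token is valid.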
Lisa Clark
1533b68665 Removing Cloudkeep from comments
Cleaning up comments and removing Rackspace specific verbiage.

Change-Id: I36675fcc84908043f6c2182de2232fe0bdd15e33
2015-08-06 12:58:27 -04:00
Dave Walker (Daviey)
63102c02dc Drop file extensions for /usr/bin/*
Previously there were 4 python scripts being installed
into /usr/{local/}bin/ which contained the extension *.py.
There was also a developers script called barbican.sh
to create a developer's environment.

This change switches away from installing them as scripts,
preferring to use pbr's console_scripts entry point.  This
means that the scripts were moved to be part of a 'cmd'
module within the barbican module.

The barbican.sh script is also no longer installed, as it
seems inappropriate to install this on consumers' machines.

A few cosmetic changes were added to achieve pep8.

Change-Id: I452b56535ec18228060370be899af2a63d138472
Closes-Bug: 1454587
Signed-off-by: Dave Walker (Daviey) <email@daviey.com>
2015-07-03 00:46:35 +01:00
Jenkins
6eb6872e5f Merge "Change naming convention for Barbican config files" 2015-06-24 22:42:15 +00:00
Juan Antonio Osorio Robles
68111d771c Make db-manage script use same config file as barbican
Instead of having to specify the db-url every time we need to do a
migration, this CR enables the db-manage script to use the same config
file as barbican.

Change-Id: I2dd74b6af285119bfb7155925dbf6aa33d55bc46
2015-06-23 16:45:27 +03:00
Kevin Bishop
7232fb0bc7 Replace oslo incubator code with oslo_service
This is the last in a series of commits to replace our incubator
code with official oslo packages found on PyPI.

Change-Id: I8d40c855699b34bdb3f4ef0e6afd696705afe10a
Closes-Bug: 1463967
2015-06-22 21:22:32 +00:00
Amy Marrich
07d1a50de3 Change naming convention for Barbican config files
barbican-api.conf files renamed to barbican.conf
Updated references in code from barbican-api.conf to barbican.conf
Updated references in docs from barbican-api.conf to barbican.conf

Change-Id: I89c4c7fdf7fee2dd73e40bdba6052dcd5213d932
Closes-bug: #1459682
2015-06-09 11:04:56 -05:00
Jenkins
0b56a17d1a Merge "Adding a new script to generate mkek and hmac" 2015-06-05 00:07:58 +00:00
Chellygel
014c432ff9 Adding a new script to generate mkek and hmac
Shuffled a few items out of the pkcs11 module to allow
it to continue working as normal but also account for the
generation of mkek and hmac.

Change-Id: I811e9a8498087c33d8a59e85d71200e7eb27ae58
2015-06-03 18:17:24 -05:00
Kevin Bishop
5687cd9b93 Centralize Barbican API Config
This centralizes all config options into config.py,
eliminating a race condition where not all config options
from modules may have been registered by the time the
config file is parsed. Plugins are now provided a
separate config object, to which they can add their
own individual options before parsing the config file themselves.

Change-Id: I737bfe092ff71a1275f27de5b9328e9d23032a24
Closes-Bug: #1459448
2015-06-02 15:08:21 -05:00
Steve Heyman
5e82cbeaec Add more users/roles to secret/container RBAC tests
Completed the set of RBAC users by adding audit and
creator users for group b, then added those users to the
tests for secret and container GET tests.  This completes
the matrix of tests for secret and container GET.

Updated the scripts to ensure the users get setup
correctly in devstack and via keystone_data.sh.

Change-Id: Ib598cab8c36728f8ad91c940680e0cdfcfca5c2e
2015-05-22 16:07:16 -05:00
Dave McCowan
28135c1099 Add Multi-user support for Functional Tests
This commit adds the infrastructure for multi-user testing.  It also adds
a small set of test cases that exercise RBAC policy for secret and
container reads.

Six users with four roles and two projects are added.
   In Project A: admin_a, creator_a, observer_a, auditor_a
   In Project B: admin_b, observer_b

Get Secrets and Get Containers are tested for each user.

Implements: blueprint add-run-as-for-functional-tests
Relates-to: blueprint multi-user-functional-tests

Change-Id: I65c820440c014301cfce90d360440d3e12e7ffba
2015-05-08 17:06:54 -04:00
Amy Marrich
39ea8464ba Remove deprecated references to admin endpoint.
Removes references to former Admin API port 9312

Removes references to adminurl for admin API endpoint

Removes references to barbican-admin.ini and barbican-admin-paste.ini and files

Change-Id: I7265952d2caf69c1ac322055127f3f84c80641c8
Closes-Bug: #1450277
2015-05-04 15:12:12 -05:00
werner mendizabal
fe365db0d6 Create Barbican python scripts for development.
This script does not require uwsgi and instead uses paste deploy to run Barbican.

Change-Id: I4a0148ad081fb8e238528af4eb54da8f0dfb037f
2015-04-09 15:25:27 +00:00
jfwood
b2fbda189f Add retry periodic task and worker-client logic
Added a new retry scheduler Oslo Server that executes the Oslo
periodic task process. This process invokes a retry method on a
configured periodic schedule. This process can in turn enqueue RPC
tasks via the same client interface that the API nodes use. Follow-on
CRs will utilize this periodic process to enqueue RPC tasks.

Implements: blueprint add-worker-retry-update-support
Change-Id: I8ba6dc57b015be16c78eef3ba949f336c60817f3
2015-03-20 16:51:09 -05:00
Juan Antonio Osorio Robles
fe2d52aa17 Use oslo_log in db-manage script
The barbican-db-manage.py script was failing due to the adoption of
oslo_log. This is now fixed.

Change-Id: I9d9645d1d2a708351fc66faafbb9cff177107901
2015-03-03 12:57:53 +02:00
Douglas Mendizabal
124d232e5c Remove version from endpoints in catalog
Remove the API version from the endpoints in the Keystone service
catalog.  The python-barbicanclient library expects the endpoint to not
include the version, and will add the version itself.  This is
recommended by the Keystone team as a better approach, since the service
catalog does not need to be updated in the event that a new API version
becomes available.

Change-Id: Ibb63113bcbd33d65c691cb242b5794b30114fb23
2015-02-27 11:26:10 -06:00
John Vrbanac
b20b70c173 Fixing logging import for barbican-worker.py
Change-Id: Idd0eda55f996200c4d3fe07243d45a7f5528f3bd
Closes-Bug: 1424299
2015-02-21 18:59:32 -06:00
Juan Antonio Osorio Robles
cb17fa6ad6 Drop old namespace for some oslo libraries
The oslo team has decided to drop the "oslo." namespacing as it was
causing a lot of trouble. So, as described [1], the namespace was
dropped in favor of the "oslo_" imports that will be used.

Note that oslo.messaging still doesn't have a release supporting their
switch to oslo_messaging, but it will come in their next release. So I
will do the switch when they have it ready.

[1] http://blog.nemebean.com/content/whys-and-hows-oslo-namespace-change

Change-Id: I4743598668d9dde540275911467b94386bad0983
2015-02-02 22:10:45 +02:00
Juan Antonio Osorio Robles
1379202618 Add 'current' option to the migration script
This is an initial implementation of the 'current' option, which
enables you to see the current revision that the database is in.

Change-Id: I9afdec83d4cc90ff3f8cdc2662fbbf73bfc0b90f
2015-01-28 17:08:37 +02:00
Juan Antonio Osorio Robles
978d745977 Add 'history' option to the migration script
This is an initial implementation of a 'history' option, which enables
you to see the available migration scripts and their appropriate
hashes. This is helpful when debugging migration errors, as it allows
you to easily get information about the scripts without having to see
the files (when using the verbose option).

Change-Id: Ib6bfa728689774586617180d3d43a493155ab0c2
2015-01-28 17:08:27 +02:00
Juan Antonio Osorio Robles
14765056fb Handle SystemExit properly in migration script
The migration script was catching all exceptions and using
log.exception in case there was any. The problem is, argparse raises a
SystemExit exception after printing the "help" with an exit code of 0.
This would eventually get caught as an exception. Since this is an
exception, the logging would print the stack trace, which in the case
of a proper exit would be very confusing, as one might think there is
a problem when there isn't.

This change now omits the logging if there was a system exit with a 0
or None code (which is the default code if you call "sys.exit()").

Also, some pep8 issues were fixed here.

Change-Id: I300358e28b39a8a65d7b4253dcca975b46bf757c
2015-01-28 14:22:41 +02:00
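The exit-code handling described in the commit above, as an added example that is not the barbican-db-manage script itself: a CLI entry point that logs unexpected exceptions with their traceback, but treats a SystemExit carrying code 0 or None (what argparse raises after printing --help, or what a bare sys.exit() raises) as a clean exit and logs nothing. The sub-command names and the handler functions are assumptions made for the illustration.

```python
"""Added example, not the barbican-db-manage script itself: a CLI entry
point that logs unexpected exceptions with a traceback, but treats a
SystemExit carrying code 0 or None (what argparse raises after printing
--help, or a bare sys.exit()) as a clean exit and logs nothing. The
sub-command names and handlers are assumptions for the illustration."""

import argparse
import logging
import sys

LOG = logging.getLogger("example-db-manage")


def run_cli(argv, handler):
    """Parse argv, call handler(args) and return a process exit status."""
    parser = argparse.ArgumentParser(prog="example-db-manage")
    parser.add_argument("command", choices=["upgrade", "current", "history"])
    try:
        args = parser.parse_args(argv)
        handler(args)
        return 0
    except SystemExit as exc:
        # argparse exits with 0 after --help and 2 on a usage error; a bare
        # sys.exit() has code None. Only a real failure deserves a log line.
        if exc.code in (0, None):
            return 0
        LOG.error("exited with status %s", exc.code)
        return exc.code if isinstance(exc.code, int) else 1
    except Exception:
        # Anything else is a genuine error: keep the stack trace in the log.
        LOG.exception("command failed")
        return 1


# Constructed handlers used to exercise each branch.
def ok_handler(args):
    pass


def crash_handler(args):
    raise RuntimeError("migration failed")


def bare_exit_handler(args):
    sys.exit()          # SystemExit(None): a clean exit, nothing logged


def failing_exit_handler(args):
    sys.exit(3)         # SystemExit(3): logged and returned as status 3


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    sys.exit(run_cli(sys.argv[1:], ok_handler))
```

Catching SystemExit separately from Exception matters because SystemExit does not derive from Exception, so the broad handler never sees it; the earlier bug the commit describes came from catching everything, which swallowed the clean exit and logged it as a failure.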
jfwood
e73c83a210 Add I18n-related unit tests (Part 2)
This CR is the first of several dependent CRs that break up the overall
tests added via this abandoned CR:
https://review.openstack.org/#/c/139894
This CR moves the test_repositories.py module to a new 'repository'
package, in anticipation of more repository-related unit tests modules
in future CRs. This CR also refactors the model/repositories.py module
to make it a bit more testable.

Change-Id: I7c6a9b738b86c44031318e74048a1055da822230
2014-12-17 13:09:50 -06:00
jfwood
f29d08610d Update log messages to oslo.i18n
The OpenStack internationalization (i18n) system was moved from
oslo-incubator to the oslo.i18n library. This new library also has a
refined way to tag logging strings for translation as detailed on
this page:
http://docs.openstack.org/developer/oslo.i18n/guidelines.html
This CR updates Barbican's logging text messages accordingly. A
separate CR will update the barbican/openstack package structure from
oslo-incubator to remove all references to the old i18n system.

Change-Id: Ibc2700324495d01c571343937a9d1771ba9e5b85
2014-12-07 19:04:46 -06:00
Douglas Mendizabal
8a1df28d6e Use "key-manager" for service type
Use "key-manager" as the service type for the Keystone catalog, as it is
a better description of the service, and is more in line with the
official program name "Key Management Service".

Change-Id: I1c76dc8e3817b790c9a082c50684af85a1107166
2014-11-11 17:23:35 -06:00
Christian Berendt
4c712f1fd0 Remove extraneous vim editor configuration comments
Change-Id: I5028a905849d5c9cca123951605a49092befc16a
Partial-Bug: #1229324
2014-10-08 23:03:03 +02:00
Arun Kant
758904848f Adding keystone notification listener support
The notification listener processes only keystone project delete events.
It uses the keystone project id to identify whether related barbican resources exist
and deletes that project's related barbican resources.

10/07/2014: Keep resolving rebase conflicts as this change is pending for a while.
Modified listener transaction logic as per related recent change in barbican.
Fixed missing patcher stop in a few places which was causing failures in new tests.

Implements: blueprint consume-keystone-events

Change-Id: Iba7d50eb222edd43352ef82f629df2b3187c76ec
2014-10-07 16:09:09 -07:00
jfwood
6b384e0830 Fix error in two-step secret PUT with base64
An attempt to PUT base64-encoded binary data as the 2nd step in storing
a secret resulted in a SQLAlchemy 'already attached in another session'
error with the secret model. This CR moves to the SQLAlchemy scoped
session which ensures one session per thread. This CR also adds a
simple 'smoke test' script that was used to exercise the API during the
development of this CR, and could be helpful for others looking for a
simple way to test and evaluate their local Barbican API instances.

Closes-Bug: #1374270
Change-Id: Ie50e5f03be7b9b12d82a285a71e2f1b5c2483ea0
2014-09-29 14:35:52 -05:00
John Vrbanac
6eb56cb62f Switch barbican.sh to use testr
Currently, the script attempts to run unittests through
nosetests instead of testr. Switching this to testr.

Change-Id: Iadfd19b24496f52afe0e0ca1b5be9a12a4cd2468
Closes-Bug: 1362714
2014-09-19 15:19:47 -05:00
jfwood
78dfbc6463 Add order plugin metadata entity and logic
To support certificate plugin workflows, plugins need a means to persist
their state between method invocations by Barbican core. This CR adds
that persistence feature, by adding a new SQLAlchemy model and migration file,
and a new repository.

Change-Id: Ic0f74d49ab8c97e5b15c61fbc8c64d00bd9c8b5e
Implements: blueprint add-ssl-ca-support
2014-08-22 16:38:06 -05:00
jfwood
f53e0137cb Update versionbuild script to handle setup.cfg version
The versionbump script used to supply a monotonically increasing version for
rpm packages was modified to supply a 'version=' attribute to setup.cfg, to
override the pbr-generated version. Unfortunately, this change breaks devstack
deployments. So the version attribute was added back to setup.cfg. Now
versionbump functionality needs to be reverted back to adding the timestamp to
the hard-coded version stamp, but with the more Pythonic mods suggested in the
previous CR.

Closes-Bug: #1358455
Change-Id: Icc5a6a4319ea4517f2812168f25840253eb50e28
2014-08-18 18:23:03 -05:00
jfwood
f7d240801c Replace hard-coded setup version setting
The pbr library is used to generate version numbers for Barbican, and
should typically do so by forming the version using the latest tag
(such as '2014.2.b2') as a base version, and then appending git commit
info if after the tag. However, if setup.cfg has a 'version' property
set, this overrides the base version essentially 'hard coding' it. This
CR removes that override and instead lets the versionbuild.py script,
used during deployment processing, generate this version override based
on the current PBR generated version with a timestamp injected into it.

Closes-Bug: #1349238
Change-Id: I32cf9b32265569c1e2ae182efa32a0d1449de15c
2014-08-11 13:36:17 -05:00
Arvind Tiwari
177d4499af Support for debug mode start in barbican
Closes-Bug: #1295903

Change-Id: I23b508a88f666009f77a3c021e2600a279068e4b
2014-04-14 09:53:22 -06:00
jfwood
b64228a945 Revive Alembic-based database migration logic.
Alembic migrations were introduced to Barbican a while ago but have not been
used recently. This CR revisits the migration logic and ensures that time-zero
database tables creation is distinguished from Alembic-based schema updates.
The associated database migration script is also revived, allowing for
schema migrations outside of the Barbican boot process.

Change-Id: I3e7fd7ac3f629da18329c22ad11cb9ccc1b7f9f9
Implements: blueprint db-revive-migrations
2014-03-25 11:04:08 -05:00
jfwood
21420f6c73 Add script to ensure semantic versions work with continuous build.
This module generates and inserts a patch component of the semantic version
stamp for Barbican, intended to ensure that a strictly monotonically increasing
version is produced for consecutive development releases. Some repositories
such as yum use this increasing semantic version to select the latest
package for installations.

This process may not be required if a bug in the 'pbr' library is fixed:
https://bugs.launchpad.net/pbr/+bug/1206730

Change-Id: I19623d76b161331c2033ea129e7f3f67518520fa
2014-02-12 17:40:09 -06:00
John Vrbanac
276c91e7e8 Switching to use VIRTUAL_ENV env variable
Attempts to use VIRTUAL_ENV by default. If it's not available then
the script attempts to use pyenv's prefix to retrieve the python
environment path.

Change-Id: I45597a8736ca70ae935da59b24eac4e5ff7d6091
2014-01-20 13:09:24 -06:00
chadlung
b9c21c6313 Updating copyright year
Change-Id: Id0af4153b1cb8b22ef8232e9b1769f3bbf33e965
2014-01-13 17:41:22 -06:00
jfwood
2fca4f68c3 Fix file copy bug with the barbican installer.
The barbican installer (in bin/barbican.sh) is not copying files correctly
to users' environments, which breaks the install. This commit fixes that
issue.

Change-Id: I5fad5332bd329a4ca13b5843127fd6dc033ad45f
2014-01-03 16:02:27 -06:00
John Vrbanac
9a6dc73405 Removing bin/versionrelease
* This is no longer needed as pbr manages the version

Change-Id: Ie3ff02978577a0db3c07bf60ed19e838447ce30d
2014-01-02 20:41:41 -06:00