Modified policy and tests to verify this change.
As per this change, user with 'creator' role can delete a secret or
a container as long as that user has initially created that secret
or container.
There is still a difference between 'admin' role and 'creator' role
behavior around delete operation. With this change, users with 'creator'
role cannot delete any other user's secret/container in same project
while user with 'admin' role can do that.
Updated role docs to reflect this behavior.
Change-Id: I53e5529ed34ac4acc76348ca0431cb3de7934b6d
keystoneclient's CLI will be removed and this script won't work;
update the script to use openstackclient instead.
Change-Id: I6486396c83ee960a07c2d4e3b1a3b97e920e47fb
Moves the keygeneration script from bin to cmd folder.
This is preferred because other scripts for HSM interaction
such as the PKEK re-wrap are located here.
Change-Id: I731ec087e96114d00bd983edd60d2e1806399e16
Always no quotes for $() statement.
We don't need quotes to hold blanks in result:
# i=$(echo 1 2 3)
# echo $i
1 2 3
#
These quotes can make something wrong in some case:
# i=$(echo '!')
#
# i="$(echo '!')"
-bash: !: event not found
#
No real problem for current code, only to use a better code style.
Change-Id: I865069a1aa0384d13feed7249cadb2f34b6cf99d
Signed-off-by: Zhao Lei <zhaolei@cn.fujitsu.com>
In Barbican, the admin role specifies a user that has complete
authority over resources within a project. An admin for one
project should not have access to resources in a different project.
A project admin should not be able to affect service-wide resources.
With the implementation of the quotas blueprint, there is a need for
a new limited purpose role. This role will be able to manage project
quotas, but will not have access to projects' stored keys and secrets.
This change request proposes the new role ("key-manager:service-admin")
that can be used for this purpose.
The changes are implemented in the default policy and will
give this new role access to set, read, and delete project quotas. It
will also have access to the resources and actions available to "all_users".
The default policy grants no other permissions to this role.
Partially-implements: blueprint quota-support-on-barbican-resources
Change-Id: I67be5de62b508fdc88f5d29e69bfa6341d0487d1
Previously there were 4 python scripts being installed
into /usr/{local/}bin/ which contained the extension *.py.
There was also a developers script called barbican.sh
to create a developer's environment.
This change switches away from installing them as scripts,
preferring to use pbr's console_scripts entry point. This
means that the scripts were moved to be part of a 'cmd'
module within the barbican module.
The barbican.sh script is also no longer installed as it
seems inappropriate to install this on consumers machines.
A few cosmetic changes were added to achieve pep8.
Change-Id: I452b56535ec18228060370be899af2a63d138472
Closes-Bug: 1454587
Signed-off-by: Dave Walker (Daviey) <email@daviey.com>
Instead of having to specify the db-url every time we need to do a
migration, this CR enables the db-manage script to use the same config
file as barbican.
Change-Id: I2dd74b6af285119bfb7155925dbf6aa33d55bc46
This is the last in a series of commits to replace our incubator
code with official oslo packages found on PyPI.
Change-Id: I8d40c855699b34bdb3f4ef0e6afd696705afe10a
Closes-Bug: 1463967
barbican-api.conf files renamed to barbican.conf
Updated references in code from barbican-api.conf to barbican.conf
Updated references in docs from barbican-api.conf to barbican.conf
Change-Id: I89c4c7fdf7fee2dd73e40bdba6052dcd5213d932
Closes-bug: #1459682
Shuffled a few items out of the pkcs11 module to allow
it to continue working as normal but also account for the
generation of mkek and hmac.
Change-Id: I811e9a8498087c33d8a59e85d71200e7eb27ae58
This centralizes all config options into config.py,
eliminating a race condition where not all config options
from modules may have been registered by the time the
config file is parsed. Plugins are now provided a
separate config object, to which they can add their
own individual options before parsing the config file themselves.
Change-Id: I737bfe092ff71a1275f27de5b9328e9d23032a24
Closes-Bug: #1459448
Completed the set of RBAC users by adding audit and
creator users for group b, then add those users to the
tests for secret and container GET tests. This completes
the matrix of tests for secret and container GET.
Updated the scripts to ensure the users get setup
correctly in devstack and via keystone_data.sh.
Change-Id: Ib598cab8c36728f8ad91c940680e0cdfcfca5c2e
This commit adds the infrastructure for multi user testing. It also adds
a small set of test cases that exercises RBAC policy for secret and
container reads.
Six users with four roles and two projects are added.
In Project A: admin_a, creator_a, observer_a, auditor_a
In Project B: admin_b, observer_b
Get Secrets and Get Containers are tested for each user.
Implements: blueprint add-run-as-for-functional-tests
Relates-to: blueprint multi-user-functional-tests
Change-Id: I65c820440c014301cfce90d360440d3e12e7ffba
Removes references to former Admin API port 9312
Removes references to adminurl for admin API endpoint
Removes references to barbican-admin.ini and barbican-admin-paste.ini and files
Change-Id: I7265952d2caf69c1ac322055127f3f84c80641c8
Closes-Bug: #1450277
Added a new retry scheduler Oslo Server that executes the Oslo
periodic task process. This process invokes a retry method on a
configured periodic schedule. This process can in turn enqueue RPC
tasks via the same client interface that the API nodes use. Follow-on
CRs will utilize this periodic process to enqueue RPC tasks.
Implements: blueprint add-worker-retry-update-support
Change-Id: I8ba6dc57b015be16c78eef3ba949f336c60817f3
Remove the API version from the endpoints in the Keystone service
catalog. The python-barbicanclient library expects the endpoint to not
include the version, and will add the version itself. This is
recommended by the Keystone team as a better approach, since the service
catalog does not need to be updated in the event that a new API version
becomes available.
Change-Id: Ibb63113bcbd33d65c691cb242b5794b30114fb23
The oslo team has decided to drop the "oslo." namespacing as it was
causing a lot of trouble. So, as described [1], the namespace was
dropped in favor of the "oslo_" imports that will be used.
Note that oslo.messaging still doesn't have a release supporting their
switch to oslo_messaging, but it will come in their next release. So I
will do the switch when they have it ready.
[1] http://blog.nemebean.com/content/whys-and-hows-oslo-namespace-change
Change-Id: I4743598668d9dde540275911467b94386bad0983
This is an initial implementation of the 'current' option, which
enables you to see the current revision that the database is in.
Change-Id: I9afdec83d4cc90ff3f8cdc2662fbbf73bfc0b90f
This is an initial implementation of a 'history' option, which enables
you to see the available migration scripts and their appropriate
hashes. This is helpful when debugging migration errors, as it allows
you to easily get information about the scripts without having to see
the files (when using the verbose option).
Change-Id: Ib6bfa728689774586617180d3d43a493155ab0c2
The migration script was catching all exceptions and using
log.exception in case there was any. The problem is, argparse raises a
SystemExit exception after printing the "help" with an exit code of 0.
This would eventually get caught as an exception. Being this an
exception, the logging would print the stack trace, which in the case
of a proper exit would be very confusing, as one might think there is
a problem, when there isn't.
This change now omits the logging if there as a system exit with a 0
or None code (Which is the default code if you call "sys.exit()").
Also, some pep8 issues were fixed here.
Change-Id: I300358e28b39a8a65d7b4253dcca975b46bf757c
This CR is the first of several dependent CRs that break up the overall
tests added via this abandoned CR:
https://review.openstack.org/#/c/139894
This CR moves the test_repositories.py module to a new 'repository'
package, in anticipation of more repository-related unit tests modules
in future CRs. This CR also refactors the model/repositories.py module
to make it a bit more testable.
Change-Id: I7c6a9b738b86c44031318e74048a1055da822230
The OpenStack internationalization (i18n) system was moved from
oslo-incubator to the oslo.i18n library. This new library also has a
refined way to tag logging strings for translation as detailed in on
this page:
http://docs.openstack.org/developer/oslo.i18n/guidelines.html
This CR updates Barbican's logging text messages accordingly. A
separate CR will update the barbican/openstack package structure from
oslo-incubator to remove all references to the old i18n system.
Change-Id: Ibc2700324495d01c571343937a9d1771ba9e5b85
Use "key-manager" as the service type for the Keystone catalog, as it is
a better description of the service, and is more in-line with with the
official program name "Key Management Service".
Change-Id: I1c76dc8e3817b790c9a082c50684af85a1107166
Notification listener processes only keystone project delete events.
It uses keystone project id to identify if related barbican resources are there
and deletes that project related barbican resources.
10/07/2014: Keep resolving rebase conflicts as this change is pending for a while.
Modified listener transaction logic as per related recent change in barbican.
Fixed missing patcher stop in few places which was causing failure in new tests.
Implements: blueprint consume-keystone-events
Change-Id: Iba7d50eb222edd43352ef82f629df2b3187c76ec
An attempt to PUT base64-encoded binary data as the 2nd step in storing
a secret resulted in a SQLAlchemy 'already attached in another session'
error with the secret model. This CR moves to the SQLAlchemy scoped
session which ensures one session per thread. This CR also adds a
simple 'smoke test' script that was used to exercise the API during the
development of this CR, and could be helpful for others looking for a
simple way to test and evaluate their local Barbican API instances.
Closes-Bug: #1374270
Change-Id: Ie50e5f03be7b9b12d82a285a71e2f1b5c2483ea0
Currently, the script attempts to run unittests through
nosetests instead of testr. Switching this to testr.
Change-Id: Iadfd19b24496f52afe0e0ca1b5be9a12a4cd2468
Closes-Bug: 1362714
To support certificate plugin workflows, plugins needs a means to persist
their state in between method invocations by Barbican core. This CR adds
that persistence feature, by adding a new SQLAlchemy model and migration file,
and a new repository.
Change-Id: Ic0f74d49ab8c97e5b15c61fbc8c64d00bd9c8b5e
Implements: blueprint add-ssl-ca-support
The versionbump script used to supply a monotonically increasing version for
rpm packages was modified to supply a 'version=' attribute to setup.cfg, to
override the pbr-generated version. Unfortunately, this change breaks devstack
deployments. So the version attribute was added back to setup.cfg. Now
versionbump functionality needs to be reverted back to adding the timestamp to
the hard-coded version stamp, but with the more Pythonic mods suggested in the
previous CR.
Closes-Bug: #1358455
Change-Id: Icc5a6a4319ea4517f2812168f25840253eb50e28
The pbr library is used to generate version numbers for Barbican, and
should typically do so by forming the version using the latest tag
(such as '2014.2.b2') as a base version, and then appending git commit
info if after the tag. However, if setup.cfg has a 'version' property
set, this overrides the base version essentially 'hard coding' it. This
CR removes that override and instead lets the versionbuild.py script,
used during deployment processing, generate this version override based
on the current PBR generated version with a timestamp injected into it.
Closes-Bug: #1349238
Change-Id: I32cf9b32265569c1e2ae182efa32a0d1449de15c
Alembic migrations were introduced to Barbican a while ago but have not been
used recently. This CR revisits the migration logic and ensures that time-zero
database tables creation is distinguished from Alembic-base schema updates.
The associated database migration script is also revived, allowing for
schema migrations outside of the Barbican boot process.
Change-Id: I3e7fd7ac3f629da18329c22ad11cb9ccc1b7f9f9
Implements: blueprint db-revive-migrations
This module generates and inserts a patch component of the semantic version
stamp for Barbican, intended to ensure that a strictly monotonically increasing
version is produced for consecutive development releases. Some repositories
such as yum use this increasing semantic version to select the latest
package for installations.
This process may not be required if a bug in the 'pbr' library is fixed:
https://bugs.launchpad.net/pbr/+bug/1206730
Change-Id: I19623d76b161331c2033ea129e7f3f67518520fa
Attempts to use VIRTUAL_ENV by default. If it's not available then
the script attempts to use pyenv's prefix to retrieve the python
environment path.
Change-Id: I45597a8736ca70ae935da59b24eac4e5ff7d6091
The barbican installer (in bin/barbican.sh) is not copying files correctly
to user's environments, which breaks the install. This commit fixes that
issue.
Change-Id: I5fad5332bd329a4ca13b5843127fd6dc033ad45f