Commit Graph

14 Commits

Author SHA1 Message Date
Jeremy Liu
9ac0a0910e Fix gate devstack
A recent patch in devstack [1] forces the use of path access instead
of port for Keystone authentication, leading to connection error when
launching the devstack.

[1] https://review.openstack.org/#/c/456344/

Change-Id: I47b8035782bf27ee47227063381bc7dc041944b3
2017-04-19 22:10:58 +08:00
Douglas Mendizábal
39331ca5d2 Use Domains with Keystone v3 in functional tests
This patch enables configuration of domains when using Keystone v3
authentication in the functional test suite.

Change-Id: If7fbb1924ebb99dc93eacedc371369fe1fa6312f
2016-09-27 21:22:25 +00:00
Arun Kant
845b3d045b Adding functional tests for multiple backend changes (Part 5)
Change-Id: Iaf02d446a178baaa3e61d6a7267717822bd957f8
Partially-Implements: blueprint multiple-secret-backend
2016-09-14 10:18:37 -07:00
Arun Kant
ce6336f393 User with creator role can delete his/her own secret and container
Modified policy and tests to verify this change.

As per this change, user with 'creator' role can delete a secret or
a container as long as that user has initially created that secret
or container.

There is still a difference between 'admin' role and 'creator' role
behavior around delete operation. With this change, users with 'creator'
role cannot delete any other user's secret/container in same project
while user with 'admin' role can do that.

Updated role docs to reflect this behavior.

Change-Id: I53e5529ed34ac4acc76348ca0431cb3de7934b6d
2016-07-25 13:42:01 -07:00
Arun Kant
19f69ccee2 Adding support for barbican host href to be derived from wsgi request
Currently barbican provides hostname part of hrefs returned in response
based on host_href value defined in barbican.conf.

This approach would not work if barbican API needs to be accessed via
public or internal endpoint as they can be different endpoints in
control planes. The endpoint used by client depends on which network client
is making the API request. For same reasons, keystone also allows different
endpoint for a service to expose as public or internal interface in service
catalog.

To allow that kind of deployment model for barbican service, now enhancing
its logic to derive this hostname (http_scheme+host+port) information from
wsgi requests when host_href value is not set in barbican.conf. So deployment
requiring this behavior can leave host_href blank in their barbican.conf. The
host_href needs to be set empty as not setting it results in default.

Generally in this kind of deployment, proxy (e.g. haproxy) will set
appropriate host, http scheme header. Request url received at barbican side
will have the client IP address and scheme inserted directly inside it.
Reference: https://en.wikipedia.org/wiki/X-Forwarded-For

Updated existing 'change host header' related functional test to skip when
host_href is not set in barbican server side. Added new functional tests when
hrefs are derived from wsgi request. New tests are skipped when host_href is
set at server side.

Added a flag in barbican-functional.conf to indicate barbican server setting.
Default is to use CONF.host_href value. Explicit flag is added as functional
test setup may not always have barbican server conf available locally.

Change-Id: Idb8e62867f6cbd457eb64ea31500e93e74d247ea
Closes-Bug: 1541118
2016-04-13 09:33:56 -07:00
Steve Heyman
c68acb2f28 Add a configurable setting in barbican-functional.conf for SSL
Normal requests from the functional tests specify verify=True to
validate certs.  However, for internal or test deployments you
may require verify=False.  This CR adds a line in
etc/barbican/barbican-functional.conf where you can configure
the setting for verify.

To set this, edit the etc/barbican/barbican-functional.conf
file and under the [keymanager] section, specify
verify_ssl=True (which is the default) or verify_ssl=False
to skip certificate validation.

Change-Id: Ie8eaa9348a938b9df31e9ff754bd2b5b78c26833
2016-03-23 09:30:53 -05:00
Steve Heyman
82de5e3175 Add a configurable setting in barbican-functional.conf for timeouts
When debugging API calls, you often timeout because of breakpoints.
The default value is 10 seconds which isn't long enough for debugging.
This CR makes that setting configurable in barbican-functional.conf
and retains the default of 10 seconds.

Change-Id: I51685d5df903088773cba4ca624bbd0360ed0d16
2016-03-21 14:17:58 -05:00
Steve Heyman
9e4bddbe8f Add secret=True so passwords do not get logged
Update config opts to add secret=True so that we do
not log sensitive information.

Change-Id: Iebf33dfdd4564a82fc1ef22685bd3ec842a0e85d
2016-01-22 12:50:59 -06:00
Arun Kant
ea95d8e768 Making barbican endpoint selection values to be configurable attributes.
Added configurable attributes in barbican functional config with current
values as default values. So it should not impact gate builds.

Change-Id: I4908e0da700154322183f82431c0a1a0f272cf52
Closes-bug: #1501462
2015-09-30 12:25:18 -07:00
jfwood
dea3b4817c Add default quota limit config to functional tests
Expected quota limits were -1, but deployers can change these defaults
so functional tests should also allow for these default limits to be
configured. This CR adds those configurations.

Change-Id: I889227560206cd60f774157e690d9341441ee76b
Closes-Bug: #1498525
2015-09-22 09:55:19 -05:00
Dave McCowan
9614a0c45b Introduce the key-manager:service-admin role
In Barbican, the admin role specifies a user that has complete
authority over resources within a project.  An admin for one
project should not have access to resources in a different project.
A project admin should not be able to affect service-wide resources.

With the implementation of the quotas blueprint, there is a need for
a new limited purpose role.  This role will be able to manage project
quotas, but will not have access to projects' stored keys and secrets.

This change request proposes the new role ("key-manager:service-admin")
that can be used for this purpose.

The changes are implemented in the default policy and will
give this new role access to set, read, and delete project quotas.  It
will also have access to the resources and actions available to "all_users".
The default policy grants no other permissions to this role.

Partially-implements: blueprint quota-support-on-barbican-resources
Change-Id: I67be5de62b508fdc88f5d29e69bfa6341d0487d1
2015-08-17 23:55:44 -04:00
Steve Heyman
5e82cbeaec Add more users/roles to secret/container RBAC tests
Completed the set of RBAC users by adding audit and
creator users for group b, then add those users to the
tests for secret and container GET tests.  This completes
the matrix of tests for secret and container GET.

Updated the scripts to ensure the users get setup
correctly in devstack and via keystone_data.sh.

Change-Id: Ib598cab8c36728f8ad91c940680e0cdfcfca5c2e
2015-05-22 16:07:16 -05:00
Dave McCowan
28135c1099 Add Multi-user support for Functional Tests
This commit adds the infrastructure for multi user testing.  It also adds
a small set of test cases that exercises RBAC policy for secret and
container reads.

Six users with four roles and two projects are added.
   In Project A: admin_a, creator_a, observer_a, auditor_a
   In Project B: admin_b, observer_b

Get Secrets and Get Containers are tested for each user.

Implements: blueprint add-run-as-for-functional-tests
Relates-to: blueprint multi-user-functional-tests

Change-Id: I65c820440c014301cfce90d360440d3e12e7ffba
2015-05-08 17:06:54 -04:00
John Vrbanac
2a4fb02bb3 Replacing functional test authentication hookup
This change replaces the authentication wrapper for our functional test
calls with a simple wrapper using Keystone client. As a result, this
change removes our dependence on Tempest trunk to run our functional
tests. Unfortunately, this was done primarily due to the incompatibility
between Tempest's oslo.log and the oslo_log that we use in Barbican that
was causing our gates to fail and blocking merges across the project.

Change-Id: I0eee6a34d1ab5ca654e737d95c1e124465dc9c14
2015-03-11 02:39:33 -05:00