A recent patch in devstack [1] forces the use of path access instead
of port for Keystone authentication, leading to connection error when
launching the devstack.
[1] https://review.openstack.org/#/c/456344/
Change-Id: I47b8035782bf27ee47227063381bc7dc041944b3
This patch enables configuration of domains when using Keystone v3
authentication in the functional test suite.
Change-Id: If7fbb1924ebb99dc93eacedc371369fe1fa6312f
Modified policy and tests to verify this change.
As per this change, user with 'creator' role can delete a secret or
a container as long as that user has initially created that secret
or container.
There is still a difference between 'admin' role and 'creator' role
behavior around delete operation. With this change, users with 'creator'
role cannot delete any other user's secret/container in same project
while user with 'admin' role can do that.
Updated role docs to reflect this behavior.
Change-Id: I53e5529ed34ac4acc76348ca0431cb3de7934b6d
Currently barbican provides hostname part of hrefs returned in response
based on host_href value defined in barbican.conf.
This approach would not work if barbican API needs to be accessed via
public or internal endpoint as they can be different endpoints in
control planes. The endpoint used by client depends on which network client
is making the API request. For same reasons, keystone also allows different
endpoint for a service to expose as public or internal interface in service
catalog.
To allow that kind of deployment model for barbican service, now enhancing
its logic to derive this hostname (http_scheme+host+port) information from
wsgi requests when host_href value is not set in barbican.conf. So deployment
requiring this behavior can leave host_href blank in their barbican.conf. The
host_href needs to be set empty as not setting it results in default.
Generally in this kind of deployment, proxy (e.g. haproxy) will set
appropriate host, http scheme header. Request url received at barbican side
will have the client IP address and scheme inserted directly inside it.
Reference: https://en.wikipedia.org/wiki/X-Forwarded-For
Updated existing 'change host header' related functional test to skip when
host_href is not set in barbican server side. Added new functional tests when
hrefs are derived from wsgi request. New tests are skipped when host_href is
set at server side.
Added a flag in barbican-functional.conf to indicate the barbican server setting.
Default is to use CONF.host_href value. Explicit flag is added as functional
test setup may not always have barbican server conf available locally.
Change-Id: Idb8e62867f6cbd457eb64ea31500e93e74d247ea
Closes-Bug: 1541118
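The href derivation this commit describes, as an added example that is not Barbican's own code: a configured host_href wins, otherwise the base is taken from the WSGI request, and the proxy-supplied X-Forwarded-Proto / X-Forwarded-Host headers are only honoured behind a trusted proxy. The function names, the `trust_forwarded` switch and all environ values are assumptions or constructed samples.

```python
# Added example (not Barbican's own code): derive the base of response hrefs
# from a WSGI request when no host_href is configured. All environ dicts
# below are constructed sample values.

def href_base(environ, host_href=None, trust_forwarded=False):
    """Return 'scheme://host[:port]' used to build hrefs in API responses.

    A configured, non-empty host_href always wins. Otherwise the value is
    derived from the WSGI environ. X-Forwarded-Proto / X-Forwarded-Host are
    honoured only when trust_forwarded is True, i.e. the deployer has
    confirmed the request reached the service through their own proxy;
    otherwise a client could choose the host that appears in returned hrefs.
    """
    if host_href:
        return host_href.rstrip("/")

    scheme = environ.get("wsgi.url_scheme", "http")
    host = environ.get("HTTP_HOST")
    if not host:
        # No Host header: fall back to the server's own name and port (PEP 3333).
        host = environ["SERVER_NAME"]
        port = environ.get("SERVER_PORT")
        default_port = "443" if scheme == "https" else "80"
        if port and port != default_port:
            host = f"{host}:{port}"

    if trust_forwarded:
        # Proxies may append to an existing header; take the first value.
        fwd_proto = environ.get("HTTP_X_FORWARDED_PROTO", "").split(",")[0].strip()
        fwd_host = environ.get("HTTP_X_FORWARDED_HOST", "").split(",")[0].strip()
        scheme = fwd_proto or scheme
        host = fwd_host or host

    return f"{scheme}://{host}"


def secret_href(environ, secret_id, host_href=None, trust_forwarded=False):
    """Build the href for a secret resource (v1 path assumed)."""
    return f"{href_base(environ, host_href, trust_forwarded)}/v1/secrets/{secret_id}"


# Constructed sample: a request that arrived through a TLS-terminating proxy.
PROXIED = {
    "wsgi.url_scheme": "http",
    "HTTP_HOST": "10.0.0.5:9311",
    "HTTP_X_FORWARDED_PROTO": "https",
    "HTTP_X_FORWARDED_HOST": "barbican.public.example",
}
```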
Normal requests from the functional tests specify verify=True to
validate certs. However, for internal or test deployments you
may require verify=False. This CR adds a line in
etc/barbican/barbican-functional.conf where you can configure
the setting for verify.
To set this, edit the etc/barbican/barbican-functional.conf
file and under the [keymanager] section, specify
verify_ssl=True (which is the default) or verify_ssl=False
to skip certificate validation.
Change-Id: Ie8eaa9348a938b9df31e9ff754bd2b5b78c26833
When debugging API calls, you often timeout because of breakpoints.
The default value is 10 seconds which isn't long enough for debugging.
This CR makes that setting configurable in barbican-functional.conf
and retains the default of 10 seconds.
Change-Id: I51685d5df903088773cba4ca624bbd0360ed0d16
Added configurable attributes in barbican functional config with current
values as default values. So it should not impact gate builds.
Change-Id: I4908e0da700154322183f82431c0a1a0f272cf52
Closes-bug: #1501462
Expected quota limits were -1, but deployers can change these defaults
so functional tests should also allow for these default limits to be
configured. This CR adds those configurations.
Change-Id: I889227560206cd60f774157e690d9341441ee76b
Closes-Bug: #1498525
In Barbican, the admin role specifies a user that has complete
authority over resources within a project. An admin for one
project should not have access to resources in a different project.
A project admin should not be able to affect service-wide resources.
With the implementation of the quotas blueprint, there is a need for
a new limited purpose role. This role will be able to manage project
quotas, but will not have access to projects' stored keys and secrets.
This change request proposes the new role ("key-manager:service-admin")
that can be used for this purpose.
The changes are implemented in the default policy and will
give this new role access to set, read, and delete project quotas. It
will also have access to the resources and actions available to "all_users".
The default policy grants no other permissions to this role.
Partially-implements: blueprint quota-support-on-barbican-resources
Change-Id: I67be5de62b508fdc88f5d29e69bfa6341d0487d1
Completed the set of RBAC users by adding audit and
creator users for group b, then add those users to the
tests for secret and container GET tests. This completes
the matrix of tests for secret and container GET.
Updated the scripts to ensure the users get setup
correctly in devstack and via keystone_data.sh.
Change-Id: Ib598cab8c36728f8ad91c940680e0cdfcfca5c2e
This commit adds the infrastructure for multi user testing. It also adds
a small set of test cases that exercises RBAC policy for secret and
container reads.
Six users with four roles and two projects are added.
In Project A: admin_a, creator_a, observer_a, auditor_a
In Project B: admin_b, observer_b
Get Secrets and Get Containers are tested for each user.
Implements: blueprint add-run-as-for-functional-tests
Relates-to: blueprint multi-user-functional-tests
Change-Id: I65c820440c014301cfce90d360440d3e12e7ffba
This change replaces the authentication wrapper for our functional test
calls with a simple wrapper using Keystone client. As a result, this
change removes our dependence on Tempest trunk to run our functional
tests. Unfortunately, this was done primarily due to the incompatibility
between Tempest's oslo.log and the oslo_log that we use in Barbican that
was causing our gates to fail and blocking merges across the project.
Change-Id: I0eee6a34d1ab5ca654e737d95c1e124465dc9c14