40 Commits

Author SHA1 Message Date
OTSUKA, Yuanying
d73bcec500 Set host_href parameter in devstack
`host_href` is used for HATEOAS-style references. Currently this
value is set to `http://localhost:9311` and fixed. But sometimes
this value is inconvenient.
This patch fixes it to be able to configure.

Change-Id: I1940139375d9c036e40c93fb1b18fe127e2a7e7f
2015-09-10 17:08:59 +09:00
Juan Antonio Osorio
b95ecb7f58 Force Identity API v3 for endpoint create in devstack
When the switch was made to the Openstack CLI, the Identity API v3 was
being taken into account. And that's the way it worked when the CR was
introduced. But for some reason, the gate is now taking v2 into account
(Which was the original behaviour).

This is problematic in the sense that commands related to identity v2
have a different syntax than commands related to identity v3.

This CR sets v3 specifically in the problematic commands, since it's the
syntax that we were considering initially. And also the goal is to move
towards the usage of Identity v3 as much as possible.

Change-Id: I5be80ce0c222be0a5439f4284351e3d30c40ef2e
2015-09-05 18:42:10 +03:00
Adam Harwell
5fde4ea84f Fix devstack gate (and new gate_hook.sh)
Change-Id: I95219c75b59fc4d49874fb228bba1ae131495159
2015-09-04 00:59:07 -07:00
Dave McCowan
9614a0c45b Introduce the key-manager:service-admin role
In Barbican, the admin role specifies a user that has complete
authority over resources within a project.  An admin for one
project should not have access to resources in a different project.
A project admin should not be able to affect service-wide resources.

With the implementation of the quotas blueprint, there is a need for
a new limited purpose role.  This role will be able to manage project
quotas, but will not have access to projects' stored keys and secrets.

This change request proposes the new role ("key-manager:service-admin")
that can be used for this purpose.

The changes are implemented in the default policy and will
give this new role access to set, read, and delete project quotas.  It
will also have access to the resources and actions available to "all_users".
The default policy grants no other permissions to this role.

Partially-implements: blueprint quota-support-on-barbican-resources
Change-Id: I67be5de62b508fdc88f5d29e69bfa6341d0487d1
2015-08-17 23:55:44 -04:00
Douglas Mendizábal
83d36f4641 Revert backwards incompatible paste change
A breaking change to the paste.ini was introduced in git commit
3b20d84312b6870557a5b1db346de75e928ddbe8 where the main app was
renamed from "apiapp" to "apiapp_v1".

This was an unnecessary change that would force deployers to rewrite
their configuration files, which may include changes to configuration
management systems.

This change reverts the incompatible name change so that operators are
able to upgrade from Kilo to Liberty without having to rewrite their
paste file.

Change-Id: If3dc7060ae5ea6d427c3a1e9989fa1e17a469db7
2015-07-28 16:38:18 -05:00
Kaitlin Farr
f113520694 Fix colorized logging in Devstack
When running Barbican with Devstack, the logs would have multiple
entries of "KeyError: 'user_id'". This resolves that error.

Change-Id: Ia4da694decb6451ca67bf4159c803410f4be606b
Closes-Bug: #1478116
2015-07-24 14:42:42 -04:00
Jenkins
5c3616cba5 Merge "Configure dogtag installation's domain name" 2015-07-22 16:36:26 +00:00
Juan Antonio Osorio Robles
f8073466c4 Configure dogtag installation's domain name
It seems that previously we were overriding the /etc/hosts in an
incorrect way. The gate had already several aliases for localhost which
we were completely discarding, and this might cause some issues with
some assumptions that were being taken in the gate.

On the other hand, a newer version of dogtag that is now being used in
the gate requires there to be a proper DNS domain name configured, and
this was causing the installation to fail in the gate.

So as a solution, we now force the fqdn to be localhost.localdomain. And
on the other hand, we explicitly configure dogtag to use localhost as a
hostname, since it was actually getting an alias from the hostname
command, which was not being found with the domain it was fetching from
the dnsdomainname command.

Closes-Bug: #1477118
Change-Id: I7ea518ddc35ac96fb8594d57a1a46a32f30bf3c0
2015-07-22 13:07:18 +00:00
jfwood
02dc4cdb71 Add retry server and functional tests to DevStack
Add a retry scheduler server process to the DevStack start/stop
processes. This includes adding a PBR entry point and barbican.cmd
script for the retry scheduler process, as other projects such as
Glance and Nova are doing now. Eventually we'll want to move over all
our boot scripts to the entry point approach. Verify functional test
for generating a simple certificate order, which is the first of the
extended-workflow order types that utilize the retry processing logic.
Also add try/catch around the retry process because if we don't pass
back a retry interval to the Oslo periodic task framework, it stops
rescheduling tasks! Also added delays to the functional test order
status check as for SQLite I was noticing disk I/O concurrency errors
otherwise. Yes, I'd still like to support SQLite for local functional
testing.

Change-Id: Ib7b50ab7f7354fefebfdf654689427ae7bf59e58
2015-07-12 10:41:03 -05:00
Jenkins
6eb6872e5f Merge "Change naming convention for Barbican config files" 2015-06-24 22:42:15 +00:00
Jenkins
094530c2e6 Merge "Display all versions info in versions controller" 2015-06-24 19:07:32 +00:00
Juan Antonio Osorio Robles
3b20d84312 Display all versions info in versions controller
This patch enables the "versions controller" or "/" resource to display
information relevant to all the versions of the Barbican API (which is
only v1 at the moment). This is done in the same fashion Keystone
displays it, and it has the purpose of enabling more automatic discovery
as described in the blueprint.

Accessing the root resource with the "build" query parameter, such as:

    $ curl http://localhost:9311/?build

will display the build information.

On the other hand, this introduces the V1Controller, which is now the
root controller (which requires authentication) for Barbican.

Accessing the "/v1" resource will display the version information in the
way it's required by keystone.

The json-home implementation is left for a subsequent CR.

Partially implements blueprint fix-version-api
Change-Id: Ie7e706adcf1b5d74f64776b888a06638247b4e87
2015-06-18 05:21:10 +03:00
Juan Antonio Osorio Robles
a488cdd53d service_enabled instead of environment variable for dogtag
This change also adds the dogtag installation functions into the
contrib/devstack/lib/barbican scripts, and enables the installation of
dogtag in the extras.d script making the calling of the dogtag
installation from the functional test pre-hook script not necessary.

Depends-on: I749539f387f163e829fdc8390b6bd16cf23c663b
Change-Id: I60ccfaaa43aa4aa68e99affb9837ecab48c36759
2015-06-10 13:18:59 +03:00
Amy Marrich
07d1a50de3 Change naming convention for Barbican config files
barbican-api.conf files renamed to barbican.conf
Updated references in code from barbican-api.conf to barbican.conf
Updated references in docs from barbican-api.conf to barbican.conf

Change-Id: I89c4c7fdf7fee2dd73e40bdba6052dcd5213d932
Closes-bug: #1459682
2015-06-09 11:04:56 -05:00
Jenkins
83fe7aceeb Merge "Add more users/roles to secret/container RBAC tests" 2015-05-27 15:49:23 +00:00
Steve Heyman
5e82cbeaec Add more users/roles to secret/container RBAC tests
Completed the set of RBAC users by adding audit and
creator users for group b, then add those users to the
tests for secret and container GET tests.  This completes
the matrix of tests for secret and container GET.

Updated the scripts to ensure the users get set up
correctly in devstack and via keystone_data.sh.

Change-Id: Ib598cab8c36728f8ad91c940680e0cdfcfca5c2e
2015-05-22 16:07:16 -05:00
Juan Antonio Osorio Robles
1d0dfb41b3 Fix Dogtag setup script
Change-Id: I625eb834c89ac88191e0418d6145b29de42b92b3
2015-05-22 02:41:55 +03:00
Dave McCowan
28135c1099 Add Multi-user support for Functional Tests
This commit adds the infrastructure for multi user testing.  It also adds
a small set of test cases that exercises RBAC policy for secret and
container reads.

Six users with four roles and two projects are added.
   In Project A: admin_a, creator_a, observer_a, auditor_a
   In Project B: admin_b, observer_b

Get Secrets and Get Containers are tested for each user.

Implements: blueprint add-run-as-for-functional-tests
Relates-to: blueprint multi-user-functional-tests

Change-Id: I65c820440c014301cfce90d360440d3e12e7ffba
2015-05-08 17:06:54 -04:00
Amy Marrich
39ea8464ba Remove deprecated references to admin endpoint.
Removes references to former Admin API port 9312

Removes references to adminurl for admin API endpoint

Removes references to barbican-admin.ini and barbican-admin-paste.ini and files

Change-Id: I7265952d2caf69c1ac322055127f3f84c80641c8
Closes-Bug: #1450277
2015-05-04 15:12:12 -05:00
Douglas Mendizábal
558e3e04ea Refactor dogtag gate scripts
Refactor dogtag installation so it can be run with sudo.

Change-Id: I4d7128dc4ce153a9c96fe2d47e2fcaab1d2bb25c
2015-04-16 15:57:57 -05:00
Adam Harwell
04a255b404 Make the default devstack config use the right password
Now in line with etc/barbican/barbican-functional.conf (and the gate) which
use "secretadmin" as the default devstack password.

Change-Id: Idc8514f56725dd4ac0d1fda9eae0643d0278fd34
2015-03-18 19:44:41 -05:00
John Vrbanac
2a4fb02bb3 Replacing functional test authentication hookup
This change replaces the authentication wrapper for our functional test
calls with a simple wrapper using Keystone client. As a result, this
change removes our dependence on Tempest trunk to run our functional
tests. Unfortunately, this was done primarily due to the incompatibility
between Tempest's oslo.log and the oslo_log that we use in Barbican that
was causing our gates to fail and blocking merges across the project.

Change-Id: I0eee6a34d1ab5ca654e737d95c1e124465dc9c14
2015-03-11 02:39:33 -05:00
Douglas Mendizabal
124d232e5c Remove version from endpoints in catalog
Remove the API version from the endpoints in the Keystone service
catalog.  The python-barbicanclient library expects the endpoint to not
include the version, and will add the version itself.  This is
recommended by the Keystone team as a better approach, since the service
catalog does not need to be updated in the event that a new API version
becomes available.

Change-Id: Ibb63113bcbd33d65c691cb242b5794b30114fb23
2015-02-27 11:26:10 -06:00
Douglas Mendizábal
a1e5404416 Add support for dogtag in devstack testing
Added scripts for installing dogtag and configuring barbican to use the
dogtag plugin in order to add a new gate that runs the functional test
suite against dogtag.

Change-Id: I40dfdbc414dbc4fa07b5a5cbed074e6d340c7778
2015-02-20 10:52:04 -06:00
Louis Taylor
bf4084fcf2 Configure colored logging in devstack
This sets up colored logging for the barbican service in devstack.

Change-Id: I44968e4efd84f470f1e56c41751b4c0953b8fe51
2015-02-17 01:10:15 +00:00
Douglas Mendizabal
8a1df28d6e Use "key-manager" for service type
Use "key-manager" as the service type for the Keystone catalog, as it is
a better description of the service, and is more in-line with the
official program name "Key Management Service".

Change-Id: I1c76dc8e3817b790c9a082c50684af85a1107166
2014-11-11 17:23:35 -06:00
Ravi Sankar Penta
6fba9d6785 Allow devstack to do git clone of barbican
Currently on F20 env when devstack tries to install barbican and
barbicanclient, it's failing as corresponding dir doesn't exist and
ERROR_ON_CLONE=True. As barbican is not part of devstack yet,
we don't expect this dir to be present in this case, we should
set ERROR_ON_CLONE=False to allow devstack to do git clone.

Related-Bug: #1353696
Change-Id: I3c362f1b2e6c9abf940ea68a12085dd747ede37c
2014-08-22 13:00:50 -07:00
Ravi Sankar Penta
126b9a032a Install sqlite-devel package on fedora
On fedora-20 when devstack tries to install barbican,
it is failing with missing sqlite headers. Added sqlite-devel
pkg to resolve the issue.

Closes-Bug: #1353696
Change-Id: Ib2bb66ac6805693d2c275ca7cba0879e141659da
2014-08-13 11:47:27 -07:00
Jenkins
081aa6b4d2 Merge "Update devstack endpoint creation to include v1" 2014-07-23 16:02:30 +00:00
Ravi Sankar Penta
7fffe9540c Fix accepting longer PKI keystone auth requests to Barbican
Passing CLI option '-b' during barbican start is not honored by uwsgi.
So, set buffer-size=65535 in /etc/barbican/vassals/barbican-api.ini
Removed redundant '--logto' CLI option to uwsgi.

Change-Id: Icea0144f2c19e916d65c9836ddc9d7e48ecd9412
2014-07-21 10:11:08 -07:00
Dougal Matthews
81208f852f Update devstack endpoint creation to include v1
Currently with v1 missing, the barbican client doesn't include the /v1
part of the endpoint and gets 404's for all requests.

Change-Id: I14e6083084e4c05998dea2cacb5ac921c340d059
2014-07-07 15:16:48 +01:00
chadlung
8876d74ed6 Add a local.conf for easier DevStack spinning up
Change-Id: I30117fea17068ad21404fdd250e842ec635c4ca8
2014-06-02 17:17:38 -05:00
Stanislaw Pitucha
ab2290630b Update the links to python-barbicanclient
Change-Id: I3f6039c36827c4341b15fbc1f8b3c73e704d29f4
2014-06-02 15:05:04 +01:00
Kaitlin Farr
0aa51da1fb Changing from stackforge to openstack project
Closes-bug: #1323830
Change-Id: I1563072f2419882b539245229be6aef5362e2d91
2014-05-27 16:46:52 -04:00
chadlung
b617461315 Increase DevStack uWSGI buffer for Tempest support (Keystone Headers)
Change-Id: I597c85745f60434477886f14dd8bb7f3d5b39dd3
2014-05-15 08:16:45 -07:00
chadlung
0494edc559 Ensure uWSGI process in DevStack is actually killed
Change-Id: Id03afbeae2fd9151d2d7bcaafd3fc74204946751
2014-05-07 15:04:51 -05:00
Arvind Tiwari
617addcbc7 Barbican should not do rbac on version api call
Closes-Bug: #1290445

Change-Id: Idcd52600542b017f54c25a75ec0ab37348eb109d
2014-03-17 16:57:30 -06:00
Chad Lung
53af996600 Minor changes to make the bash8 check happy
Change-Id: Ic3fd85ce066cd9b15fec95316afe38974e8f19cb
2014-03-05 17:16:18 -06:00
chadlung
ee8349b4f2 Correcting bash script pre-test-hook
Change-Id: Idf004e16c578e77bf78336cccbac3684d7a1f460
2014-03-03 16:42:38 -06:00
chadlung
0e0d062113 Adjust contrib location, minor adjustments
Change-Id: I0a962f487ac3362b209422554286e76441daa06a
2014-02-26 15:33:30 -06:00