`host_href` is used for HATEOAS-style references. Currently this
value is set to `http://localhost:9311` and fixed. But sometimes
this value is inconvenient.
This patch makes it configurable.
Change-Id: I1940139375d9c036e40c93fb1b18fe127e2a7e7f
When the switch was made to the OpenStack CLI, the Identity API v3 was
being taken into account. And that's the way it worked when the CR was
introduced. But for some reason, the gate is now taking v2 into account
(which was the original behavior).
This is problematic in the sense that commands related to identity v2
have a different syntax than commands related to identity v3.
This CR sets v3 specifically in the problematic commands, since it's the
syntax that we were considering initially. And also the goal is to move
towards the usage of Identity v3 as much as possible.
Change-Id: I5be80ce0c222be0a5439f4284351e3d30c40ef2e
In Barbican, the admin role specifies a user that has complete
authority over resources within a project. An admin for one
project should not have access to resources in a different project.
A project admin should not be able to affect service-wide resources.
With the implementation of the quotas blueprint, there is a need for
a new limited purpose role. This role will be able to manage project
quotas, but will not have access to projects' stored keys and secrets.
This change request proposes the new role ("key-manager:service-admin")
that can be used for this purpose.
The changes are implemented in the default policy and will
give this new role access to set, read, and delete project quotas. It
will also have access to the resources and actions available to "all_users".
The default policy grants no other permissions to this role.
Partially-implements: blueprint quota-support-on-barbican-resources
Change-Id: I67be5de62b508fdc88f5d29e69bfa6341d0487d1
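
The role separation described in the commit message above, as an added example that is not part of the commit or of Barbican's policy file. The action names, the project role names and the rule table are hypothetical; only the role name `key-manager:service-admin` comes from the message.

```python
from dataclasses import dataclass

SERVICE_ADMIN = "key-manager:service-admin"   # role name from the commit message
PROJECT_ROLES = {"admin", "creator", "observer", "audit"}  # assumed role names

# Hypothetical action table: action -> (roles allowed, project-scoped?)
RULES = {
    "secret:get":           ({"admin", "creator", "observer"}, True),
    "secret:delete":        ({"admin"}, True),
    "project_quota:get":    ({SERVICE_ADMIN}, False),
    "project_quota:set":    ({SERVICE_ADMIN}, False),
    "project_quota:delete": ({SERVICE_ADMIN}, False),
    "version:get":          (PROJECT_ROLES | {SERVICE_ADMIN}, False),  # "all_users"
}

@dataclass(frozen=True)
class Caller:
    roles: frozenset
    project_id: str

def is_allowed(caller, action, target_project=None):
    """Default deny: unknown actions, unmatched roles and foreign projects fail."""
    rule = RULES.get(action)
    if rule is None:
        return False
    allowed_roles, project_scoped = rule
    if not caller.roles & allowed_roles:
        return False
    if project_scoped and caller.project_id != target_project:
        return False
    return True

# Constructed callers for the demonstration.
CALLERS = {
    "admin_a": Caller(frozenset({"admin"}), "project-a"),
    "service_admin": Caller(frozenset({SERVICE_ADMIN}), "service"),
}

def access_matrix(checks):
    """Evaluate every (action, project) check for every constructed caller."""
    return {(name, action, project): is_allowed(caller, action, project)
            for name, caller in CALLERS.items()
            for action, project in checks}

if __name__ == "__main__":
    for key, ok in access_matrix([("secret:get", "project-a"), ("secret:get", "project-b"),
                                  ("project_quota:set", "project-a")]).items():
        print(key, "ALLOW" if ok else "DENY")
```
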
A breaking change to the paste.ini was introduced in git commit
3b20d84312b6870557a5b1db346de75e928ddbe8 where the main app was
renamed from "apiapp" to "apiapp_v1".
This was an unnecessary change that would force deployers to rewrite
their configuration files, which may include changes to configuration
management systems.
This change reverts the incompatible name change so that operators are
able to upgrade from Kilo to Liberty without having to rewrite their
paste file.
Change-Id: If3dc7060ae5ea6d427c3a1e9989fa1e17a469db7
When running Barbican with Devstack, the logs would have multiple
entries of "KeyError: 'user_id'". This resolves that error.
Change-Id: Ia4da694decb6451ca67bf4159c803410f4be606b
Closes-Bug: #1478116
It seems that previously we were overriding the /etc/hosts in an
incorrect way. The gate had already several aliases for localhost which
we were completely discarding, and this might cause some issues with
some assumptions that were being taken in the gate.
On the other hand, a newer version of dogtag that is now being used in
the gate requires there to be a proper DNS domain name configured, and
this was causing the installation to fail in the gate.
So as a solution, we now force the fqdn to be localhost.localdomain. And
on the other hand, we explicitly configure dogtag to use localhost as a
hostname, since it was actually getting an alias from the hostname
command, which was not being found with the domain it was fetching from
the dnsdomainname command.
Closes-Bug: #1477118
Change-Id: I7ea518ddc35ac96fb8594d57a1a46a32f30bf3c0
Add a retry scheduler server process to the DevStack start/stop
processes. This includes adding a PBR entry point and barbican.cmd
script for the retry scheduler process, as other projects such as
Glance and Nova are doing now. Eventually we'll want to move over all
our boot scripts to the entry point approach. Verify functional test
for generating a simple certificate order, which is the first of the
extended-workflow order types that utilize the retry processing logic.
Also add try/catch around the retry process because if we don't pass
back a retry interval to the Oslo periodic task framework, it stops
rescheduling tasks! Also added delays to the functional test order
status check as for SQLite I was noticing disk I/O concurrency errors
otherwise. Yes, I'd still like to support SQLite for local functional
testing.
Change-Id: Ib7b50ab7f7354fefebfdf654689427ae7bf59e58
This patch enables the "versions controller" or "/" resource to display
information relevant to all the versions of the Barbican API (which is
only v1 at the moment). This is done in the same fashion Keystone
displays it, and it has the purpose of enabling more automatic discovery
as described in the blueprint.
Accessing the root resource with the "build" query parameter, such as:
$ curl http://localhost:9311/?build
will display the build information.
On the other hand, this introduces the V1Controller, which is now the
root controller (which requires authentication) for Barbican.
Accessing the "/v1" resource will display the version information in the
way it's required by keystone.
The json-home implementation is left for a subsequent CR.
Partially implements blueprint fix-version-api
Change-Id: Ie7e706adcf1b5d74f64776b888a06638247b4e87
This change also adds the dogtag installation functions into the
contrib/devstack/lib/barbican scripts, and enables the installation of
dogtag in the extras.d script making the calling of the dogtag
installation from the functional test pre-hook script not necessary.
Depends-on: I749539f387f163e829fdc8390b6bd16cf23c663b
Change-Id: I60ccfaaa43aa4aa68e99affb9837ecab48c36759
barbican-api.conf files renamed to barbican.conf
Updated references in code from barbican-api.conf to barbican.conf
Updated references in docs from barbican-api.conf to barbican.conf
Change-Id: I89c4c7fdf7fee2dd73e40bdba6052dcd5213d932
Closes-bug: #1459682
Completed the set of RBAC users by adding audit and
creator users for group b, then add those users to the
tests for secret and container GET tests. This completes
the matrix of tests for secret and container GET.
Updated the scripts to ensure the users get set up
correctly in devstack and via keystone_data.sh.
Change-Id: Ib598cab8c36728f8ad91c940680e0cdfcfca5c2e
This commit adds the infrastructure for multi user testing. It also adds
a small set of test cases that exercises RBAC policy for secret and
container reads.
Six users with four roles and two projects are added.
In Project A: admin_a, creator_a, observer_a, auditor_a
In Project B: admin_b, observer_b
Get Secrets and Get Containers are tested for each user.
Implements: blueprint add-run-as-for-functional-tests
Relates-to: blueprint multi-user-functional-tests
Change-Id: I65c820440c014301cfce90d360440d3e12e7ffba
Removes references to former Admin API port 9312
Removes references to adminurl for admin API endpoint
Removes references to barbican-admin.ini and barbican-admin-paste.ini files
Change-Id: I7265952d2caf69c1ac322055127f3f84c80641c8
Closes-Bug: #1450277
Now in line with etc/barbican/barbican-functional.conf (and the gate) which
use "secretadmin" as the default devstack password.
Change-Id: Idc8514f56725dd4ac0d1fda9eae0643d0278fd34
This change replaces the authentication wrapper for our functional test
calls with a simple wrapper using Keystone client. As a result, this
change removes our dependence on Tempest trunk to run our functional
tests. Unfortunately, this was done primarily due to the incompatibility
between Tempest's oslo.log and the oslo_log that we use in Barbican that
was causing our gates to fail and blocking merges across the project.
Change-Id: I0eee6a34d1ab5ca654e737d95c1e124465dc9c14
Remove the API version from the endpoints in the Keystone service
catalog. The python-barbicanclient library expects the endpoint to not
include the version, and will add the version itself. This is
recommended by the Keystone team as a better approach, since the service
catalog does not need to be updated in the event that a new API version
becomes available.
Change-Id: Ibb63113bcbd33d65c691cb242b5794b30114fb23
Added scripts for installing dogtag and configuring barbican to use the
dogtag plugin in order to add a new gate that runs the functional test
suite against dogtag.
Change-Id: I40dfdbc414dbc4fa07b5a5cbed074e6d340c7778
Use "key-manager" as the service type for the Keystone catalog, as it is
a better description of the service, and is more in line with the
official program name "Key Management Service".
Change-Id: I1c76dc8e3817b790c9a082c50684af85a1107166
Currently on F20 env when devstack tries to install barbican and
barbicanclient, it's failing as corresponding dir doesn't exist and
ERROR_ON_CLONE=True. As barbican is not part of devstack yet,
we don't expect this dir to be present in this case, we should
set ERROR_ON_CLONE=False to allow devstack to do git clone.
Related-Bug: #1353696
Change-Id: I3c362f1b2e6c9abf940ea68a12085dd747ede37c
On fedora-20 when devstack tries to install barbican,
it is failing with missing sqlite headers. Added sqlite-devel
pkg to resolve the issue.
Closes-Bug: #1353696
Change-Id: Ib2bb66ac6805693d2c275ca7cba0879e141659da
Passing CLI option '-b' during barbican start is not honored by uwsgi.
So, set buffer-size=65535 in /etc/barbican/vassals/barbican-api.ini
Removed redundant '--logto' CLI option to uwsgi.
Change-Id: Icea0144f2c19e916d65c9836ddc9d7e48ecd9412
Currently with v1 missing, the barbican client doesn't include the /v1
part of the endpoint and gets 404's for all requests.
Change-Id: I14e6083084e4c05998dea2cacb5ac921c340d059