Barbican is a ReST API designed for the secure storage, provisioning and management of secrets, including in OpenStack environments.


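#!/bin/bash
#------------------------------------
# Seed Keystone for Barbican testing: the barbican service user, the
# key-manager service-admin user and role, two RBAC test projects
# (project_a, project_b) each with admin/creator/observer/audit users,
# and the key-manager service endpoints.
#
# Credentials, the devstack way:
#   cd <devstack-home>
#   source openrc nova service
# This sets up an admin user and the service project and password in the
# environment.  Alternately the OS_* defaults exported below are used; each
# one may be overridden from the calling environment, and OS_PASSWORD in
# particular should be supplied that way rather than edited in here.
#
# The script is not idempotent: it stops at the first failing openstack
# command (set -e), so re-running it against an already seeded Keystone
# will fail on the first existing user/role/project.
#------------------------------------
set -euo pipefail

export OS_AUTH_URL="${OS_AUTH_URL:-http://localhost:5000/v2.0}"
# your secret password (override from the environment)
export OS_PASSWORD="${OS_PASSWORD:-password}"
export OS_PROJECT_NAME="${OS_PROJECT_NAME:-service}"
export OS_USERNAME="${OS_USERNAME:-nova}"
# --------------------------------
# alternately service_token and endpoint
#export OS_TOKEN=orange
#export OS_URL=http://localhost:5000/v3
# ========================================

#------------------------------------------------------------
# Adding the Key Manager Service: barbican
#------------------------------------------------------------
readonly ENABLED_SERVICES="barbican"
# Password of the barbican and service-admin users; override via env.
readonly SERVICE_PASSWORD="${SERVICE_PASSWORD:-orange}"
readonly SERVICE_HOST="${SERVICE_HOST:-localhost}"
readonly SERVICE_PROJECT_NAME="service"
readonly KEYSTONE_CATALOG_BACKEND='sql'
# Shared password of the RBAC test users; override via env.
readonly PASSWORD="${PASSWORD:-barbican}"
# Ports to avoid: 3333, 5000, 8773, 8774, 8776, 9292, 9696
readonly BARBICAN_PORT=9311

#######################################
# Print the connection settings in use.  Secrets (OS_PASSWORD, OS_TOKEN)
# are shown only as set/unset so the value never lands in a console log.
#######################################
print_settings() {
  printf ' OS_URL=%s\n' "${OS_URL:-}"
  printf ' OS_TOKEN=%s\n' "${OS_TOKEN:+<set>}"
  printf ' OS_PROJECT_NAME=%s\n' "${OS_PROJECT_NAME:-}"
  printf ' OS_USERNAME=%s\n' "${OS_USERNAME:-}"
  printf ' OS_PASSWORD=%s\n' "${OS_PASSWORD:+<set>}"
  printf ' OS_AUTH_URL=%s\n' "${OS_AUTH_URL:-}"
}

#######################################
# Create a Keystone user and print its id.
# Arguments:
#   $1 - user name
#   $2 - email
#   $3 - password
#   $@ - any further `openstack user create` options (e.g. --project ID)
# Outputs: the new user's id on stdout
#######################################
create_user() {
  local name=$1 email=$2 password=$3
  shift 3
  # NOTE: --password places the secret on the command line, where other
  # local processes can read it; fine for a throwaway devstack, not for a
  # real deployment.
  openstack user create \
    --password "$password" \
    --email "$email" \
    "$@" \
    "$name" -f value -c id
}

#######################################
# Grant a role to a user on a project.
# Arguments: $1 - user id, $2 - project id, $3 - role id
#######################################
grant_role() {
  openstack role add --user "$1" --project "$2" "$3"
}

#######################################
# Create one RBAC test user (shared PASSWORD) and grant it a role.
# Arguments: $1 - user name, $2 - email, $3 - project id, $4 - role id
#######################################
setup_rbac_user() {
  local user_id
  user_id=$(create_user "$1" "$2" "$PASSWORD")
  grant_role "$user_id" "$3" "$4"
}

#######################################
# Create the admin/creator/observer/auditor users of one RBAC test project.
# Arguments:
#   $1 - short project label ("a" or "b") used in user names and emails
#   $2 - project id
#   $3..$6 - admin, creator, observer, audit role ids
#######################################
setup_rbac_project() {
  local label=$1 project_id=$2
  local role_admin=$3 role_creator=$4 role_observer=$5 role_audit=$6
  setup_rbac_user "project_${label}_admin" "admin_${label}@example.net" \
    "$project_id" "$role_admin"
  setup_rbac_user "project_${label}_creator" "creator_${label}@example.net" \
    "$project_id" "$role_creator"
  setup_rbac_user "project_${label}_observer" "observer_${label}@example.net" \
    "$project_id" "$role_observer"
  setup_rbac_user "project_${label}_auditor" "auditor_${label}@example.net" \
    "$project_id" "$role_audit"
}

#######################################
# Register the key-manager service and its internal/public endpoints.
# Arguments: $1 - service host
#######################################
setup_endpoint() {
  local host=$1
  local service_id url
  url="http://${host}:${BARBICAN_PORT}"
  service_id=$(openstack service create \
    --name barbican \
    --description "Barbican Service" \
    'key-manager' -f value -c id)
  openstack endpoint create "$service_id" --region RegionOne internal "$url"
  openstack endpoint create "$service_id" --region RegionOne public "$url"
}

main() {
  print_settings
  # Sanity-check the credentials before creating anything.
  openstack project list

  # Lookups
  local service_project admin_role
  service_project=$(openstack project show "$SERVICE_PROJECT_NAME" -f value -c id)
  admin_role=$(openstack role show admin -f value -c id)

  [[ "$ENABLED_SERVICES" == *barbican* ]] || return 0

  #
  # Setup Default Admin User
  #
  local barbican_user
  barbican_user=$(create_user barbican "barbican@example.com" "$SERVICE_PASSWORD" \
    --project "$service_project")
  grant_role "$barbican_user" "$service_project" "$admin_role"

  #
  # Setup Default service-admin User
  #
  local service_admin service_admin_role
  service_admin=$(create_user "service-admin" "service-admin@example.com" "$SERVICE_PASSWORD")
  service_admin_role=$(openstack role create "key-manager:service-admin" -f value -c id)
  grant_role "$service_admin" "$service_project" "$service_admin_role"

  #
  # Setup RBAC User Projects and Roles
  #
  local project_a_id project_b_id role_creator_id role_observer_id role_audit_id
  project_a_id=$(openstack project create "project_a" -f value -c id)
  project_b_id=$(openstack project create "project_b" -f value -c id)
  role_creator_id=$(openstack role create "creator" -f value -c id)
  role_observer_id=$(openstack role create "observer" -f value -c id)
  role_audit_id=$(openstack role create "audit" -f value -c id)

  # The admin role id was already looked up above; reuse it.
  setup_rbac_project a "$project_a_id" \
    "$admin_role" "$role_creator_id" "$role_observer_id" "$role_audit_id"
  # Adding second creator user in project_a
  setup_rbac_user "project_a_creator_2" "creator2_a@example.net" \
    "$project_a_id" "$role_creator_id"
  setup_rbac_project b "$project_b_id" \
    "$admin_role" "$role_creator_id" "$role_observer_id" "$role_audit_id"

  #
  # Setup Barbican Endpoint
  #
  if [[ "$KEYSTONE_CATALOG_BACKEND" == 'sql' ]]; then
    setup_endpoint "$SERVICE_HOST"
  fi
}

main "$@"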