openstack/barbican
Code Issues Proposed changes
Files
2f2d718bb76bd37cc6555a587f771e7472ab0620
barbican/etc/barbican/barbican-functional.conf
Arun Kant 19f69ccee2 Adding support for barbican host href to be derived from wsgi request 
Currently barbican provides hostname part of hrefs returned in response
based on host_href value defined in barbican.conf.

This approach would not work if barbican API needs to be accessed via
public or internal endpoint as they can be different endpoints in
control planes. The endpoint used by client depends on which network client
is making the API request. For same reasons, keystone also allows different
endpoint for a service to expose as public or internal interface in service
catalog.

To allow that kind of deployment model for barbican service, now enhancing
its logic to derive this hostname (http_scheme+host+port) information from
wsgi requests when host_href value is not set in barbican.conf. So deployment
requiring this behavior can leave host_href blank in their barbican.conf. The
host_href needs to be set empty as not setting it results in default.

Generally in this kind of deployment, proxy (e.g. haproxy) will set
appropriate host, http scheme header. Request url received at barbican side
will have the client IP address and scheme inserted directly inside it.
Reference: https://en.wikipedia.org/wiki/X-Forwarded-For

Updated existing 'change host header' related functional test to skip when
host_href is not set in barbican server side. Added new functional tests when
hrefs are derived from wsgi request. New tests are skipped when host_href is
set at server side.

Added a flag in barbican-functional.conf to indicate barbican server setting
Default is to use CONF.host_href value. Explicit flag is added as functional
test setup may not always have barbican server conf available locally.

Change-Id: Idb8e62867f6cbd457eb64ea31500e93e74d247ea
Closes-Bug: 1541118
2016-04-13 09:33:56 -07:00

91 lines
2.4 KiB
Plaintext
Raw Blame History

[DEFAULT]
[identity]
# Replace these with values that represent your identity configuration
uri=http://localhost:5000/v3
version=v3
username=admin
project_name=admin
password=secretadmin
domain_name=Default
service_admin=service-admin
service_admin_project=service
service_admin_password=secretservice
[rbac_users]
# Replace these values that represent additional users for RBAC testing
project_a=project_a
project_b=project_b
# users for project_a
admin_a=project_a_admin
admin_a_password=barbican
creator_a=project_a_creator
creator_a_password=barbican
observer_a=project_a_observer
observer_a_password=barbican
auditor_a=project_a_auditor
auditor_a_password=barbican
# users for project_b
admin_b=project_b_admin
admin_b_password=barbican
creator_b=project_b_creator
creator_b_password=barbican
observer_b=project_b_observer
observer_b_password=barbican
auditor_b=project_b_auditor
auditor_b_password=barbican
[keymanager]
# For selecting service endpoint from service catalog,
# following attributes are used to find it.
#service_type=key-manager
#service_name=barbican
#region_name=RegionOne
#endpoint_type=public
#verify_ssl=True
# use this to increase the timeout (in seconds) when debugging API calls
#timeout=10
# use this to run the functional tests against a
# different barbican server than the one that is
# specified in the service catalog. To use what is
# in the service catalog, just comment this out
# or leave it blank.
# override_url=http://localhost:9311
# override_url_version=v1
# Flag to indicate if (when True) the server is setting the href's returned in
# requests via barbican.conf's 'host_href' setting, or else (when False) the
# server is setting the href's from the wsgi request.
# Default value is True.
server_host_href_set = True
[quotas]
# For each resource, the default maximum number that can be used for
# a project is set below. This value can be overridden for each
# project through the API. A negative value means no limit. A zero
# value effectively disables the resource.
# These should be set identically to the system under test.
# default number of secrets allowed per project
quota_secrets = -1
# default number of orders allowed per project
quota_orders = -1
# default number of containers allowed per project
quota_containers = -1
# default number of consumers allowed per project
quota_consumers = -1
# default number of CAs allowed per project
quota_cas = -1
View Git Blame Copy Permalink