barbican/doc/source/install/common_configure.rst
Ricardo Rocha 6642a60830 Set db_auto_create default to False
Change the default value for the db_auto_create option to False. This is
vital as the flag is managing upgrades as well if the databases already
exist.

It will prevent production deployments from having their databases
impacted if an API daemon is started for any reason pointing to
a production database.

Change-Id: Id7eac78737af76afe628deeca7c15c2ac969d47e
2020-09-25 14:34:07 +00:00

74 lines
2.3 KiB
ReStructuredText

2. Edit the ``/etc/barbican/barbican.conf`` file and complete the following
actions:
* In the ``[DEFAULT]`` section, configure database access:
.. code-block:: ini
[DEFAULT]
...
sql_connection = mysql+pymysql://barbican:BARBICAN_DBPASS@controller/barbican
Replace ``BARBICAN_DBPASS`` with the password you chose for the
Key Manager service database.
* In the ``[DEFAULT]`` section,
configure ``RabbitMQ`` message queue access:
.. code-block:: ini
[DEFAULT]
...
transport_url = rabbit://openstack:RABBIT_PASS@controller
Replace ``RABBIT_PASS`` with the password you chose for the
``openstack`` account in ``RabbitMQ``.
* In the ``[keystone_authtoken]`` section, configure Identity
service access:
.. code-block:: ini
[keystone_authtoken]
...
www_authenticate_uri = http://controller:5000
auth_url = http://controller:5000
memcached_servers = controller:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = barbican
password = BARBICAN_PASS
Replace ``BARBICAN_PASS`` with the password you chose for the
``barbican`` user in the Identity service.
.. note::
Comment out or remove any other options in the
``[keystone_authtoken]`` section.
#. Populate the Key Manager service database:
If you wish the Key Manager service to automatically populate the
database when the service is first started, set db_auto_create to
True in the ``[DEFAULT]`` section. By default this will not be active
and you can populate the database manually as below:
.. code-block:: console
$ su -s /bin/sh -c "barbican-manage db upgrade" barbican
.. note::
Ignore any deprecation messages in this output.
#. Barbican has a plugin architecture which allows the deployer to store secrets in
a number of different back-end secret stores. By default, Barbican is configured to
store secrets in a basic file-based keystore. This key store is NOT safe for
production use.
For a list of supported plugins and detailed instructions on how to configure them,
see :ref:`barbican_backend`