barbican/install-guide/source/common_configure.rst
Jeremy Liu 61aa385e80 Correct configuration of db connection
Change-Id: I314874866e725cf982a229cfebdffc7b3aa47a03
Closes-bug: #1655323
Closes-bug: #1654402
2017-01-18 15:13:19 +08:00


  1. Edit the /etc/barbican/barbican.conf file and complete the following actions:

    • In the [DEFAULT] section, configure database access:

      [DEFAULT]
      ...
      sql_connection = mysql+pymysql://barbican:BARBICAN_DBPASS@controller/barbican

      Replace BARBICAN_DBPASS with the password you chose for the Key Manager service database.

    • In the [DEFAULT] section, configure RabbitMQ message queue access:

      [DEFAULT]
      ...
      transport_url = rabbit://openstack:RABBIT_PASS@controller

      Replace RABBIT_PASS with the password you chose for the openstack account in RabbitMQ.

    • In the [keystone_authtoken] section, configure Identity service access:

      [keystone_authtoken]
      ...
      auth_uri = http://controller:5000
      auth_url = http://controller:35357
      memcached_servers = controller:11211
      auth_type = password
      project_domain_name = default
      user_domain_name = default
      project_name = service
      username = barbican
      password = BARBICAN_PASS

      Replace BARBICAN_PASS with the password you chose for the barbican user in the Identity service.

      Note

      Comment out or remove any other options in the [keystone_authtoken] section.

  2. Edit the /etc/barbican/barbican-api-paste.ini file and complete the following actions:

    • In the [pipeline:barbican_api] section, configure the pipeline to use the Identity service auth token:

      [pipeline:barbican_api]
      pipeline = cors authtoken context apiapp

  3. Populate the Key Manager service database:

    The Key Manager service database will be automatically populated when the service is first started. To prevent this, and run the database sync manually, edit the /etc/barbican/barbican.conf file and set db_auto_create in the [DEFAULT] section to False.

    Then populate the database as below:

    $ su -s /bin/sh -c "barbican-manage db upgrade" barbican

    Note

    Ignore any deprecation messages in this output.

  4. Barbican has a plugin architecture that allows the deployer to store secrets in a number of different back-end secret stores. By default, Barbican is configured to store secrets in a basic file-based key store. This key store is NOT safe for production use.

    For a list of supported plugins and detailed instructions on how to configure them, see barbican_backend
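
A pre-start check for steps 1 and 2, as an added example that is not part of the original guide or of Barbican itself: it parses the contents of the two files and reports placeholders left unreplaced, options in [keystone_authtoken] beyond those listed in step 1, and a pipeline without authtoken ahead of apiapp. The names audit and leftover_option and the sample input are assumptions made for this illustration.

```python
import configparser

# Added example; function and constant names here are illustrative only.
# Placeholders from this guide that must be replaced before the service starts.
PLACEHOLDERS = ("BARBICAN_DBPASS", "RABBIT_PASS", "BARBICAN_PASS")
# The only [keystone_authtoken] options the guide sets; others should be removed.
AUTHTOKEN_OPTIONS = {
    "auth_uri", "auth_url", "memcached_servers", "auth_type",
    "project_domain_name", "user_domain_name", "project_name",
    "username", "password",
}

def _parse(text):
    # No interpolation: real passwords may contain '%'. A dummy default_section
    # makes [DEFAULT] an ordinary section so its keys are not inherited.
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   default_section="__unused__")
    cp.read_string(text)
    return cp

def audit(conf_text, paste_text):
    """Return a list of findings for barbican.conf and barbican-api-paste.ini."""
    findings = []
    conf, paste = _parse(conf_text), _parse(paste_text)
    for section in conf.sections():
        for key, value in conf.items(section):
            for token in PLACEHOLDERS:
                if token in value:
                    findings.append(f"[{section}] {key}: {token} not replaced")
    if conf.has_section("keystone_authtoken"):
        extra = set(conf.options("keystone_authtoken")) - AUTHTOKEN_OPTIONS
        for key in sorted(extra):
            findings.append(f"[keystone_authtoken] {key}: not in the guide, remove")
    stages = paste.get("pipeline:barbican_api", "pipeline", fallback="").split()
    if "authtoken" not in stages:
        findings.append("[pipeline:barbican_api] authtoken filter missing")
    elif "apiapp" in stages and stages.index("authtoken") > stages.index("apiapp"):
        findings.append("[pipeline:barbican_api] authtoken must precede apiapp")
    return findings

if __name__ == "__main__":
    # Constructed sample input: one placeholder left in place, one stray option.
    conf = ("[DEFAULT]\nsql_connection = mysql+pymysql://barbican:BARBICAN_DBPASS"
            "@controller/barbican\n[keystone_authtoken]\nusername = barbican\n"
            "password = s3cret\nleftover_option = abc\n")
    paste = "[pipeline:barbican_api]\npipeline = cors context apiapp\n"
    for finding in audit(conf, paste):
        print(finding)
```

Run it against the text of /etc/barbican/barbican.conf and /etc/barbican/barbican-api-paste.ini before starting the service; an empty list means none of the three conditions was found.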