barbican/doc/source/install/common_configure.rst
Ricardo Rocha 6642a60830 Set db_auto_create default to False
Change the default value for the db_auto_create option to False. This is
vital as the flag is managing upgrades as well if the databases already
exist.

It will prevent production deployments from having their databases
impacted if an API daemon is started for any reason pointing to
a production database.

Change-Id: Id7eac78737af76afe628deeca7c15c2ac969d47e
2020-09-25 14:34:07 +00:00


  1. Edit the /etc/barbican/barbican.conf file and complete the following actions:

    • In the [DEFAULT] section, configure database access:

      [DEFAULT]
      ...
      sql_connection = mysql+pymysql://barbican:BARBICAN_DBPASS@controller/barbican

      Replace BARBICAN_DBPASS with the password you chose for the Key Manager service database.

    • In the [DEFAULT] section, configure RabbitMQ message queue access:

      [DEFAULT]
      ...
      transport_url = rabbit://openstack:RABBIT_PASS@controller

      Replace RABBIT_PASS with the password you chose for the openstack account in RabbitMQ.

    • In the [keystone_authtoken] section, configure Identity service access:

      [keystone_authtoken]
      ...
      www_authenticate_uri = http://controller:5000
      auth_url = http://controller:5000
      memcached_servers = controller:11211
      auth_type = password
      project_domain_name = default
      user_domain_name = default
      project_name = service
      username = barbican
      password = BARBICAN_PASS

      Replace BARBICAN_PASS with the password you chose for the barbican user in the Identity service.

      Note

      Comment out or remove any other options in the [keystone_authtoken] section.

  2. Populate the Key Manager service database:

    If you want the Key Manager service to populate the database automatically when the service is first started, set db_auto_create to True in the [DEFAULT] section. This option is disabled by default, so populate the database manually as shown below:

    $ su -s /bin/sh -c "barbican-manage db upgrade" barbican

    Note

    Ignore any deprecation messages in this output.

  3. Barbican has a plugin architecture which allows the deployer to store secrets in a number of different back-end secret stores. By default, Barbican is configured to store secrets in a basic file-based keystore. This key store is NOT safe for production use.

    For a list of supported plugins and detailed instructions on how to configure them, see barbican_backend
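
The settings from steps 1 and 2 can be checked before the service is started. The following is an added example, not part of the Barbican documentation or code base: the function name, the sample file contents and the `leftover_option` key are constructed for illustration. It flags an enabled db_auto_create, guide placeholders that were never replaced, and options in [keystone_authtoken] beyond the ones listed above.

```python
import configparser

# Placeholders used in the install guide; none may survive into a real config.
PLACEHOLDERS = ("BARBICAN_DBPASS", "RABBIT_PASS", "BARBICAN_PASS")
# The only [keystone_authtoken] options the guide tells you to keep.
ALLOWED_AUTHTOKEN = {
    "www_authenticate_uri", "auth_url", "memcached_servers", "auth_type",
    "project_domain_name", "user_domain_name", "project_name",
    "username", "password",
}
TRUTHY = {"true", "1", "yes", "on"}

def audit_barbican_conf(text):
    """Return a list of findings for the contents of a barbican.conf file."""
    # Rename default_section so [DEFAULT] keys do not leak into other sections.
    cp = configparser.ConfigParser(
        default_section="__unused__", interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    default = cp["DEFAULT"] if cp.has_section("DEFAULT") else {}
    if default.get("db_auto_create", "false").strip().lower() in TRUTHY:
        findings.append("db_auto_create is enabled: starting the API can "
                        "create or upgrade the database schema")
    for section in cp.sections():
        for key, value in cp.items(section):
            for ph in PLACEHOLDERS:
                if ph in value:
                    findings.append(f"[{section}] {key} still contains {ph}")
    if cp.has_section("keystone_authtoken"):
        for key in cp.options("keystone_authtoken"):
            if key not in ALLOWED_AUTHTOKEN:
                findings.append(f"[keystone_authtoken] unexpected option {key}")
    return findings

# Constructed sample input, not a real deployment's configuration.
SAMPLE = """
[DEFAULT]
sql_connection = mysql+pymysql://barbican:s3cret@controller/barbican
transport_url = rabbit://openstack:RABBIT_PASS@controller
db_auto_create = True

[keystone_authtoken]
auth_url = http://controller:5000
password = BARBICAN_PASS
leftover_option = x
"""

if __name__ == "__main__":
    print("\n".join(audit_barbican_conf(SAMPLE)))
```

To audit a real file, pass its contents, for example `audit_barbican_conf(open("/etc/barbican/barbican.conf").read())`.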