openstack
/
barbican
Code Issues Proposed changes
barbican/install-guide/source/common_configure.rst

2.8 KiB
Raw Blame History

  1. Edit the /etc/barbican/barbican.conf file and complete the following actions:

    • In the [database] section, configure database access:

      [database]
...
connection = mysql+pymysql://barbican:BARBICAN_DBPASS@controller/barbican

      Replace BARBICAN_DBPASS with the password you chose for the Key Manager service database.

    • In the [DEFAULT] and [oslo_messaging_rabbit] sections, configure RabbitMQ message queue access:

      [DEFAULT]
...
rpc_backend = rabbit

[oslo_messaging_rabbit]
...
rabbit_host = controller
rabbit_userid = openstack
rabbit_password = RABBIT_PASS

      Replace RABBIT_PASS with the password you chose for the openstack account in RabbitMQ.

    • In the [keystone_authtoken] section, configure Identity service access:

      [keystone_authtoken]
...
auth_uri = http://controller:5000
auth_url = http://controller:35357
memcached_servers = controller:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = barbican
password = BARBICAN_PASS

      Replace BARBICAN_PASS with the password you chose for the barbican user in the Identity service.

      Note

      Comment out or remove any other options in the [keystone_authtoken] section.

  2. Edit the /etc/barbican/barbican-api-paste.ini file and complete the following actions:

    • In the [pipeline:barbican_api] section, configure the pipeline to use the Identity Service auth token.

      [pipeline:barbican_api]
pipeline = cors authtoken context apiapp

  3. Populate the Key Manager service database:

    The Key Manager service database will be automatically populated when the service is first started. To prevent this, and run the database sync manually, edit the /etc/barbican/barbican.conf file and set db_auto_create in the [DEFAULT] section to False.

    Then populate the database as below:

    $ su -s /bin/sh -c "barbican-manage db upgrade" barbican

    Note

    Ignore any deprecation messages in this output.

  4. Barbican has a plugin architecture which allows the deployer to store secrets in a number of different back-end secret stores. By default, Barbican is configured to store secrets in a basic file-based keystore. This key store is NOT safe for production use.

    For a list of supported plugins and detailed instructions on how to configure them, see barbican_backend