barbican/doc/source/setup/keystone.rst
Paulo Ewerton 8abb2c6a0b Use keystone auth plugin
keystonemiddleware admin settings are deprecated
so we should stop using them in favor of a keystone
auth plugin. This patch updates the config file
to use keystone API v3 by default.

Change-Id: I9d10ac29ab33cbdd845573106960e5f181afdb69
Closes-Bug: 1579801
2016-05-16 14:19:41 +00:00

Using Keystone Middleware with Barbican

Prerequisites

To enable Keystone integration with Barbican you'll need a relatively current version of Keystone. If you don't have an instance of Keystone available, you can set up your own in one of the following ways.

  1. Simple Dockerized Keystone
  2. Installing Keystone
  3. Devstack

Hooking up Barbican to Keystone

Assuming that you've already set up your Keystone instance, connecting Barbican to Keystone is quite simple. When completed, Barbican should require a valid X-Auth-Token to be provided with all API calls except the get version call.

  1. Turn off any active instances of Barbican

  2. Edit /etc/barbican/barbican-api-paste.ini

    1. Change the pipeline /v1 value from unauthenticated barbican-api to the authenticated barbican-api-keystone

        [composite:main]
        use = egg:Paste#urlmap
        /: barbican_version
        /v1: barbican-api-keystone

    2. Replace authtoken filter values to match your Keystone setup

        [filter:authtoken]
        paste.filter_factory = keystonemiddleware.auth_token:filter_factory
        signing_dir = /tmp/barbican/cache
        auth_uri = http://{YOUR_KEYSTONE_ENDPOINT}:5000/v3
        auth_url = http://{YOUR_KEYSTONE_ENDPOINT}:35357/v3
        auth_plugin = password
        username = {YOUR_KEYSTONE_USERNAME}
        password = {YOUR_KEYSTONE_PASSWORD}
        user_domain_id = {YOUR_KEYSTONE_USER_DOMAIN}
        project_name = {YOUR_KEYSTONE_PROJECT}
        project_domain_id = {YOUR_KEYSTONE_PROJECT_DOMAIN}

  3. Start Barbican: {barbican_home}/bin/barbican.sh start
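
Before restarting Barbican, the edited file can be checked for the mistakes that leave /v1 unauthenticated or the authtoken filter half-configured. The script below is an added example, not part of the Barbican documentation or code base; the function name `audit_paste_ini`, the finding strings and the sample file are assumptions made for illustration, and the deprecated option names are the keystonemiddleware admin settings that the auth plugin settings replace.

```python
import configparser
import re

# Old admin-credential options that the auth plugin settings replace.
DEPRECATED = {"admin_user", "admin_password", "admin_tenant_name",
              "admin_token", "identity_uri"}
# Keys the page's [filter:authtoken] block sets for the password plugin.
REQUIRED = {"auth_url", "auth_plugin", "username", "password",
            "user_domain_id", "project_name", "project_domain_id"}
PLACEHOLDER = re.compile(r"\{YOUR_[A-Z_]+\}")

# Constructed sample with four deliberate mistakes (not a real deployment).
SAMPLE = """\
[composite:main]
use = egg:Paste#urlmap
/: barbican_version
/v1: barbican-api
[filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
auth_url = http://keystone.example:35357/v3
auth_plugin = password
admin_user = barbican
username = barbican
password = {YOUR_KEYSTONE_PASSWORD}
user_domain_id = default
project_name = service
"""


def audit_paste_ini(text):
    """Return a list of findings for a barbican-api-paste.ini body."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings = []
    main = cfg["composite:main"] if cfg.has_section("composite:main") else {}
    if main.get("/v1") != "barbican-api-keystone":
        findings.append("/v1 is not routed to barbican-api-keystone")
    if not cfg.has_section("filter:authtoken"):
        return findings + ["missing [filter:authtoken] section"]
    auth = cfg["filter:authtoken"]
    findings += [f"deprecated option set: {k}" for k in sorted(DEPRECATED & set(auth))]
    findings += [f"missing option: {k}" for k in sorted(REQUIRED - set(auth))]
    findings += [f"placeholder not replaced: {k}" for k, v in auth.items()
                 if PLACEHOLDER.search(v)]
    return findings


if __name__ == "__main__":
    for line in audit_paste_ini(SAMPLE):
        print(line)
```

An empty result means the pipeline and filter settings match the steps above; it does not confirm that the credentials are valid against Keystone.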