Merge "Use keystone auth plugin"

Jenkins 2016-05-17 17:12:35 +00:00 committed by Gerrit Code Review
commit 11bcb88a2f
3 changed files with 40 additions and 25 deletions


@ -134,14 +134,20 @@ function configure_barbican {
# Turn on the middleware # Turn on the middleware
iniset $BARBICAN_PASTE_CONF 'pipeline:barbican_api' pipeline 'barbican-api-keystone' iniset $BARBICAN_PASTE_CONF 'pipeline:barbican_api' pipeline 'barbican-api-keystone'
# Keystone complete URIs
KEYSTONE_AUTH_URI=${KEYSTONE_AUTH_PROTOCOL}://${KEYSTONE_AUTH_HOST}:${KEYSTONE_AUTH_PORT}/v3
KEYSTONE_SERVICE_URI=${KEYSTONE_SERVICE_PROTOCOL}://${KEYSTONE_SERVICE_HOST}:${KEYSTONE_SERVICE_PORT}/v3
# Set the keystone parameters # Set the keystone parameters
iniset $BARBICAN_PASTE_CONF 'filter:keystone_authtoken' auth_protocol $KEYSTONE_AUTH_PROTOCOL iniset $BARBICAN_PASTE_CONF 'filter:authtoken' auth_plugin password
iniset $BARBICAN_PASTE_CONF 'filter:keystone_authtoken' auth_host $KEYSTONE_AUTH_HOST iniset $BARBICAN_PASTE_CONF 'filter:authtoken' auth_url $KEYSTONE_AUTH_URI
iniset $BARBICAN_PASTE_CONF 'filter:keystone_authtoken' auth_port $KEYSTONE_AUTH_PORT iniset $BARBICAN_PASTE_CONF 'filter:authtoken' username barbican
iniset $BARBICAN_PASTE_CONF 'filter:keystone_authtoken' admin_user barbican iniset $BARBICAN_PASTE_CONF 'filter:authtoken' password $SERVICE_PASSWORD
iniset $BARBICAN_PASTE_CONF 'filter:keystone_authtoken' admin_password $SERVICE_PASSWORD iniset $BARBICAN_PASTE_CONF 'filter:authtoken' user_domain_id default
iniset $BARBICAN_PASTE_CONF 'filter:keystone_authtoken' admin_tenant_name $SERVICE_PROJECT_NAME iniset $BARBICAN_PASTE_CONF 'filter:authtoken' project_name $SERVICE_PROJECT_NAME
iniset $BARBICAN_PASTE_CONF 'filter:keystone_authtoken' signing_dir $BARBICAN_AUTH_CACHE_DIR iniset $BARBICAN_PASTE_CONF 'filter:authtoken' project_domain_id default
iniset $BARBICAN_PASTE_CONF 'filter:authtoken' auth_uri $KEYSTONE_SERVICE_URI
iniset $BARBICAN_PASTE_CONF 'filter:authtoken' signing_dir $BARBICAN_AUTH_CACHE_DIR
} }
# init_barbican - Initialize etc. # init_barbican - Initialize etc.
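Review bot: The new `iniset ... password $SERVICE_PASSWORD` line passes the service password unquoted, so a password containing whitespace or glob characters would be word-split or expanded before `iniset` receives it, and the value written to the paste config could differ from the one registered in Keystone. Quoting it avoids that: `iniset $BARBICAN_PASTE_CONF 'filter:authtoken' password "$SERVICE_PASSWORD"`. The same applies to the `auth_url` and `auth_uri` lines that use the new `KEYSTONE_AUTH_URI` and `KEYSTONE_SERVICE_URI` variables. Because this writes a credential into `$BARBICAN_PASTE_CONF`, it is also worth confirming that the file is not world-readable; where its mode is set is not visible in this hunk. `configure_barbican` starts outside the hunk.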


@ -27,26 +27,32 @@ the get version call.
1. Turn off any active instances of Barbican 1. Turn off any active instances of Barbican
2. Edit ``/etc/barbican/barbican-api-paste.ini`` 2. Edit ``/etc/barbican/barbican-api-paste.ini``
1. Replace the ``barbican_api`` pipeline with an authenticated pipeline 1. Change the pipeline ``/v1`` value from unauthenticated ``barbican-api``
to the authenticated ``barbican-api-keystone``
.. code-block:: ini .. code-block:: ini
[pipeline:barbican_api] [composite:main]
pipeline = keystone_authtoken context apiapp use = egg:Paste#urlmap
/: barbican_version
/v1: barbican-api-keystone
2. Replace ``keystone_authtoken`` filter values to match your Keystone 2. Replace ``authtoken`` filter values to match your Keystone
setup setup
.. code-block:: ini .. code-block:: ini
[filter:keystone_authtoken] [filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory paste.filter_factory = keystonemiddleware.auth_token:filter_factory
signing_dir = /tmp/barbican/cache signing_dir = /tmp/barbican/cache
identity_uri = http://{YOUR_KEYSTONE_ENDPOINT}:35357 auth_uri = http://{YOUR_KEYSTONE_ENDPOINT}:5000/v3
admin_tenant_name = service auth_url = http://{YOUR_KEYSTONE_ENDPOINT}:35357/v3
admin_user = {YOUR_KEYSTONE_USERNAME} auth_plugin = password
admin_password = {YOUR_KEYSTONE_PASSWORD} username = {YOUR_KEYSTONE_USERNAME}
auth_version = v2.0 password = {YOUR_KEYSTONE_PASSWORD}
user_domain_id = {YOUR_KEYSTONE_USER_DOMAIN}
project_name = {YOUR_KEYSTONE_PROJECT}
project_domain_id = {YOUR_KEYSTONE_PROJECT_DOMAIN}
3. Start Barbican ``{barbican_home}/bin/barbican.sh start`` 3. Start Barbican ``{barbican_home}/bin/barbican.sh start``


@ -18,11 +18,11 @@ pipeline = cors unauthenticated-context egg:Paste#cgitb egg:Paste#httpexceptions
#Use this pipeline for keystone auth #Use this pipeline for keystone auth
[pipeline:barbican-api-keystone] [pipeline:barbican-api-keystone]
pipeline = cors keystone_authtoken context apiapp pipeline = cors authtoken context apiapp
#Use this pipeline for keystone auth with audit feature #Use this pipeline for keystone auth with audit feature
[pipeline:barbican-api-keystone-audit] [pipeline:barbican-api-keystone-audit]
pipeline = keystone_authtoken context audit apiapp pipeline = authtoken context audit apiapp
[app:apiapp] [app:apiapp]
paste.app_factory = barbican.api.app:create_main_app paste.app_factory = barbican.api.app:create_main_app
@ -43,14 +43,17 @@ paste.filter_factory = barbican.api.middleware.context:ContextMiddleware.factory
paste.filter_factory = keystonemiddleware.audit:filter_factory paste.filter_factory = keystonemiddleware.audit:filter_factory
audit_map_file = /etc/barbican/api_audit_map.conf audit_map_file = /etc/barbican/api_audit_map.conf
[filter:keystone_authtoken] [filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory paste.filter_factory = keystonemiddleware.auth_token:filter_factory
auth_uri = http://localhost:5000/v3
auth_plugin = password
#need ability to re-auth a token, thus admin url #need ability to re-auth a token, thus admin url
identity_uri = http://localhost:35357 auth_url = http://localhost:35357/v3
admin_tenant_name = service username = barbican
admin_user = barbican password = orange
admin_password = orange user_domain_id = default
auth_version = v3.0 project_name = service
project_domain_id = default
#delay failing perhaps to log the unauthorized request in barbican .. #delay failing perhaps to log the unauthorized request in barbican ..
#delay_auth_decision = true #delay_auth_decision = true
# signing_dir is configurable, but the default behavior of the authtoken # signing_dir is configurable, but the default behavior of the authtoken
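Review bot: The `[filter:authtoken]` section in the second hunk still ships a literal service credential (`username = barbican`, `password = orange`) and points both `auth_uri` and `auth_url` at `http://` endpoints, so a deployment that copies this file unchanged would authenticate to Keystone with a known password over cleartext. The commit renames the options but carries those values forward. I would add a comment above `username`, for example `# sample values only: set the real service account here, keep this file readable only by the barbican user, and use https:// endpoints outside a local test setup`. Alternatively, replace the value with a placeholder, as the documentation change in this commit does with `{YOUR_KEYSTONE_PASSWORD}`.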