Added KMIP Secret Store to Devstack

Added code to devstack libraries to allow KMIP secret store to be
enabled. This edits barbican.conf to enable the KMIP secret store.

The Barbican PyKMIP client can be configured to connect to an existing
KMIP device or use PyKMIP's server. If the client configuration is all
that is needed then enable the 'barbican-pykmip' service in the
devstack configuration and set the appropriate key, certificate, and
CA path variables. This will allow the Barbican KMIP secret store to
connect to an existing KMIP server.

If a KMIP server is requested then also enable the 'pykmip-server'
service in the devstack configuration. This will install, configure,
and start the KMIP server. This option requires the 'barbican-pykmip'
service be configured as well.

Added passenv command to tox to allow the KMIP_PLUGIN_ENABLED
environment variable to be passed to the underlying command. Without
this the environment variable will not be seen by the tox command.

Change-Id: Ib804fa97545f14ed866bfd73bb251e85923a2e4e
Depends-On: Ifda13a84607bb199b794dc24f5dbba0ee8108dbf
This commit is contained in:
Nathan Reller 2016-03-13 14:14:04 -04:00
parent c695dcab25
commit 5ef6c3e2e4
5 changed files with 77 additions and 1 deletions

View File

@ -25,6 +25,12 @@
XTRACE=$(set +o | grep xtrace) XTRACE=$(set +o | grep xtrace)
set +o xtrace set +o xtrace
# PyKMIP configuration
PYKMIP_SERVER_KEY=${PYKMIP_SERVER_KEY:-$INT_CA_DIR/private/pykmip-server.key}
PYKMIP_SERVER_CERT=${PYKMIP_SERVER_CERT:-$INT_CA_DIR/pykmip-server.crt}
PYKMIP_CLIENT_KEY=${PYKMIP_CLIENT_KEY:-$INT_CA_DIR/private/pykmip-client.key}
PYKMIP_CLIENT_CERT=${PYKMIP_CLIENT_CERT:-$INT_CA_DIR/pykmip-client.crt}
PYKMIP_CA_PATH=${PYKMIP_CA_PATH:-$INT_CA_DIR/ca-chain.pem}
# Functions # Functions
# --------- # ---------
@ -355,6 +361,59 @@ function create_barbican_accounts {
} }
# PyKMIP functions
# ----------------
# install_pykmip - install the PyKMIP python module
# create keys and certificate for server
function install_pykmip {
pip_install 'pykmip'
if is_service_enabled pykmip-server; then
[ ! -d ${PYKMIP_CONF_DIR} ] && sudo mkdir -p ${PYKMIP_CONF_DIR}
sudo chown ${USER} ${PYKMIP_CONF_DIR}
[ ! -d ${PYKMIP_LOG_DIR} ] && sudo mkdir -p ${PYKMIP_LOG_DIR}
sudo chown ${USER} ${PYKMIP_LOG_DIR}
init_CA
if [ ! -e ${PYKMIP_SERVER_KEY} ]; then
make_cert ${INT_CA_DIR} 'pykmip-server' 'pykmip-server'
chmod 400 ${PYKMIP_SERVER_KEY}
fi
if [ ! -e ${PYKMIP_CLIENT_KEY} ]; then
make_cert ${INT_CA_DIR} 'pykmip-client' 'pykmip-client'
chmod 400 ${PYKMIP_CLIENT_KEY}
fi
if [ ! -e ${PYKMIP_CONF} ]; then
cat > ${PYKMIP_CONF} <<EOF
[server]
hostname=127.0.0.1
port=5696
certificate_path=${PYKMIP_SERVER_CERT}
key_path=${PYKMIP_SERVER_KEY}
ca_path=${PYKMIP_CA_PATH}
auth_suite=Basic
EOF
fi
fi
}
# configure_pykmip - enable KMIP plugin and configure
function configure_pykmip {
iniset $BARBICAN_CONF secretstore enabled_secretstore_plugins kmip_plugin
iniset $BARBICAN_CONF kmip_plugin username demo
iniset $BARBICAN_CONF kmip_plugin password secretpassword
iniset $BARBICAN_CONF kmip_plugin keyfile ${PYKMIP_CLIENT_KEY}
iniset $BARBICAN_CONF kmip_plugin certfile ${PYKMIP_CLIENT_CERT}
iniset $BARBICAN_CONF kmip_plugin ca_certs ${PYKMIP_CA_PATH}
}
# start_pykmip - start the PyKMIP server
function start_pykmip {
run_process pykmip-server "pykmip-server -f \'${PYKMIP_CONF}\' -l \'${PYKMIP_LOG_DIR}/pykmip-devstack.log\'"
}
# Dogtag functions # Dogtag functions
# ---------------- # ----------------

View File

@ -9,6 +9,10 @@ if is_service_enabled barbican; then
echo_summary "Installing Barbican" echo_summary "Installing Barbican"
install_barbican install_barbican
install_barbicanclient install_barbicanclient
if is_service_enabled barbican-pykmip; then
echo_summary "Installing PyKMIP"
install_pykmip
fi
if is_service_enabled barbican-dogtag; then if is_service_enabled barbican-dogtag; then
echo_summary "Installing Dogtag" echo_summary "Installing Dogtag"
install_dogtag_components install_dogtag_components
@ -16,6 +20,10 @@ if is_service_enabled barbican; then
elif [[ "$1" == "stack" && "$2" == "post-config" ]]; then elif [[ "$1" == "stack" && "$2" == "post-config" ]]; then
echo_summary "Configuring Barbican" echo_summary "Configuring Barbican"
configure_barbican configure_barbican
if is_service_enabled barbican-pykmip; then
echo_summary "Configuring KMIP plugin"
configure_pykmip
fi
if is_service_enabled barbican-dogtag; then if is_service_enabled barbican-dogtag; then
echo_summary "Configuring Dogtag plugin" echo_summary "Configuring Dogtag plugin"
configure_dogtag_plugin configure_dogtag_plugin
@ -29,6 +37,10 @@ if is_service_enabled barbican; then
echo_summary "Initializing Barbican" echo_summary "Initializing Barbican"
init_barbican init_barbican
start_barbican start_barbican
if is_service_enabled pykmip-server; then
echo_summary "Starting PyKMIP server"
start_pykmip
fi
fi fi
if [[ "$1" == "unstack" ]]; then if [[ "$1" == "unstack" ]]; then

View File

@ -10,6 +10,10 @@ BARBICAN_PASTE_CONF=$BARBICAN_CONF_DIR/barbican-api-paste.ini
BARBICAN_API_LOG_DIR=$DEST/logs BARBICAN_API_LOG_DIR=$DEST/logs
BARBICAN_AUTH_CACHE_DIR=${BARBICAN_AUTH_CACHE_DIR:-/var/cache/barbican} BARBICAN_AUTH_CACHE_DIR=${BARBICAN_AUTH_CACHE_DIR:-/var/cache/barbican}
PYKMIP_CONF_DIR=${PYKMIP_CONF_DIR:-/etc/pykmip}
PYKMIP_CONF=${PYKMIP_CONF_DIR}/server.conf
PYKMIP_LOG_DIR=${PYKMIP_LOG_DIR:-/var/log/pykmip}
# Support potential entry-points console scripts # Support potential entry-points console scripts
BARBICAN_BIN_DIR=$(get_python_exec_prefix) BARBICAN_BIN_DIR=$(get_python_exec_prefix)

View File

@ -5,7 +5,7 @@ coverage>=3.6 # Apache-2.0
hacking<0.11,>=0.10.0 hacking<0.11,>=0.10.0
mock>=1.2 # BSD mock>=1.2 # BSD
oslotest>=1.10.0 # Apache-2.0 oslotest>=1.10.0 # Apache-2.0
pykmip>=0.4.0 # Apache 2.0 License pykmip>=0.5.0 # Apache 2.0 License
testrepository>=0.0.18 # Apache-2.0/BSD testrepository>=0.0.18 # Apache-2.0/BSD
testtools>=1.4.0 # MIT testtools>=1.4.0 # MIT
fixtures<2.0,>=1.3.1 # Apache-2.0/BSD fixtures<2.0,>=1.3.1 # Apache-2.0/BSD

View File

@ -116,6 +116,7 @@ setenv = OS_TEST_PATH={toxinidir}/functionaltests
commands = commands =
/usr/bin/find . -type f -name "*.pyc" -delete /usr/bin/find . -type f -name "*.pyc" -delete
/bin/bash {toxinidir}/functionaltests/pretty_tox.sh '{posargs}' /bin/bash {toxinidir}/functionaltests/pretty_tox.sh '{posargs}'
passenv = KMIP_PLUGIN_ENABLED
[flake8] [flake8]
exclude = .git,.idea,.tox,bin,dist,debian,rpmbuild,tools,*.egg-info,*.eggs,*openstack/common,contrib, exclude = .git,.idea,.tox,bin,dist,debian,rpmbuild,tools,*.egg-info,*.eggs,*openstack/common,contrib,