Add install guide

Install Guides are maintained within the project and are linked
to the official docs.

This commit adds the framework and some initial content.

Change-Id: Iff18f0e866d95ff4b8b490511c2acf3209690b69
This commit is contained in:
Ade Lee 2016-08-17 00:38:00 -04:00
parent 1fe54a5433
commit edb2c18be6
13 changed files with 870 additions and 0 deletions

View File

@ -0,0 +1,174 @@
.. _barbican_backend:
Secret Store Back-ends
~~~~~~~~~~~~~~~~~~~~~~
The Key Manager service has a plugin architecture that allows the deployer to
store secrets in one or more secret stores. Secret stores can be software-based
such as a software token, or hardware devices such as a hardware security
module (HSM).
This section describes the plugins that are currently available
and how they might be configured.
Crypto Plugins
--------------
These types of plugins store secrets as encrypted blobs within the
Barbican database. The plugin is invoked to encrypt the secret on secret
storage, and decrypt the secret on secret retrieval.
To enable these plugins, add ``store_crypto`` to the list of enabled
secret store plugins in the ``[secret_store]`` section of
``/etc/barbican/barbican.conf`` :
.. code-block:: ini
[secretstore]
namespace = barbican.secretstore.plugin
enabled_secretstore_plugins = store_crypto
There are two flavors of storage plugins currently available: the Simple
Crypto plugin and the PKCS#11 crypto plugin.
Simple Crypto Plugin
^^^^^^^^^^^^^^^^^^^^
This crypto plugin is configured by default in barbican.conf. This plugin
is completely insecure and is only suitable for development testing.
.. warning::
THIS PLUGIN IS NOT SUITABLE FOR PRODUCTION DEPLOYMENTS.
This plugin uses single symmetric key (kek - or 'key encryption key')
- which is stored in plain text in the ``barbican.conf`` file to encrypt
and decrypt all secrets.
The configuration for this plugin in ``barbican.conf`` is as follows:
.. code-block:: ini
# ================= Secret Store Plugin ===================
[secretstore]
..
enabled_secretstore_plugins = store_crypto
# ================= Crypto plugin ===================
[crypto]
..
enabled_crypto_plugins = simple_crypto
[simple_crypto_plugin]
# the kek should be a 32-byte value which is base64 encoded
kek = 'YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY='
PKCS#11 Crypto Plugin
^^^^^^^^^^^^^^^^^^^^^
This crypto plugin can be used to interface with a Hardware Security Module (HSM)
using the PKCS#11 protocol.
Secrets are encrypted (and decrypted on retrieval) by a project specific
Key Encryption Key (KEK), which resides in the HSM.
The configuration for this plugin in ``barbican.conf`` with settings shown for
use with a SafeNet HSM is as follows:
.. code-block:: ini
# ================= Secret Store Plugin ===================
[secretstore]
..
enabled_secretstore_plugins = store_crypto
[p11_crypto_plugin]
# Path to vendor PKCS11 library
library_path = '/usr/lib/libCryptoki2_64.so'
# Password to login to PKCS11 session
login = 'mypassword'
# Label to identify master KEK in the HSM (must not be the same as HMAC label)
mkek_label = 'an_mkek'
# Length in bytes of master KEK
mkek_length = 32
# Label to identify HMAC key in the HSM (must not be the same as MKEK label)
hmac_label = 'my_hmac_label'
# HSM Slot id (Should correspond to a configured PKCS11 slot). Default: 1
# slot_id = 1
# Enable Read/Write session with the HSM?
# rw_session = True
# Length of Project KEKs to create
# pkek_length = 32
# How long to cache unwrapped Project KEKs
# pkek_cache_ttl = 900
# Max number of items in pkek cache
# pkek_cache_limit = 100
KMIP Plugin
-----------
This secret store plugin is used to communicate with a KMIP device.
The secret is securely stored in the KMIP device directly, rather than in the
Barbican database. The Barbican database maintains a reference to the
secret's location for later retrieval.
The plugin can be configured to authenticate to the KMIP device using either
a username and password, or using a client certificate.
The configuration for this plugin in ``barbican.conf`` is as follows:
.. code-block:: ini
[secretstore]
..
enabled_secretstore_plugins = kmip_crypto
[kmip_plugin]
username = 'admin'
password = 'password'
host = localhost
port = 5696
keyfile = '/path/to/certs/cert.key'
certfile = '/path/to/certs/cert.crt'
ca_certs = '/path/to/certs/LocalCA.crt'
Dogtag Plugin
-------------
Dogtag is the upstream project corresponding to the Red Hat Certificate System.
a robust, full-featured PKI solution that contains a Certificate Manager (CA)
and a Key Recovery Authority (KRA) which is used to securely store secrets.
The KRA stores secrets as encrypted blobs in its internal database, with the
master encryption keys being stored either in a software-based NSS security
database, or in a Hardware Security Module (HSM).
Note that the software-based NSS database configuration provides a secure option for
those deployments that do not require or cannot afford an HSM. This is the only
current plugin to provide this option.
The KRA communicates with HSMs using PKCS#11. For a list of certified HSMs,
see the latest `release notes <https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/9/html/Release_Notes/Release_Notes-Deployment_Notes.html>`_. Dogtag and the KRA meet all the relevant Common Criteria and FIPS specifications.
The KRA is a component of FreeIPA. Therefore, it is possible to configure the plugin
with a FreeIPA server. More detailed instructions on how to set up Barbican with FreeIPA
are provided `here <https://vakwetu.wordpress.com/2015/11/30/barbican-and-dogtagipa/>`_.
The plugin communicates with the KRA using a client certificate for a trusted KRA agent.
That certificate is stored in an NSS database as well as a PEM file as seen in the
configuration below.
The configuration for this plugin in ``barbican.conf`` is as follows:
.. code-block:: ini
[secretstore]
..
enabled_secretstore_plugins = dogtag_crypto
[dogtag_plugin]
pem_path = '/etc/barbican/kra_admin_cert.pem'
dogtag_host = localhost
dogtag_port = 8443
nss_db_path = '/etc/barbican/alias'
nss_password = 'password123'
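Review bot: the Crypto Plugins paragraph tells the deployer to edit the ``[secret_store]`` section, but the block directly below it and every later example use ``[secretstore]``; settle on the block's spelling so a reader who follows the prose does not put the option in a section Barbican never reads. In the same file, the PKCS#11 example omits the ``[crypto]`` section with ``enabled_crypto_plugins`` that the Simple Crypto example shows, so the reader cannot tell how the ``p11_crypto_plugin`` is actually selected. The PKCS#11 ``login``, KMIP ``password`` and Dogtag ``nss_password`` values sit in cleartext in ``barbican.conf`` exactly like the Simple Crypto ``kek`` the warning is about, so a sentence on restricting the file's permissions to the ``barbican`` user belongs in the introduction rather than only under the Simple Crypto plugin. Typo in the Dogtag section: "Red Hat Certificate System. a robust" should use a comma.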

View File

@ -0,0 +1,92 @@
2. Edit the ``/etc/barbican/barbican.conf`` file and complete the following
actions:
* In the ``[database]`` section, configure database access:
.. code-block:: none
[database]
...
connection = mysql+pymysql://barbican:BARBICAN_DBPASS@controller/barbican
Replace ``BARBICAN_DBPASS`` with the password you chose for the
Key Manager service database.
* In the ``[DEFAULT]`` and ``[oslo_messaging_rabbit]`` sections,
configure ``RabbitMQ`` message queue access:
.. code-block:: ini
[DEFAULT]
...
rpc_backend = rabbit
[oslo_messaging_rabbit]
...
rabbit_host = controller
rabbit_userid = openstack
rabbit_password = RABBIT_PASS
Replace ``RABBIT_PASS`` with the password you chose for the
``openstack`` account in ``RabbitMQ``.
* In the ``[keystone_authtoken]`` section, configure Identity
service access:
.. code-block:: ini
[keystone_authtoken]
...
auth_uri = http://controller:5000
auth_url = http://controller:35357
memcached_servers = controller:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = barbican
password = BARBICAN_PASS
Replace ``BARBICAN_PASS`` with the password you chose for the
``barbican`` user in the Identity service.
.. note::
Comment out or remove any other options in the
``[keystone_authtoken]`` section.
#. Edit the ``/etc/barbican/barbican-api-paste.ini`` file and complete the
following actions:
* In the ``[pipeline:barbican_api]`` section, configure the pipeline to
use the Identity Service auth token.
.. code-block:: ini
[pipeline:barbican_api]
pipeline = cors authtoken context apiapp
#. Populate the Key Manager service database:
The Key Manager service database will be automatically populated
when the service is first started. To prevent this, and run the
database sync manually, edit the ``/etc/barbican/barbican.conf`` file
and set db_auto_create in the ``[DEFAULT]`` section to False.
Then populate the database as below:
.. code-block:: console
$ su -s /bin/sh -c "barbican-manage db_sync" barbican
.. note::
Ignore any deprecation messages in this output.
#. Barbican has a plugin architecture which allows the deployer to store secrets in
a number of different back-end secret stores. By default, Barbican is configured to
store secrets in a basic file-based keystore. This key store is NOT safe for
production use.
For a list of supported plugins and detailed instructions on how to configure them,
see :ref:`barbican_backend`
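Review bot: the last step says Barbican is configured by default to store secrets in "a basic file-based keystore", while barbican-backend.rst in this same change describes the default as the Simple Crypto plugin, which stores encrypted blobs in the Barbican database with the KEK in ``barbican.conf``; reword to match, because what the operator has to back up and protect (database plus config file, not a file on disk) follows from it. Two style points: the ``[database]`` block is tagged ``code-block:: none`` while the neighbouring blocks use ``ini``, and the closing ``:ref:`barbican_backend``` sentence has no full stop.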

View File

@ -0,0 +1,87 @@
Prerequisites
-------------
Before you install and configure the Key Manager service,
you must create a database, service credentials, and API endpoints.
#. To create the database, complete these steps:
* Use the database access client to connect to the database
server as the ``root`` user:
.. code-block:: console
$ mysql -u root -p
* Create the ``barbican`` database:
.. code-block:: mysql
CREATE DATABASE barbican;
* Grant proper access to the ``barbican`` database:
.. code-block:: mysql
GRANT ALL PRIVILEGES ON barbican.* TO 'barbican'@'localhost' \
IDENTIFIED BY 'BARBICAN_DBPASS';
GRANT ALL PRIVILEGES ON barbican.* TO 'barbican'@'%' \
IDENTIFIED BY 'BARBICAN_DBPASS';
Replace ``BARBICAN_DBPASS`` with a suitable password.
* Exit the database access client.
.. code-block:: mysql
exit;
#. Source the ``admin`` credentials to gain access to
admin-only CLI commands:
.. code-block:: console
$ source admin-openrc
#. To create the service credentials, complete these steps:
* Create the ``barbican`` user:
.. code-block:: console
$ openstack user create --domain default --password-prompt barbican
* Add the ``admin`` role to the ``barbican`` user:
.. code-block:: console
$ openstack role add --project service --user barbican admin
* Create the ``creator`` role:
.. code-block:: console
$ openstack role create creator
* Add the ``creator`` role to the ``barbican`` user:
.. code-block:: console
$ openstack role add --project service --user barbican creator
* Create the barbican service entities:
.. code-block:: console
$ openstack service create --name barbican --description "Key Manager" key-manager
#. Create the Key Manager service API endpoints:
.. code-block:: console
$ openstack endpoint create --region RegionOne \
key-manager public http://controller:9311/v1/%\(tenant_id\)s
$ openstack endpoint create --region RegionOne \
key-manager internal http://controller:9311/v1/%\(tenant_id\)s
$ openstack endpoint create --region RegionOne \
key-manager admin http://controller:9311/v1/%\(tenant_id\)s
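Review bot: the three ``openstack endpoint create`` commands register ``http://controller:9311/v1/%\(tenant_id\)s``, a tenant-templated URL in the Compute style, but nothing in this guide explains the template and the RDO page mounts the WSGI application at ``/`` on port 9311 as a plain service; confirm that Barbican expects a tenant-scoped endpoint or register ``http://controller:9311`` without the suffix. Minor: the ``barbican`` service user receives both the ``admin`` role and the newly created ``creator`` role in the ``service`` project; if ``admin`` is needed for token validation say so in a sentence, otherwise ``creator`` alone is the least-privilege choice.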

View File

@ -0,0 +1,302 @@
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
# implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# This file is execfile()d with the current directory set to its
# containing dir.
#
# Note that not all possible configuration values are present in this
# autogenerated file.
#
# All configuration values have a default; values that are commented out
# serve to show the default.
import os
# import sys
import openstackdocstheme
# If extensions (or modules to document with autodoc) are in another directory,
# add these directories to sys.path here. If the directory is relative to the
# documentation root, use os.path.abspath to make it absolute, like shown here.
# sys.path.insert(0, os.path.abspath('.'))
# -- General configuration ------------------------------------------------
# If your documentation needs a minimal Sphinx version, state it here.
# needs_sphinx = '1.0'
# Add any Sphinx extension module names here, as strings. They can be
# extensions coming with Sphinx (named 'sphinx.ext.*') or your custom
# ones.
# TODO(ajaeger): enable PDF building, for example add 'rst2pdf.pdfbuilder'
# extensions =
# Add any paths that contain templates here, relative to this directory.
# templates_path = ['_templates']
# The suffix of source filenames.
source_suffix = '.rst'
# The encoding of source files.
# source_encoding = 'utf-8-sig'
# The master toctree document.
master_doc = 'index'
# General information about the project.
project = u'Installation Guide for Key Manager Service'
bug_tag = u'install-guide'
copyright = u'2016, OpenStack contributors'
# The version info for the project you're documenting, acts as replacement for
# |version| and |release|, also used in various other places throughout the
# built documents.
#
# The short X.Y version.
version = '0.1'
# The full version, including alpha/beta/rc tags.
release = '0.1'
# A few variables have to be set for the log-a-bug feature.
# giturl: The location of conf.py on Git. Must be set manually.
# gitsha: The SHA checksum of the bug description. Automatically
# extracted from git log.
# bug_tag: Tag for categorizing the bug. Must be set manually.
# These variables are passed to the logabug code via html_context.
giturl = (u'http://git.openstack.org/cgit/openstack/barbican/'
'tree/install-guide/source')
git_cmd = "/usr/bin/git log | head -n1 | cut -f2 -d' '"
gitsha = os.popen(git_cmd).read().strip('\n')
html_context = {"gitsha": gitsha, "bug_tag": bug_tag,
"giturl": giturl,
"bug_project": "barbican"}
# The language for content autogenerated by Sphinx. Refer to documentation
# for a list of supported languages.
# language = None
# There are two options for replacing |today|: either, you set today to some
# non-false value, then it is used:
# today = ''
# Else, today_fmt is used as the format for a strftime call.
# today_fmt = '%B %d, %Y'
# List of patterns, relative to source directory, that match files and
# directories to ignore when looking for source files.
exclude_patterns = ["common_prerequisites.rst", "common_configure.rst"]
# The reST default role (used for this markup: `text`) to use for all
# documents.
# default_role = None
# If true, '()' will be appended to :func: etc. cross-reference text.
# add_function_parentheses = True
# If true, the current module name will be prepended to all description
# unit titles (such as .. function::).
# add_module_names = True
# If true, sectionauthor and moduleauthor directives will be shown in the
# output. They are ignored by default.
# show_authors = False
# The name of the Pygments (syntax highlighting) style to use.
pygments_style = 'sphinx'
# A list of ignored prefixes for module index sorting.
# modindex_common_prefix = []
# If true, keep warnings as "system message" paragraphs in the built documents.
# keep_warnings = False
# -- Options for HTML output ----------------------------------------------
# The theme to use for HTML and HTML Help pages. See the documentation for
# a list of builtin themes.
html_theme = 'openstackdocs'
# Theme options are theme-specific and customize the look and feel of a theme
# further. For a list of options available for each theme, see the
# documentation.
# html_theme_options = {}
# Add any paths that contain custom themes here, relative to this directory.
html_theme_path = [openstackdocstheme.get_html_theme_path()]
# The name for this set of Sphinx documents. If None, it defaults to
# "<project> v<release> documentation".
# html_title = None
# A shorter title for the navigation bar. Default is the same as html_title.
# html_short_title = None
# The name of an image file (relative to this directory) to place at the top
# of the sidebar.
# html_logo = None
# The name of an image file (within the static path) to use as favicon of the
# docs. This file should be a Windows icon file (.ico) being 16x16 or 32x32
# pixels large.
# html_favicon = None
# Add any paths that contain custom static files (such as style sheets) here,
# relative to this directory. They are copied after the builtin static files,
# so a file named "default.css" will overwrite the builtin "default.css".
# html_static_path = []
# Add any extra paths that contain custom files (such as robots.txt or
# .htaccess) here, relative to this directory. These files are copied
# directly to the root of the documentation.
# html_extra_path = []
# If not '', a 'Last updated on:' timestamp is inserted at every page bottom,
# using the given strftime format.
# So that we can enable "log-a-bug" links from each output HTML page, this
# variable must be set to a format that includes year, month, day, hours and
# minutes.
html_last_updated_fmt = '%Y-%m-%d %H:%M'
# If true, SmartyPants will be used to convert quotes and dashes to
# typographically correct entities.
# html_use_smartypants = True
# Custom sidebar templates, maps document names to template names.
# html_sidebars = {}
# Additional templates that should be rendered to pages, maps page names to
# template names.
# html_additional_pages = {}
# If false, no module index is generated.
# html_domain_indices = True
# If false, no index is generated.
html_use_index = False
# If true, the index is split into individual pages for each letter.
# html_split_index = False
# If true, links to the reST sources are added to the pages.
html_show_sourcelink = False
# If true, "Created using Sphinx" is shown in the HTML footer. Default is True.
# html_show_sphinx = True
# If true, "(C) Copyright ..." is shown in the HTML footer. Default is True.
# html_show_copyright = True
# If true, an OpenSearch description file will be output, and all pages will
# contain a <link> tag referring to it. The value of this option must be the
# base URL from which the finished HTML is served.
# html_use_opensearch = ''
# This is the file name suffix for HTML files (e.g. ".xhtml").
# html_file_suffix = None
# Output file base name for HTML help builder.
htmlhelp_basename = 'install-guide'
# If true, publish source files
html_copy_source = False
# -- Options for LaTeX output ---------------------------------------------
latex_elements = {
# The paper size ('letterpaper' or 'a4paper').
# 'papersize': 'letterpaper',
# The font size ('10pt', '11pt' or '12pt').
# 'pointsize': '10pt',
# Additional stuff for the LaTeX preamble.
# 'preamble': '',
}
# Grouping the document tree into LaTeX files. List of tuples
# (source start file, target name, title,
# author, documentclass [howto, manual, or own class]).
latex_documents = [
('index', 'InstallGuide.tex', u'Install Guide',
u'OpenStack contributors', 'manual'),
]
# The name of an image file (relative to this directory) to place at the top of
# the title page.
# latex_logo = None
# For "manual" documents, if this is true, then toplevel headings are parts,
# not chapters.
# latex_use_parts = False
# If true, show page references after internal links.
# latex_show_pagerefs = False
# If true, show URL addresses after external links.
# latex_show_urls = False
# Documents to append as an appendix to all manuals.
# latex_appendices = []
# If false, no module index is generated.
# latex_domain_indices = True
# -- Options for manual page output ---------------------------------------
# One entry per manual page. List of tuples
# (source start file, name, description, authors, manual section).
man_pages = [
('index', 'installguide', u'Install Guide',
[u'OpenStack contributors'], 1)
]
# If true, show URL addresses after external links.
# man_show_urls = False
# -- Options for Texinfo output -------------------------------------------
# Grouping the document tree into Texinfo files. List of tuples
# (source start file, target name, title, author,
# dir menu entry, description, category)
texinfo_documents = [
('index', 'InstallGuide', u'Install Guide',
u'OpenStack contributors', 'InstallGuide',
'This guide shows OpenStack end users how to install '
'an OpenStack cloud.', 'Miscellaneous'),
]
# Documents to append as an appendix to all manuals.
# texinfo_appendices = []
# If false, no module index is generated.
# texinfo_domain_indices = True
# How to display URL addresses: 'footnote', 'no', or 'inline'.
# texinfo_show_urls = 'footnote'
# If true, do not generate a @detailmenu in the "Top" node's menu.
# texinfo_no_detailmenu = False
# -- Options for Internationalization output ------------------------------
locale_dirs = ['locale/']
# -- Options for PDF output --------------------------------------------------
pdf_documents = [
('index', u'InstallGuide', u'Install Guide',
u'OpenStack contributors')
]
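Review bot: ``gitsha`` is computed by shelling out through ``os.popen`` with the pipeline string ``/usr/bin/git log | head -n1 | cut -f2 -d' '``; ``subprocess.check_output(['git', 'rev-parse', 'HEAD'])`` yields the same value without a shell and without depending on ``head`` and ``cut`` on the build host. Also, the Texinfo entry describes the document as "This guide shows OpenStack end users how to install an OpenStack cloud.", which is template text that does not match this Key Manager guide, and ``pdf_documents`` is set while enabling the PDF builder is still a TODO in the ``extensions`` comment, so it is dead configuration for now.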

View File

@ -0,0 +1,10 @@
============================
Key Manager service overview
============================
The Key Manager service provides...
The Key Manager service consists of the following components:
``barbican-api`` service
Accepts and responds to end user compute API calls...
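Review bot: the ``barbican-api`` description "Accepts and responds to end user compute API calls..." is the Compute template left in place; it should say Key Manager (secret and container) API calls, and both "..." placeholders in this file need real text before the guide is published.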

View File

@ -0,0 +1,16 @@
=====================
Key Manager service
=====================
.. toctree::
:maxdepth: 2
get_started.rst
install.rst
verify.rst
next-steps.rst
The Key Manager service (barbican) provides...
This chapter assumes a working setup of OpenStack following the
`OpenStack Installation Tutorial <http://docs.openstack.org/#install-guides>`_.

View File

@ -0,0 +1,34 @@
.. _install-obs:
Install and configure for openSUSE and SUSE Linux Enterprise
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This section describes how to install and configure the Key Manager service
for openSUSE Leap 42.1 and SUSE Linux Enterprise Server 12 SP1.
.. include:: common_prerequisites.rst
Install and configure components
--------------------------------
#. Install the packages:
.. code-block:: console
# zypper --quiet --non-interactive install
.. include:: common_configure.rst
Finalize installation
---------------------
Start the Key Manager services and configure them to start when
the system boots:
.. code-block:: console
# systemctl enable openstack-barbican-api.service
# systemctl start openstack-barbican-api.service
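Review bot: the ``zypper --quiet --non-interactive install`` command carries no package name, so a reader following the steps installs nothing; add the SUSE package, and check it against the unit enabled in Finalize, ``openstack-barbican-api.service``, so the two agree.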

View File

@ -0,0 +1,62 @@
.. _install-rdo:
Install and configure for Red Hat Enterprise Linux and CentOS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This section describes how to install and configure the Key Manager service
for Red Hat Enterprise Linux 7 and CentOS 7.
.. include:: common_prerequisites.rst
Install and configure components
--------------------------------
#. Install the packages:
.. code-block:: console
# yum install openstack-barbican-api
.. include:: common_configure.rst
Finalize installation
---------------------
#. Create the ``/etc/httpd/conf.d/wsgi-barbican.conf`` file with the following content:
.. code-block:: apache
<VirtualHost [::1]:9311>
ServerName controller
## Vhost docroot
DocumentRoot "/var/www/cgi-bin/barbican"
## Directories, there should at least be a declaration for /var/www/cgi-bin/barbican
<Directory "/var/www/cgi-bin/barbican">
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Require all granted
</Directory>
## Logging
ErrorLog "/var/log/httpd/barbican_wsgi_main_error_ssl.log"
LogLevel debug
ServerSignature Off
CustomLog "/var/log/httpd/barbican_wsgi_main_access_ssl.log" combined
WSGIApplicationGroup %{GLOBAL}
WSGIDaemonProcess barbican-api display-name=barbican-api group=barbican processes=2 threads=8 user=barbican
WSGIProcessGroup barbican-api
WSGIScriptAlias / "/var/www/cgi-bin/barbican/main"
WSGIPassAuthorization On
</VirtualHost>
#. Start the Apache HTTP service and configure it to start when the system boots:
.. code-block:: console
# systemctl enable httpd.service
# systemctl start httpd.service
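Review bot: ``<VirtualHost [::1]:9311>`` binds IPv6 loopback only, while the endpoints registered in the prerequisites point at ``http://controller:9311``; other nodes cannot reach the API unless the vhost listens on the controller's management address (``*:9311`` or a specific IP), and a matching ``Listen 9311`` must exist in the httpd configuration. Two hardening points in the same block: ``Options Indexes FollowSymLinks MultiViews`` on a docroot that only serves the WSGI script enables directory listings, so ``Options None`` is safer; and ``LogLevel debug`` in a template meant for production is noisy and can place request details in the log, so ``warn`` is the better default. The log file names end in ``_ssl`` although this vhost serves plain HTTP.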

View File

@ -0,0 +1,31 @@
.. _install-ubuntu:
Install and configure for Ubuntu
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This section describes how to install and configure the Key Manager
service for Ubuntu 14.04 (LTS).
.. include:: common_prerequisites.rst
Install and configure components
--------------------------------
#. Install the packages:
.. code-block:: console
# apt-get update
# apt-get install
.. include:: common_configure.rst
Finalize installation
---------------------
Restart the Key Manager services:
.. code-block:: console
# service openstack-barbican-api restart
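Review bot: ``apt-get install`` has no package name, so the step installs nothing; and the Finalize step restarts ``openstack-barbican-api``, which is the RPM-based naming used on the RDO and SUSE pages, whereas the Ubuntu packages for Barbican do not carry the ``openstack-`` prefix (``barbican-api``), so both the package and the service name need to be checked against the Ubuntu packaging before publishing.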

View File

@ -0,0 +1,25 @@
.. _install:
Install and configure
~~~~~~~~~~~~~~~~~~~~~
This section describes how to install and configure the
Key Manager service, code-named barbican, on the controller node.
This section assumes that you already have a working OpenStack
environment with at least the Identity Service (keystone) installed.
For simplicity, this configuration stores secrets on the local
file system.
Note that installation and configuration vary by distribution.
.. toctree::
:maxdepth: 2
install-obs.rst
install-rdo.rst
install-ubuntu.rst
barbican-backend.rst
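Review bot: "For simplicity, this configuration stores secrets on the local file system" contradicts barbican-backend.rst in this same change, which says the default Simple Crypto plugin stores encrypted blobs in the Barbican database with the KEK kept in ``barbican.conf``; state the real default and that it is unsuitable for production, since where secrets land determines what the operator must protect.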

View File

@ -0,0 +1,10 @@
.. _next-steps:
Next steps
~~~~~~~~~~
Your OpenStack environment now includes the barbican service.
To add additional services, see
docs.openstack.org/draft/install-guides/index.html .
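Review bot: ``docs.openstack.org/draft/install-guides/index.html .`` is a bare host path with a stray space before the full stop and will not render as a link; use the same ``Text <URL>`_`` hyperlink form index.rst uses, and point at the non-draft URL once it exists.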

View File

@ -0,0 +1,24 @@
.. _verify:
Verify operation
~~~~~~~~~~~~~~~~
Verify operation of the Key Manager service.
.. note::
Perform these commands on the controller node.
#. Source the ``admin`` project credentials to gain access to
admin-only CLI commands:
.. code-block:: console
$ . admin-openrc
#. List service components to verify successful launch and registration
of each process:
.. code-block:: console
$ openstack key manager service list
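Review bot: ``openstack key manager service list`` is the Compute verification wording (``compute service list``) carried over; python-barbicanclient's OSC plugin provides ``openstack secret list`` and ``openstack secret store`` rather than a ``key manager service`` verb, and nothing earlier in the guide installs that client. Make this step install ``python-barbicanclient`` and then store and list a test secret (``openstack secret store --name test --payload 'x'`` followed by ``openstack secret list``), which also exercises the database and Identity settings configured on the previous pages.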

View File

@ -76,3 +76,6 @@ exclude = .git,.idea,.tox,bin,dist,debian,rpmbuild,tools,*.egg-info,*.eggs,*open
[testenv:bandit] [testenv:bandit]
deps = -r{toxinidir}/test-requirements.txt deps = -r{toxinidir}/test-requirements.txt
commands = bandit -r barbican -x tests -n5 commands = bandit -r barbican -x tests -n5
[testenv:install-guide]
commands = sphinx-build -a -E -W -d install-guide/build/doctrees -b html install-guide/source install-guide/build/html
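Review bot: ``[testenv:install-guide]`` declares no ``deps``, so it inherits only the base testenv's requirements, yet ``install-guide/source/conf.py`` imports ``openstackdocstheme`` at module level and will fail with ImportError if that package is not pinned there; either add ``deps = -r{toxinidir}/test-requirements.txt`` with ``openstackdocstheme`` included, or confirm it is already present. ``-W`` is the right choice so that broken references such as the ``:ref:`` in common_configure.rst fail the gate instead of producing a warning.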