openstack/deb-barbican
Code Issues Proposed changes
ab0e991f2f
deb-barbican/doc/source/setup/keystone.rst
Paulo Ewerton 8abb2c6a0b Use keystone auth plugin 
keystonemiddleware admin settings are deprecated
so we should stop using them in favor of a keystone
auth plugin. This patch updates the config file
to use keystone API v3 by default.

Change-Id: I9d10ac29ab33cbdd845573106960e5f181afdb69
Closes-Bug: 1579801
2016-05-16 14:19:41 +00:00

2.0 KiB
Raw Blame History

Using Keystone Middleware with Barbican

Prerequisites

To enable Keystone integration with Barbican you'll need a relatively current version of Keystone. If you don't have an instance of Keystone available, you can use one of the following ways to setup your own.

  1. Simple Dockerized Keystone
  2. Installing Keystone
  3. Devstack

Hooking up Barbican to Keystone

Assuming that you've already setup your Keystone instance, connecting Barbican to Keystone is quite simple. When completed, Barbican should require a valid X-Auth-Token to be provided with all API calls except the get version call.

  1. Turn off any active instances of Barbican

  2. Edit /etc/barbican/barbican-api-paste.ini

    1. Change the pipeline /v1 value from unauthenticated barbican-api to the authenticated barbican-api-keystone
    [composite:main]
use = egg:Paste#urlmap
/: barbican_version
/v1: barbican-api-keystone
    1. Replace authtoken filter values to match your Keystone setup
    [filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
signing_dir = /tmp/barbican/cache
auth_uri = http://{YOUR_KEYSTONE_ENDPOINT}:5000/v3
auth_url = http://{YOUR_KEYSTONE_ENDPOINT}:35357/v3
auth_plugin = password
username = {YOUR_KEYSTONE_USERNAME}
password = {YOUR_KEYSTONE_PASSWORD}
user_domain_id = {YOUR_KEYSTONE_USER_DOMAIN}
project_name = {YOUR_KEYSTONE_PROJECT}
project_domain_id = {YOUR_KEYSTONE_PROJECT_DOMAIN}

  3. Start Barbican {barbican_home}/bin/barbican.sh start