Commit Graph

9 Commits (06659759f1213df23f1d456503b1dd2ea8e90963)

Author SHA1 Message Date
Michal Arbet 54bea06b5a Fix python3 compatibility
Change-Id: Id8a0913dde556a3e59b1ffdb22ca5e2aabd257a2
Closes-Bug: #1803972
2019-01-17 08:46:52 +00:00
Jenkins 4e1ada7914 Merge "Integrate OSProfiler in Magnum" 2017-01-25 06:47:12 +00:00
Jason Dunsmore a65ef7d3c3 Add an API to rotate a cluster CA certificate
This will give admins a way to revoke access to an existing cluster
once a user has been granted access.

Bumped the API microversion to 1.5 for the new endpoint.

Deprecated policy certificate:get in favor of certificate:get_ca for
clarity and consistency.

Depends-On: Ie960464e45445e195e75b91e8d65a4046eb21e93
Implements: blueprint revoke-cluster-cert
Change-Id: Ief28bef3a79f212acf4166e443a96e5419fbb757
2017-01-23 21:26:05 -06:00
Tovin Seven 32d088b2c1 Integrate OSProfiler in Magnum
* Add osprofiler wsgi middleware. This middleware is used for 2 things:
  1) It checks that person who wants to trace is trusted and knows
     secret HMAC key.
  2) It starts tracing in case of proper trace headers
     and adds first wsgi trace point, with info about HTTP request

* Add initialization of osprofiler at start of service
  Currently that includes oslo.messaging notifer instance creation
  to send Ceilometer backend notifications.

* Traces HTTP/RPC/DB API calls


Co-Authored-By: Hieu LE <>
Implements: blueprint osprofiler-support-in-magnum
Change-Id: I7d68995aab81d365433950aada078ef1fcd5469b
2017-01-24 07:43:31 +07:00
Jaycen Grant 8e0de76aff Rename bay to cluster in certificate object and references
This is patch #2 of 3 to rename the term bay to cluster within
the internal references and objects of magnum. This patch changes
all references to the certificate objects bay_uuid field to
cluster_uuid.  Certifcate does not have a db table so no db
changes were made. No functionality is changed by this patch,
just internal naming.

Change-Id: I68a3b87b75b49de43a7855355807b50a4ae695f3
Implements: blueprint rename-bay-to-cluster
2016-09-01 08:48:24 -07:00
Madhuri Kumari 5f193f2e0e Add x509keypair_cert_manager to store certs in DB
x509keypair_cert_manager stores certs in Magnum DB.

Change-Id: Id8106d7bd5c270679bc189fc0dc17bcbde367d73
Implements: blueprint  blueprint barbican-alternative-store
2016-06-23 09:08:52 +05:30
Andrew Melton fde8d4f673 Set up temp files containing client TLS certs
This sets up three files for clients that accept TLS certs as files:
 * CA Certificate
 * Magnum's Client Private Key
 * Magnum's Client Certificate

The Client Private Key is decrypted as some clients cannot handle
encrypted private keys.

Partially Implements bp secure-docker

Change-Id: I14ca6b1ad520bd8391e119c7e016d765cae32f6b
2015-09-30 16:59:40 -04:00
Tom Cammann bdf880d8fa Fix H405 and E131 ignored pep8 rules
Updated tox.ini and fixed rules.

Fix H405:
Multi line docstring summary not separated with an empty line
Fix E131:
Continuation line unaligned for hanging indent

Change-Id: I20cf75c75cffc434fbdcb05b8e04bffcd4059cd1
Closes-Bug: #1498870
2015-09-23 12:21:09 +01:00
Madhuri cefc5a9ac3 Add Certificate controller for TLS support.
The Certificate controller has 2 operations:


Generate X509 certificate using bay's CA cert.
Below is an example of Certificate POST API request using magnum command:

Example Request:

    curl -X POST -H 'Content-Type: application/json' \
        -d '{"bay_uuid": "<bay_uuid>", "csr": "<csr>"}' \

This creates a X509 certificate signed by the given bay's CA and returns
it. No database information is stored in Magnum against it. For each POST
request, a new certificate is generated.

Example Response:

    {"bay_uuid": "<bay_uuid>", "csr": "<csr>",
     "pem": "<pem encoded certifiacte>"}

2. GET
Fetches the CA cert associated with a bay. Below is an example of CA GET
API request using magnum command:

Example Request:

    curl -X GET http://localhost:9511/v1/certificates/<bay_uuid>

This fetches stored CA cert for the given Bay, which can be used to validate
any client and node certificates signed by the Bay's CA. The value for each
is fetched from Barbican or Magnum db based on the different configuration
for storage of certificates.

Example Response:

    {"bay_uuid": "<bay_uuid>", "pem": "<pem encoded certifiacte>"}

Co-Authored-By: Andrew Melton <>

Change-Id: I4b72cc1e1bddc7a7c7eeb0ab22d3769a666ccb2b
Partially-Implements: bp secure-kubernetes
2015-09-05 13:45:43 +00:00