Add forgotten templates

templates/api_audit_map.conf.j2

@@ -0,0 +1,26 @@
+[DEFAULT]
+# default target endpoint type
+# should match the endpoint type defined in service catalog
+target_endpoint_type = key-manager
+
+# map urls ending with specific text to a unique action
+# Don't need custom mapping for other resource operations
+# Note: action should match action names defined in CADF taxonomy
+[custom_actions]
+acl/get = read
+
+
+# path of api requests for CADF target typeURI
+# Just need to include top resource path to identify class of resources
+[path_keywords]
+secrets=
+containers=
+orders=
+cas=None
+quotas=
+project-quotas=
+
+
+# map endpoint type defined in service catalog to CADF typeURI
+[service_endpoints]
+key-manager = service/security/keymanager

templates/barbican-api-paste.ini.j2

@@ -0,0 +1,76 @@
+[composite:main]
+use = egg:Paste#urlmap
+/: barbican_version
+/v1: barbican_api
+
+# Use this pipeline for Barbican API - versions no authentication
+[pipeline:barbican_version]
+pipeline = cors versionapp
+
+# Use this pipeline for Barbican API - DEFAULT no authentication
+[pipeline:barbican_api]
+pipeline = cors unauthenticated-context apiapp
+
+#Use this pipeline to activate a repoze.profile middleware and HTTP port,
+#  to provide profiling information for the REST API processing.
+[pipeline:barbican-profile]
+pipeline = cors unauthenticated-context egg:Paste#cgitb egg:Paste#httpexceptions profile apiapp
+
+#Use this pipeline for keystone auth
+[pipeline:barbican-api-keystone]
+pipeline = cors keystone_authtoken context apiapp
+
+#Use this pipeline for keystone auth with audit feature
+[pipeline:barbican-api-keystone-audit]
+pipeline = keystone_authtoken context audit apiapp
+
+[app:apiapp]
+paste.app_factory = barbican.api.app:create_main_app
+
+[app:versionapp]
+paste.app_factory = barbican.api.app:create_version_app
+
+[filter:simple]
+paste.filter_factory = barbican.api.middleware.simple:SimpleFilter.factory
+
+[filter:unauthenticated-context]
+paste.filter_factory = barbican.api.middleware.context:UnauthenticatedContextMiddleware.factory
+
+[filter:context]
+paste.filter_factory = barbican.api.middleware.context:ContextMiddleware.factory
+
+[filter:audit]
+paste.filter_factory = keystonemiddleware.audit:filter_factory
+audit_map_file = /etc/barbican/api_audit_map.conf
+
+[filter:keystone_authtoken]
+paste.filter_factory = keystonemiddleware.auth_token:filter_factory
+#need ability to re-auth a token, thus admin url
+identity_uri = http://localhost:35357
+admin_tenant_name = service
+admin_user = barbican
+admin_password = orange
+auth_version = v3.0
+#delay failing perhaps to log the unauthorized request in barbican ..
+#delay_auth_decision = true
+# signing_dir is configurable, but the default behavior of the authtoken
+# middleware should be sufficient.  It will create a temporary directory
+# for the user the barbican process is running as.
+#signing_dir = /var/barbican/keystone-signing
+
+
+[filter:profile]
+use = egg:repoze.profile
+log_filename = myapp.profile
+cachegrind_filename = cachegrind.out.myapp
+discard_first_request = true
+path = /__profile__
+flush_at_shutdown = true
+unwind = false
+
+[filter:cors]
+paste.filter_factory = oslo_middleware.cors:filter_factory
+oslo_config_project = barbican
+latent_allow_headers = X-Auth-Token, X-Openstack-Request-Id, X-Project-Id, X-Identity-Status, X-User-Id, X-Storage-Token, X-Domain-Id, X-User-Domain-Id, X-Project-Domain-Id, X-Roles
+latent_expose_headers = X-Auth-Token, X-Openstack-Request-Id, X-Project-Id, X-Identity-Status, X-User-Id, X-Storage-Token, X-Domain-Id, X-User-Domain-Id, X-Project-Domain-Id, X-Roles
+latent_allow_methods = GET, PUT, POST, DELETE, PATCH

templates/barbican-vassals-api.ini.j2

@@ -0,0 +1,11 @@
+[uwsgi]
+socket = :9311
+protocol = http
+processes = 1
+lazy = true
+vacuum = true
+no-default-app = true
+memory-report = true
+plugins = python
+paste = config:/etc/barbican/barbican-api-paste.ini
+add-header = Connection: close

templates/barbican.conf.j2

@@ -0,0 +1,381 @@
+[DEFAULT]
+# Show more verbose log output (sets INFO log level output)
+verbose = True
+
+# Show debugging output in logs (sets DEBUG log level output)
+#debug = True
+
+# Address to bind the API server
+bind_host = 0.0.0.0
+
+# Port to bind the API server to
+bind_port = 9311
+
+# Host name, for use in HATEOAS-style references
+#  Note: Typically this would be the load balanced endpoint that clients would use
+#  communicate back with this service.
+host_href = http://localhost:9311
+
+# Log to this file. Make sure you do not set the same log
+# file for both the API and registry servers!
+#log_file = /var/log/barbican/api.log
+
+# Backlog requests when creating socket
+backlog = 4096
+
+# TCP_KEEPIDLE value in seconds when creating socket.
+# Not supported on OS X.
+#tcp_keepidle = 600
+
+# Maximum allowed http request size against the barbican-api
+max_allowed_secret_in_bytes = 10000
+max_allowed_request_size_in_bytes = 1000000
+
+# SQLAlchemy connection string for the reference implementation
+# registry server. Any valid SQLAlchemy connection string is fine.
+# See: http://www.sqlalchemy.org/docs/05/reference/sqlalchemy/connections.html#sqlalchemy.create_engine
+# Uncomment this for local dev, putting db in project directory:
+#sql_connection = sqlite:///barbican.sqlite
+# Note: For absolute addresses, use '////' slashes after 'sqlite:'
+# Uncomment for a more global development environment
+sql_connection = sqlite:////var/lib/barbican/barbican.sqlite
+
+# Period in seconds after which SQLAlchemy should reestablish its connection
+# to the database.
+#
+# MySQL uses a default `wait_timeout` of 8 hours, after which it will drop
+# idle connections. This can result in 'MySQL Gone Away' exceptions. If you
+# notice this, you can lower this value to ensure that SQLAlchemy reconnects
+# before MySQL can drop the connection.
+sql_idle_timeout = 3600
+
+# Accepts a class imported from the sqlalchemy.pool module, and handles the
+# details of building the pool for you. If commented out, SQLAlchemy
+# will select based on the database dialect. Other options are QueuePool
+# (for SQLAlchemy-managed connections) and NullPool (to disabled SQLAlchemy
+# management of connections).
+# See http://docs.sqlalchemy.org/en/latest/core/pooling.html for more details.
+#sql_pool_class = QueuePool
+
+# Show SQLAlchemy pool-related debugging output in logs (sets DEBUG log level
+# output) if specified.
+#sql_pool_logging = True
+
+# Size of pool used by SQLAlchemy. This is the largest number of connections
+# that will be kept persistently in the pool. Can be set to 0 to indicate no
+# size limit. To disable pooling, use a NullPool with sql_pool_class instead.
+# Comment out to allow SQLAlchemy to select the default.
+#sql_pool_size = 5
+
+# The maximum overflow size of the pool used by SQLAlchemy. When the number of
+# checked-out connections reaches the size set in sql_pool_size, additional
+# connections will be returned up to this limit. It follows then that the
+# total number of simultaneous connections the pool will allow is
+# sql_pool_size + sql_pool_max_overflow. Can be set to -1 to indicate no
+# overflow limit, so no limit will be placed on the total number of concurrent
+# connections. Comment out to allow SQLAlchemy to select the default.
+#sql_pool_max_overflow = 10
+
+# Default page size for the 'limit' paging URL parameter.
+default_limit_paging = 10
+
+# Maximum page size for the 'limit' paging URL parameter.
+max_limit_paging = 100
+
+# Role used to identify an authenticated user as administrator
+#admin_role = admin
+
+# Allow unauthenticated users to access the API with read-only
+# privileges. This only applies when using ContextMiddleware.
+#allow_anonymous_access = False
+
+# Allow access to version 1 of barbican api
+#enable_v1_api = True
+
+# Allow access to version 2 of barbican api
+#enable_v2_api = True
+
+# ================= SSL Options ===============================
+
+# Certificate file to use when starting API server securely
+#cert_file = /path/to/certfile
+
+# Private key file to use when starting API server securely
+#key_file = /path/to/keyfile
+
+# CA certificate file to use to verify connecting clients
+#ca_file = /path/to/cafile
+
+# ================= Security Options ==========================
+
+# AES key for encrypting store 'location' metadata, including
+# -- if used -- Swift or S3 credentials
+# Should be set to a random string of length 16, 24 or 32 bytes
+#metadata_encryption_key = <16, 24 or 32 char registry metadata key>
+
+# ================= Queue Options - oslo.messaging ==========================
+
+# Rabbit and HA configuration:
+ampq_durable_queues = True
+rabbit_userid=guest
+rabbit_password=guest
+rabbit_ha_queues = True
+rabbit_port=5672
+
+# For HA, specify queue nodes in cluster, comma delimited:
+#   For example: rabbit_hosts=192.168.50.8:5672, 192.168.50.9:5672
+rabbit_hosts=localhost:5672
+
+# For HA, specify queue nodes in cluster as 'user@host:5672', comma delimited, ending with '/offset':
+#   For example: transport_url = rabbit://guest@192.168.50.8:5672,guest@192.168.50.9:5672/
+#   DO NOT USE THIS, due to '# FIXME(markmc): support multiple hosts' in oslo/messaging/_drivers/amqpdriver.py
+# transport_url = rabbit://guest@localhost:5672/
+
+# oslo notification driver for sending audit events via audit middleware.
+# Meaningful only when middleware is enabled in barbican paste ini file.
+# This is oslo config MultiStrOpt so can be defined multiple times in case
+# there is need to route audit event to messaging as well as log.
+# notification_driver = messagingv2
+# notification_driver = log
+
+# ======== OpenStack policy - oslo_policy ===============
+
+[oslo_policy]
+
+# ======== OpenStack policy integration
+# JSON file representing policy (string value)
+policy_file=/etc/barbican/policy.json
+
+# Rule checked when requested rule is not found (string value)
+policy_default_rule=default
+
+
+# ================= Queue Options - Application ==========================
+
+[queue]
+# Enable queuing asynchronous messaging.
+#   Set false to invoke worker tasks synchronously (i.e. no-queue standalone mode)
+enable = False
+
+# Namespace for the queue
+namespace = 'barbican'
+
+# Topic for the queue
+topic = 'barbican.workers'
+
+# Version for the task API
+version = '1.1'
+
+# Server name for RPC service
+server_name = 'barbican.queue'
+
+# Number of asynchronous worker processes.
+# When greater than 1, then that many additional worker processes are
+# created for asynchronous worker functionality.
+asynchronous_workers = 1
+
+# ================= Retry/Scheduler Options ==========================
+
+[retry_scheduler]
+# Seconds (float) to wait between starting retry scheduler
+initial_delay_seconds = 10.0
+
+# Seconds (float) to wait between starting retry scheduler
+periodic_interval_max_seconds = 10.0
+
+
+# ====================== Quota Options ===============================
+
+[quotas]
+# For each resource, the default maximum number that can be used for
+# a project is set below.  This value can be overridden for each
+# project through the API.  A negative value means no limit.  A zero
+# value effectively disables the resource.
+
+# default number of secrets allowed per project
+quota_secrets = -1
+
+# default number of orders allowed per project
+quota_orders = -1
+
+# default number of containers allowed per project
+quota_containers = -1
+
+# default number of consumers allowed per project
+quota_consumers = -1
+
+# default number of CAs allowed per project
+quota_cas = -1
+
+# ================= Keystone Notification Options - Application ===============
+
+[keystone_notifications]
+
+# Keystone notification functionality uses transport related configuration
+# from barbican common configuration as defined under
+# 'Queue Options - oslo.messaging' comments.
+# The HA related configuration is also shared with notification server.
+
+# True enables keystone notification listener functionality.
+enable = False
+
+# The default exchange under which topics are scoped.
+# May be overridden by an exchange name specified in the transport_url option.
+control_exchange = 'openstack'
+
+# Keystone notification queue topic name.
+# This name needs to match one of values mentioned in Keystone deployment's
+# 'notification_topics' configuration e.g.
+#      notification_topics=notifications, barbican_notifications
+# Multiple servers may listen on a topic and messages will be dispatched to one
+# of the servers in a round-robin fashion. That's why Barbican service should
+# have its own dedicated notification queue so that it receives all of Keystone
+# notifications.
+topic = 'notifications'
+
+# True enables requeue feature in case of notification processing error.
+# Enable this only when underlying transport supports this feature.
+allow_requeue = False
+
+# Version of tasks invoked via notifications
+version = '1.0'
+
+# Define the number of max threads to be used for notification server
+# processing functionality.
+thread_pool_size = 10
+
+# ================= Secret Store Plugin ===================
+[secretstore]
+namespace = barbican.secretstore.plugin
+enabled_secretstore_plugins = store_crypto
+
+# ================= Crypto plugin ===================
+[crypto]
+namespace = barbican.crypto.plugin
+enabled_crypto_plugins = simple_crypto
+
+[simple_crypto_plugin]
+# the kek should be a 32-byte value which is base64 encoded
+kek = 'YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY='
+
+[dogtag_plugin]
+pem_path = '/etc/barbican/kra_admin_cert.pem'
+dogtag_host = localhost
+dogtag_port = 8443
+nss_db_path = '/etc/barbican/alias'
+nss_db_path_ca = '/etc/barbican/alias-ca'
+nss_password = 'password123'
+simple_cmc_profile = 'caOtherCert'
+ca_expiration_time = 1
+plugin_working_dir = '/etc/barbican/dogtag'
+
+
+[p11_crypto_plugin]
+# Path to vendor PKCS11 library
+library_path = '/usr/lib/libCryptoki2_64.so'
+# Password to login to PKCS11 session
+login = 'mypassword'
+# Label to identify master KEK in the HSM (must not be the same as HMAC label)
+mkek_label = 'an_mkek'
+# Length in bytes of master KEK
+mkek_length = 32
+# Label to identify HMAC key in the HSM (must not be the same as MKEK label)
+hmac_label = 'my_hmac_label'
+# HSM Slot id (Should correspond to a configured PKCS11 slot). Default: 1
+# slot_id = 1
+# Enable Read/Write session with the HSM?
+# rw_session = True
+# Length of Project KEKs to create
+# pkek_length = 32
+# How long to cache unwrapped Project KEKs
+# pkek_cache_ttl = 900
+# Max number of items in pkek cache
+# pkek_cache_limit = 100
+
+
+# ================== KMIP plugin =====================
+[kmip_plugin]
+username = 'admin'
+password = 'password'
+host = localhost
+port = 5696
+keyfile = '/path/to/certs/cert.key'
+certfile = '/path/to/certs/cert.crt'
+ca_certs = '/path/to/certs/LocalCA.crt'
+
+
+# ================= Certificate plugin ===================
+[certificate]
+namespace = barbican.certificate.plugin
+enabled_certificate_plugins = simple_certificate
+enabled_certificate_plugins = snakeoil_ca
+
+[certificate_event]
+namespace = barbican.certificate.event.plugin
+enabled_certificate_event_plugins = simple_certificate
+
+[snakeoil_ca_plugin]
+ca_cert_path = /etc/barbican/snakeoil-ca.crt
+ca_cert_key_path = /etc/barbican/snakeoil-ca.key
+ca_cert_chain_path = /etc/barbican/snakeoil-ca.chain
+ca_cert_pkcs7_path = /etc/barbican/snakeoil-ca.p7b
+subca_cert_key_directory=/etc/barbican/snakeoil-cas
+
+[cors]
+
+#
+# From oslo.middleware.cors
+#
+
+# Indicate whether this resource may be shared with the domain
+# received in the requests "origin" header. (list value)
+#allowed_origin = <None>
+
+# Indicate that the actual request can include user credentials
+# (boolean value)
+#allow_credentials = true
+
+# Indicate which headers are safe to expose to the API. Defaults to
+# HTTP Simple Headers. (list value)
+#expose_headers = Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma
+
+# Maximum cache age of CORS preflight requests. (integer value)
+#max_age = 3600
+
+# Indicate which methods can be used during the actual request. (list
+# value)
+#allow_methods = GET,POST,PUT,DELETE,OPTIONS
+
+# Indicate which header field names may be used during the actual
+# request. (list value)
+#allow_headers = Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma
+
+
+[cors.subdomain]
+
+#
+# From oslo.middleware.cors
+#
+
+# Indicate whether this resource may be shared with the domain
+# received in the requests "origin" header. (list value)
+#allowed_origin = <None>
+
+# Indicate that the actual request can include user credentials
+# (boolean value)
+#allow_credentials = true
+
+# Indicate which headers are safe to expose to the API. Defaults to
+# HTTP Simple Headers. (list value)
+#expose_headers = Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma
+
+# Maximum cache age of CORS preflight requests. (integer value)
+#max_age = 3600
+
+# Indicate which methods can be used during the actual request. (list
+# value)
+#allow_methods = GET,POST,PUT,DELETE,OPTIONS
+
+# Indicate which header field names may be used during the actual
+# request. (list value)
+#allow_headers = Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma

templates/policy.json.j2

@@ -0,0 +1,78 @@
+{
+    "admin": "role:admin",
+    "observer": "role:observer",
+    "creator": "role:creator",
+    "audit": "role:audit",
+    "service_admin": "role:key-manager:service-admin",
+    "admin_or_user_does_not_work": "project_id:%(project_id)s",
+    "admin_or_user": "rule:admin or project_id:%(project_id)s",
+    "admin_or_creator": "rule:admin or rule:creator",
+    "all_but_audit": "rule:admin or rule:observer or rule:creator",
+    "all_users": "rule:admin or rule:observer or rule:creator or rule:audit or rule:service_admin",
+    "secret_project_match": "project:%(target.secret.project_id)s",
+    "secret_acl_read": "'read':%(target.secret.read)s",
+    "secret_private_read": "'False':%(target.secret.read_project_access)s",
+    "secret_creator_user": "user:%(target.secret.creator_id)s",
+    "container_project_match": "project:%(target.container.project_id)s",
+    "container_acl_read": "'read':%(target.container.read)s",
+    "container_private_read": "'False':%(target.container.read_project_access)s",
+    "container_creator_user": "user:%(target.container.creator_id)s",
+
+    "secret_non_private_read": "rule:all_users and rule:secret_project_match and not rule:secret_private_read",
+    "secret_decrypt_non_private_read": "rule:all_but_audit and rule:secret_project_match and not rule:secret_private_read",
+    "container_non_private_read": "rule:all_users and rule:container_project_match and not rule:container_private_read",
+    "secret_project_admin": "rule:admin and rule:secret_project_match",
+    "secret_project_creator": "rule:creator and rule:secret_project_match and rule:secret_creator_user",
+    "container_project_admin": "rule:admin and rule:container_project_match",
+    "container_project_creator": "rule:creator and rule:container_project_match and rule:container_creator_user",
+
+    "version:get": "@",
+    "secret:decrypt": "rule:secret_decrypt_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read",
+    "secret:get": "rule:secret_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read",
+    "secret:put": "rule:admin_or_creator and rule:secret_project_match",
+    "secret:delete": "rule:admin and rule:secret_project_match",
+    "secrets:post": "rule:admin_or_creator",
+    "secrets:get": "rule:all_but_audit",
+    "orders:post": "rule:admin_or_creator",
+    "orders:get": "rule:all_but_audit",
+    "order:get": "rule:all_users",
+    "order:put": "rule:admin_or_creator",
+    "order:delete": "rule:admin",
+    "consumer:get": "rule:all_users",
+    "consumers:get": "rule:all_users",
+    "consumers:post": "rule:admin",
+    "consumers:delete": "rule:admin",
+    "containers:post": "rule:admin_or_creator",
+    "containers:get": "rule:all_but_audit",
+    "container:get": "rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read",
+    "container:delete": "rule:admin",
+    "transport_key:get": "rule:all_users",
+    "transport_key:delete": "rule:admin",
+    "transport_keys:get": "rule:all_users",
+    "transport_keys:post": "rule:admin",
+    "certificate_authorities:get_limited": "rule:all_users",
+    "certificate_authorities:get_all": "rule:admin",
+    "certificate_authorities:post": "rule:admin",
+    "certificate_authorities:get_preferred_ca": "rule:all_users",
+    "certificate_authorities:get_global_preferred_ca": "rule:service_admin",
+    "certificate_authorities:unset_global_preferred": "rule:service_admin",
+    "certificate_authority:delete": "rule:admin",
+    "certificate_authority:get": "rule:all_users",
+    "certificate_authority:get_cacert": "rule:all_users",
+    "certificate_authority:get_ca_cert_chain": "rule:all_users",
+    "certificate_authority:get_projects": "rule:service_admin",
+    "certificate_authority:add_to_project": "rule:admin",
+    "certificate_authority:remove_from_project": "rule:admin",
+    "certificate_authority:set_preferred": "rule:admin",
+    "certificate_authority:set_global_preferred": "rule:service_admin",
+    "secret_acls:put_patch": "rule:secret_project_admin or rule:secret_project_creator",
+    "secret_acls:delete": "rule:secret_project_admin or rule:secret_project_creator",
+    "secret_acls:get": "rule:all_but_audit and rule:secret_project_match",
+    "container_acls:put_patch": "rule:container_project_admin or rule:container_project_creator",
+    "container_acls:delete": "rule:container_project_admin or rule:container_project_creator",
+    "container_acls:get": "rule:all_but_audit and rule:container_project_match",
+    "quotas:get": "rule:all_users",
+    "project_quotas:get": "rule:service_admin",
+    "project_quotas:put": "rule:service_admin",
+    "project_quotas:delete": "rule:service_admin"
+}