Update paste, policy and rootwrap configurations 2016-10-13

Barbican's default API pipeline is noauth, a variable to
toggle between noauth and keystone, 'barbican__keystone_auth' has been
added. keystone_authtoken information has been moved to a better home
in barbican.conf.

python-memcached has also been added to the pip package list since it's
a requirement when using keystone authentication with token caching.

Change-Id: I5e731d63f442edf970845f2b821b98ce57176e48

defaults/main.yml

@@ -20,6 +20,9 @@ debug: False
 # Options are 'present' and 'latest'
 barbican_package_state: "latest"
 
+# Toggle keystone authentication for barbican
+barbican_keystone_auth: no
+
 ## System info
 barbican_system_group_name: barbican
 barbican_system_user_name: barbican
@@ -97,8 +100,8 @@ barbican_rabbitmq_vhost: /barbican
 
 # Keystone AuthToken/Middleware
 barbican_keystone_auth_plugin: password
-barbican_service_project_domain_name: Default
-barbican_service_user_domain_name: default
+barbican_service_project_domain_id: default
+barbican_service_user_domain_id: default
 barbican_service_project_name: service
 
 # Apache configuration vars
@@ -155,6 +158,7 @@ barbican_pip_packages:
   - pecan
   - pycadf
   - pycrypto
+  - python-memcached
   - PyMySQL
   - pyOpenSSL
   - ldap3

templates/api_audit_map.conf.j2

@@ -1,6 +1,4 @@
 [DEFAULT]
-# Disable stderr logging
-use_stderr = False
 # default target endpoint type
 # should match the endpoint type defined in service catalog
 target_endpoint_type = key-manager

templates/barbican-api-paste.ini.j2

@@ -1,7 +1,7 @@
 [composite:main]
 use = egg:Paste#urlmap
 /: barbican_version
-/v1: barbican-api-keystone
+/v1: {{ (barbican_keystone_auth | bool) | ternary('barbican-api-keystone', 'barbican_api') }}
 
 # Use this pipeline for Barbican API - versions no authentication
 [pipeline:barbican_version]
@@ -18,11 +18,11 @@ pipeline = cors unauthenticated-context egg:Paste#cgitb egg:Paste#httpexceptions
 
 #Use this pipeline for keystone auth
 [pipeline:barbican-api-keystone]
-pipeline = cors keystone_authtoken context apiapp
+pipeline = cors authtoken context apiapp
 
 #Use this pipeline for keystone auth with audit feature
 [pipeline:barbican-api-keystone-audit]
-pipeline = keystone_authtoken context audit apiapp
+pipeline = authtoken context audit apiapp
 
 [app:apiapp]
 paste.app_factory = barbican.api.app:create_main_app
@@ -43,21 +43,8 @@ paste.filter_factory = barbican.api.middleware.context:ContextMiddleware.factory
 paste.filter_factory = keystonemiddleware.audit:filter_factory
 audit_map_file = /etc/barbican/api_audit_map.conf
 
-[filter:keystone_authtoken]
+[filter:authtoken]
 paste.filter_factory = keystonemiddleware.auth_token:filter_factory
-#need ability to re-auth a token, thus admin url
-identity_uri = {{ keystone_service_adminuri }}
-admin_tenant_name = {{ barbican_service_project_name }}
-admin_user = {{ barbican_service_user_name }}
-admin_password = {{ barbican_service_password }}
-auth_version = v3.0
-#delay failing perhaps to log the unauthorized request in barbican ..
-#delay_auth_decision = true
-# signing_dir is configurable, but the default behavior of the authtoken
-# middleware should be sufficient.  It will create a temporary directory
-# for the user the barbican process is running as.
-#signing_dir = /var/barbican/keystone-signing
-
 
 [filter:profile]
 use = egg:repoze.profile

templates/barbican.conf.j2

@@ -1,3 +1,5 @@
+# {{ ansible_managed }}
+
 [DEFAULT]
 # Disable stderr logging
 use_stderr = False
@@ -137,6 +139,33 @@ rabbit_hosts={{ rabbitmq_servers }}
 # notification_driver = messagingv2
 # notification_driver = log
 
+{% if barbican_keystone_auth | bool %}
+[keystone_authtoken]
+insecure = {{ keystone_service_internaluri_insecure | bool }}
+auth_type = {{ barbican_keystone_auth_plugin }}
+signing_dir = {{ barbican_system_user_home }}/cache/api
+auth_url = {{ keystone_service_adminurl }}
+auth_uri = {{ keystone_service_internaluri }}
+project_domain_id = {{ barbican_service_project_domain_id }}
+user_domain_id = {{ barbican_service_user_domain_id }}
+project_name = {{ barbican_service_project_name }}
+username = {{ barbican_service_user_name }}
+password = {{ barbican_service_password }}
+region_name = {{ keystone_service_region }}
+
+memcached_servers = {{ memcached_servers }}
+
+token_cache_time = 300
+revocation_cache_time = 60
+
+# if your memcached server is shared, use these settings to avoid cache poisoning
+memcache_security_strategy = ENCRYPT
+memcache_secret_key = {{ memcached_encryption_key }}
+
+# if your keystone deployment uses PKI, and you value security over performance:
+check_revocations_for_cached = False
+{% endif %}
+
 # ======== OpenStack policy - oslo_policy ===============
 
 [oslo_policy]

templates/policy.json.j2

@@ -30,7 +30,7 @@
     "secret:decrypt": "rule:secret_decrypt_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read",
     "secret:get": "rule:secret_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read",
     "secret:put": "rule:admin_or_creator and rule:secret_project_match",
-    "secret:delete": "rule:admin and rule:secret_project_match",
+    "secret:delete": "rule:secret_project_admin or rule:secret_project_creator",
     "secrets:post": "rule:admin_or_creator",
     "secrets:get": "rule:all_but_audit",
     "orders:post": "rule:admin_or_creator",
@@ -38,14 +38,16 @@
     "order:get": "rule:all_users",
     "order:put": "rule:admin_or_creator",
     "order:delete": "rule:admin",
-    "consumer:get": "rule:all_users",
-    "consumers:get": "rule:all_users",
-    "consumers:post": "rule:admin",
-    "consumers:delete": "rule:admin",
+    "consumer:get": "rule:admin or rule:observer or rule:creator or rule:audit or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read",
+    "consumers:get": "rule:admin or rule:observer or rule:creator or rule:audit or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read",
+    "consumers:post": "rule:admin or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read",
+    "consumers:delete": "rule:admin or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read",
     "containers:post": "rule:admin_or_creator",
     "containers:get": "rule:all_but_audit",
     "container:get": "rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read",
-    "container:delete": "rule:admin",
+    "container:delete": "rule:container_project_admin or rule:container_project_creator",
+    "container_secret:post": "rule:admin",
+    "container_secret:delete": "rule:admin",
     "transport_key:get": "rule:all_users",
     "transport_key:delete": "rule:admin",
     "transport_keys:get": "rule:all_users",
@@ -78,5 +80,11 @@
     "secret_meta:get": "rule:all_but_audit",
     "secret_meta:post": "rule:admin_or_creator",
     "secret_meta:put": "rule:admin_or_creator",
-    "secret_meta:delete": "rule:admin_or_creator"
+    "secret_meta:delete": "rule:admin_or_creator",
+    "secretstores:get": "rule:admin",
+    "secretstores:get_global_default": "rule:admin",
+    "secretstores:get_preferred": "rule:admin",
+    "secretstore_preferred:post": "rule:admin",
+    "secretstore_preferred:delete": "rule:admin",
+    "secretstore:get": "rule:admin"
 }

tests/test-vars.yml

@@ -3,6 +3,7 @@ barbican_developer_mode: true
 barbican_galera_address: "{{ hostvars[groups['galera_all'][0]]['ansible_host'] }}"
 barbican_galera_database: barbican
 barbican_git_install_branch: master
+barbican_keystone_auth: yes
 barbican_rabbitmq_password: secrete
 barbican_rabbitmq_userid: barbican
 barbican_rabbitmq_vhost: /barbican