diff --git a/defaults/main.yml b/defaults/main.yml
index c22795b..18e826f 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -20,6 +20,9 @@ debug: False
 # Options are 'present' and 'latest'
 barbican_package_state: "latest"
+# Toggle keystone authentication for barbican
+barbican_keystone_auth: no
+
 ## System info
 barbican_system_group_name: barbican
 barbican_system_user_name: barbican
@@ -97,8 +100,8 @@ barbican_rabbitmq_vhost: /barbican
 # Keystone AuthToken/Middleware
 barbican_keystone_auth_plugin: password
-barbican_service_project_domain_name: Default
-barbican_service_user_domain_name: default
+barbican_service_project_domain_id: default
+barbican_service_user_domain_id: default
 barbican_service_project_name: service
 # Apache configuration vars
@@ -155,6 +158,7 @@ barbican_pip_packages:
 - pecan
 - pycadf
 - pycrypto
+ - python-memcached
 - PyMySQL
 - pyOpenSSL
 - ldap3
diff --git a/templates/api_audit_map.conf.j2 b/templates/api_audit_map.conf.j2
index 980cc7d..3d9ab38 100644
--- a/templates/api_audit_map.conf.j2
+++ b/templates/api_audit_map.conf.j2
@@ -1,6 +1,4 @@
 [DEFAULT]
-# Disable stderr logging
-use_stderr = False
 # default target endpoint type
 # should match the endpoint type defined in service catalog
 target_endpoint_type = key-manager
diff --git a/templates/barbican-api-paste.ini.j2 b/templates/barbican-api-paste.ini.j2
index d75f5bd..54e2c22 100644
--- a/templates/barbican-api-paste.ini.j2
+++ b/templates/barbican-api-paste.ini.j2
@@ -1,7 +1,7 @@
 [composite:main]
 use = egg:Paste#urlmap
 /: barbican_version
-/v1: barbican-api-keystone
+/v1: {{ (barbican_keystone_auth | bool) | ternary('barbican-api-keystone', 'barbican_api') }}
 # Use this pipeline for Barbican API - versions no authentication
 [pipeline:barbican_version]
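Review bot: `barbican_keystone_auth: no` in the first hunk makes the unauthenticated `/v1` pipeline the default for a key-manager service, so any deployment that does not override the variable serves secrets without keystone; the test vars in this same patch set it to `yes`, which suggests the authenticated path is the intended one and that `true` would be the safer default. Separately, `no`/`yes` are YAML 1.1 booleans that YAML 1.2 parsers and yamllint's truthy rule treat as strings; the templates do pass the value through `| bool`, but the canonical spelling removes the ambiguity, so `barbican_keystone_auth: true` here and `barbican_keystone_auth: true` in tests/test-vars.yml. The comment could also say what the toggle actually switches, e.g. `# Route /v1 through the keystone auth_token paste pipeline; when false the barbican_api pipeline is used instead`.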
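Review bot: The second hunk renames the public role variables `barbican_service_project_domain_name` and `barbican_service_user_domain_name` to `_domain_id` without keeping the old names, so an operator who overrides the old name in their vars will have that override silently ignored and the `default` domain id used instead. If the rename is deliberate, a short comment above the new keys, `# Renamed from barbican_service_*_domain_name: these are now domain IDs, not names`, plus a release note would let users catch the change; a compatibility mapping (`barbican_service_project_domain_id: "{{ barbican_service_project_domain_name | default('default') }}"`) would be the gentler option if the role has external users.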
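Review bot: The ternary on the `/v1:` line falls back to a pipeline named `barbican_api`, and no `[pipeline:barbican_api]` section appears in any hunk of this patch; if it is not already defined further down the file, Paste will fail to build the composite at startup, and the existing pipeline names use dashes (`barbican-api-keystone`), so an underscore/dash mismatch here is easy to miss — worth confirming. The ternary also only knows `barbican-api-keystone`, so the `barbican-api-keystone-audit` pipeline that this patch still maintains in the next hunk can never be selected through this variable; a separate toggle or a small lookup map would let operators enable audit. A one-line comment above the `/v1:` line naming both outcomes, `# barbican_keystone_auth selects the keystone auth_token pipeline; otherwise requests reach barbican_api directly`, would make the security consequence visible to whoever edits this template next.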
@@ -18,11 +18,11 @@ pipeline = cors unauthenticated-context egg:Paste#cgitb egg:Paste#httpexceptions
 #Use this pipeline for keystone auth
 [pipeline:barbican-api-keystone]
-pipeline = cors keystone_authtoken context apiapp
+pipeline = cors authtoken context apiapp
 #Use this pipeline for keystone auth with audit feature
 [pipeline:barbican-api-keystone-audit]
-pipeline = keystone_authtoken context audit apiapp
+pipeline = authtoken context audit apiapp
 [app:apiapp]
 paste.app_factory = barbican.api.app:create_main_app
@@ -43,21 +43,8 @@ paste.filter_factory = barbican.api.middleware.context:ContextMiddleware.factory
 paste.filter_factory = keystonemiddleware.audit:filter_factory
 audit_map_file = /etc/barbican/api_audit_map.conf
-[filter:keystone_authtoken]
+[filter:authtoken]
 paste.filter_factory = keystonemiddleware.auth_token:filter_factory
-#need ability to re-auth a token, thus admin url
-identity_uri = {{ keystone_service_adminuri }}
-admin_tenant_name = {{ barbican_service_project_name }}
-admin_user = {{ barbican_service_user_name }}
-admin_password = {{ barbican_service_password }}
-auth_version = v3.0
-#delay failing perhaps to log the unauthorized request in barbican ..
-#delay_auth_decision = true
-# signing_dir is configurable, but the default behavior of the authtoken
-# middleware should be sufficient. It will create a temporary directory
-# for the user the barbican process is running as.
-#signing_dir = /var/barbican/keystone-signing
-
 [filter:profile]
 use = egg:repoze.profile
diff --git a/templates/barbican.conf.j2 b/templates/barbican.conf.j2
index 105a920..35a655a 100644
--- a/templates/barbican.conf.j2
+++ b/templates/barbican.conf.j2
@@ -1,3 +1,5 @@
+# {{ ansible_managed }}
+
 [DEFAULT]
 # Disable stderr logging
 use_stderr = False
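Review bot: After the `@@ -43,21 +43,8 @@` hunk the `[filter:authtoken]` section carries only the factory line, so every auth_token setting (auth_url, credentials, memcache) now comes from the `[keystone_authtoken]` section of barbican.conf, which this patch renders only when `barbican_keystone_auth` is true; that is consistent for `barbican-api-keystone`, but the `barbican-api-keystone-audit` pipeline kept in the hunk above still names the filter and would load it without any backing configuration when auth is off. The coupling is not stated anywhere in the paste file, so a comment at the filter would save the next reader a search: `# auth_token options are read from [keystone_authtoken] in barbican.conf, which is only rendered when barbican_keystone_auth is true`. The removed `identity_uri`/`admin_*` block was the old-style configuration, so dropping it here is correct as long as the barbican.conf section is always present when an authenticated pipeline is selected.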
@@ -137,6 +139,33 @@ rabbit_hosts={{ rabbitmq_servers }}
 # notification_driver = messagingv2
 # notification_driver = log
+{% if barbican_keystone_auth | bool %}
+[keystone_authtoken]
+insecure = {{ keystone_service_internaluri_insecure | bool }}
+auth_type = {{ barbican_keystone_auth_plugin }}
+signing_dir = {{ barbican_system_user_home }}/cache/api
+auth_url = {{ keystone_service_adminurl }}
+auth_uri = {{ keystone_service_internaluri }}
+project_domain_id = {{ barbican_service_project_domain_id }}
+user_domain_id = {{ barbican_service_user_domain_id }}
+project_name = {{ barbican_service_project_name }}
+username = {{ barbican_service_user_name }}
+password = {{ barbican_service_password }}
+region_name = {{ keystone_service_region }}
+
+memcached_servers = {{ memcached_servers }}
+
+token_cache_time = 300
+revocation_cache_time = 60
+
+# if your memcached server is shared, use these settings to avoid cache poisoning
+memcache_security_strategy = ENCRYPT
+memcache_secret_key = {{ memcached_encryption_key }}
+
+# if your keystone deployment uses PKI, and you value security over performance:
+check_revocations_for_cached = False
+{% endif %}
+
 # ======== OpenStack policy - oslo_policy ===============
 [oslo_policy]
diff --git a/templates/policy.json.j2 b/templates/policy.json.j2
index 020cd56..723f1c1 100644
--- a/templates/policy.json.j2
+++ b/templates/policy.json.j2
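Review bot: The comment above `check_revocations_for_cached = False` tells the reader to use the option "if you value security over performance", but the value written disables the check, so the comment and the setting contradict each other; either set `check_revocations_for_cached = True` as the comment implies, or reword it to describe what is actually configured: `# Cached tokens are not re-checked against the revocation list (only relevant for PKI tokens); set True to favour prompt revocation over throughput`. `memcache_security_strategy = ENCRYPT` together with `memcache_secret_key` is the right choice for a shared memcached, but `memcached_servers` and `memcached_encryption_key` are rendered unconditionally inside the block, so a host without those variables defined will fail the template rather than fall back to in-process caching — presumably they are role defaults or group vars, but that is outside this patch. The rendered section also contains `password` in clear text, so the task that writes barbican.conf (not in this diff) should keep the file owner-only readable.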
@@ -30,7 +30,7 @@
 "secret:decrypt": "rule:secret_decrypt_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read",
 "secret:get": "rule:secret_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read",
 "secret:put": "rule:admin_or_creator and rule:secret_project_match",
- "secret:delete": "rule:admin and rule:secret_project_match",
+ "secret:delete": "rule:secret_project_admin or rule:secret_project_creator",
 "secrets:post": "rule:admin_or_creator",
 "secrets:get": "rule:all_but_audit",
 "orders:post": "rule:admin_or_creator",
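Review bot: `secret:delete` changes from `rule:admin and rule:secret_project_match` to `rule:secret_project_admin or rule:secret_project_creator`, which both extends deletion to creators and drops the explicit `secret_project_match` conjunction; whether the caller is still bound to the secret's own project now depends entirely on how `secret_project_admin` and `secret_project_creator` are defined, and those rule definitions are outside this hunk, so they should be checked before merging (the context lines already use them in `secret:get`, which suggests they carry the project check, but that is an inference). Widening who may destroy key material is a deliberate policy decision; JSON has no room for a comment, so the rationale and the reference to the upstream barbican policy it tracks belong in the commit message.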
@@ -38,14 +38,16 @@
 "order:get": "rule:all_users",
 "order:put": "rule:admin_or_creator",
 "order:delete": "rule:admin",
- "consumer:get": "rule:all_users",
- "consumers:get": "rule:all_users",
- "consumers:post": "rule:admin",
- "consumers:delete": "rule:admin",
+ "consumer:get": "rule:admin or rule:observer or rule:creator or rule:audit or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read",
+ "consumers:get": "rule:admin or rule:observer or rule:creator or rule:audit or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read",
+ "consumers:post": "rule:admin or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read",
+ "consumers:delete": "rule:admin or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read",
 "containers:post": "rule:admin_or_creator",
 "containers:get": "rule:all_but_audit",
 "container:get": "rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read",
- "container:delete": "rule:admin",
+ "container:delete": "rule:container_project_admin or rule:container_project_creator",
+ "container_secret:post": "rule:admin",
+ "container_secret:delete": "rule:admin",
 "transport_key:get": "rule:all_users",
 "transport_key:delete": "rule:admin",
 "transport_keys:get": "rule:all_users",
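Review bot: `consumers:post` and `consumers:delete` now accept `rule:container_non_private_read` and `rule:container_acl_read`, the same rules that gate read access on the `container:get` context line, so a read-level ACL entry on a container is enough to register or remove consumers on it — a write operation that previously required `rule:admin`. If that is intended it should be stated in the commit; otherwise the two lines should be `"consumers:post": "rule:admin or rule:container_project_admin or rule:container_project_creator",` and the same for `consumers:delete`, leaving the read rules on `consumer:get`/`consumers:get` only. `container:delete` is widened from `rule:admin` to project admin or creator in the same way as `secret:delete` in the previous hunk, and the same check on how those named rules are defined (outside this hunk) applies.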
@@ -78,5 +80,11 @@
 "secret_meta:get": "rule:all_but_audit",
 "secret_meta:post": "rule:admin_or_creator",
 "secret_meta:put": "rule:admin_or_creator",
- "secret_meta:delete": "rule:admin_or_creator"
+ "secret_meta:delete": "rule:admin_or_creator",
+ "secretstores:get": "rule:admin",
+ "secretstores:get_global_default": "rule:admin",
+ "secretstores:get_preferred": "rule:admin",
+ "secretstore_preferred:post": "rule:admin",
+ "secretstore_preferred:delete": "rule:admin",
+ "secretstore:get": "rule:admin"
 }
diff --git a/tests/test-vars.yml b/tests/test-vars.yml
index 5b6a111..c0aef72 100644
--- a/tests/test-vars.yml
+++ b/tests/test-vars.yml
@@ -3,6 +3,7 @@ barbican_developer_mode: true
 barbican_galera_address: "{{ hostvars[groups['galera_all'][0]]['ansible_host'] }}"
 barbican_galera_database: barbican
 barbican_git_install_branch: master
+barbican_keystone_auth: yes
 barbican_rabbitmq_password: secrete
 barbican_rabbitmq_userid: barbican
 barbican_rabbitmq_vhost: /barbican