3c69c5182f
Change-Id: I5d05d59279dcff46a0763d4f24703b0350d318e0 Implements: blueprint remove-pki
406 lines
14 KiB
Django/Jinja
406 lines
14 KiB
Django/Jinja
# {{ ansible_managed }}
|
|
|
|
[DEFAULT]
|
|
# Disable stderr logging
|
|
use_stderr = False
|
|
# Show debugging output in logs (sets DEBUG log level output)
|
|
debug = {{ debug }}
|
|
|
|
# Address to bind the API server
|
|
bind_host = 0.0.0.0
|
|
|
|
# Port to bind the API server to
|
|
bind_port = 9311
|
|
|
|
# Host name, for use in HATEOAS-style references
|
|
# Note: Typically this would be the load balanced endpoint that clients would use
|
|
# communicate back with this service.
|
|
host_href = {{ barbican_service_publicurl }}
|
|
|
|
# Log to this file. Make sure you do not set the same log
|
|
# file for both the API and registry servers!
|
|
#log_file = /var/log/barbican/api.log
|
|
|
|
# Backlog requests when creating socket
|
|
backlog = 4096
|
|
|
|
# TCP_KEEPIDLE value in seconds when creating socket.
|
|
# Not supported on OS X.
|
|
#tcp_keepidle = 600
|
|
|
|
# Maximum allowed http request size against the barbican-api
|
|
max_allowed_secret_in_bytes = 10000
|
|
max_allowed_request_size_in_bytes = 1000000
|
|
|
|
# SQLAlchemy connection string for the reference implementation
|
|
# registry server. Any valid SQLAlchemy connection string is fine.
|
|
# See: http://www.sqlalchemy.org/docs/05/reference/sqlalchemy/connections.html#sqlalchemy.create_engine
|
|
# Uncomment this for local dev, putting db in project directory:
|
|
#sql_connection = sqlite:///barbican.sqlite
|
|
# Note: For absolute addresses, use '////' slashes after 'sqlite:'
|
|
# Uncomment for a more global development environment
|
|
sql_connection = mysql+pymysql://{{ barbican_galera_user }}:{{ barbican_galera_password }}@{{ barbican_galera_address }}/{{ barbican_galera_database }}?charset=utf8
|
|
|
|
# Period in seconds after which SQLAlchemy should reestablish its connection
|
|
# to the database.
|
|
#
|
|
# MySQL uses a default `wait_timeout` of 8 hours, after which it will drop
|
|
# idle connections. This can result in 'MySQL Gone Away' exceptions. If you
|
|
# notice this, you can lower this value to ensure that SQLAlchemy reconnects
|
|
# before MySQL can drop the connection.
|
|
sql_idle_timeout = 3600
|
|
|
|
# Accepts a class imported from the sqlalchemy.pool module, and handles the
|
|
# details of building the pool for you. If commented out, SQLAlchemy
|
|
# will select based on the database dialect. Other options are QueuePool
|
|
# (for SQLAlchemy-managed connections) and NullPool (to disabled SQLAlchemy
|
|
# management of connections).
|
|
# See http://docs.sqlalchemy.org/en/latest/core/pooling.html for more details.
|
|
#sql_pool_class = QueuePool
|
|
|
|
# Show SQLAlchemy pool-related debugging output in logs (sets DEBUG log level
|
|
# output) if specified.
|
|
#sql_pool_logging = True
|
|
|
|
# Size of pool used by SQLAlchemy. This is the largest number of connections
|
|
# that will be kept persistently in the pool. Can be set to 0 to indicate no
|
|
# size limit. To disable pooling, use a NullPool with sql_pool_class instead.
|
|
# Comment out to allow SQLAlchemy to select the default.
|
|
#sql_pool_size = 5
|
|
|
|
# The maximum overflow size of the pool used by SQLAlchemy. When the number of
|
|
# checked-out connections reaches the size set in sql_pool_size, additional
|
|
# connections will be returned up to this limit. It follows then that the
|
|
# total number of simultaneous connections the pool will allow is
|
|
# sql_pool_size + sql_pool_max_overflow. Can be set to -1 to indicate no
|
|
# overflow limit, so no limit will be placed on the total number of concurrent
|
|
# connections. Comment out to allow SQLAlchemy to select the default.
|
|
#sql_pool_max_overflow = 10
|
|
|
|
# Default page size for the 'limit' paging URL parameter.
|
|
default_limit_paging = 10
|
|
|
|
# Maximum page size for the 'limit' paging URL parameter.
|
|
max_limit_paging = 100
|
|
|
|
# Role used to identify an authenticated user as administrator
|
|
#admin_role = admin
|
|
|
|
# Allow unauthenticated users to access the API with read-only
|
|
# privileges. This only applies when using ContextMiddleware.
|
|
#allow_anonymous_access = False
|
|
|
|
# Allow access to version 1 of barbican api
|
|
#enable_v1_api = True
|
|
|
|
# Allow access to version 2 of barbican api
|
|
#enable_v2_api = True
|
|
|
|
# ================= SSL Options ===============================
|
|
|
|
# Certificate file to use when starting API server securely
|
|
#cert_file = /path/to/certfile
|
|
|
|
# Private key file to use when starting API server securely
|
|
#key_file = /path/to/keyfile
|
|
|
|
# CA certificate file to use to verify connecting clients
|
|
#ca_file = /path/to/cafile
|
|
|
|
# ================= Security Options ==========================
|
|
|
|
# AES key for encrypting store 'location' metadata, including
|
|
# -- if used -- Swift or S3 credentials
|
|
# Should be set to a random string of length 16, 24 or 32 bytes
|
|
#metadata_encryption_key = <16, 24 or 32 char registry metadata key>
|
|
|
|
# ================= Queue Options - oslo.messaging ==========================
|
|
|
|
# Rabbit and HA configuration:
|
|
ampq_durable_queues = True
|
|
rabbit_userid = {{ barbican_rabbitmq_userid }}
|
|
rabbit_password = {{ barbican_rabbitmq_password }}
|
|
rabbit_ha_queues = True
|
|
rabbit_port = {{ rabbitmq_port }}
|
|
|
|
# For HA, specify queue nodes in cluster, comma delimited:
|
|
# For example: rabbit_hosts=192.168.50.8:5672, 192.168.50.9:5672
|
|
rabbit_hosts={{ rabbitmq_servers }}
|
|
|
|
# For HA, specify queue nodes in cluster as 'user@host:5672', comma delimited, ending with '/offset':
|
|
# For example: transport_url = rabbit://guest@192.168.50.8:5672,guest@192.168.50.9:5672/
|
|
# DO NOT USE THIS, due to '# FIXME(markmc): support multiple hosts' in oslo/messaging/_drivers/amqpdriver.py
|
|
# transport_url = rabbit://guest@localhost:5672/
|
|
|
|
# oslo notification driver for sending audit events via audit middleware.
|
|
# Meaningful only when middleware is enabled in barbican paste ini file.
|
|
# This is oslo config MultiStrOpt so can be defined multiple times in case
|
|
# there is need to route audit event to messaging as well as log.
|
|
# notification_driver = messagingv2
|
|
# notification_driver = log
|
|
|
|
{% if barbican_keystone_auth | bool %}
|
|
[keystone_authtoken]
|
|
insecure = {{ keystone_service_internaluri_insecure | bool }}
|
|
auth_type = {{ barbican_keystone_auth_plugin }}
|
|
auth_url = {{ keystone_service_adminurl }}
|
|
auth_uri = {{ keystone_service_internaluri }}
|
|
project_domain_id = {{ barbican_service_project_domain_id }}
|
|
user_domain_id = {{ barbican_service_user_domain_id }}
|
|
project_name = {{ barbican_service_project_name }}
|
|
username = {{ barbican_service_user_name }}
|
|
password = {{ barbican_service_password }}
|
|
region_name = {{ keystone_service_region }}
|
|
|
|
memcached_servers = {{ memcached_servers }}
|
|
|
|
token_cache_time = 300
|
|
|
|
# if your memcached server is shared, use these settings to avoid cache poisoning
|
|
memcache_security_strategy = ENCRYPT
|
|
memcache_secret_key = {{ memcached_encryption_key }}
|
|
|
|
{% endif %}
|
|
|
|
# ======== OpenStack policy - oslo_policy ===============
|
|
|
|
[oslo_policy]
|
|
|
|
# ======== OpenStack policy integration
|
|
# JSON file representing policy (string value)
|
|
policy_file=/etc/barbican/policy.json
|
|
|
|
# Rule checked when requested rule is not found (string value)
|
|
policy_default_rule=default
|
|
|
|
|
|
# ================= Queue Options - Application ==========================
|
|
|
|
[queue]
|
|
# Enable queuing asynchronous messaging.
|
|
# Set false to invoke worker tasks synchronously (i.e. no-queue standalone mode)
|
|
enable = False
|
|
|
|
# Namespace for the queue
|
|
namespace = 'barbican'
|
|
|
|
# Topic for the queue
|
|
topic = 'barbican.workers'
|
|
|
|
# Version for the task API
|
|
version = '1.1'
|
|
|
|
# Server name for RPC service
|
|
server_name = 'barbican.queue'
|
|
|
|
# Number of asynchronous worker processes.
|
|
# When greater than 1, then that many additional worker processes are
|
|
# created for asynchronous worker functionality.
|
|
asynchronous_workers = 1
|
|
|
|
# ================= Retry/Scheduler Options ==========================
|
|
|
|
[retry_scheduler]
|
|
# Seconds (float) to wait between starting retry scheduler
|
|
initial_delay_seconds = 10.0
|
|
|
|
# Seconds (float) to wait between starting retry scheduler
|
|
periodic_interval_max_seconds = 10.0
|
|
|
|
|
|
# ====================== Quota Options ===============================
|
|
|
|
[quotas]
|
|
# For each resource, the default maximum number that can be used for
|
|
# a project is set below. This value can be overridden for each
|
|
# project through the API. A negative value means no limit. A zero
|
|
# value effectively disables the resource.
|
|
|
|
# default number of secrets allowed per project
|
|
quota_secrets = -1
|
|
|
|
# default number of orders allowed per project
|
|
quota_orders = -1
|
|
|
|
# default number of containers allowed per project
|
|
quota_containers = -1
|
|
|
|
# default number of consumers allowed per project
|
|
quota_consumers = -1
|
|
|
|
# default number of CAs allowed per project
|
|
quota_cas = -1
|
|
|
|
# ================= Keystone Notification Options - Application ===============
|
|
|
|
[keystone_notifications]
|
|
|
|
# Keystone notification functionality uses transport related configuration
|
|
# from barbican common configuration as defined under
|
|
# 'Queue Options - oslo.messaging' comments.
|
|
# The HA related configuration is also shared with notification server.
|
|
|
|
# True enables keystone notification listener functionality.
|
|
enable = False
|
|
|
|
# The default exchange under which topics are scoped.
|
|
# May be overridden by an exchange name specified in the transport_url option.
|
|
control_exchange = 'openstack'
|
|
|
|
# Keystone notification queue topic name.
|
|
# This name needs to match one of values mentioned in Keystone deployment's
|
|
# 'notification_topics' configuration e.g.
|
|
# notification_topics=notifications, barbican_notifications
|
|
# Multiple servers may listen on a topic and messages will be dispatched to one
|
|
# of the servers in a round-robin fashion. That's why Barbican service should
|
|
# have its own dedicated notification queue so that it receives all of Keystone
|
|
# notifications.
|
|
topic = 'notifications'
|
|
|
|
# True enables requeue feature in case of notification processing error.
|
|
# Enable this only when underlying transport supports this feature.
|
|
allow_requeue = False
|
|
|
|
# Version of tasks invoked via notifications
|
|
version = '1.0'
|
|
|
|
# Define the number of max threads to be used for notification server
|
|
# processing functionality.
|
|
thread_pool_size = 10
|
|
|
|
# ================= Secret Store Plugin ===================
|
|
[secretstore]
|
|
namespace = barbican.secretstore.plugin
|
|
enabled_secretstore_plugins = store_crypto
|
|
|
|
# ================= Crypto plugin ===================
|
|
[crypto]
|
|
namespace = barbican.crypto.plugin
|
|
enabled_crypto_plugins = simple_crypto
|
|
|
|
[simple_crypto_plugin]
|
|
# the kek should be a 32-byte value which is base64 encoded
|
|
kek = 'YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY='
|
|
|
|
[dogtag_plugin]
|
|
pem_path = '/etc/barbican/kra_admin_cert.pem'
|
|
dogtag_host = localhost
|
|
dogtag_port = 8443
|
|
nss_db_path = '/etc/barbican/alias'
|
|
nss_db_path_ca = '/etc/barbican/alias-ca'
|
|
nss_password = 'password123'
|
|
simple_cmc_profile = 'caOtherCert'
|
|
ca_expiration_time = 1
|
|
plugin_working_dir = '/etc/barbican/dogtag'
|
|
|
|
|
|
[p11_crypto_plugin]
|
|
# Path to vendor PKCS11 library
|
|
library_path = '/usr/lib/libCryptoki2_64.so'
|
|
# Password to login to PKCS11 session
|
|
login = 'mypassword'
|
|
# Label to identify master KEK in the HSM (must not be the same as HMAC label)
|
|
mkek_label = 'an_mkek'
|
|
# Length in bytes of master KEK
|
|
mkek_length = 32
|
|
# Label to identify HMAC key in the HSM (must not be the same as MKEK label)
|
|
hmac_label = 'my_hmac_label'
|
|
# HSM Slot id (Should correspond to a configured PKCS11 slot). Default: 1
|
|
# slot_id = 1
|
|
# Enable Read/Write session with the HSM?
|
|
# rw_session = True
|
|
# Length of Project KEKs to create
|
|
# pkek_length = 32
|
|
# How long to cache unwrapped Project KEKs
|
|
# pkek_cache_ttl = 900
|
|
# Max number of items in pkek cache
|
|
# pkek_cache_limit = 100
|
|
|
|
|
|
# ================== KMIP plugin =====================
|
|
[kmip_plugin]
|
|
username = 'admin'
|
|
password = 'password'
|
|
host = localhost
|
|
port = 5696
|
|
keyfile = '/path/to/certs/cert.key'
|
|
certfile = '/path/to/certs/cert.crt'
|
|
ca_certs = '/path/to/certs/LocalCA.crt'
|
|
|
|
|
|
# ================= Certificate plugin ===================
|
|
[certificate]
|
|
namespace = barbican.certificate.plugin
|
|
enabled_certificate_plugins = simple_certificate
|
|
enabled_certificate_plugins = snakeoil_ca
|
|
|
|
[certificate_event]
|
|
namespace = barbican.certificate.event.plugin
|
|
enabled_certificate_event_plugins = simple_certificate
|
|
|
|
[snakeoil_ca_plugin]
|
|
ca_cert_path = /etc/barbican/snakeoil-ca.crt
|
|
ca_cert_key_path = /etc/barbican/snakeoil-ca.key
|
|
ca_cert_chain_path = /etc/barbican/snakeoil-ca.chain
|
|
ca_cert_pkcs7_path = /etc/barbican/snakeoil-ca.p7b
|
|
subca_cert_key_directory=/etc/barbican/snakeoil-cas
|
|
|
|
[cors]
|
|
|
|
#
|
|
# From oslo.middleware.cors
|
|
#
|
|
|
|
# Indicate whether this resource may be shared with the domain
|
|
# received in the requests "origin" header. (list value)
|
|
#allowed_origin = <None>
|
|
|
|
# Indicate that the actual request can include user credentials
|
|
# (boolean value)
|
|
#allow_credentials = true
|
|
|
|
# Indicate which headers are safe to expose to the API. Defaults to
|
|
# HTTP Simple Headers. (list value)
|
|
#expose_headers = Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma
|
|
|
|
# Maximum cache age of CORS preflight requests. (integer value)
|
|
#max_age = 3600
|
|
|
|
# Indicate which methods can be used during the actual request. (list
|
|
# value)
|
|
#allow_methods = GET,POST,PUT,DELETE,OPTIONS
|
|
|
|
# Indicate which header field names may be used during the actual
|
|
# request. (list value)
|
|
#allow_headers = Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma
|
|
|
|
|
|
[cors.subdomain]
|
|
|
|
#
|
|
# From oslo.middleware.cors
|
|
#
|
|
|
|
# Indicate whether this resource may be shared with the domain
|
|
# received in the requests "origin" header. (list value)
|
|
#allowed_origin = <None>
|
|
|
|
# Indicate that the actual request can include user credentials
|
|
# (boolean value)
|
|
#allow_credentials = true
|
|
|
|
# Indicate which headers are safe to expose to the API. Defaults to
|
|
# HTTP Simple Headers. (list value)
|
|
#expose_headers = Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma
|
|
|
|
# Maximum cache age of CORS preflight requests. (integer value)
|
|
#max_age = 3600
|
|
|
|
# Indicate which methods can be used during the actual request. (list
|
|
# value)
|
|
#allow_methods = GET,POST,PUT,DELETE,OPTIONS
|
|
|
|
# Indicate which header field names may be used during the actual
|
|
# request. (list value)
|
|
#allow_headers = Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma
|