openstack-manuals/doc/cli-reference/source/barbican.rst
KATO Tomoyuki 4d16b13157 [cli-ref] add project name with service name
Change-Id: I9170a7927f05e00d6ee99b7211109f15fe8aad88
Partial-Bug: #1490484
2016-12-10 23:23:11 +09:00

22 KiB

Key Manager service (barbican) command-line client

The barbican client is the command-line interface (CLI) for the Key Manager service (barbican) API and its extensions.

This chapter documents barbican version 4.1.0.

For help on a specific barbican command, enter:

$ barbican help COMMAND

barbican usage

usage: barbican [--version] [-v | -q] [--log-file LOG_FILE] [-h] [--debug]
                [--no-auth] [--os-identity-api-version <identity-api-version>]
                [--os-auth-url <auth-url>] [--os-username <auth-user-name>]
                [--os-user-id <auth-user-id>] [--os-password <auth-password>]
                [--os-user-domain-id <auth-user-domain-id>]
                [--os-user-domain-name <auth-user-domain-name>]
                [--os-tenant-name <auth-tenant-name>]
                [--os-tenant-id <tenant-id>]
                [--os-project-id <auth-project-id>]
                [--os-project-name <auth-project-name>]
                [--os-project-domain-id <auth-project-domain-id>]
                [--os-project-domain-name <auth-project-domain-name>]
                [--os-auth-token <auth-token>] [--endpoint <barbican-url>]
                [--interface <barbican-interface>]
                [--service-type <barbican-service-type>]
                [--service-name <barbican-service-name>]
                [--region-name <barbican-region-name>]
                [--barbican-api-version <barbican-api-version>] [--insecure]
                [--os-cacert <ca-certificate>] [--os-cert <certificate>]
                [--os-key <key>] [--timeout <seconds>]

barbican optional arguments

--version

show program's version number and exit

-v, --verbose

Increase verbosity of output. Can be repeated.

-q, --quiet

Suppress output except warnings and errors.

--log-file LOG_FILE

Specify a file to log output. Disabled by default.

-h, --help

Show help message and exit.

--debug

Show tracebacks on errors.

--no-auth, -N

Do not use authentication.

--os-identity-api-version <identity-api-version>

Specify Identity API version to use. Defaults to env[OS_IDENTITY_API_VERSION] or 3.

--os-auth-url <auth-url>, -A <auth-url>

Defaults to env[OS_AUTH_URL].

--os-username <auth-user-name>, -U <auth-user-name>

Defaults to env[OS_USERNAME].

--os-user-id <auth-user-id>

Defaults to env[OS_USER_ID].

--os-password <auth-password>, -P <auth-password>

Defaults to env[OS_PASSWORD].

--os-user-domain-id <auth-user-domain-id>

Defaults to env[OS_USER_DOMAIN_ID].

--os-user-domain-name <auth-user-domain-name>

Defaults to env[OS_USER_DOMAIN_NAME].

--os-tenant-name <auth-tenant-name>, -T <auth-tenant-name>

Defaults to env[OS_TENANT_NAME].

--os-tenant-id <tenant-id>, -I <tenant-id>

Defaults to env[OS_TENANT_ID].

--os-project-id <auth-project-id>

Another way to specify tenant ID. This option is mutually exclusive with --os-tenant-id. Defaults to env[OS_PROJECT_ID].

--os-project-name <auth-project-name>

Another way to specify tenant name. This option is mutually exclusive with --os-tenant-name. Defaults to env[OS_PROJECT_NAME].

--os-project-domain-id <auth-project-domain-id>

Defaults to env[OS_PROJECT_DOMAIN_ID].

--os-project-domain-name <auth-project-domain-name>

Defaults to env[OS_PROJECT_DOMAIN_NAME].

--os-auth-token <auth-token>

Defaults to env[OS_AUTH_TOKEN].

--endpoint <barbican-url>, -E <barbican-url>

Defaults to env[BARBICAN_ENDPOINT].

--interface <barbican-interface>

Defaults to env[BARBICAN_INTERFACE].

--service-type <barbican-service-type>

Defaults to env[BARBICAN_SERVICE_TYPE].

--service-name <barbican-service-name>

Defaults to env[BARBICAN_SERVICE_NAME].

--region-name <barbican-region-name>

Defaults to env[BARBICAN_REGION_NAME].

--barbican-api-version <barbican-api-version>

Defaults to env[BARBICAN_API_VERSION].

--insecure

Explicitly allow client to perform "insecure" TLS (https) requests. The server's certificate will not be verified against any certificate authorities. This option should be used with caution.

--os-cacert <ca-certificate>

Specify a CA bundle file to use in verifying a TLS (https) server certificate. Defaults to env[OS_CACERT].

--os-cert <certificate>

Defaults to env[OS_CERT].

--os-key <key>

Defaults to env[OS_KEY].

--timeout <seconds>

Set request timeout (in seconds).

barbican acl delete

usage: barbican acl delete [-h] URI

Delete ACLs for a secret or container as identified by its href.

Positional arguments:

URI

The URI reference for the secret or container.

Optional arguments:

-h, --help

show this help message and exit

barbican acl get

usage: barbican acl get [-h] [-f {csv,html,json,table,value,yaml}] [-c COLUMN]
                        [--max-width <integer>] [--noindent]
                        [--quote {all,minimal,none,nonnumeric}]
                        URI

Retrieve ACLs for a secret or container by providing its href.

Positional arguments:

URI

The URI reference for the secret or container.

Optional arguments:

-h, --help

show this help message and exit

barbican acl submit

usage: barbican acl submit [-h] [-f {csv,html,json,table,value,yaml}]
                           [-c COLUMN] [--max-width <integer>] [--noindent]
                           [--quote {all,minimal,none,nonnumeric}]
                           [--user [USERS]]
                           [--project-access | --no-project-access]
                           [--operation-type {read}]
                           URI

Submit ACL on a secret or container as identified by its href.

Positional arguments:

URI

The URI reference for the secret or container.

Optional arguments:

-h, --help

show this help message and exit

--user [USERS], -u [USERS]

Keystone userid(s) for ACL.

--project-access

Flag to enable project access behavior.

--no-project-access

Flag to disable project access behavior.

--operation-type {read}, -o {read}

Type of Barbican operation ACL is set for

barbican acl user add

usage: barbican acl user add [-h] [-f {csv,html,json,table,value,yaml}]
                             [-c COLUMN] [--max-width <integer>] [--noindent]
                             [--quote {all,minimal,none,nonnumeric}]
                             [--user [USERS]]
                             [--project-access | --no-project-access]
                             [--operation-type {read}]
                             URI

Add ACL users to a secret or container as identified by its href.

Positional arguments:

URI

The URI reference for the secret or container.

Optional arguments:

-h, --help

show this help message and exit

--user [USERS], -u [USERS]

Keystone userid(s) for ACL.

--project-access

Flag to enable project access behavior.

--no-project-access

Flag to disable project access behavior.

--operation-type {read}, -o {read}

Type of Barbican operation ACL is set for

barbican acl user remove

usage: barbican acl user remove [-h] [-f {csv,html,json,table,value,yaml}]
                                [-c COLUMN] [--max-width <integer>]
                                [--noindent]
                                [--quote {all,minimal,none,nonnumeric}]
                                [--user [USERS]]
                                [--project-access | --no-project-access]
                                [--operation-type {read}]
                                URI

Remove ACL users from a secret or container as identified by its href.

Positional arguments:

URI

The URI reference for the secret or container.

Optional arguments:

-h, --help

show this help message and exit

--user [USERS], -u [USERS]

Keystone userid(s) for ACL.

--project-access

Flag to enable project access behavior.

--no-project-access

Flag to disable project access behavior.

--operation-type {read}, -o {read}

Type of Barbican operation ACL is set for

barbican ca get

usage: barbican ca get [-h] [-f {html,json,shell,table,value,yaml}]
                       [-c COLUMN] [--max-width <integer>] [--noindent]
                       [--prefix PREFIX]
                       URI

Retrieve a CA by providing its URI.

Positional arguments:

URI

The URI reference for the CA.

Optional arguments:

-h, --help

show this help message and exit

barbican ca list

usage: barbican ca list [-h] [-f {csv,html,json,table,value,yaml}] [-c COLUMN]
                        [--max-width <integer>] [--noindent]
                        [--quote {all,minimal,none,nonnumeric}]
                        [--limit LIMIT] [--offset OFFSET] [--name NAME]

List cas.

Optional arguments:

-h, --help

show this help message and exit

--limit LIMIT, -l LIMIT

specify the limit to the number of items to list per page (default: 10; maximum: 100)

--offset OFFSET, -o OFFSET

specify the page offset (default: 0)

--name NAME, -n NAME

specify the secret name (default: None)

barbican secret container create

usage: barbican secret container create [-h]
                                        [-f {html,json,shell,table,value,yaml}]
                                        [-c COLUMN] [--max-width <integer>]
                                        [--noindent] [--prefix PREFIX]
                                        [--name NAME] [--type TYPE]
                                        [--secret SECRET]

Store a container in Barbican.

Optional arguments:

-h, --help

show this help message and exit

--name NAME, -n NAME

a human-friendly name.

--type TYPE

type of container to create (default: generic).

--secret SECRET, -s SECRET

one secret to store in a container (can be set multiple times). Example: --secret "private_key=https://url.test/v1/secrets/1-2-3-4"

barbican secret container delete

usage: barbican secret container delete [-h] URI

Delete a container by providing its href.

Positional arguments:

URI

The URI reference for the container

Optional arguments:

-h, --help

show this help message and exit

barbican secret container get

usage: barbican secret container get [-h]
                                     [-f {html,json,shell,table,value,yaml}]
                                     [-c COLUMN] [--max-width <integer>]
                                     [--noindent] [--prefix PREFIX]
                                     URI

Retrieve a container by providing its URI.

Positional arguments:

URI

The URI reference for the container.

Optional arguments:

-h, --help

show this help message and exit

barbican secret container list

usage: barbican secret container list [-h]
                                      [-f {csv,html,json,table,value,yaml}]
                                      [-c COLUMN] [--max-width <integer>]
                                      [--noindent]
                                      [--quote {all,minimal,none,nonnumeric}]
                                      [--limit LIMIT] [--offset OFFSET]
                                      [--name NAME] [--type TYPE]

List containers.

Optional arguments:

-h, --help

show this help message and exit

--limit LIMIT, -l LIMIT

specify the limit to the number of items to list per page (default: 10; maximum: 100)

--offset OFFSET, -o OFFSET

specify the page offset (default: 0)

--name NAME, -n NAME

specify the container name (default: None)

--type TYPE, -t TYPE

specify the type filter for the list (default: None).

barbican secret delete

usage: barbican secret delete [-h] URI

Delete a secret by providing its URI.

Positional arguments:

URI

The URI reference for the secret

Optional arguments:

-h, --help

show this help message and exit

barbican secret get

usage: barbican secret get [-h] [-f {html,json,shell,table,value,yaml}]
                           [-c COLUMN] [--max-width <integer>] [--noindent]
                           [--prefix PREFIX] [--decrypt] [--payload]
                           [--payload_content_type PAYLOAD_CONTENT_TYPE]
                           URI

Retrieve a secret by providing its URI.

Positional arguments:

URI

The URI reference for the secret.

Optional arguments:

-h, --help

show this help message and exit

--decrypt, -d

if specified, retrieve the unencrypted secret data; the data type can be specified with --payload-content- type.

--payload, -p

if specified, retrieve the unencrypted secret data; the data type can be specified with --payload-content- type. If the user wishes to only retrieve the value of the payload they must add "-f value" to format returning only the value of the payload

--payload_content_type PAYLOAD_CONTENT_TYPE, -t PAYLOAD_CONTENT_TYPE

the content type of the decrypted secret (default: text/plain.

barbican secret list

usage: barbican secret list [-h] [-f {csv,html,json,table,value,yaml}]
                            [-c COLUMN] [--max-width <integer>] [--noindent]
                            [--quote {all,minimal,none,nonnumeric}]
                            [--limit LIMIT] [--offset OFFSET] [--name NAME]
                            [--algorithm ALGORITHM] [--bit-length BIT_LENGTH]
                            [--mode MODE]

List secrets.

Optional arguments:

-h, --help

show this help message and exit

--limit LIMIT, -l LIMIT

specify the limit to the number of items to list per page (default: 10; maximum: 100)

--offset OFFSET, -o OFFSET

specify the page offset (default: 0)

--name NAME, -n NAME

specify the secret name (default: None)

--algorithm ALGORITHM, -a ALGORITHM

the algorithm filter for the list(default: None).

--bit-length BIT_LENGTH, -b BIT_LENGTH

the bit length filter for the list (default: 0).

--mode MODE, -m MODE

the algorithm mode filter for the list (default: None).

barbican secret order create

usage: barbican secret order create [-h]
                                    [-f {html,json,shell,table,value,yaml}]
                                    [-c COLUMN] [--max-width <integer>]
                                    [--noindent] [--prefix PREFIX]
                                    [--name NAME] [--algorithm ALGORITHM]
                                    [--bit-length BIT_LENGTH] [--mode MODE]
                                    [--payload-content-type PAYLOAD_CONTENT_TYPE]
                                    [--expiration EXPIRATION]
                                    [--request-type REQUEST_TYPE]
                                    [--subject-dn SUBJECT_DN]
                                    [--source-container-ref SOURCE_CONTAINER_REF]
                                    [--ca-id CA_ID] [--profile PROFILE]
                                    [--request-file REQUEST_FILE]
                                    type

Create a new order.

Positional arguments:

type

the type of the order to create.

Optional arguments:

-h, --help

show this help message and exit

--name NAME, -n NAME

a human-friendly name.

--algorithm ALGORITHM, -a ALGORITHM

the algorithm to be used with the requested key (default: aes).

--bit-length BIT_LENGTH, -b BIT_LENGTH

the bit length of the requested secret key (default: 256).

--mode MODE, -m MODE

the algorithm mode to be used with the requested key (default: cbc).

--payload-content-type PAYLOAD_CONTENT_TYPE, -t PAYLOAD_CONTENT_TYPE

the type/format of the secret to be generated (default: application/octet-stream).

--expiration EXPIRATION, -x EXPIRATION

the expiration time for the secret in ISO 8601 format.

--request-type REQUEST_TYPE

the type of the certificate request.

--subject-dn SUBJECT_DN

the subject of the certificate.

--source-container-ref SOURCE_CONTAINER_REF

the source of the certificate when using stored-key requests.

--ca-id CA_ID

the identifier of the CA to use for the certificate request.

--profile PROFILE

the profile of certificate to use.

--request-file REQUEST_FILE

the file containing the CSR.

barbican secret order delete

usage: barbican secret order delete [-h] URI

Delete an order by providing its href.

Positional arguments:

URI

The URI reference for the order

Optional arguments:

-h, --help

show this help message and exit

barbican secret order get

usage: barbican secret order get [-h] [-f {html,json,shell,table,value,yaml}]
                                 [-c COLUMN] [--max-width <integer>]
                                 [--noindent] [--prefix PREFIX]
                                 URI

Retrieve an order by providing its URI.

Positional arguments:

URI

The URI reference order.

Optional arguments:

-h, --help

show this help message and exit

barbican secret order list

usage: barbican secret order list [-h] [-f {csv,html,json,table,value,yaml}]
                                  [-c COLUMN] [--max-width <integer>]
                                  [--noindent]
                                  [--quote {all,minimal,none,nonnumeric}]
                                  [--limit LIMIT] [--offset OFFSET]

List orders.

Optional arguments:

-h, --help

show this help message and exit

--limit LIMIT, -l LIMIT

specify the limit to the number of items to list per page (default: 10; maximum: 100)

--offset OFFSET, -o OFFSET

specify the page offset (default: 0)

barbican secret store

usage: barbican secret store [-h] [-f {html,json,shell,table,value,yaml}]
                             [-c COLUMN] [--max-width <integer>] [--noindent]
                             [--prefix PREFIX] [--name NAME]
                             [--payload PAYLOAD] [--secret-type SECRET_TYPE]
                             [--payload-content-type PAYLOAD_CONTENT_TYPE]
                             [--payload-content-encoding PAYLOAD_CONTENT_ENCODING]
                             [--algorithm ALGORITHM] [--bit-length BIT_LENGTH]
                             [--mode MODE] [--expiration EXPIRATION]

Store a secret in Barbican.

Optional arguments:

-h, --help

show this help message and exit

--name NAME, -n NAME

a human-friendly name.

--payload PAYLOAD, -p PAYLOAD

the unencrypted secret; if provided, you must also provide a payload_content_type

--secret-type SECRET_TYPE, -s SECRET_TYPE

the secret type; must be one of symmetric, public, private, certificate, passphrase, opaque (default)

--payload-content-type PAYLOAD_CONTENT_TYPE, -t PAYLOAD_CONTENT_TYPE

the type/format of the provided secret data; "text/plain" is assumed to be UTF-8; required when --payload is supplied.

--payload-content-encoding PAYLOAD_CONTENT_ENCODING, -e PAYLOAD_CONTENT_ENCODING

required if --payload-content-type is "application /octet-stream".

--algorithm ALGORITHM, -a ALGORITHM

the algorithm (default: aes).

--bit-length BIT_LENGTH, -b BIT_LENGTH

the bit length (default: 256).

--mode MODE, -m MODE

the algorithm mode; used only for reference (default: cbc)

--expiration EXPIRATION, -x EXPIRATION

the expiration time for the secret in ISO 8601 format.

barbican secret update

usage: barbican secret update [-h] URI payload

Update a secret with no payload in Barbican.

Positional arguments:

URI

The URI reference for the secret.

payload

the unencrypted secret

Optional arguments:

-h, --help

show this help message and exit