0deaa0ab84
Right now barbican client is not usable when importing from other OpenStack modules. This is due to the fact that logging under barbican.openstack.common wants to do things like register default CONF options. And, as these have already been registered, this will fail with exceptions like ArgsAlreadyParsedError. Therefore, move this client to follow the examples provided by the other python-*client modules. Namely, import standard logging module and move the setup into the keep client itself. Now when called from places like Nova, we will not encounter import issues. Additionally, this change fixes a bug in barbicanclient.common.auth where LOG was used but not defined.
python-barbicanclient
This is a client for the Barbican
Key Management API. There is a Python library for accessing the API
(barbicanclient module), and a command-line script (keep).
barbicanclient - Python API
The full api is documented in the wiki.
Quickstart
Store a secret in barbican using keystone for authentication:
>>> from barbicanclient.common import auth
>>> from barbicanclient import client
# We'll use keystone for authentication
>>> keystone = auth.KeystoneAuthV2(auth_url='http://keystone-int.cloudkeep.io:5000/v2.0',
... username='USER', password='PASSWORD', tenant_name='TENANT')
>>> barbican = client.Client(auth_plugin=keystone)
# Let's store some sensitive data, Barbican encrypts it and stores it securely in the cloud
>>> secret_uri = barbican.secrets.store(name='Self destruction sequence',
... payload='the magic words are squeamish ossifrage',
... payload_content_type='text/plain')
# Let's look at some properties of a barbican Secret
>>> secret = barbican.secrets.get(secret_uri)
>>> print(secret.secret_ref)
u'http://api-01-int.cloudkeep.io:9311/v1/test_tenant/secrets/49496a6d-c674-4384-b208-7cf4988f84ee'
>>> print(secret.name)
Self destruction sequence
# Now let's retrieve the secret payload. Barbican decrypts it and sends it back.
>>> print(barbican.secrets.decrypt(secret.secret_ref))
the magic words are squeamish ossifrage
keep - Command Line Client
Command line client configuration and usage is documented in the wiki.
usage: keep [-h] [--no-auth | --os-auth-url <auth-url>]
[--os-username <auth-user-name>] [--os-password <auth-password>]
[--os-tenant-name <auth-tenant-name>] [--os-tenant-id <tenant-id>]
[--endpoint <barbican-url>]
<entity> <action> ...
Command-line interface to the Barbican API.
positional arguments:
<entity> Entity used for command, e.g., order, secret.
optional arguments:
-h, --help show this help message and exit
--no-auth, -N Do not use authentication.
--os-auth-url <auth-url>, -A <auth-url>
Defaults to env[OS_AUTH_URL].
--os-username <auth-user-name>, -U <auth-user-name>
Defaults to env[OS_USERNAME].
--os-password <auth-password>, -P <auth-password>
Defaults to env[OS_PASSWORD].
--os-tenant-name <auth-tenant-name>, -T <auth-tenant-name>
Defaults to env[OS_TENANT_NAME].
--os-tenant-id <tenant-id>, -I <tenant-id>
Defaults to env[OS_TENANT_ID].
--endpoint <barbican-url>, -E <barbican-url>
Defaults to env[BARBICAN_ENDPOINT].
subcommands:
Action to perform
<action>
create Create a new order.
store Store a secret in barbican.
get Retrieve a secret or an order by providing its URI.
list List secrets or orders
delete Delete a secret or an order by providing its href.