Basic barbican configuration
Usual suspects:
- database
- keystone
- messaging
Services:
- apache web site for APIs
- worker
- keystone-listener
Barbican:
- Crypto plugins configuration fragments
- Support multiple stores
Add some information to README
Change-Id: Ie58a0daf318c99ea0e41c3c9dd5fcc450f356276
diff --git a/README.rst b/README.rst
index af029bc..4d28f57 100644
--- a/README.rst
+++ b/README.rst
@@ -1,7 +1,7 @@
-==================================
-barbican formula
-==================================
+================
+Barbican formula
+================
Barbican is a REST API designed for the secure storage, provisioning and
management of secrets such as passwords, encryption keys and X.509 Certificates.
@@ -11,7 +11,7 @@
Sample pillars
==============
-Single barbican service
+Barbican cluster service
.. code-block:: yaml
@@ -19,6 +19,234 @@
server:
enabled: true
version: ocata
+ host_href: ''
+ is_proxied: true
+ plugin:
+ simple_crypto:
+ kek: "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY="
+ store:
+ software:
+ crypto_plugin: simple_crypto
+ store_plugin: store_crypto
+ global_default: True
+ database:
+ engine: "mysql+pymysql"
+ host: 10.0.106.20
+ port: 3306
+ name: barbican
+ user: barbican
+ password: password
+ bind:
+ address: 10.0.106.20
+ port: 9311
+ admin_port: 9312
+ identity:
+ engine: keystone
+ host: 10.0.106.20
+ port: 35357
+ domain: default
+ tenant: service
+ user: barbican
+ password: password
+ message_queue:
+ engine: rabbitmq
+ user: openstack
+ password: password
+ virtual_host: '/openstack'
+ members:
+ - host: 10.10.10.10
+ port: 5672
+ - host: 10.10.10.11
+ port: 5672
+ - host: 10.10.10.12
+ port: 5672
+ cache:
+ members:
+ - host: 10.10.10.10
+ port: 11211
+ - host: 10.10.10.11
+ port: 11211
+ - host: 10.10.10.12
+ port: 11211
+
+Running behind loadbalancer
+
+If you are running behind loadbalancer, set the `host_href` to load balancer's
+address. You can set `host_href` empty and the api attempts autodetect correct
+address from http requests.
+
+.. code-block:: yaml
+
+ barbican:
+ server:
+ enabled: true
+ version: ocata
+ host_href: ''
+
+
+Running behind proxy
+
+If you are running behind proxy, set the `is_proxied` parameter to `true`. This
+will allow `host_href` autodetection with help of proxy headers such as
+`X-FORWARDED-FOR` and `X-FORWARDED-PROTO`.
+
+.. code-block:: yaml
+
+ barbican:
+ server:
+ enabled: true
+ version: ocata
+ host_href: ''
+ is_proxied: true
+
+Queuing asynchronous messaging
+
+By default is `async_queues_enable` set `false` to invoke worker tasks
+synchronously (i.e. no-queue standalone mode). To enable queuing asynchronous
+messaging you need to set it true.
+
+.. code-block:: yaml
+
+ barbican:
+ server:
+ enabled: true
+ version: ocata
+ async_queues_enable: true
+
+Keystone notification listener
+
+To enable keystone notification listener, set the `ks_notification_enable`
+to true.
+`ks_notifications_allow_requeue` enables requeue feature in case of
+notification processing error. Enable this only when underlying transport
+supports this feature.
+
+
+.. code-block:: yaml
+
+ barbican:
+ server:
+ enabled: true
+ version: ocata
+ ks_notifications_enable: true
+ ks_notifications_allow_requeue: true
+
+
+Configuring plugins
+-------------------
+
+Dogtag KRA
+
+.. code block:: yaml
+
+ barbican:
+ server:
+ plugin:
+ dogtag:
+ pem_path: '/etc/barbican/kra_admin_cert.pem'
+ dogtag_host: localhost
+ dogtag_port: 8433
+ nss_db_path: '/etc/barbican/alias'
+ nss_db_path_ca: '/etc/barbican/alias-ca'
+ nss_password: 'password123'
+ simple_cmc_profile: 'caOtherCert'
+ ca_expiration_time: 1
+ plugin_working_dir: '/etc/barbican/dogtag'
+
+KMIP HSM
+
+.. code block:: yaml
+
+ barbican:
+ server:
+ plugin:
+ kmip:
+ username: 'admin'
+ password: 'password'
+ host: localhost
+ port: 5696
+ keyfile: '/path/to/certs/cert.key'
+ certfile: '/path/to/certs/cert.crt'
+ ca_certs: '/path/to/certs/LocalCA.crt'
+
+
+PKCS11 HSM
+
+.. code block:: yaml
+
+ barbican:
+ server:
+ plugin:
+ p11_crypto:
+ library_path: '/usr/lib/libCryptoki2_64.so'
+ login: 'mypassword'
+ mkek_label: 'an_mkek'
+ mkek_length: 32
+ hmac_label: 'my_hmac_label'
+
+
+
+Software Only Crypto
+
+`kek` is key encryption key created from 32 bytes encoded as Base64. You should
+not use this in production.
+
+.. code block:: yaml
+
+ barbican:
+ server:
+ plugin:
+ simple_crypto:
+ kek: 'YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY='
+
+
+Secret stores
+-------------
+
+.. code-block:: yaml
+
+ barbican:
+ server:
+ plugin:
+ simple_crypto:
+ kek: "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY="
+ p11_crypto:
+ library_path: '/usr/lib/libCryptoki2_64.so'
+ login: 'mypassword'
+ mkek_label: 'an_mkek'
+ mkek_length: 32
+ hmac_label: 'my_hmac_label'
+ kmip:
+ username: 'admin'
+ password: 'password'
+ host: localhost
+ port: 5696
+ keyfile: '/path/to/certs/cert.key'
+ certfile: '/path/to/certs/cert.crt'
+ ca_certs: '/path/to/certs/LocalCA.crt'
+ dogtag:
+ pem_path: '/etc/barbican/kra_admin_cert.pem'
+ dogtag_host: localhost
+ dogtag_port: 8433
+ nss_db_path: '/etc/barbican/alias'
+ nss_db_path_ca: '/etc/barbican/alias-ca'
+ nss_password: 'password123'
+ simple_cmc_profile: 'caOtherCert'
+ ca_expiration_time: 1
+ plugin_working_dir: '/etc/barbican/dogtag'
+ store:
+ software:
+ crypto_plugin: simple_crypto
+ store_plugin: store_crypto
+ global_default: True
+ kmip:
+ store_plugin: kmip_plugin
+ dogtag:
+ store_plugin: dogtag_plugin
+ pkcs11:
+ store_plugin: store_crypto
+ crypto_plugin: p11_crypto
+
Documentation and Bugs
======================
diff --git a/barbican/files/barbican.conf b/barbican/files/barbican.conf
deleted file mode 100644
index 44e3449..0000000
--- a/barbican/files/barbican.conf
+++ /dev/null
@@ -1 +0,0 @@
-# Service config file
\ No newline at end of file
diff --git a/barbican/files/ocata/barbican-api.apache2.conf.Debian b/barbican/files/ocata/barbican-api.apache2.conf.Debian
new file mode 100644
index 0000000..38249b0
--- /dev/null
+++ b/barbican/files/ocata/barbican-api.apache2.conf.Debian
@@ -0,0 +1,19 @@
+{%- from "barbican/map.jinja" import server with context %}
+Listen {{ server.bind.address }}:{{ server.bind.port }}
+Listen {{ server.bind.address }}:{{ server.bind.admin_port }}
+
+<VirtualHost *:{{ server.bind.port }}>
+ WSGIScriptAlias / /usr/share/barbican/app.wsgi
+ WSGIDaemonProcess barbican-api user=barbican group=barbican processes=3 threads=10
+ WSGIProcessGroup barbican-api
+ ErrorLog /var/log/barbican/barbican-api.log
+ CustomLog /var/log/barbican/barbican-api.log combined
+</VirtualHost>
+
+<VirtualHost *:{{ server.bind.admin_port }}>
+ WSGIScriptAlias / /usr/share/barbican/app.wsgi
+ WSGIDaemonProcess barbican-api-admin user=barbican group=barbican processes=3 threads=10
+ WSGIProcessGroup barbican-api-admin
+ ErrorLog /var/log/barbican/barbican-api.log
+ CustomLog /var/log/barbican/barbican-api.log combined
+</VirtualHost>
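Review bot: `server.bind.admin_port`, used by the second `Listen` line and the admin `<VirtualHost>`, has no default in the `default:` block this commit adds to barbican/map.jinja (only `address` and `port` are given), so the site file fails to render unless the pillar sets `bind.admin_port` (or, if undefined values render leniently, it emits a bare `Listen 127.0.0.1:` which Apache rejects). Either add `admin_port: 9312` (the README sample value) under `bind:` in map.jinja, or wrap the admin `Listen` and `<VirtualHost>` in `{%- if server.bind.admin_port is defined %}` … `{%- endif %}`. Both vhosts also write the same `ErrorLog`/`CustomLog` file, so admin-port requests cannot be told apart from public ones when reviewing access logs; give the admin vhost `ErrorLog /var/log/barbican/barbican-api-admin.log` and a matching `CustomLog`.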
diff --git a/barbican/files/ocata/barbican.conf.Debian b/barbican/files/ocata/barbican.conf.Debian
new file mode 100644
index 0000000..54ff0be
--- /dev/null
+++ b/barbican/files/ocata/barbican.conf.Debian
@@ -0,0 +1,608 @@
+{%- from "barbican/map.jinja" import server with context -%}
+[DEFAULT]
+# Show debugging output in logs (sets DEBUG log level output)
+#debug = True
+
+# Address to bind the API server
+bind_host = {{ server.bind.address }}
+
+# Port to bind the API server to
+bind_port = {{ server.bind.port }}
+
+# Host name, for use in HATEOAS-style references
+# Note: Typically this would be the load balanced endpoint that clients would use
+# communicate back with this service.
+# If a deployment wants to derive host from wsgi request instead then make this
+# blank. Blank is needed to override default config value which is
+# 'http://localhost:9311'.
+### host_href = http://localhost:9311
+host_href = {{ server.get('host_href', '') }}
+
+# Log to this file. Make sure you do not set the same log
+# file for both the API and registry servers!
+#log_file = /var/log/barbican/api.log
+
+# Backlog requests when creating socket
+backlog = 4096
+
+# TCP_KEEPIDLE value in seconds when creating socket.
+# Not supported on OS X.
+#tcp_keepidle = 600
+
+# Maximum allowed http request size against the barbican-api
+max_allowed_secret_in_bytes = 10000
+max_allowed_request_size_in_bytes = 1000000
+
+# SQLAlchemy connection string for the reference implementation
+# registry server. Any valid SQLAlchemy connection string is fine.
+# See: http://www.sqlalchemy.org/docs/05/reference/sqlalchemy/connections.html#sqlalchemy.create_engine
+# Uncomment this for local dev, putting db in project directory:
+#sql_connection = sqlite:///barbican.sqlite
+# Note: For absolute addresses, use '////' slashes after 'sqlite:'
+# Uncomment for a more global development environment
+sql_connection = {{ server.database.engine }}://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}
+
+# Period in seconds after which SQLAlchemy should reestablish its connection
+# to the database.
+#
+# MySQL uses a default `wait_timeout` of 8 hours, after which it will drop
+# idle connections. This can result in 'MySQL Gone Away' exceptions. If you
+# notice this, you can lower this value to ensure that SQLAlchemy reconnects
+# before MySQL can drop the connection.
+sql_idle_timeout = 3600
+
+# Accepts a class imported from the sqlalchemy.pool module, and handles the
+# details of building the pool for you. If commented out, SQLAlchemy
+# will select based on the database dialect. Other options are QueuePool
+# (for SQLAlchemy-managed connections) and NullPool (to disabled SQLAlchemy
+# management of connections).
+# See http://docs.sqlalchemy.org/en/latest/core/pooling.html for more details.
+#sql_pool_class = QueuePool
+
+# Show SQLAlchemy pool-related debugging output in logs (sets DEBUG log level
+# output) if specified.
+#sql_pool_logging = True
+
+# Size of pool used by SQLAlchemy. This is the largest number of connections
+# that will be kept persistently in the pool. Can be set to 0 to indicate no
+# size limit. To disable pooling, use a NullPool with sql_pool_class instead.
+# Comment out to allow SQLAlchemy to select the default.
+#sql_pool_size = 5
+
+# The maximum overflow size of the pool used by SQLAlchemy. When the number of
+# checked-out connections reaches the size set in sql_pool_size, additional
+# connections will be returned up to this limit. It follows then that the
+# total number of simultaneous connections the pool will allow is
+# sql_pool_size + sql_pool_max_overflow. Can be set to -1 to indicate no
+# overflow limit, so no limit will be placed on the total number of concurrent
+# connections. Comment out to allow SQLAlchemy to select the default.
+#sql_pool_max_overflow = 10
+
+# Default page size for the 'limit' paging URL parameter.
+default_limit_paging = 10
+
+# Maximum page size for the 'limit' paging URL parameter.
+max_limit_paging = 100
+
+# Role used to identify an authenticated user as administrator
+#admin_role = admin
+
+# Allow unauthenticated users to access the API with read-only
+# privileges. This only applies when using ContextMiddleware.
+#allow_anonymous_access = False
+
+# Allow access to version 1 of barbican api
+#enable_v1_api = True
+
+# Allow access to version 2 of barbican api
+#enable_v2_api = True
+
+# ================= SSL Options ===============================
+
+# Certificate file to use when starting API server securely
+#cert_file = /path/to/certfile
+
+# Private key file to use when starting API server securely
+#key_file = /path/to/keyfile
+
+# CA certificate file to use to verify connecting clients
+#ca_file = /path/to/cafile
+
+# ================= Security Options ==========================
+
+# AES key for encrypting store 'location' metadata, including
+# -- if used -- Swift or S3 credentials
+# Should be set to a random string of length 16, 24 or 32 bytes
+#metadata_encryption_key = <16, 24 or 32 char registry metadata key>
+
+# ================= Queue Options - oslo.messaging ==========================
+{%- if server.message_queue.members is defined %}
+transport_url = rabbit://{% for member in server.message_queue.members -%}
+ {{ server.message_queue.user }}:{{ server.message_queue.password }}@{{ member.host }}:{{ member.get('port', 5672) }}
+ {%- if not loop.last -%},{%- endif -%}
+ {%- endfor -%}
+ /{{ server.message_queue.virtual_host }}
+{%- else %}
+transport_url = rabbit://{{ server.message_queue.user }}:{{ server.message_queue.password }}@{{ server.message_queue.host }}:{{ server.message_queue.port }}/{{ server.message_queue.virtual_host }}
+{%- endif %}
+
+[oslo_messaging_rabbit]
+
+# Rabbit and HA configuration:
+## amqp_durable_queues = True
+# rabbit_userid=guest
+# rabbit_password=guest
+# rabbit_ha_queues = True
+# rabbit_port=5672
+
+# For HA, specify queue nodes in cluster, comma delimited:
+# For example: rabbit_hosts=192.168.50.8:5672, 192.168.50.9:5672
+# rabbit_hosts=localhost:5672
+
+# For HA, specify queue nodes in cluster as 'user@host:5672', comma delimited, ending with '/offset':
+# For example: transport_url = rabbit://guest@192.168.50.8:5672,guest@192.168.50.9:5672/
+# DO NOT USE THIS, due to '# FIXME(markmc): support multiple hosts' in oslo/messaging/_drivers/amqpdriver.py
+# transport_url = rabbit://guest@localhost:5672/
+
+
+[oslo_messaging_notifications]
+# oslo notification driver for sending audit events via audit middleware.
+# Meaningful only when middleware is enabled in barbican paste ini file.
+# This is oslo config MultiStrOpt so can be defined multiple times in case
+# there is need to route audit event to messaging as well as log.
+# driver = messagingv2
+# driver = log
+
+
+# ======== OpenStack policy - oslo_policy ===============
+
+[oslo_policy]
+
+# ======== OpenStack policy integration
+# JSON file representing policy (string value)
+policy_file=/etc/barbican/policy.json
+
+# Rule checked when requested rule is not found (string value)
+policy_default_rule=default
+
+
+# ================= Queue Options - Application ==========================
+
+[queue]
+# Enable queuing asynchronous messaging.
+# Set false to invoke worker tasks synchronously (i.e. no-queue standalone mode)
+enable = {{ server.get('async_queues_enable', False) }}
+
+# Namespace for the queue
+namespace = 'barbican'
+
+# Topic for the queue
+topic = 'barbican.workers'
+
+# Version for the task API
+version = '1.1'
+
+# Server name for RPC service
+server_name = 'barbican.queue'
+
+# Number of asynchronous worker processes.
+# When greater than 1, then that many additional worker processes are
+# created for asynchronous worker functionality.
+asynchronous_workers = 1
+
+# ================= Retry/Scheduler Options ==========================
+
+[retry_scheduler]
+# Seconds (float) to wait between starting retry scheduler
+initial_delay_seconds = 10.0
+
+# Seconds (float) to wait between starting retry scheduler
+periodic_interval_max_seconds = 10.0
+
+
+# ====================== Quota Options ===============================
+
+[quotas]
+# For each resource, the default maximum number that can be used for
+# a project is set below. This value can be overridden for each
+# project through the API. A negative value means no limit. A zero
+# value effectively disables the resource.
+
+# default number of secrets allowed per project
+quota_secrets = -1
+
+# default number of orders allowed per project
+quota_orders = -1
+
+# default number of containers allowed per project
+quota_containers = -1
+
+# default number of consumers allowed per project
+quota_consumers = -1
+
+# default number of CAs allowed per project
+quota_cas = -1
+
+# ================= Keystone Notification Options - Application ===============
+
+[keystone_notifications]
+
+# Keystone notification functionality uses transport related configuration
+# from barbican common configuration as defined under
+# 'Queue Options - oslo.messaging' comments.
+# The HA related configuration is also shared with notification server.
+
+# True enables keystone notification listener functionality.
+enable = {{ server.get('ks_notifications_enable', 'False') }}
+
+# The default exchange under which topics are scoped.
+# May be overridden by an exchange name specified in the transport_url option.
+control_exchange = 'openstack'
+
+# Keystone notification queue topic name.
+# This name needs to match one of values mentioned in Keystone deployment's
+# 'notification_topics' configuration e.g.
+# notification_topics=notifications, barbican_notifications
+# Multiple servers may listen on a topic and messages will be dispatched to one
+# of the servers in a round-robin fashion. That's why Barbican service should
+# have its own dedicated notification queue so that it receives all of Keystone
+# notifications.
+topic = 'notifications'
+
+# True enables requeue feature in case of notification processing error.
+# Enable this only when underlying transport supports this feature.
+allow_requeue = {{ server.get('ks_notifications_allow_requeue', 'False') }}
+
+# Version of tasks invoked via notifications
+version = '1.0'
+
+# Define the number of max threads to be used for notification server
+# processing functionality.
+thread_pool_size = 10
+
+# ================= Secret Store Plugin ===================
+[secretstore]
+namespace = barbican.secretstore.plugin
+enabled_secretstore_plugins = store_crypto
+enable_multiple_secret_stores = True
+stores_lookup_suffix = {{ server.get('store', {}).keys() | join(', ') }}
+
+# ================= Crypto plugin ===================
+[crypto]
+namespace = barbican.crypto.plugin
+enabled_crypto_plugins = simple_crypto
+
+{% for store_name, store in server.get('store', {}).iteritems() %}
+[secretstore:{{ store_name }}]
+{% if store.store_plugin is defined -%}
+secret_store_plugin = {{ store.store_plugin }}
+{%- endif %}
+{% if store.crypto_plugin is defined -%}
+crypto_plugin = {{ store.crypto_plugin }}
+{%- endif %}
+{% if store.global_default is defined -%}
+global_default = {{ store.global_default }}
+{%- endif %}
+{% endfor %}
+
+{% for plugin_name, plugin in server.get('plugin', {}).iteritems() %}
+{%- set plugin_fragment = "barbican/files/" + server.version + "/plugin/_" + plugin_name +".conf" %}
+{%- include plugin_fragment %}
+{% endfor %}
+
+# [simple_crypto_plugin]
+# # the kek should be a 32-byte value which is base64 encoded
+# kek = 'YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY='
+
+# # User friendly plugin name
+# # plugin_name = 'Software Only Crypto'
+
+# [dogtag_plugin]
+# pem_path = '/etc/barbican/kra_admin_cert.pem'
+# dogtag_host = localhost
+# dogtag_port = 8443
+# nss_db_path = '/etc/barbican/alias'
+# nss_db_path_ca = '/etc/barbican/alias-ca'
+# nss_password = 'password123'
+# simple_cmc_profile = 'caOtherCert'
+# ca_expiration_time = 1
+# plugin_working_dir = '/etc/barbican/dogtag'
+
+# # User friendly plugin name
+# # plugin_name = 'Dogtag KRA'
+
+
+# [p11_crypto_plugin]
+# # Path to vendor PKCS11 library
+# library_path = '/usr/lib/libCryptoki2_64.so'
+# # Password to login to PKCS11 session
+# login = 'mypassword'
+# # Label to identify master KEK in the HSM (must not be the same as HMAC label)
+# mkek_label = 'an_mkek'
+# # Length in bytes of master KEK
+# mkek_length = 32
+# # Label to identify HMAC key in the HSM (must not be the same as MKEK label)
+# hmac_label = 'my_hmac_label'
+# # HSM Slot id (Should correspond to a configured PKCS11 slot). Default: 1
+# # slot_id = 1
+# # Enable Read/Write session with the HSM?
+# # rw_session = True
+# # Length of Project KEKs to create
+# # pkek_length = 32
+# # How long to cache unwrapped Project KEKs
+# # pkek_cache_ttl = 900
+# # Max number of items in pkek cache
+# # pkek_cache_limit = 100
+
+# # User friendly plugin name
+# # plugin_name = 'PKCS11 HSM'
+
+
+# # ================== KMIP plugin =====================
+# [kmip_plugin]
+# username = 'admin'
+# password = 'password'
+# host = localhost
+# port = 5696
+# keyfile = '/path/to/certs/cert.key'
+# certfile = '/path/to/certs/cert.crt'
+# ca_certs = '/path/to/certs/LocalCA.crt'
+
+# # User friendly plugin name
+# # plugin_name = 'KMIP HSM'
+
+
+# # ================= Certificate plugin ===================
+
+# # DEPRECATION WARNING: The Certificates Plugin has been deprecated
+# # and will be removed in the P release.
+
+# [certificate]
+# namespace = barbican.certificate.plugin
+# enabled_certificate_plugins = simple_certificate
+# enabled_certificate_plugins = snakeoil_ca
+
+# [certificate_event]
+# namespace = barbican.certificate.event.plugin
+# enabled_certificate_event_plugins = simple_certificate_event
+
+[snakeoil_ca_plugin]
+ca_cert_path = /etc/barbican/snakeoil-ca.crt
+ca_cert_key_path = /etc/barbican/snakeoil-ca.key
+ca_cert_chain_path = /etc/barbican/snakeoil-ca.chain
+ca_cert_pkcs7_path = /etc/barbican/snakeoil-ca.p7b
+subca_cert_key_directory=/etc/barbican/snakeoil-cas
+
+# ========================================================
+
+[cors]
+
+#
+# From oslo.middleware.cors
+#
+
+# Indicate whether this resource may be shared with the domain
+# received in the requests "origin" header. (list value)
+#allowed_origin = <None>
+
+# Indicate that the actual request can include user credentials
+# (boolean value)
+#allow_credentials = true
+
+# Indicate which headers are safe to expose to the API. Defaults to
+# HTTP Simple Headers. (list value)
+#expose_headers = X-Auth-Token, X-Openstack-Request-Id, X-Project-Id, X-Identity-Status, X-User-Id, X-Storage-Token, X-Domain-Id, X-User-Domain-Id, X-Project-Domain-Id, X-Roles
+
+# Maximum cache age of CORS preflight requests. (integer value)
+#max_age = 3600
+
+# Indicate which methods can be used during the actual request. (list
+# value)
+#allow_methods = GET,PUT,POST,DELETE,PATCH
+
+# Indicate which header field names may be used during the actual
+# request. (list value)
+#allow_headers = X-Auth-Token, X-Openstack-Request-Id, X-Project-Id, X-Identity-Status, X-User-Id, X-Storage-Token, X-Domain-Id, X-User-Domain-Id, X-Project-Domain-Id, X-Roles
+
+
+[cors.subdomain]
+
+#
+# From oslo.middleware.cors
+#
+
+# Indicate whether this resource may be shared with the domain
+# received in the requests "origin" header. (list value)
+#allowed_origin = <None>
+
+# Indicate that the actual request can include user credentials
+# (boolean value)
+#allow_credentials = true
+
+# Indicate which headers are safe to expose to the API. Defaults to
+# HTTP Simple Headers. (list value)
+#expose_headers = X-Auth-Token, X-Openstack-Request-Id, X-Project-Id, X-Identity-Status, X-User-Id, X-Storage-Token, X-Domain-Id, X-User-Domain-Id, X-Project-Domain-Id, X-Roles
+
+# Maximum cache age of CORS preflight requests. (integer value)
+#max_age = 3600
+
+# Indicate which methods can be used during the actual request. (list
+# value)
+#allow_methods = GET,PUT,POST,DELETE,PATCH
+
+# Indicate which header field names may be used during the actual
+# request. (list value)
+#allow_headers = X-Auth-Token, X-Openstack-Request-Id, X-Project-Id, X-Identity-Status, X-User-Id, X-Storage-Token, X-Domain-Id, X-User-Domain-Id, X-Project-Domain-Id, X-Roles
+
+
+[oslo_middleware]
+
+#
+# From oslo.middleware.http_proxy_to_wsgi
+#
+
+# Wether the application is behind a proxy or not. This determines if
+# the middleware should parse the headers or not. (boolean value)
+enable_proxy_headers_parsing = {{ server.get('is_proxied', False) }}
+
+
+[keystone_authtoken]
+
+#
+# From keystonemiddleware.auth_token
+#
+
+auth_type = password
+user_domain_id = {{ server.identity.get('domain', 'default') }}
+project_domain_id = {{ server.identity.get('domain', 'default') }}
+project_name = {{ server.identity.tenant }}
+username = {{ server.identity.user }}
+password = {{ server.identity.password }}
+auth_uri = http://{{ server.identity.host }}:5000
+auth_url = http://{{ server.identity.host }}:35357
+interface = {{ server.identity.get('endpoint_type', 'internal') }}
+
+{%- if server.cache is defined %}
+memcached_servers = {%- for member in server.cache.members %}{{ member.host }}:{{ member.get('port', '11211') }}{% if not loop.last %},{% endif %}{%- endfor %}
+{%- else %}
+token_cache_time = -1
+{%- endif %}
+
+region_name = {{ server.get('region', 'RegionOne') }}
+
+# Complete "public" Identity API endpoint. This endpoint should not be an
+# "admin" endpoint, as it should be accessible by all end users. Unauthenticated
+# clients are redirected to this endpoint to authenticate. Although this
+# endpoint should ideally be unversioned, client support in the wild varies.
+# If you're using a versioned v2 endpoint here, then this should *not* be the
+# same endpoint the service user utilizes for validating tokens, because normal
+# end users may not be able to reach that endpoint. (string value)
+#auth_uri = <None>
+
+# API version of the admin Identity API endpoint. (string value)
+#auth_version = <None>
+
+# Do not handle authorization requests within the middleware, but delegate the
+# authorization decision to downstream WSGI components. (boolean value)
+#delay_auth_decision = false
+
+# Request timeout value for communicating with Identity API server. (integer
+# value)
+#http_connect_timeout = <None>
+
+# How many times are we trying to reconnect when communicating with Identity API
+# Server. (integer value)
+#http_request_max_retries = 3
+
+# Request environment key where the Swift cache object is stored. When
+# auth_token middleware is deployed with a Swift cache, use this option to have
+# the middleware share a caching backend with swift. Otherwise, use the
+# ``memcached_servers`` option instead. (string value)
+#cache = <None>
+
+# Required if identity server requires client certificate (string value)
+#certfile = <None>
+
+# Required if identity server requires client certificate (string value)
+#keyfile = <None>
+
+# A PEM encoded Certificate Authority to use when verifying HTTPs connections.
+# Defaults to system CAs. (string value)
+#cafile = <None>
+
+# Verify HTTPS connections. (boolean value)
+#insecure = false
+
+# The region in which the identity server can be found. (string value)
+#region_name = <None>
+
+# Directory used to cache files related to PKI tokens. (string value)
+#signing_dir = <None>
+
+# Optionally specify a list of memcached server(s) to use for caching. If left
+# undefined, tokens will instead be cached in-process. (list value)
+# Deprecated group/name - [keystone_authtoken]/memcache_servers
+#memcached_servers = <None>
+
+# In order to prevent excessive effort spent validating tokens, the middleware
+# caches previously-seen tokens for a configurable duration (in seconds). Set to
+# -1 to disable caching completely. (integer value)
+#token_cache_time = 300
+
+# Determines the frequency at which the list of revoked tokens is retrieved from
+# the Identity service (in seconds). A high number of revocation events combined
+# with a low cache duration may significantly reduce performance. Only valid for
+# PKI tokens. (integer value)
+#revocation_cache_time = 10
+
+# (Optional) If defined, indicate whether token data should be authenticated or
+# authenticated and encrypted. If MAC, token data is authenticated (with HMAC)
+# in the cache. If ENCRYPT, token data is encrypted and authenticated in the
+# cache. If the value is not one of these options or empty, auth_token will
+# raise an exception on initialization. (string value)
+# Allowed values: None, MAC, ENCRYPT
+#memcache_security_strategy = None
+
+# (Optional, mandatory if memcache_security_strategy is defined) This string is
+# used for key derivation. (string value)
+#memcache_secret_key = <None>
+
+# (Optional) Number of seconds memcached server is considered dead before it is
+# tried again. (integer value)
+#memcache_pool_dead_retry = 300
+
+# (Optional) Maximum total number of open connections to every memcached server.
+# (integer value)
+#memcache_pool_maxsize = 10
+
+# (Optional) Socket timeout in seconds for communicating with a memcached
+# server. (integer value)
+#memcache_pool_socket_timeout = 3
+
+# (Optional) Number of seconds a connection to memcached is held unused in the
+# pool before it is closed. (integer value)
+#memcache_pool_unused_timeout = 60
+
+# (Optional) Number of seconds that an operation will wait to get a memcached
+# client connection from the pool. (integer value)
+#memcache_pool_conn_get_timeout = 10
+
+# (Optional) Use the advanced (eventlet safe) memcached client pool. The
+# advanced pool will only work under python 2.x. (boolean value)
+#memcache_use_advanced_pool = false
+
+# (Optional) Indicate whether to set the X-Service-Catalog header. If False,
+# middleware will not ask for service catalog on token validation and will not
+# set the X-Service-Catalog header. (boolean value)
+#include_service_catalog = true
+
+# Used to control the use and type of token binding. Can be set to: "disabled"
+# to not check token binding. "permissive" (default) to validate binding
+# information if the bind type is of a form known to the server and ignore it if
+# not. "strict" like "permissive" but if the bind type is unknown the token will
+# be rejected. "required" any form of token binding is needed to be allowed.
+# Finally the name of a binding method that must be present in tokens. (string
+# value)
+#enforce_token_bind = permissive
+
+# If true, the revocation list will be checked for cached tokens. This requires
+# that PKI tokens are configured on the identity server. (boolean value)
+#check_revocations_for_cached = false
+
+# Hash algorithms to use for hashing PKI tokens. This may be a single algorithm
+# or multiple. The algorithms are those supported by Python standard
+# hashlib.new(). The hashes will be tried in the order given, so put the
+# preferred one first for performance. The result of the first hash will be
+# stored in the cache. This will typically be set to multiple values only while
+# migrating from a less secure algorithm to a more secure one. Once all the old
+# tokens are expired this option should be set to a single value for better
+# performance. (list value)
+#hash_algorithms = md5
+
+# Authentication type to load (string value)
+# Deprecated group/name - [keystone_authtoken]/auth_plugin
+#auth_type = <None>
+
+# Config Section from which to load plugin specific options (string value)
+#auth_section = <None>
+
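Review bot: `auth_uri` and `auth_url` in `[keystone_authtoken]` hard-code the `http` scheme and the ports 5000/35357, ignoring the `identity.port` key the README sample sets, so the middleware cannot be pointed at a TLS-only Keystone and the service password on the `password =` line is always submitted over plain HTTP. At minimum take the admin port from the pillar, `auth_url = http://{{ server.identity.host }}:{{ server.identity.get('port', 35357) }}`, and consider a scheme key for both URLs (constructed name, e.g. `identity.protocol`, not present in this formula yet). Separately, the two `.iteritems()` calls in the `[secretstore:…]` loop and the plugin-fragment loop are Python 2 only; a Python 3 Salt minion fails to render the file, and `.items()` behaves the same on both. The database `port` from the pillar is likewise unused by `sql_connection`, which only emits `@host/name`.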
diff --git a/barbican/files/ocata/plugin/_dogtag.conf b/barbican/files/ocata/plugin/_dogtag.conf
new file mode 100644
index 0000000..fb16a77
--- /dev/null
+++ b/barbican/files/ocata/plugin/_dogtag.conf
@@ -0,0 +1,13 @@
+[{{ plugin_name }}_plugin]
+pem_path = '{{ plugin.get('pem_path', '/etc/barbican/kra_admin_cert.pem') }}'
+dogtag_host = {{ plugin.get('dogtag_host', 'localhost') }}
+dogtag_port = {{ plugin.get('dogtag_port', '8433') }}
+nss_db_path = '{{ plugin.get('nss_db_path', '/etc/barbican/alias') }}'
+nss_db_path_ca = '{{ plugin.get('nss_db_path_ca', '/etc/barbican/alias-ca') }}'
+nss_password = '{{ plugin.nss_password }}'
+simple_cmc_profile = '{{ plugin.simple_cmc_profile }}'
+ca_expiration_time = {{ plugin.get('ca_expiration_time', '1') }}
+plugin_working_dir = '{{ plugin.get('plugin_working_dir', '/etc/barbican/dogtag') }}'
+
+# User friendly plugin name
+# plugin_name = 'Dogtag KRA'
\ No newline at end of file
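Review bot: The `dogtag_port` fallback `'8433'` looks like a transposition of 8443, the value the commented-out `[dogtag_plugin]` sample in barbican.conf.Debian of this same commit uses (`dogtag_port = 8443`); the README samples repeat 8433, so a deployment relying on the default would talk to the wrong port if the KRA listens on the sample's 8443. Change the line to `dogtag_port = {{ plugin.get('dogtag_port', '8443') }}` and align the README samples. `nss_password` and `simple_cmc_profile` deliberately have no defaults, which is right for a credential, but nothing says so; a comment above them such as `# nss_password and simple_cmc_profile are required pillar keys (no default)` would turn an opaque render error into a documented requirement.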
diff --git a/barbican/files/ocata/plugin/_kmip.conf b/barbican/files/ocata/plugin/_kmip.conf
new file mode 100644
index 0000000..0d2c501
--- /dev/null
+++ b/barbican/files/ocata/plugin/_kmip.conf
@@ -0,0 +1,11 @@
+[{{ plugin_name }}_plugin]
+username = '{{ plugin.get('username', 'admin') }}'
+password = '{{ plugin.password }}'
+host = {{ plugin.get('host', 'localhost') }}
+port = {{ plugin.get('port', '5696') }}
+keyfile = '{{ plugin.get('keyfile', '/etc/barbican/kmip/cert.key') }}'
+certfile = '{{ plugin.get('certfile', '/etc/barbican/kmip/cert.crt') }}'
+ca_certs = '{{ plugin.get('ca_certs', '/etc/barbican/kmip/LocalCA.crt') }}'
+
+# User friendly plugin name
+# plugin_name = 'KMIP HSM'
\ No newline at end of file
diff --git a/barbican/files/ocata/plugin/_p11_crypto.conf b/barbican/files/ocata/plugin/_p11_crypto.conf
new file mode 100644
index 0000000..72dc45c
--- /dev/null
+++ b/barbican/files/ocata/plugin/_p11_crypto.conf
@@ -0,0 +1,24 @@
+[{{ plugin_name }}_plugin]
+# Path to vendor PKCS11 library
+library_path = '{{ plugin.get('library_path', '/usr/lib/libCryptoki2_64.so') }}'
+# Password to login to PKCS11 session
+login = '{{ plugin.login }}'
+# Label to identify master KEK in the HSM (must not be the same as HMAC label)
+mkek_label = '{{ plugin.mkek_label }}'
+# Length in bytes of master KEK
+mkek_length = {{ plugin.get('mkek_length', 32) }}
+# Label to identify HMAC key in the HSM (must not be the same as MKEK label)
+hmac_label = '{{ plugin.hmac_label }}'
+# HSM Slot id (Should correspond to a configured PKCS11 slot). Default: 1
+# slot_id = 1
+# Enable Read/Write session with the HSM?
+# rw_session = True
+# Length of Project KEKs to create
+# pkek_length = 32
+# How long to cache unwrapped Project KEKs
+# pkek_cache_ttl = 900
+# Max number of items in pkek cache
+# pkek_cache_limit = 100
+
+# User friendly plugin name
+# plugin_name = 'PKCS11 HSM'
\ No newline at end of file
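Review bot: The `slot_id`, `rw_session`, `pkek_length`, `pkek_cache_ttl` and `pkek_cache_limit` options are written as commented-out lines, so an operator with an HSM in a slot other than 1 has no pillar key that reaches them, while the surrounding keys all come from `plugin`. Rendering them only when present in the pillar keeps the current defaults and makes them configurable. The comments above `mkek_label` and `hmac_label` describe a "must not be the same" constraint that nothing in the template checks; at minimum the pillar documentation should state it, since a shared label silently breaks key wrapping.
```jinja
[{{ plugin_name }}_plugin]
{# … unchanged: library_path, login, mkek_label, mkek_length, hmac_label … #}
{%- for opt in ('slot_id', 'rw_session', 'pkek_length', 'pkek_cache_ttl', 'pkek_cache_limit') %}
{%- if opt in plugin %}
{{ opt }} = {{ plugin[opt] }}
{%- endif %}
{%- endfor %}
```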
diff --git a/barbican/files/ocata/plugin/_simple_crypto.conf b/barbican/files/ocata/plugin/_simple_crypto.conf
new file mode 100644
index 0000000..3e38dfc
--- /dev/null
+++ b/barbican/files/ocata/plugin/_simple_crypto.conf
@@ -0,0 +1,6 @@
+[{{ plugin_name }}_plugin]
+# the kek should be a 32-byte value which is base64 encoded
+kek = '{{ plugin.kek }}'
+
+# User friendly plugin name
+# plugin_name = 'Software Only Crypto'
\ No newline at end of file
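Review bot: The comment above `kek =` states the required format but not how to produce a suitable value, and the simple_crypto store encrypts every secret under this one key, so a weak or copied value undermines the whole store. Extending the comment to `# the kek should be a 32-byte value which is base64 encoded, e.g. generated with: openssl rand -base64 32` and adding that this value must be unique per deployment gives operators what they need at the point where they will look for it.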
diff --git a/barbican/map.jinja b/barbican/map.jinja
index fdffae3..f7332ad 100644
--- a/barbican/map.jinja
+++ b/barbican/map.jinja
@@ -1,10 +1,20 @@
{%- load_yaml as base_defaults %}
-
+default:
+ bind:
+ address: 127.0.0.1
+ port: 8080
+ cache:
+ engine: noop
Debian:
pkgs:
- - barbican
+ - barbican-api
+ - barbican-keystone-listener
+ - barbican-worker
+ services:
+ - barbican-keystone-listener
+ - barbican-worker
{%- endload %}
-{%- set server = salt['grains.filter_by'](base_defaults, merge=salt['pillar.get']('barbican:server')) %}
+{%- set server = salt['grains.filter_by'](base_defaults, merge=salt['pillar.get']('barbican:server'), base='default') %}
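Review bot: The new `default` base sets `bind.port: 8080`, which disagrees with the 9311/9312 pair used by metadata/service/server/cluster.yml, single.yml and the test pillars, and with Barbican's own API port; a minimal pillar that only sets `enabled: true` would therefore listen on a port nothing else expects. Changing the defaults to `port: 9311` and `admin_port: 9312` aligns the base with the rest of the formula, and `admin_port` currently has no default at all, so the apache site template presumably fails to render for such a pillar. `host_href` and `is_proxied` are in the same situation and could get defaults (`''` and `false`) here rather than only in the metadata classes.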
diff --git a/barbican/meta/sphinx.yml b/barbican/meta/sphinx.yml
index 61cd3d1..62e989c 100644
--- a/barbican/meta/sphinx.yml
+++ b/barbican/meta/sphinx.yml
@@ -1,12 +1,15 @@
{%- from "barbican/map.jinja" import server with context %}
# Fill in documentation details
doc:
- name: barbican
- description: Some service info
+ name: Barbican
+ description: |
+ Barbican is a REST API designed for the secure storage, provisioning and
+ management of secrets such as passwords, encryption keys and X.509 Certificates.
+ It is aimed at being useful for all environments, including large ephemeral
+ Clouds.
role:
server:
name: server
param:
- some_param:
- name: "Some name"
- value: "some value"
+ version:
+ value: "{{ server.version }}"
diff --git a/barbican/server.sls b/barbican/server.sls
index 9a375ce..351160f 100644
--- a/barbican/server.sls
+++ b/barbican/server.sls
@@ -1,4 +1,49 @@
{%- from "barbican/map.jinja" import server with context %}
{%- if server.enabled %}
+barbican_server_packages:
+ pkg.installed:
+ - names: {{ server.pkgs }}
+
+/etc/barbican/barbican.conf:
+ file.managed:
+ - source: salt://barbican/files/{{ server.version }}/barbican.conf.{{ grains.os_family }}
+ - template: jinja
+ - require:
+ - pkg: barbican_server_packages
+
+/etc/apache2/conf-enabled/barbican-api.conf:
+ file.absent:
+ - require:
+ - pkg: barbican_server_packages
+
+
+/etc/apache2/sites-available/barbican-api.conf:
+ file.managed:
+ - source: salt://barbican/files/{{ server.version }}/barbican-api.apache2.conf.Debian
+ - template: jinja
+ - require:
+ - pkg: barbican_server_packages
+
+barbican_api_config:
+ file.symlink:
+ - name: /etc/apache2/sites-enabled/barbican-api.conf
+ - target: /etc/apache2/sites-available/barbican-api.conf
+
+barbican_apache_restart:
+ service.running:
+ - enable: true
+ - name: apache2
+ - watch:
+ - file: /etc/barbican/barbican.conf
+ - file: /etc/apache2/sites-available/barbican-api.conf
+
+
+barbican_server_services:
+ service.running:
+ - names: {{ server.services }}
+ - enable: true
+ - watch:
+ - file: /etc/barbican/barbican.conf
+
{%- endif %}
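Review bot: The `/etc/barbican/barbican.conf` state renders the database, keystone and RabbitMQ passwords and, via the plugin fragments, the simple_crypto KEK or HSM login, but sets no `user`, `group` or `mode`, so the file's permissions are whatever the package or the minion's umask left behind. Adding `- user: barbican`, `- group: barbican` and `- mode: 640` (the service account the Debian packages create, to be confirmed) keeps the secrets readable only by the service. The `barbican_api_config` symlink has no `require` on `/etc/apache2/sites-available/barbican-api.conf` and is not watched by `barbican_apache_restart`, so on a first run the site may be enabled after apache has already been started; `barbican_server_services` likewise lacks a `require` on `pkg: barbican_server_packages`.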
diff --git a/metadata/service/server/cluster.yml b/metadata/service/server/cluster.yml
index ca23e30..73a690e 100644
--- a/metadata/service/server/cluster.yml
+++ b/metadata/service/server/cluster.yml
@@ -3,8 +3,53 @@
classes:
- service.barbican.support
parameters:
+ _param:
+ keystone_barbican_endpoint_type: internalURL
barbican:
server:
enabled: true
+ version: ${_param:barbican_version}
+ region: ${_param:openstack_region}
+ host_href: ''
+ is_proxied: true
bind:
- address: 0.0.0.0
+ address: ${_param:cluster_local_address}
+ port: 9311
+ admin_port: 9312
+ database:
+ engine: "mysql+pymysql"
+ host: ${_param:cluster_vip_address}
+ port: 3306
+ name: barbican
+ user: barbican
+ password: ${_param:mysql_barbican_password}
+ identity:
+ engine: keystone
+ host: ${_param:cluster_vip_address}
+ port: 35357
+ domain: default
+ tenant: service
+ user: barbican
+ password: ${_param:keystone_barbican_password}
+ endpoint_type: ${_param:keystone_barbican_endpoint_type}
+ message_queue:
+ engine: rabbitmq
+ user: openstack
+ password: ${_param:rabbitmq_openstack_password}
+ virtual_host: '/openstack'
+ members:
+ - host: ${_param:openstack_message_queue_node01_address}
+ port: 5672
+ - host: ${_param:openstack_message_queue_node02_address}
+ port: 5672
+ - host: ${_param:openstack_message_queue_node03_address}
+ port: 5672
+ cache:
+ members:
+ - host: ${_param:openstack_control_node01_address}
+ port: 11211
+ - host: ${_param:openstack_control_node02_address}
+ port: 11211
+ - host: ${_param:openstack_control_node03_address}
+ port: 11211
+
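Review bot: The `cache` block lists memcached members but no `engine`, and map.jinja now defaults `cache.engine` to `noop`, so unless the barbican.conf template keys only on `cache.members` these entries are inert and keystonemiddleware token caching stays off. The same omission is in metadata/service/server/single.yml, in tests/pillar/control_cluster.sls, and in tests/pillar/control_single.sls where the commit actually removes the previous `engine: memcached` line; adding `engine: memcached` next to `members:` in each resolves it. The trailing `+` line adds a blank line at end of file, which is cosmetic.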
diff --git a/metadata/service/server/plugin/dogtag.yml b/metadata/service/server/plugin/dogtag.yml
new file mode 100644
index 0000000..5979258
--- /dev/null
+++ b/metadata/service/server/plugin/dogtag.yml
@@ -0,0 +1,16 @@
+parameters:
+ _param:
+ barbican_dogtag_host: localhost
+ barbican_dogtag_simple_cmc_profile: 'caOtherCert'
+ barbican:
+ server:
+ plugin:
+ dogtag:
+ dogtag_host: ${_param:barbican_dogtag_host}
+ dogtag_port: 8433
+ nss_db_path: '/etc/barbican/alias'
+ nss_db_path_ca: '/etc/barbican/alias-ca'
+ nss_password: "${_param:barbican_dogtag_nss_password}"
+ simple_cmc_profile: "${_param:barbican_dogtag_simple_cmc_profile}"
+ ca_expiration_time: 1
+ plugin_working_dir: '/etc/barbican/dogtag'
diff --git a/metadata/service/server/plugin/kmip.yml b/metadata/service/server/plugin/kmip.yml
new file mode 100644
index 0000000..b0ac108
--- /dev/null
+++ b/metadata/service/server/plugin/kmip.yml
@@ -0,0 +1,18 @@
+parameters:
+ _param:
+ barbican_kmip_username: admin
+ barbican_kmip_host: localhost
+ barbican_kmip_keyfile: '/etc/barbican/kmip/cert.key'
+ barbican_kmip_certfile: '/etc/barbican/kmip/cert.crt'
+ barbican_kmip_ca_certs: '/etc/barbican/kmip/LocalCA.crt'
+ barbican:
+ server:
+ plugin:
+ kmip:
+ username: "${_param:barbican_kmip_username}"
+ password: "${_param:barbican_kmip_password}"
+ host: ${_param:barbican_kmip_host}
+ port: 5696
+ keyfile: "${_param:barbican_kmip_keyfile}"
+ certfile: "${_param:barbican_kmip_certfile}"
+ ca_certs: "${_param:barbican_kmip_ca_certs}"
diff --git a/metadata/service/server/plugin/p11_crypto.yml b/metadata/service/server/plugin/p11_crypto.yml
new file mode 100644
index 0000000..394c094
--- /dev/null
+++ b/metadata/service/server/plugin/p11_crypto.yml
@@ -0,0 +1,12 @@
+parameters:
+ _param:
+ barbican_p11crypto_mkek_length: 32
+ barbican:
+ server:
+ plugin:
+ p11_crypto:
+ library_path: '/usr/lib/libCryptoki2_64.so'
+ login: ${_param:barbican_p11crypto_login}
+ mkek_label: ${_param:barbican_p11crypto_mkek_label}
+ mkek_length: ${_param:barbican_p11crypto_mkek_length}
+ hmac_label: ${_param:barbican_p11crypto_hmac_label}
diff --git a/metadata/service/server/plugin/simple_crypto.yml b/metadata/service/server/plugin/simple_crypto.yml
new file mode 100644
index 0000000..65ff497
--- /dev/null
+++ b/metadata/service/server/plugin/simple_crypto.yml
@@ -0,0 +1,6 @@
+parameters:
+ barbican:
+ server:
+ plugin:
+ simple_crypto:
+ kek: ${_param:barbican_simple_crypto_kek}
\ No newline at end of file
diff --git a/metadata/service/server/single.yml b/metadata/service/server/single.yml
index ca23e30..91d1b2f 100644
--- a/metadata/service/server/single.yml
+++ b/metadata/service/server/single.yml
@@ -3,8 +3,44 @@
classes:
- service.barbican.support
parameters:
+ _param:
+ keystone_barbican_endpoint_type: internalURL
barbican:
server:
enabled: true
+ version: ${_param:barbican_version}
+ region: ${_param:openstack_region}
+ host_href: ''
+ is_proxied: false
bind:
- address: 0.0.0.0
+ address: ${_param:single_address}
+ port: 9311
+ admin_port: 9312
+ database:
+ engine: "mysql+pymysql"
+ host: ${_param:single_address}
+ port: 3306
+ name: barbican
+ user: barbican
+ password: ${_param:mysql_barbican_password}
+ identity:
+ engine: keystone
+ host: ${_param:single_address}
+ port: 35357
+ domain: default
+ tenant: service
+ user: barbican
+ password: ${_param:keystone_barbican_password}
+ endpoint_type: ${_param:keystone_barbican_endpoint_type}
+ message_queue:
+ engine: rabbitmq
+ host: ${_param:single_address}
+ port: 5672
+ user: openstack
+ password: ${_param:rabbitmq_openstack_password}
+ virtual_host: '/openstack'
+ cache:
+ members:
+ - host: ${_param:single_address}
+ port: 11211
+
diff --git a/tests/pillar/compute_cluster.sls b/tests/pillar/compute_cluster.sls
deleted file mode 100644
index 6f03b6e..0000000
--- a/tests/pillar/compute_cluster.sls
+++ /dev/null
@@ -1,49 +0,0 @@
-nova:
- compute:
- version: liberty
- enabled: true
- virtualization: kvm
- heal_instance_info_cache_interval: 60
- vncproxy_url: openstack:6080
- bind:
- vnc_address: 127.0.0.1
- vnc_port: 6080
- vnc_name: 0.0.0.0
- database:
- engine: mysql
- host: 127.0.0.1
- port: 3306
- name: nova
- user: nova
- password: password
- identity:
- engine: keystone
- host: 127.0.0.1
- port: 35357
- user: nova
- password: password
- tenant: service
- message_queue:
- engine: rabbitmq
- host: 127.0.0.1
- port: 5672
- user: openstack
- password: password
- virtual_host: '/openstack'
- image:
- engine: glance
- host: 127.0.0.1
- port: 9292
- network:
- engine: neutron
- host: 127.0.0.1
- port: 9696
- cache:
- engine: memcached
- members:
- - host: 127.0.0.1
- port: 11211
- - host: 127.0.1.1
- port: 11211
- - host: 127.0.2.1
- port: 11211
diff --git a/tests/pillar/compute_single.sls b/tests/pillar/compute_single.sls
deleted file mode 100644
index 036a140..0000000
--- a/tests/pillar/compute_single.sls
+++ /dev/null
@@ -1,45 +0,0 @@
-nova:
- compute:
- version: liberty
- enabled: true
- virtualization: kvm
- heal_instance_info_cache_interval: 60
- vncproxy_url: openstack:6080
- bind:
- vnc_address: 127.0.0.1
- vnc_port: 6080
- vnc_name: 0.0.0.0
- database:
- engine: mysql
- host: 127.0.0.1
- port: 3306
- name: nova
- user: nova
- password: password
- identity:
- engine: keystone
- host: 127.0.0.1
- port: 35357
- user: nova
- password: password
- tenant: service
- message_queue:
- engine: rabbitmq
- host: 127.0.0.1
- port: 5672
- user: openstack
- password: password
- virtual_host: '/openstack'
- image:
- engine: glance
- host: 127.0.0.1
- port: 9292
- network:
- engine: neutron
- host: 127.0.0.1
- port: 9696
- cache:
- engine: memcached
- members:
- - host: 127.0.0.1
- port: 11211
diff --git a/tests/pillar/control_cluster.sls b/tests/pillar/control_cluster.sls
index 158f565..d438e3d 100644
--- a/tests/pillar/control_cluster.sls
+++ b/tests/pillar/control_cluster.sls
@@ -1,48 +1,84 @@
-nova:
- controller:
+barbican:
+ server:
enabled: true
- networking: default
- version: liberty
- vncproxy_url: 127.0.0.1
- security_group: false
- dhcp_domain: novalocal
- scheduler_default_filters: "DifferentHostFilter,RetryFilter,AvailabilityZoneFilter,RamFilter,CoreFilter,DiskFilter,ComputeFilter,ComputeCapabilitiesFilter,ImagePropertiesFilter,ServerGroupAntiAffinityFilter,ServerGroupAffinityFilter"
- cpu_allocation_ratio: 16.0
- ram_allocation_ratio: 1.5
- bind:
- private_address: 127.0.0.1
- public_address: 127.0.0.1
- public_name: 127.0.0.1
- novncproxy_port: 6080
+ version: ocata
+ host_href: ''
+ is_proxied: true
+ plugin:
+ simple_crypto:
+ kek: "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY="
+ p11_crypto:
+ library_path: '/usr/lib/libCryptoki2_64.so'
+ login: 'mypassword'
+ mkek_label: 'an_mkek'
+ mkek_length: 32
+ hmac_label: 'my_hmac_label'
+ kmip:
+ username: 'admin'
+ password: 'password'
+ host: localhost
+ port: 5696
+ keyfile: '/path/to/certs/cert.key'
+ certfile: '/path/to/certs/cert.crt'
+ ca_certs: '/path/to/certs/LocalCA.crt'
+ dogtag:
+ pem_path: '/etc/barbican/kra_admin_cert.pem'
+ dogtag_host: localhost
+ dogtag_port: 8433
+ nss_db_path: '/etc/barbican/alias'
+ nss_db_path_ca: '/etc/barbican/alias-ca'
+ nss_password: 'password123'
+ simple_cmc_profile: 'caOtherCert'
+ ca_expiration_time: 1
+ plugin_working_dir: '/etc/barbican/dogtag'
+ store:
+ software:
+ crypto_plugin: simple_crypto
+ store_plugin: store_crypto
+ global_default: True
+ kmip:
+ store_plugin: kmip_plugin
+ dogtag:
+ store_plugin: dogtag_plugin
+ pkcs11:
+ store_plugin: store_crypto
+ crypto_plugin: p11_crypto
database:
- engine: mysql
- host: 127.0.0.1
+ engine: "mysql+pymysql"
+ host: 10.0.106.20
port: 3306
- name: nova
- user: nova
+ name: barbican
+ user: barbican
password: password
+ bind:
+ address: 10.0.106.20
+ port: 9311
+ admin_port: 9312
identity:
engine: keystone
- host: 127.0.0.1
+ host: 10.0.106.20
port: 35357
- user: nova
- password: password
+ domain: default
tenant: service
+ user: barbican
+ password: password
message_queue:
engine: rabbitmq
- host: 127.0.0.1
- port: 5672
user: openstack
password: password
virtual_host: '/openstack'
- ha_queues: true
- glance:
- host:
- port: 9292
- network:
- engine: neutron
- host: 127.0.0.1
- port: 9696
- mtu: 1500
- metadata:
- password: metadata
+ members:
+ - host: 10.10.10.10
+ port: 5672
+ - host: 10.10.10.11
+ port: 5672
+ - host: 10.10.10.12
+ port: 5672
+ cache:
+ members:
+ - host: 10.10.10.10
+ port: 11211
+ - host: 10.10.10.11
+ port: 11211
+ - host: 10.10.10.12
+ port: 11211
diff --git a/tests/pillar/control_single.sls b/tests/pillar/control_single.sls
index 68c77b2..d438e3d 100644
--- a/tests/pillar/control_single.sls
+++ b/tests/pillar/control_single.sls
@@ -1,52 +1,84 @@
-nova:
- controller:
+barbican:
+ server:
enabled: true
- networking: contrail
- version: liberty
- security_group: false
- vncproxy_url: 127.0.0.1
- dhcp_domain: novalocal
- scheduler_default_filters: "DifferentHostFilter,RetryFilter,AvailabilityZoneFilter,RamFilter,CoreFilter,DiskFilter,ComputeFilter,ComputeCapabilitiesFilter,ImagePropertiesFilter,ServerGroupAntiAffinityFilter,ServerGroupAffinityFilter"
- cpu_allocation_ratio: 16.0
- ram_allocation_ratio: 1.5
- bind:
- private_address: 127.0.0.1
- public_address: 127.0.0.1
- public_name: 127.0.0.1
- novncproxy_port: 6080
+ version: ocata
+ host_href: ''
+ is_proxied: true
+ plugin:
+ simple_crypto:
+ kek: "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY="
+ p11_crypto:
+ library_path: '/usr/lib/libCryptoki2_64.so'
+ login: 'mypassword'
+ mkek_label: 'an_mkek'
+ mkek_length: 32
+ hmac_label: 'my_hmac_label'
+ kmip:
+ username: 'admin'
+ password: 'password'
+ host: localhost
+ port: 5696
+ keyfile: '/path/to/certs/cert.key'
+ certfile: '/path/to/certs/cert.crt'
+ ca_certs: '/path/to/certs/LocalCA.crt'
+ dogtag:
+ pem_path: '/etc/barbican/kra_admin_cert.pem'
+ dogtag_host: localhost
+ dogtag_port: 8433
+ nss_db_path: '/etc/barbican/alias'
+ nss_db_path_ca: '/etc/barbican/alias-ca'
+ nss_password: 'password123'
+ simple_cmc_profile: 'caOtherCert'
+ ca_expiration_time: 1
+ plugin_working_dir: '/etc/barbican/dogtag'
+ store:
+ software:
+ crypto_plugin: simple_crypto
+ store_plugin: store_crypto
+ global_default: True
+ kmip:
+ store_plugin: kmip_plugin
+ dogtag:
+ store_plugin: dogtag_plugin
+ pkcs11:
+ store_plugin: store_crypto
+ crypto_plugin: p11_crypto
database:
- engine: mysql
- host: localhost
+ engine: "mysql+pymysql"
+ host: 10.0.106.20
port: 3306
- name: nova
- user: nova
+ name: barbican
+ user: barbican
password: password
+ bind:
+ address: 10.0.106.20
+ port: 9311
+ admin_port: 9312
identity:
engine: keystone
- host: 127.0.0.1
+ host: 10.0.106.20
port: 35357
- user: nova
- password: password
+ domain: default
tenant: service
+ user: barbican
+ password: password
message_queue:
engine: rabbitmq
- host: 127.0.0.1
- port: 5672
user: openstack
password: password
virtual_host: '/openstack'
- glance:
- host: 127.0.0.1
- port: 9292
- network:
- engine: neutron
- host: 127.0.0.1
- port: 9696
- mtu: 1500
- metadata:
- password: password
- cache:
- engine: memcached
members:
- - host: 127.0.0.1
+ - host: 10.10.10.10
+ port: 5672
+ - host: 10.10.10.11
+ port: 5672
+ - host: 10.10.10.12
+ port: 5672
+ cache:
+ members:
+ - host: 10.10.10.10
+ port: 11211
+ - host: 10.10.10.11
+ port: 11211
+ - host: 10.10.10.12
port: 11211
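Review bot: This pillar is now byte-identical to tests/pillar/control_cluster.sls (both sides resolve to the same blob in the index line), so the single-node layout that metadata/service/server/single.yml describes — `is_proxied: false`, a `message_queue` with `host`/`port` instead of `members`, a one-member `cache` — is no longer exercised by any test. Mirroring single.yml here, i.e. `is_proxied: false` and `message_queue: {engine: rabbitmq, host: 127.0.0.1, port: 5672, …}`, restores coverage of the branch the templates presumably take for single deployments.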