Implement X.509 auth for MySQL and Barbican
Change-Id: Ic724d0d3474f0d52c56638e8805b2f64dc21c120
Related-PROD: PROD-22738
diff --git a/README.rst b/README.rst
index 33aea5c..0f4e655 100644
--- a/README.rst
+++ b/README.rst
@@ -389,6 +389,28 @@
encodeb64_payload: true
+Enable x509 and ssl communication between Barbican and Galera cluster.
+---------------------
+By default communication between Barbican and Galera is unsecure.
+
+barbican:
+ server:
+ database:
+ x509:
+ enabled: True
+
+You able to set custom certificates in pillar:
+
+barbican:
+ server:
+ database:
+ x509:
+ cacert: (certificate content)
+ cert: (certificate content)
+ key: (certificate content)
+
+You can read more about it here:
+ https://docs.openstack.org/security-guide/databases/database-access-control.html
Documentation and Bugs
======================
diff --git a/barbican/_ssl.sls b/barbican/_ssl.sls
deleted file mode 100644
index 592c4ea..0000000
--- a/barbican/_ssl.sls
+++ /dev/null
@@ -1,51 +0,0 @@
-{%- from "barbican/map.jinja" import server with context %}
-
-{#
-
-The state reposible for management of CA certificates for the following
-tls communications paths used by Barbican:
-
-- messaging (RabbitMQ Server): rabbitmq_ca_barbican_server
-- database (MySQL Server): mysql_ca_barbican_server
-
-#}
-
-{%- if server.message_queue.ssl.enabled %}
-rabbitmq_ca_barbican_server:
-{% if server.message_queue.ssl.cacert is defined %}
- file.managed:
- - name: {{ server.message_queue.ssl.cacert_file }}
- - contents_pillar: barbican:server:message_queue:ssl:cacert
- - mode: 0444
- - makedirs: true
-{% else %}
- file.exists:
- - name: {{ server.message_queue.ssl.get('cacert_file', server.cacert_file) }}
-{% endif %}
- - watch_in:
- - service: barbican_server_services
- {% if server.get('async_queues_enable', False) %}
- - service: barbican-worker
- {% endif %}
-{% endif %}
-
-{%- if server.database.ssl.enabled %}
-mysql_ca_barbican_server:
-{% if server.database.ssl.cacert is defined %}
- file.managed:
- - name: {{ server.database.ssl.cacert_file }}
- - contents_pillar: barbican:server:database:ssl:cacert
- - mode: 0444
- - makedirs: true
-{% else %}
- file.exists:
- - name: {{ server.database.ssl.get('cacert_file', server.cacert_file) }}
-{% endif %}
- - watch_in:
- - service: barbican_server_services
- {% if server.get('async_queues_enable', False) %}
- - service: barbican-worker
- {% endif %}
- - require_in:
- - cmd: barbican_syncdb
-{% endif %}
diff --git a/barbican/_ssl/mysql.sls b/barbican/_ssl/mysql.sls
new file mode 100644
index 0000000..086a1dd
--- /dev/null
+++ b/barbican/_ssl/mysql.sls
@@ -0,0 +1,85 @@
+{%- from "barbican/map.jinja" import server with context %}
+
+barbican_ssl_mysql:
+ test.show_notification:
+ - text: "Running barbican._ssl.mysql"
+
+{%- if server.database.get('x509',{}).get('enabled',False) %}
+
+ {%- set ca_file=server.database.x509.ca_file %}
+ {%- set key_file=server.database.x509.key_file %}
+ {%- set cert_file=server.database.x509.cert_file %}
+
+mysql_barbican_ssl_x509_ca:
+ {%- if server.database.x509.cacert is defined %}
+ file.managed:
+ - name: {{ ca_file }}
+ - contents_pillar: barbican:server:database:x509:cacert
+ - mode: 444
+ - user: barbican
+ - group: barbican
+ - makedirs: true
+ {%- else %}
+ file.exists:
+ - name: {{ ca_file }}
+ {%- endif %}
+
+mysql_barbican_client_ssl_cert:
+ {%- if server.database.x509.cert is defined %}
+ file.managed:
+ - name: {{ cert_file }}
+ - contents_pillar: barbican:server:database:x509:cert
+ - mode: 440
+ - user: barbican
+ - group: barbican
+ - makedirs: true
+ {%- else %}
+ file.exists:
+ - name: {{ cert_file }}
+ {%- endif %}
+
+mysql_barbican_client_ssl_private_key:
+ {%- if server.database.x509.key is defined %}
+ file.managed:
+ - name: {{ key_file }}
+ - contents_pillar: barbican:server:database:x509:key
+ - mode: 400
+ - user: barbican
+ - group: barbican
+ - makedirs: true
+ {%- else %}
+ file.exists:
+ - name: {{ key_file }}
+ {%- endif %}
+
+mysql_barbican_ssl_x509_set_user_and_group:
+ file.managed:
+ - names:
+ - {{ ca_file }}
+ - {{ cert_file }}
+ - {{ key_file }}
+ - user: barbican
+ - group: barbican
+
+{% elif server.database.get('ssl',{}).get('enabled',False) %}
+
+ mysql_ca_barbican:
+ {%- if server.database.ssl.cacert is defined %}
+ file.managed:
+ - name: {{ server.database.ssl.cacert_file }}
+ - contents_pillar: barbican:server:database:ssl:cacert
+ - mode: 0444
+ - makedirs: true
+ {%- else %}
+ file.exists:
+ - name: {{ server.database.ssl.get('cacert_file', server.cacert_file) }}
+ - watch_in:
+ - service: barbican_server_services
+ {% if server.get('async_queues_enable', False) %}
+ - service: barbican-worker
+ {% endif %}
+ - require_in:
+ - cmd: barbican_syncdb
+ {%- endif %}
+
+{%- endif %}
diff --git a/barbican/_ssl/rabbitmq.sls b/barbican/_ssl/rabbitmq.sls
new file mode 100644
index 0000000..028f43c
--- /dev/null
+++ b/barbican/_ssl/rabbitmq.sls
@@ -0,0 +1,30 @@
+{%- from "barbican/map.jinja" import server with context %}
+
+{#
+
+The state reposible for management of CA certificates for the following
+tls communications paths used by Barbican:
+
+- messaging (RabbitMQ Server): rabbitmq_ca_barbican_server
+- database (MySQL Server): mysql_ca_barbican_server
+
+#}
+
+{%- if server.message_queue.ssl.enabled %}
+rabbitmq_ca_barbican_server:
+{% if server.message_queue.ssl.cacert is defined %}
+ file.managed:
+ - name: {{ server.message_queue.ssl.cacert_file }}
+ - contents_pillar: barbican:server:message_queue:ssl:cacert
+ - mode: 0444
+ - makedirs: true
+{% else %}
+ file.exists:
+ - name: {{ server.message_queue.ssl.get('cacert_file', server.cacert_file) }}
+{% endif %}
+ - watch_in:
+ - service: barbican_server_services
+ {% if server.get('async_queues_enable', False) %}
+ - service: barbican-worker
+ {% endif %}
+{% endif %}
diff --git a/barbican/files/pike/barbican.conf.Debian b/barbican/files/pike/barbican.conf.Debian
index ad79b0f..3de0884 100644
--- a/barbican/files/pike/barbican.conf.Debian
+++ b/barbican/files/pike/barbican.conf.Debian
@@ -1,4 +1,12 @@
{%- from "barbican/map.jinja" import server with context -%}
+
+{%- set connection_x509_ssl_option = '' %}
+{%- if server.database.get('x509',{}).get('enabled',False) %}
+ {%- set connection_x509_ssl_option = '&ssl_ca=' ~ server.database.x509.ca_file ~ '&ssl_cert=' ~ server.database.x509.cert_file ~ '&ssl_key=' ~ server.database.x509.key_file %}
+{%- elif server.database.get('ssl',{}).get('enabled',False) %}
+ {%- set connection_x509_ssl_option = '&ssl_ca=' ~ server.database.ssl.get('cacert_file', server.cacert_file) %}
+{%- endif %}
+
[DEFAULT]
# Show debugging output in logs (sets DEBUG log level output)
#debug = True
@@ -57,7 +65,7 @@
#sql_connection = sqlite:///barbican.sqlite
# Note: For absolute addresses, use '////' slashes after 'sqlite:'
# Uncomment for a more global development environment
-sql_connection = {{ server.database.engine }}://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}{%- if server.database.ssl.enabled %}?ssl_ca={{ server.database.ssl.get('cacert_file', server.cacert_file) }}{% endif %}
+sql_connection = {{ server.database.engine }}://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}?charset=utf8{{ connection_x509_ssl_option|string }}
db_auto_create = False
# Period in seconds after which SQLAlchemy should reestablish its connection
diff --git a/barbican/files/queens/barbican.conf.Debian b/barbican/files/queens/barbican.conf.Debian
index da9aa74..b59d886 100644
--- a/barbican/files/queens/barbican.conf.Debian
+++ b/barbican/files/queens/barbican.conf.Debian
@@ -1,4 +1,12 @@
{%- from "barbican/map.jinja" import server with context -%}
+
+{%- set connection_x509_ssl_option = '' %}
+{%- if server.database.get('x509',{}).get('enabled',False) %}
+ {%- set connection_x509_ssl_option = '&ssl_ca=' ~ server.database.x509.ca_file ~ '&ssl_cert=' ~ server.database.x509.cert_file ~ '&ssl_key=' ~ server.database.x509.key_file %}
+{%- elif server.database.get('ssl',{}).get('enabled',False) %}
+ {%- set connection_x509_ssl_option = '&ssl_ca=' ~ server.database.ssl.get('cacert_file', server.cacert_file) %}
+{%- endif %}
+
[DEFAULT]
#
@@ -41,7 +49,7 @@
# Note: For absolute addresses, use '////' slashes after 'sqlite:'.
# (string value)
#sql_connection = sqlite:///barbican.sqlite
-sql_connection = {{ server.database.engine }}://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}{%- if server.database.ssl.enabled %}?ssl_ca={{ server.database.ssl.get('cacert_file', server.cacert_file) }}{% endif %}
+sql_connection = {{ server.database.engine }}://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}?charset=utf8{{ connection_x509_ssl_option|string }}
# Period in seconds after which SQLAlchemy should reestablish its
# connection to the database. MySQL uses a default `wait_timeout` of 8
diff --git a/barbican/server.sls b/barbican/server.sls
index f242e35..0930baa 100644
--- a/barbican/server.sls
+++ b/barbican/server.sls
@@ -3,11 +3,14 @@
include:
- apache
- - barbican._ssl
+ - barbican._ssl.mysql
+ - barbican._ssl.rabbitmq
barbican_server_packages:
pkg.installed:
- names: {{ server.pkgs }}
+ - require_in:
+ - sls: barbican._ssl.mysql
/etc/barbican/barbican.conf:
file.managed:
@@ -17,6 +20,7 @@
- group: barbican
- require:
- pkg: barbican_server_packages
+ - sls: barbican._ssl.mysql
barbican_syncdb:
cmd.run:
diff --git a/tests/pillar/ssl.sls b/tests/pillar/ssl.sls
index f3799df..b8b1398 100644
--- a/tests/pillar/ssl.sls
+++ b/tests/pillar/ssl.sls
@@ -53,8 +53,30 @@
name: barbican
user: barbican
password: password
+ x509:
+ enabled: True
+ ca_file: /etc/barbican/ssl/mysql/ca-cert.pem
+ key_file: /etc/barbican/ssl/mysql/client-key.pem
+ cert_file: /etc/barbican/ssl/mysql/client-cert.pem
+ cacert: |
+ -----BEGIN CERTIFICATE-----
+ MIIFzzCCA7egAwIBAgIIe7zZ8hCvkgowDQYJKoZIhvcNAQELBQAwSjELMAkGA1UE
+ -----END CERTIFICATE-----
+ cert: |
+ -----BEGIN CERTIFICATE-----
+ MIIGSjCCBDKgAwIBAgIJAIHRPs2rZbLvMA0GCSqGSIb3DQEBCwUAMEoxCzAJBgNV
+ -----END CERTIFICATE-----
+ key: |
+ -----BEGIN RSA PRIVATE KEY-----
+ MIIJKQIBAAKCAgEAq0m4kOIITliYea07yJnlSRNY0o6NaykiteSfHGauiub4lNQJ
+ -----END RSA PRIVATE KEY-----
ssl:
enabled: True
+ cacert_file: /etc/barbican/ssl/mysql/ca-cert.pem
+ cacert: |
+ -----BEGIN CERTIFICATE-----
+ MIIFzzCCA7egAwIBAgIIe7zZ8hCvkgowDQYJKoZIhvcNAQELBQAwSjELMAkGA1UE
+ -----END CERTIFICATE-----
bind:
address: 10.0.106.20
port: 9311