================
Barbican formula
================

Barbican is a REST API designed for the secure storage, provisioning and
management of secrets such as passwords, encryption keys and X.509 Certificates.
It is aimed at being useful for all environments, including large ephemeral
Clouds.

Sample pillars
==============

Barbican cluster service

.. code-block:: yaml

    barbican:
      server:
        enabled: true
        version: ocata
        host_href: ''
        is_proxied: true
        plugin:
          simple_crypto:
            kek: "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY="
        store:
          software:
            crypto_plugin: simple_crypto
            store_plugin: store_crypto
            global_default: True
        database:
          engine: "mysql+pymysql"
          host: 10.0.106.20
          port: 3306
          name: barbican
          user: barbican
          password: password
        bind:
          address: 10.0.106.20
          port: 9311
          admin_port: 9312
        identity:
          engine: keystone
          host: 10.0.106.20
          port: 35357
          domain: default
          tenant: service
          user: barbican
          password: password
        message_queue:
          engine: rabbitmq
          user: openstack
          password: password
          virtual_host: '/openstack'
          members:
          - host: 10.10.10.10
            port: 5672
          - host: 10.10.10.11
            port: 5672
          - host: 10.10.10.12
            port: 5672
        cache:
          members:
          - host: 10.10.10.10
            port: 11211
          - host: 10.10.10.11
            port: 11211
          - host: 10.10.10.12
            port: 11211

Enhanced logging with logging.conf
----------------------------------

By default logging.conf is disabled.

It is possible to enable per-binary logging.conf with the following variables:

* openstack_log_appender - set it to true to enable log_config_append for all OpenStack services;
* openstack_fluentd_handler_enabled - set to true to enable FluentHandler for all OpenStack services;
* openstack_ossyslog_handler_enabled - set to true to enable OSSysLogHandler for all OpenStack services.

Only WatchedFileHandler, OSSysLogHandler and FluentHandler are available.

It is also possible to configure this with pillar:

.. code-block:: yaml

    barbican:
      server:
        logging:
          log_appender: true
          log_handlers:
            watchedfile:
              enabled: true
            fluentd:
              enabled: true
            ossyslog:
              enabled: true

Running behind loadbalancer
---------------------------

If you are running behind a load balancer, set `host_href` to the load
balancer's address. You can also leave `host_href` empty, in which case the API
attempts to autodetect the correct address from HTTP requests.

.. code-block:: yaml

    barbican:
      server:
        enabled: true
        version: ocata
        host_href: ''


Running behind proxy
--------------------

If you are running behind a proxy, set the `is_proxied` parameter to `true`.
This allows `host_href` autodetection with the help of proxy headers such as
`X-FORWARDED-FOR` and `X-FORWARDED-PROTO`.

.. code-block:: yaml

    barbican:
      server:
        enabled: true
        version: ocata
        host_href: ''
        is_proxied: true

Queuing asynchronous messaging
------------------------------

By default `async_queues_enable` is set to `false`, so worker tasks are invoked
synchronously (i.e. no-queue standalone mode). To enable queuing of
asynchronous messages, set it to `true`.

.. code-block:: yaml

    barbican:
      server:
        enabled: true
        version: ocata
        async_queues_enable: true

Keystone notification listener
------------------------------

To enable the keystone notification listener, set `ks_notifications_enable`
to true. `ks_notifications_allow_requeue` enables the requeue feature in case
of a notification processing error. Enable this only when the underlying
transport supports this feature.

.. code-block:: yaml

    barbican:
      server:
        enabled: true
        version: ocata
        ks_notifications_enable: true
        ks_notifications_allow_requeue: true

MySQL server has gone away
--------------------------

MySQL uses a default `wait_timeout` of 8 hours, after which it will drop
idle connections. This can result in 'MySQL Gone Away' exceptions. If you
notice this, you can lower `sql_idle_timeout` to ensure that SQLAlchemy
reconnects before MySQL can drop the connection. If you run MySQL with HAProxy,
you also need to consider the HAProxy client/server timeout parameters.

.. code-block:: yaml

    barbican:
      server:
        enabled: true
        version: ocata
        database:
          engine: "mysql+pymysql"
          host: 10.0.106.20
          port: 3306
          name: barbican
          user: barbican
          password: password
          sql_idle_timeout: 180

Configuring TLS communications
------------------------------

In order to trust the remote server's certificate when establishing a TLS
connection, the CA cert must be provided on the client side. By default the
system-wide installed CA certs are used. You can change this behaviour by
specifying the optional `cacert_file` and `cacert` params.
See the examples below:

- **RabbitMQ**

.. code-block:: yaml

    barbican:
      server:
        message_queue:
          port: 5671
          ssl:
            enabled: True
            cacert: cert body if the cacert_file does not exists
            cacert_file: /etc/openstack/rabbitmq-ca.pem

- **MySQL**

.. code-block:: yaml

    barbican:
      server:
        database:
          ssl:
            enabled: True
            cacert: cert body if the cacert_file does not exists
            cacert_file: /etc/openstack/mysql-ca.pem

Configuring plugins
-------------------

Dogtag KRA

.. code-block:: yaml

    barbican:
      server:
        plugin:
          dogtag:
            pem_path: '/etc/barbican/kra_admin_cert.pem'
            dogtag_host: localhost
            dogtag_port: 8443
            nss_db_path: '/etc/barbican/alias'
            nss_db_path_ca: '/etc/barbican/alias-ca'
            nss_password: 'password123'
            simple_cmc_profile: 'caOtherCert'
            ca_expiration_time: 1
            plugin_working_dir: '/etc/barbican/dogtag'

There are a few sources (engines) for the KRA admin cert:

Engine #1: Define the KRA admin cert by pillar.
To define the KRA admin cert by pillar, define the following:

.. code-block:: yaml

    barbican:
      server:
        dogtag_admin_cert:
          engine: manual
          key: |
            ... key data ...

Engine #2: Receive the DogTag cert from the Salt Mine.
The DogTag formula sends the KRA cert to the dogtag_admin_cert mine function.

.. code-block:: yaml

    barbican:
      server:
        dogtag_admin_cert:
          engine: mine
          minion: ...name of minion which has installed DogTag..

Engine #3: No operations.
In case additional steps to install the KRA certificate are out of scope for
the formula, the formula has a 'noop' engine that performs no operations. If
the 'noop' engine is defined, the formula will do nothing to install the KRA
admin cert.

.. code-block:: yaml

    barbican:
      server:
        dogtag_admin_cert:
          engine: noop

KMIP HSM

.. code-block:: yaml

    barbican:
      server:
        plugin:
          kmip:
            username: 'admin'
            password: 'password'
            host: localhost
            port: 5696
            keyfile: '/path/to/certs/cert.key'
            certfile: '/path/to/certs/cert.crt'
            ca_certs: '/path/to/certs/LocalCA.crt'


PKCS11 HSM

.. code-block:: yaml

    barbican:
      server:
        plugin:
          p11_crypto:
            library_path: '/usr/lib/libCryptoki2_64.so'
            login: 'mypassword'
            mkek_label: 'an_mkek'
            mkek_length: 32
            hmac_label: 'my_hmac_label'


Software Only Crypto

`kek` is the key encryption key: 32 bytes encoded as Base64. You should not
use this in production.

.. code-block:: yaml

    barbican:
      server:
        plugin:
          simple_crypto:
            kek: 'YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY='

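The following is an added example, not part of the formula: a Python check for a `kek` pillar value that strictly Base64-decodes it, verifies the 32-byte length and flags a value made of printable text (the sample above decodes to ``abcdefghijklmnopqrstuvwxyz123456``), plus a generator for a replacement drawn from the OS random source. The function names are illustrative.

```python
import base64
import binascii
import os
import string

KEK_LENGTH = 32  # bytes the simple_crypto plugin expects after Base64 decoding

# Printable ASCII minus whitespace controls: if every decoded byte falls in this
# set, the key was almost certainly typed by a human rather than drawn from a CSPRNG.
_TEXT_BYTES = set(string.printable.encode("ascii")) - set(b"\t\n\r\x0b\x0c")


def generate_kek():
    """Return a fresh 32-byte key from os.urandom, Base64-encoded for the pillar."""
    return base64.b64encode(os.urandom(KEK_LENGTH)).decode("ascii")


def decode_kek(kek):
    """Strictly Base64-decode a kek and return its bytes; raise ValueError otherwise."""
    try:
        raw = base64.b64decode(kek, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"kek is not valid Base64: {exc}") from exc
    if len(raw) != KEK_LENGTH:
        raise ValueError(f"kek decodes to {len(raw)} bytes, expected {KEK_LENGTH}")
    return raw


def looks_hand_typed(raw):
    """True when the key is entirely printable text (e.g. the README sample)."""
    return all(b in _TEXT_BYTES for b in raw)


def check_kek(kek):
    """Return (ok, reason) for a kek pillar value."""
    try:
        raw = decode_kek(kek)
    except ValueError as exc:
        return False, str(exc)
    if looks_hand_typed(raw):
        return False, "kek is printable text; use generate_kek() output instead"
    return True, "kek decodes to 32 random-looking bytes"


SAMPLE_KEK = "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY="  # the README's sample value

if __name__ == "__main__":
    print(check_kek(SAMPLE_KEK))      # (False, 'kek is printable text; ...')
    print(check_kek(generate_kek()))  # (True, 'kek decodes to 32 random-looking bytes')
```

Run the file directly to see both verdicts, or call ``check_kek`` on the value you intend to put in the pillar before rolling it out.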

Secret stores
-------------

.. code-block:: yaml

    barbican:
      server:
        plugin:
          simple_crypto:
            kek: "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY="
          p11_crypto:
            library_path: '/usr/lib/libCryptoki2_64.so'
            login: 'mypassword'
            mkek_label: 'an_mkek'
            mkek_length: 32
            hmac_label: 'my_hmac_label'
          kmip:
            username: 'admin'
            password: 'password'
            host: localhost
            port: 5696
            keyfile: '/path/to/certs/cert.key'
            certfile: '/path/to/certs/cert.crt'
            ca_certs: '/path/to/certs/LocalCA.crt'
          dogtag:
            pem_path: '/etc/barbican/kra_admin_cert.pem'
            dogtag_host: localhost
            dogtag_port: 8443
            nss_db_path: '/etc/barbican/alias'
            nss_db_path_ca: '/etc/barbican/alias-ca'
            nss_password: 'password123'
            simple_cmc_profile: 'caOtherCert'
            ca_expiration_time: 1
            plugin_working_dir: '/etc/barbican/dogtag'
        store:
          software:
            crypto_plugin: simple_crypto
            store_plugin: store_crypto
            global_default: True
          kmip:
            store_plugin: kmip_plugin
          dogtag:
            store_plugin: dogtag_crypto
          pkcs11:
            store_plugin: store_crypto
            crypto_plugin: p11_crypto

Creating resources in barbican
------------------------------

To create a secret in barbican with its payload taken from a file, the
following pillar can be used:

.. code-block:: yaml

    barbican:
      client:
        enabled: True
        resources:
          v1:
            enabled: true
            cloud_name: admin_identity
            secrets:
              TestSecret:
                type: certificate
                algorithm: RSA
                payload_content_type: application/octet-stream
                payload_content_encoding: base64
                payload_path: /tmp/test.crt
                encodeb64_payload: true
            acl:
              TestSecret:
                test_user:
                  enabled: True


Sign image with barbican
------------------------

To sign an image with a given image name, secret name and user credentials,
the following pillar can be used:

.. code-block:: yaml

    barbican:
      client:
        enabled: True
        signed_images:
          v1:
            enabled: true
            images:
              TestImage:
                secret_name: 'TestSecret'
                cert_key: /etc/test/certs/image.key
                name: test-image-name
                cloud_name: admin_identity


Enable x509 and ssl communication between Barbican and Galera cluster.
----------------------------------------------------------------------

By default communication between Barbican and Galera is insecure.

.. code-block:: yaml

    barbican:
      server:
        database:
          x509:
            enabled: True

You are able to set custom certificates in pillar:

.. code-block:: yaml

    barbican:
      server:
        database:
          x509:
            cacert: (certificate content)
            cert: (certificate content)
            key: (certificate content)

You can read more about it here:
https://docs.openstack.org/security-guide/databases/database-access-control.html

Barbican server with memcached caching and security strategy:

.. code-block:: yaml

    barbican:
      server:
        enabled: true
        ...
        cache:
          engine: memcached
          members:
          - host: 127.0.0.1
            port: 11211
          - host: 127.0.0.1
            port: 11211
          security:
            enabled: true
            strategy: ENCRYPT
            secret_key: secret

Read more
=========

* https://docs.openstack.org/barbican/latest/