================
Barbican formula
================

Barbican is a REST API designed for the secure storage, provisioning and
management of secrets such as passwords, encryption keys and X.509 certificates.
It is aimed at being useful for all environments, including large ephemeral
clouds.

Sample pillars
==============

Barbican cluster service
------------------------

.. code-block:: yaml

    barbican:
      server:
        enabled: true
        version: ocata
        host_href: ''
        is_proxied: true
        plugin:
          simple_crypto:
            kek: "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY="
        store:
          software:
            crypto_plugin: simple_crypto
            store_plugin: store_crypto
            global_default: True
        database:
          engine: "mysql+pymysql"
          host: 10.0.106.20
          port: 3306
          name: barbican
          user: barbican
          password: password
        bind:
          address: 10.0.106.20
          port: 9311
          admin_port: 9312
        identity:
          engine: keystone
          host: 10.0.106.20
          port: 35357
          domain: default
          tenant: service
          user: barbican
          password: password
        message_queue:
          engine: rabbitmq
          user: openstack
          password: password
          virtual_host: '/openstack'
          members:
          - host: 10.10.10.10
            port: 5672
          - host: 10.10.10.11
            port: 5672
          - host: 10.10.10.12
            port: 5672
        cache:
          members:
          - host: 10.10.10.10
            port: 11211
          - host: 10.10.10.11
            port: 11211
          - host: 10.10.10.12
            port: 11211

Enhanced logging with logging.conf
----------------------------------

By default logging.conf is disabled.

Per-binary logging.conf can be enabled with the following variables:

 * openstack_log_appender - set it to true to enable log_config_append for all OpenStack services;
 * openstack_fluentd_handler_enabled - set it to true to enable FluentHandler for all OpenStack services;
 * openstack_ossyslog_handler_enabled - set it to true to enable OSSysLogHandler for all OpenStack services.

Only WatchedFileHandler, OSSysLogHandler and FluentHandler are available.

It is also possible to configure this with pillar:

.. code-block:: yaml

    barbican:
      server:
        logging:
          log_appender: true
          log_handlers:
            watchedfile:
              enabled: true
            fluentd:
              enabled: true
            ossyslog:
              enabled: true

Running behind loadbalancer
---------------------------

If you are running behind a load balancer, set `host_href` to the load
balancer's address. If you leave `host_href` empty, the API attempts to
autodetect the correct address from the HTTP requests.

.. code-block:: yaml

    barbican:
      server:
        enabled: true
        version: ocata
        host_href: ''


114
115Running behind proxy
116
117If you are running behind proxy, set the `is_proxied` parameter to `true`. This
118will allow `host_href` autodetection with help of proxy headers such as
119`X-FORWARDED-FOR` and `X-FORWARDED-PROTO`.
120
121.. code-block:: yaml
122
123 barbican:
124 server:
125 enabled: true
126 version: ocata
127 host_href: ''
128 is_proxied: true
129
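The two sections above describe three ways the public address can be obtained: a fixed `host_href`, autodetection from the direct request, and autodetection from proxy headers when `is_proxied` is true. The following is an added illustration of that decision, not code from Barbican or from this formula: the header names come from the README, while the function name, the trusted-proxy address and the sample requests are assumptions (constructed data, not captured traffic). It also shows the check a practitioner wants around `is_proxied`: forwarded headers are only honoured when the connection actually came from the proxy, since anything else may have been set by the client.

```python
"""Derive the public host_href (and the real client address) for a Barbican
API that sits behind a load balancer or reverse proxy.

Added illustration, not code from Barbican or salt-formula-barbican.  The
header names come from the README; the function name, TRUSTED_PROXIES and the
sample request are assumptions (constructed data)."""

# Assumed address of the proxy / load balancer that is allowed to set
# X-Forwarded-* headers on Barbican's behalf.
TRUSTED_PROXIES = {"10.0.106.21"}


def derive_request_context(configured_host_href, is_proxied, headers,
                           remote_addr, trusted_proxies=TRUSTED_PROXIES):
    """Return {'host_href': ..., 'client_addr': ...} for one incoming request.

    * A non-empty host_href is used as-is (the load-balancer case).
    * With host_href empty and is_proxied true, the scheme comes from
      X-FORWARDED-PROTO and the client address from the first entry of
      X-FORWARDED-FOR, but only when the TCP connection came from a trusted
      proxy; forwarded headers arriving from anywhere else were not set by
      our proxy and are ignored.
    * Otherwise the request is treated as direct: http plus the Host header,
      and the peer address is the client.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    host = hdrs.get("host", "")
    scheme = "http"
    client_addr = remote_addr

    if is_proxied and remote_addr in trusted_proxies:
        scheme = hdrs.get("x-forwarded-proto", scheme).split(",")[0].strip() or scheme
        forwarded_for = hdrs.get("x-forwarded-for", "")
        if forwarded_for:
            # X-Forwarded-For lists the client first, then each relaying proxy
            client_addr = forwarded_for.split(",")[0].strip()

    host_href = configured_host_href or "%s://%s" % (scheme, host)
    return {"host_href": host_href, "client_addr": client_addr}


# Constructed sample: a request relayed by the trusted proxy
PROXIED_HEADERS = {
    "Host": "10.0.106.20:9311",
    "X-Forwarded-Proto": "https",
    "X-Forwarded-For": "203.0.113.5, 10.0.106.21",
}

if __name__ == "__main__":
    print(derive_request_context("", True, PROXIED_HEADERS, "10.0.106.21"))
    print(derive_request_context("", True, PROXIED_HEADERS, "198.51.100.7"))
```

With the same headers, the first call yields `https://10.0.106.20:9311` and client `203.0.113.5`; the second, arriving from an address that is not the proxy, falls back to `http://10.0.106.20:9311` and the peer address. When `host_href` is set explicitly it wins regardless of `is_proxied`, which is the load-balancer configuration the README recommends.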
Queuing asynchronous messaging
------------------------------

By default `async_queues_enable` is set to `false`, so worker tasks are invoked
synchronously (i.e. no-queue standalone mode). To enable queuing asynchronous
messaging, set it to `true`.

.. code-block:: yaml

    barbican:
      server:
        enabled: true
        version: ocata
        async_queues_enable: true

Keystone notification listener
------------------------------

To enable the keystone notification listener, set `ks_notifications_enable`
to true.

`ks_notifications_allow_requeue` enables the requeue feature in case of a
notification processing error. Enable this only when the underlying transport
supports this feature.

`ks_notifications_topic` (defaults to 'notifications') sets the name of the
topic to listen for Keystone notifications on. Note that Keystone must also be
configured to send notifications to this topic. If the Barbican version and
messaging back end support listener pooling, it is preferable to leave this
value at its default and use `ks_notifications_pool_name` (see below).

`ks_notifications_pool_name` (since the Pike release) allows the keystone
listener to be used together with other applications listening on the same
notifications topic without interference between services. Set it to any
distinctive value to enable listener pooling. It is enabled by default with the
pool name 'barbican'. Disable it (by setting it to an empty string) only if the
underlying messaging transport does not support this feature or Barbican is the
sole service listening for notifications on the `ks_notifications_topic`
(default 'notifications') topic.

.. code-block:: yaml

    barbican:
      server:
        enabled: true
        version: pike
        ks_notifications_enable: true
        ks_notifications_allow_requeue: true
        ks_notifications_pool_name: barbican


MySQL server has gone away
--------------------------

MySQL uses a default `wait_timeout` of 8 hours, after which it drops idle
connections. This can result in 'MySQL Gone Away' exceptions. If you notice
this, you can lower `sql_idle_timeout` to ensure that SQLAlchemy reconnects
before MySQL can drop the connection. If you run MySQL behind HAProxy, you also
need to consider the HAProxy client/server timeout parameters.

.. code-block:: yaml

    barbican:
      server:
        enabled: true
        version: ocata
        database:
          engine: "mysql+pymysql"
          host: 10.0.106.20
          port: 3306
          name: barbican
          user: barbican
          password: password
          sql_idle_timeout: 180


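The rule in the section above is that `sql_idle_timeout` has to be smaller than every timeout that could silently drop the idle connection: MySQL's `wait_timeout` and, when HAProxy is in the path, its `timeout client` / `timeout server`. The following is an added check for that rule, not part of the formula; the parameter names come from the README, the HAProxy values used to exercise it are constructed, and it parses HAProxy's own time syntax (`10m`, `30s`, or a bare number meaning milliseconds) so that values can be copied straight from `haproxy.cfg`.

```python
"""Check that Barbican's sql_idle_timeout is small enough that SQLAlchemy
recycles an idle connection before MySQL (wait_timeout) or an HAProxy in the
path (timeout client / timeout server) drops it.

Added example, not part of salt-formula-barbican.  Parameter names come from
the README; the HAProxy values in the usage below are constructed."""

import re

MYSQL_DEFAULT_WAIT_TIMEOUT = 8 * 60 * 60  # the 8-hour MySQL default the README mentions

# HAProxy time units expressed in microseconds; a bare number means milliseconds
_HAPROXY_UNITS_US = {
    "us": 1, "ms": 1000, "s": 1000000,
    "m": 60 * 1000000, "h": 3600 * 1000000, "d": 86400 * 1000000,
}
_HAPROXY_RE = re.compile(r"^\s*(\d+)\s*(us|ms|s|m|h|d)?\s*$")


def parse_haproxy_timeout(value):
    """Convert an HAProxy timeout such as '10m', '30s' or '30000' to seconds."""
    if isinstance(value, (int, float)):
        return float(value) * 1000 / 1000000       # numeric: bare-number rule (ms)
    match = _HAPROXY_RE.match(value)
    if not match:
        raise ValueError("unrecognised HAProxy timeout: %r" % (value,))
    number, unit = match.groups()
    return int(number) * _HAPROXY_UNITS_US[unit or "ms"] / 1000000


def check_idle_timeouts(sql_idle_timeout,
                        mysql_wait_timeout=MYSQL_DEFAULT_WAIT_TIMEOUT,
                        haproxy_timeout_client=None,
                        haproxy_timeout_server=None):
    """Return a list of findings; an empty list means the settings are consistent."""
    if sql_idle_timeout <= 0:
        return ["sql_idle_timeout must be a positive number of seconds"]
    findings = []
    if sql_idle_timeout >= mysql_wait_timeout:
        findings.append("sql_idle_timeout (%ss) must be below MySQL wait_timeout (%ss)"
                        % (sql_idle_timeout, mysql_wait_timeout))
    for name, raw in (("timeout client", haproxy_timeout_client),
                      ("timeout server", haproxy_timeout_server)):
        if raw is None:
            continue
        limit = parse_haproxy_timeout(raw)
        if sql_idle_timeout >= limit:
            findings.append("sql_idle_timeout (%ss) must be below HAProxy %s (%ss)"
                            % (sql_idle_timeout, name, limit))
    return findings


if __name__ == "__main__":
    # The README's value of 180 s against the MySQL default and a constructed
    # HAProxy backend with 'timeout client 10m' / 'timeout server 1m'.
    print(check_idle_timeouts(180, haproxy_timeout_client="10m",
                              haproxy_timeout_server="1m"))
```

The README's `sql_idle_timeout: 180` is fine against the MySQL default, but it is above a one-minute HAProxy server timeout, which is exactly the situation the last sentence of the section warns about.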
Configuring TLS communications
------------------------------

In order to trust the remote server's certificate when establishing a TLS
connection, the CA certificate must be available on the client side. By default
the system-wide installed CA certificates are used. You can change this behavior
by specifying the optional `cacert_file` and `cacert` parameters.
See the examples below:


- **RabbitMQ**

.. code-block:: yaml

    barbican:
      server:
        message_queue:
          port: 5671
          ssl:
            enabled: True
            cacert: cert body if the cacert_file does not exist
            cacert_file: /etc/openstack/rabbitmq-ca.pem


- **MySQL**

.. code-block:: yaml

    barbican:
      server:
        database:
          ssl:
            enabled: True
            cacert: cert body if the cacert_file does not exist
            cacert_file: /etc/openstack/mysql-ca.pem


Change default service policy configuration
-------------------------------------------

.. code-block:: yaml

    barbican:
      server:
        policy:
          creator: 'role:creator'
          audit: 'role:audit'
          # Add key without value to remove line from policy.json
          quotas:get:

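The pillar above carries three kinds of entries: a rule with a value overrides the default, a rule given without a value (`quotas:get:`, which YAML loads as `None`) removes the line from policy.json, and a rule the defaults do not contain is added. The following is an added illustration of those semantics, not the formula's own policy.json template; the default rules it uses are a constructed subset, not Barbican's real policy file. The `diff_policy` helper is the part a reviewer wants: it lists exactly which rules a pillar overrides, removes or adds relative to the defaults.

```python
"""Render the policy mapping a 'barbican:server:policy' pillar produces and
summarise the drift it introduces against the defaults.

Added illustration of the semantics the README describes, not the formula's
template.  DEFAULT_POLICY is a constructed subset, not the real policy.json."""

import json

# Constructed subset of default rules (placeholder, not the real policy.json)
DEFAULT_POLICY = {
    "admin": "role:admin",
    "creator": "role:creator",
    "audit": "role:audit",
    "all_users": "rule:admin or rule:observer or rule:creator or rule:audit",
    "quotas:get": "rule:all_users",
    "secrets:get": "rule:secret_non_private_read",
}

# The pillar fragment from the README; YAML gives 'quotas:get' the value None
PILLAR_POLICY = {"creator": "role:creator", "audit": "role:audit", "quotas:get": None}


def render_policy(defaults, pillar):
    """Apply the pillar overrides to the default rules and return the result."""
    policy = dict(defaults)
    for rule, value in pillar.items():
        if value is None or value == "":
            policy.pop(rule, None)   # key without value: drop the rule
        else:
            policy[rule] = value     # override an existing rule or add a new one
    return policy


def render_policy_json(defaults, pillar):
    """The policy.json text that would be written for this pillar."""
    return json.dumps(render_policy(defaults, pillar), indent=4, sort_keys=True)


def diff_policy(defaults, pillar):
    """Report what the pillar changes: overridden, removed and added rules."""
    rendered = render_policy(defaults, pillar)
    overridden = {r: (defaults[r], rendered[r]) for r in rendered
                  if r in defaults and rendered[r] != defaults[r]}
    removed = sorted(r for r in defaults if r not in rendered)
    added = {r: v for r, v in rendered.items() if r not in defaults}
    return {"overridden": overridden, "removed": removed, "added": added}


if __name__ == "__main__":
    print(render_policy_json(DEFAULT_POLICY, PILLAR_POLICY))
    print(diff_policy(DEFAULT_POLICY, PILLAR_POLICY))
```

For the README's pillar the diff reports no overrides (the `creator` and `audit` values equal the defaults), one removed rule (`quotas:get`) and nothing added; a removed rule is worth a second look, because Barbican falls back to its built-in default for a missing rule rather than denying the action.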
Configuring plugins
-------------------

Dogtag KRA

.. code-block:: yaml

    barbican:
      server:
        plugin:
          dogtag:
            pem_path: '/etc/barbican/kra_admin_cert.pem'
            dogtag_host: localhost
            dogtag_port: 8443
            nss_db_path: '/etc/barbican/alias'
            nss_db_path_ca: '/etc/barbican/alias-ca'
            nss_password: 'password123'
            simple_cmc_profile: 'caOtherCert'
            ca_expiration_time: 1
            plugin_working_dir: '/etc/barbican/dogtag'

There are a few sources (engines) from which the KRA admin cert can be defined.

Engine #1: define the KRA admin cert in pillar. To do so, define the following:

.. code-block:: yaml

    barbican:
      server:
        dogtag_admin_cert:
          engine: manual
          key: |
            ... key data ...

Engine #2: receive the DogTag cert from the Salt Mine. The DogTag formula
publishes the KRA cert through the `dogtag_admin_cert` mine function.

.. code-block:: yaml

    barbican:
      server:
        dogtag_admin_cert:
          engine: mine
          minion: ...name of minion which has installed DogTag..

Engine #3: no operations. When the additional steps needed to install the KRA
certificate are out of scope for the formula, the formula offers the 'noop'
engine, which performs no operations. If the 'noop' engine is defined, the
formula does nothing to install the KRA admin cert.

.. code-block:: yaml

    barbican:
      server:
        dogtag_admin_cert:
          engine: noop

KMIP HSM

.. code-block:: yaml

    barbican:
      server:
        plugin:
          kmip:
            username: 'admin'
            password: 'password'
            host: localhost
            port: 5696
            keyfile: '/path/to/certs/cert.key'
            certfile: '/path/to/certs/cert.crt'
            ca_certs: '/path/to/certs/LocalCA.crt'


PKCS11 HSM

.. code-block:: yaml

    barbican:
      server:
        plugin:
          p11_crypto:
            library_path: '/usr/lib/libCryptoki2_64.so'
            login: 'mypassword'
            mkek_label: 'an_mkek'
            mkek_length: 32
            hmac_label: 'my_hmac_label'

VAULT

.. code-block:: yaml

    barbican:
      server:
        plugin:
          vault:
            schema: http
            host: localhost
            port: 8200
            root_token_id: s.hpamtsbW5vcHFyc3R1dnd4eXo
            approle_role_id: role_id
            approle_secret_id: secret_id
            kv_mountpoint: secret

Vault supports a secure (TLS) connection. The following fields configure it.
You can either place the CA certificate file on the node or provide the
certificate content in the `cacert` field; in the latter case the
`ssl_ca_crt_file` field must also be defined.

.. code-block:: yaml

    barbican:
      server:
        plugin:
          vault:
            schema: https
            ssl_ca_crt_file: '/etc/barbican/ssl/vault/CA.crt'
            cacert: (certificate content)


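The Vault section above and the "Configuring TLS communications" section share one rule for the CA bundle a client connection trusts: use the file path (`cacert_file` for RabbitMQ and MySQL, `ssl_ca_crt_file` for Vault) when the file exists; otherwise, when a certificate body is supplied in `cacert`, write it to that path and use it, which is why the path is required whenever content is given; with neither, fall back to the system-wide CA store. The following is an added example of that rule, not the formula's state files: the function names, the system-store path and the PEM placeholder are assumptions.

```python
"""Resolve the CA bundle a Barbican client connection (RabbitMQ, MySQL or
Vault) should trust, following the rule described in the README.

Added example, not salt-formula-barbican code.  SYSTEM_CA_STORE is an assumed
Debian/Ubuntu path and SAMPLE_CACERT is a constructed placeholder."""

import os
import tempfile

SYSTEM_CA_STORE = "/etc/ssl/certs/ca-certificates.crt"  # assumed path

# Constructed placeholder, not a real certificate
SAMPLE_CACERT = (
    "-----BEGIN CERTIFICATE-----\n"
    "PLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDER\n"
    "-----END CERTIFICATE-----\n"
)


def resolve_ca_bundle(ca_file=None, cacert=None, system_store=SYSTEM_CA_STORE):
    """Return the path of the CA bundle to configure for the client."""
    if ca_file and os.path.isfile(ca_file):
        return ca_file                      # an existing file always wins
    if cacert:
        if not ca_file:
            # Content needs a path to live at (the Vault section makes this explicit)
            raise ValueError("cacert content given but no file path to write it to")
        body = cacert.strip()
        if not (body.startswith("-----BEGIN CERTIFICATE-----")
                and body.endswith("-----END CERTIFICATE-----")):
            raise ValueError("cacert is not PEM certificate content")
        directory = os.path.dirname(ca_file)
        if directory:
            os.makedirs(directory, exist_ok=True)
        # A CA bundle is public, so 0644 is fine; set the mode explicitly rather
        # than inheriting the caller's umask.
        fd = os.open(ca_file, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o644)
        with os.fdopen(fd, "w") as fh:
            fh.write(body + "\n")
        return ca_file
    return system_store


def vault_ca_bundle(vault_pillar):
    """Apply the rule to the 'plugin:vault' pillar keys."""
    return resolve_ca_bundle(vault_pillar.get("ssl_ca_crt_file"),
                             vault_pillar.get("cacert"))


def mq_ca_bundle(ssl_pillar):
    """Apply the rule to the 'message_queue:ssl' / 'database:ssl' pillar keys."""
    return resolve_ca_bundle(ssl_pillar.get("cacert_file"), ssl_pillar.get("cacert"))


def demo():
    """Exercise the rule in a scratch directory and report what happened."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "ssl", "vault", "CA.crt")
    written = vault_ca_bundle({"ssl_ca_crt_file": path, "cacert": SAMPLE_CACERT})
    with open(path) as fh:
        content = fh.read()
    # Second call: the file now exists, so a different body must not overwrite it
    other = "-----BEGIN CERTIFICATE-----\nOTHER\n-----END CERTIFICATE-----"
    reused = mq_ca_bundle({"cacert_file": path, "cacert": other})
    with open(path) as fh:
        content_after = fh.read()
    try:
        resolve_ca_bundle(None, SAMPLE_CACERT)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "written": written == path,
        "content_matches": content == SAMPLE_CACERT,
        "reused_existing": reused == path and content_after == SAMPLE_CACERT,
        "content_without_path_rejected": rejected,
        "system_fallback": resolve_ca_bundle(None, None),
    }


if __name__ == "__main__":
    print(demo())
```

Note the consequence of "an existing file always wins": changing the `cacert` body in pillar does not replace a bundle that is already on disk, so a CA rotation needs the old file removed (or a new path) to take effect.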
Software Only Crypto

`kek` is the key encryption key, created from 32 bytes encoded as Base64. You
should not use this in production.

.. code-block:: yaml

    barbican:
      server:
        plugin:
          simple_crypto:
            kek: 'YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY='


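The only stated requirement for `kek` is 32 bytes encoded as Base64, and the sample value shown throughout this README is a documentation placeholder that decodes to the printable string `abcdefghijklmnopqrstuvwxyz123456`. The following is an added check an operator can run over a pillar before it is deployed, plus a generator for a proper random value; it is not Barbican or formula code, and the function names are assumptions.

```python
"""Inspect a simple_crypto 'kek' value and generate a replacement.

Added example, not code from Barbican or salt-formula-barbican.  The README
states only that the kek is 32 bytes encoded as Base64; the extra checks
(documentation sample, printable text) are this example's own."""

import base64
import binascii
import os

README_SAMPLE_KEK = "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY="  # value from the README
KEK_BYTES = 32


def inspect_kek(kek):
    """Return (ok, reason) for a candidate kek string."""
    try:
        raw = base64.b64decode(kek, validate=True)
    except (binascii.Error, ValueError):
        return False, "not valid Base64"
    if kek == README_SAMPLE_KEK:
        return False, "this is the published documentation sample value"
    if len(raw) != KEK_BYTES:
        return False, "decodes to %d bytes, expected %d" % (len(raw), KEK_BYTES)
    # 32 random bytes are essentially never all printable ASCII; a value that is
    # was typed by a person rather than drawn from a CSPRNG.
    if all(32 <= b < 127 for b in raw):
        return False, "decodes to printable text, not random bytes"
    return True, "ok"


def generate_kek():
    """A fresh 32-byte key from the OS CSPRNG, Base64-encoded for the pillar."""
    return base64.b64encode(os.urandom(KEK_BYTES)).decode("ascii")


if __name__ == "__main__":
    print(inspect_kek(README_SAMPLE_KEK))
    new_kek = generate_kek()
    print(new_kek, inspect_kek(new_kek))
```

A generated value is 44 characters long (32 bytes, one `=` of padding). The kek protects every secret stored through the `simple_crypto` plugin, so it belongs in an encrypted pillar source rather than in plain text, and changing it after secrets exist makes those secrets undecryptable.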
Secret stores
-------------

.. code-block:: yaml

    barbican:
      server:
        plugin:
          simple_crypto:
            kek: "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY="
          p11_crypto:
            library_path: '/usr/lib/libCryptoki2_64.so'
            login: 'mypassword'
            mkek_label: 'an_mkek'
            mkek_length: 32
            hmac_label: 'my_hmac_label'
          kmip:
            username: 'admin'
            password: 'password'
            host: localhost
            port: 5696
            keyfile: '/path/to/certs/cert.key'
            certfile: '/path/to/certs/cert.crt'
            ca_certs: '/path/to/certs/LocalCA.crt'
          dogtag:
            pem_path: '/etc/barbican/kra_admin_cert.pem'
            dogtag_host: localhost
            dogtag_port: 8443
            nss_db_path: '/etc/barbican/alias'
            nss_db_path_ca: '/etc/barbican/alias-ca'
            nss_password: 'password123'
            simple_cmc_profile: 'caOtherCert'
            ca_expiration_time: 1
            plugin_working_dir: '/etc/barbican/dogtag'
          vault:
            schema: http
            host: localhost
            port: 8200
            root_token_id: s.hpamtsbW5vcHFyc3R1dnd4eXo
            approle_role_id: role_id
            approle_secret_id: secret_id
            kv_mountpoint: secret
        store:
          software:
            crypto_plugin: simple_crypto
            store_plugin: store_crypto
            global_default: True
          kmip:
            store_plugin: kmip_plugin
          dogtag:
            store_plugin: dogtag_crypto
          pkcs11:
            store_plugin: store_crypto
            crypto_plugin: p11_crypto

Creating resources in barbican
------------------------------

To create a secret in barbican with the payload taken from a file, the
following pillar can be used:

.. code-block:: yaml

    barbican:
      client:
        enabled: True
        resources:
          v1:
            enabled: true
            cloud_name: admin_identity
            secrets:
              TestSecret:
                type: certificate
                algorithm: RSA
                payload_content_type: application/octet-stream
                payload_content_encoding: base64
                payload_path: /tmp/test.crt
                encodeb64_payload: true
            acl:
              TestSecret:
                test_user:
                  enabled: True


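What the `secrets` entry above turns into is a Barbican v1 `POST /v1/secrets` request: the payload is read from `payload_path`, Base64-encoded when `encodeb64_payload` is true, and the type, algorithm and content fields are carried over; the `acl` entry becomes a `PUT /v1/secrets/{id}/acl` body granting read access. The following is an added example that builds those request bodies offline; it does not use the formula's client state or the barbicanclient library. The field names are those of the Barbican v1 API, the certificate bytes are a constructed placeholder, and the Keystone user ID is invented (the pillar lists a user name, and resolving it to an ID is out of scope here).

```python
"""Build the Barbican v1 request bodies the 'resources' pillar describes.

Added example, not salt-formula-barbican code and not barbicanclient.  The
body field names are those of the Barbican v1 secrets and ACL API;
SAMPLE_CERT and the user id in the usage are constructed placeholders."""

import base64

# Constructed stand-in for the contents of /tmp/test.crt (not a real certificate)
SAMPLE_CERT = b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"

# The secret definition from the README pillar, as the formula would receive it
TEST_SECRET = {
    "type": "certificate",
    "algorithm": "RSA",
    "payload_content_type": "application/octet-stream",
    "payload_content_encoding": "base64",
    "payload_path": "/tmp/test.crt",
    "encodeb64_payload": True,
}

VALID_SECRET_TYPES = {"symmetric", "public", "private", "passphrase",
                      "certificate", "opaque"}


def check_spec(spec):
    """Return a list of problems with a pillar secret definition."""
    problems = []
    if spec.get("type", "opaque") not in VALID_SECRET_TYPES:
        problems.append("unknown secret type %r" % (spec.get("type"),))
    content_type = spec.get("payload_content_type", "text/plain")
    encoding = spec.get("payload_content_encoding")
    # Barbican accepts binary payloads only as Base64 text
    if content_type == "application/octet-stream" and encoding != "base64":
        problems.append("application/octet-stream payloads must declare base64 encoding")
    if encoding == "base64" and not spec.get("encodeb64_payload"):
        problems.append("payload_path must already contain Base64 when encodeb64_payload is false")
    return problems


def build_secret_request(name, spec, payload_bytes):
    """Return the JSON-serialisable body for POST /v1/secrets."""
    problems = check_spec(spec)
    if problems:
        raise ValueError("; ".join(problems))
    if spec.get("encodeb64_payload"):
        payload = base64.b64encode(payload_bytes).decode("ascii")
    else:
        payload = payload_bytes.decode("utf-8")
    body = {
        "name": name,
        "secret_type": spec.get("type", "opaque"),
        "payload": payload,
        "payload_content_type": spec.get("payload_content_type", "text/plain"),
    }
    if spec.get("payload_content_encoding"):
        body["payload_content_encoding"] = spec["payload_content_encoding"]
    if spec.get("algorithm"):
        body["algorithm"] = spec["algorithm"]
    return body


def decode_payload(body):
    """Recover the raw bytes from a request body (what Barbican will store)."""
    if body.get("payload_content_encoding") == "base64":
        return base64.b64decode(body["payload"])
    return body["payload"].encode("utf-8")


def build_acl_request(user_ids, project_access=True):
    """Return the body for PUT /v1/secrets/{id}/acl granting read to user_ids.

    project_access=False restricts the secret to the listed users only.
    """
    return {"read": {"users": sorted(set(user_ids)), "project-access": project_access}}


if __name__ == "__main__":
    print(build_secret_request("TestSecret", TEST_SECRET, SAMPLE_CERT))
    # 'test_user' from the pillar, with a placeholder Keystone user id
    print(build_acl_request(["00000000000000000000000000000000"]))
```

Setting `project-access` to `false` in the ACL is what makes a secret private to the listed users; with the default `true`, every member of the project keeps read access in addition to them.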
Sign image with barbican
------------------------

To sign an image with a given image name, secret name and user credentials, the
following pillar can be used:


.. code-block:: yaml

    barbican:
      client:
        enabled: True
        signed_images:
          v1:
            enabled: true
            images:
              TestImage:
                secret_name: 'TestSecret'
                cert_key: /etc/test/certs/image.key
                name: test-image-name
                cloud_name: admin_identity



Enable x509 and ssl communication between Barbican and Galera cluster
----------------------------------------------------------------------

By default communication between Barbican and Galera is not secured.

.. code-block:: yaml

    barbican:
      server:
        database:
          x509:
            enabled: True

You can set custom certificates in pillar:

.. code-block:: yaml

    barbican:
      server:
        database:
          x509:
            cacert: (certificate content)
            cert: (certificate content)
            key: (private key content)

You can read more about it here:
https://docs.openstack.org/security-guide/databases/database-access-control.html

Barbican server with memcached caching and security strategy:

.. code-block:: yaml

    barbican:
      server:
        enabled: true
        ...
        cache:
          engine: memcached
          members:
          - host: 127.0.0.1
            port: 11211
          - host: 127.0.0.1
            port: 11211
          security:
            enabled: true
            strategy: ENCRYPT
            secret_key: secret

Change default options using configmap template settings
========================================================

.. code-block:: yaml

    barbican:
      server:
        configmap:
          DEFAULT:
            max_allowed_secret_in_bytes: 10000
            max_allowed_request_size_in_bytes: 1000000
            sql_pool_max_overflow: 10
            default_limit_paging: 10
            max_limit_paging: 100
          quotas:
            quota_secrets: -1
            quota_orders: -1
            quota_containers: -1
            quota_consumers: -1
            quota_cas: -1

Read more
=========

* https://docs.openstack.org/barbican/latest/