From 8f92d6f5085428d200bd5b6b6adf00c25075fb2b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Douglas=20Mendiz=C3=A1bal?=
Date: Fri, 16 Feb 2024 10:59:11 -0500
Subject: [PATCH] Update devstack plugin for Secure RBAC

This patch refactors the devstack plugin to separate the legacy (now deprecated) RBAC settings from the Secure RBAC (new default) settings. The legacy policies can still be deployed by setting ENFORCE_SCOPE=False.

Change-Id: Idec818e43016402de0188cf5ade032a1aee638ff
---
 .zuul.yaml | 8 +++
 devstack/lib/barbican | 124 ++++++++++++++++++++++++------------------
 devstack/lib/tempest | 16 ++++++
 devstack/plugin.sh | 44 ++++----------
 devstack/settings | 3 +
 5 files changed, 108 insertions(+), 87 deletions(-)
 create mode 100644 devstack/lib/tempest

diff --git a/.zuul.yaml b/.zuul.yaml
index 8e91e4fb1..3f17e3bc3 100644
--- a/.zuul.yaml
+++ b/.zuul.yaml
@@ -113,6 +113,13 @@
 tempest_test_regex: '\[.*\bsmoke\b.*\]|^(barbican_tempest_plugin.tests)'
 tox_envlist: all
 
+- job:
+ name: octavia-v2-dsvm-tls-barbican-secure-rbac
+ parent: octavia-v2-dsvm-tls-barbican
+ vars:
+ devstack_localrc:
+ ENFORCE_SCOPE: True
+
 - project:
 queue: barbican
 templates:
@@ -134,6 +141,7 @@
 - barbican-tox-functional-fips:
 voting: false
 - octavia-v2-dsvm-tls-barbican
+ - octavia-v2-dsvm-tls-barbican-secure-rbac
 - barbican-tox-py310-with-sqlalchemy-2x
 gate:
 jobs:
diff --git a/devstack/lib/barbican b/devstack/lib/barbican
index fba9ecc40..2685ef114 100644
--- a/devstack/lib/barbican
+++ b/devstack/lib/barbican
@@ -1,6 +1,7 @@
 #!/usr/bin/env bash
 
-# Install and start **Barbican** service
+# lib/barbican
+# Functions to control the configuration and operation of **Barbican**
 
 # To enable a minimal set of Barbican features, add the following to localrc:
 # enable_service barbican-svc barbican-retry barbican-keystone-listener
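Review bot: The new octavia-v2-dsvm-tls-barbican-secure-rbac job sets `ENFORCE_SCOPE: True`, which is already the default that devstack/settings derives in this same patch with `trueorfalse True ENFORCE_SCOPE`, so unless the parent octavia-v2-dsvm-tls-barbican job pins ENFORCE_SCOPE to False somewhere outside this diff the two jobs exercise identical policy configuration. Either confirm the parent carries the legacy setting, or invert the pair so the child is the one setting `ENFORCE_SCOPE: False` and is named for the deprecated policies. A comment under the job such as `# parent job is expected to run the deprecated legacy policies (ENFORCE_SCOPE: False)` would record the intent either way.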
@@ -87,6 +88,21 @@ function configure_barbicanclient {
 setup_dev_lib "python-barbicanclient"
 }
 
+# Set the correct config options in Nova, Cinder and Glance
+function configure_core_services {
+ if is_service_enabled n-cpu; then
+ iniset $NOVA_CONF key_manager backend 'barbican'
+ fi
+
+ if is_service_enabled c-vol; then
+ iniset $CINDER_CONF key_manager backend 'barbican'
+ fi
+
+ if is_service_enabled g-api; then
+ iniset $GLANCE_API_CONF key_manager backend 'barbican'
+ fi
+}
+
 # configure_dogtag_plugin - Change config to use dogtag plugin
 function configure_dogtag_plugin {
 sudo openssl pkcs12 -in /root/.dogtag/pki-tomcat/ca_admin_cert.p12 -passin pass:PASSWORD -out $BARBICAN_CONF_DIR/kra_admin_cert.pem -nodes
@@ -169,6 +185,10 @@ function configure_barbican {
 # Enable the keystone listener
 iniset $BARBICAN_CONF keystone_notifications enable True
 iniset $BARBICAN_CONF keystone_notifications control_exchange 'keystone'
+
+ # Set the Secure RBAC options
+ iniset $BARBICAN_CONF oslo_policy enforce_scope $BARBICAN_ENFORCE_SCOPE
+ iniset $BARBICAN_CONF oslo_policy enforce_new_defaults $BARBICAN_ENFORCE_SCOPE
 }
 
 # init_barbican - Initialize etc.
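Review bot: In the second hunk, both `oslo_policy enforce_scope` and `oslo_policy enforce_new_defaults` are driven from the single BARBICAN_ENFORCE_SCOPE variable, so this plugin offers no way to deploy the new policy defaults without scope enforcement (or the reverse), even though oslo.policy treats the two as independent options. If that coupling is intentional the comment should say so rather than only naming the feature, e.g. `# Secure RBAC: enforce_scope and enforce_new_defaults are deliberately toggled together by ENFORCE_SCOPE`. The enclosing function configure_barbican starts outside the hunk.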
@@ -234,17 +254,52 @@ function get_id {
 echo `"$@" | awk '/ id / { print $4 }'`
 }
 
+# create_barbican_accounts() - Sets up required keystone accounts
 function create_barbican_accounts {
- #
- # Setup Default Admin User
- #
- SERVICE_PROJECT=$(openstack project list | awk "/ $SERVICE_PROJECT_NAME / { print \$2 }")
- ADMIN_ROLE=$(openstack role list | awk "/ admin / { print \$2 }")
+ # create barbican service user
+ # the "admin" role is created by the keystone bootstrap process so we
+ # just reference it here.
+ local admin_role="admin"
+ create_service_user barbican $admin_role
+}
 
- create_service_user barbican $ADMIN_ROLE
- #
- # Setup Default service-admin User
- #
+# create_barbican_endpoints() - Sets up keystone endpoints for the barbican
+# service.
+function create_barbican_endpoints {
+ BARBICAN_SERVICE=$(get_or_create_service \
+ "barbican" \
+ "key-manager" \
+ "Barbican Key Manager Service")
+ # create all 3 endpoints (public, admin, internal)
+ get_or_create_endpoint \
+ "$BARBICAN_SERVICE" \
+ "RegionOne" \
+ "$SERVICE_PROTOCOL://$SERVICE_HOST/key-manager" \
+ "$SERVICE_PROTOCOL://$SERVICE_HOST/key-manager" \
+ "$SERVICE_PROTOCOL://$SERVICE_HOST/key-manager"
+}
+
+# create_deprecated_rbac_accounts() - Sets up rbac accounts for the deprecated
+# legacy policies. Required wieh BARBICAN_ENABLE_SCOPE=False.
The following
+# accounts will be created:
+#
+# +---------------------+---------------------------+-----------+
+# | user | role | project |
+# +---------------------+---------------------------+-----------+
+# | service-admin | key-manager:service-admin | service |
+# | project_a_admin | admin | project_a |
+# | project_a_creator | creator | project_a |
+# | project_a_creator_2 | creator | project_a |
+# | project_a_observer | observer | project_a |
+# | project_a_auditor | audit | project_a |
+# | project_b_admin | admin | project_b |
+# | project_b_creator | creator | project_b |
+# | project_b_observer | observer | project_b |
+# | project_b_auditor | audit | project_b |
+# +---------------------+---------------------------+-----------+
+#
+function create_deprecated_rbac_accounts {
+ # Set up the system-admin
 SERVICE_ADMIN=$(get_or_create_user \
 "service-admin" \
 "$SERVICE_PASSWORD" \
@@ -254,10 +309,9 @@ function create_barbican_accounts {
 get_or_add_user_project_role \
 "$SERVICE_ADMIN_ROLE" \
 "$SERVICE_ADMIN" \
- "$SERVICE_PROJECT"
- #
- # Setup RBAC User Projects and Roles
- #
+ "$SERVICE_PROJECT_NAME"
+
+ # Set up legacy RBAC User Projects and Roles
 PASSWORD="barbican"
 PROJECT_A_ID=$(get_or_create_project "project_a" "default")
 PROJECT_B_ID=$(get_or_create_project "project_b" "default")
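Review bot: The header comment of create_deprecated_rbac_accounts names a variable that this patch never defines — `BARBICAN_ENABLE_SCOPE=False` — while plugin.sh and devstack/settings use BARBICAN_ENFORCE_SCOPE, and `wieh` is a typo; the line should read `# legacy policies. Required with BARBICAN_ENFORCE_SCOPE=False. The following`. In create_barbican_endpoints, `BARBICAN_SERVICE` is assigned as a shell global, whereas `local BARBICAN_SERVICE` would match the `local admin_role` style introduced in create_barbican_accounts directly above it. The table row for service-admin lists project `service` while the code passes `$SERVICE_PROJECT_NAME`, which is defined outside this diff; worth confirming they agree. create_deprecated_rbac_accounts continues past the end of this hunk.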
@@ -265,100 +319,62 @@ function create_barbican_accounts {
 ROLE_CREATOR_ID=$(get_or_create_role "creator")
 ROLE_OBSERVER_ID=$(get_or_create_role "observer")
 ROLE_AUDIT_ID=$(get_or_create_role "audit")
- #
- # Setup RBAC Admin of Project A
- #
+
 USER_ID=$(get_or_create_user \
 "project_a_admin" \
 "$PASSWORD" \
 "default" \
 "admin_a@example.net")
 get_or_add_user_project_role "$ROLE_ADMIN_ID" "$USER_ID" "$PROJECT_A_ID"
- #
- # Setup RBAC Creator of Project A
- #
 USER_ID=$(get_or_create_user \
 "project_a_creator" \
 "$PASSWORD" \
 "default" \
 "creator_a@example.net")
 get_or_add_user_project_role "$ROLE_CREATOR_ID" "$USER_ID" "$PROJECT_A_ID"
- # Adding second creator user in project_a
 USER_ID=$(get_or_create_user \
 "project_a_creator_2" \
 "$PASSWORD" \
 "default" \
 "creator2_a@example.net")
 get_or_add_user_project_role "$ROLE_CREATOR_ID" "$USER_ID" "$PROJECT_A_ID"
- #
- # Setup RBAC Observer of Project A
- #
 USER_ID=$(get_or_create_user \
 "project_a_observer" \
 "$PASSWORD" \
 "default" \
 "observer_a@example.net")
 get_or_add_user_project_role "$ROLE_OBSERVER_ID" "$USER_ID" "$PROJECT_A_ID"
- #
- # Setup RBAC Auditor of Project A
- #
 USER_ID=$(get_or_create_user \
 "project_a_auditor" \
 "$PASSWORD" \
 "default" \
 "auditor_a@example.net")
 get_or_add_user_project_role "$ROLE_AUDIT_ID" "$USER_ID" "$PROJECT_A_ID"
- #
- # Setup RBAC Admin of Project B
- #
+
 USER_ID=$(get_or_create_user \
 "project_b_admin" \
 "$PASSWORD" \
 "default" \
 "admin_b@example.net")
 get_or_add_user_project_role "$ROLE_ADMIN_ID" "$USER_ID" "$PROJECT_B_ID"
- #
- # Setup RBAC Creator of Project B
- #
 USER_ID=$(get_or_create_user \
 "project_b_creator" \
 "$PASSWORD" \
 "default" \
 "creator_b@example.net")
 get_or_add_user_project_role "$ROLE_CREATOR_ID" "$USER_ID" "$PROJECT_B_ID"
- #
- # Setup RBAC Observer of Project B
- #
 USER_ID=$(get_or_create_user \
 "project_b_observer" \
 "$PASSWORD" \
 "default" \
 "observer_b@example.net")
 get_or_add_user_project_role "$ROLE_OBSERVER_ID" "$USER_ID" "$PROJECT_B_ID"
- #
- # Setup
RBAC auditor of Project B
- #
 USER_ID=$(get_or_create_user \
 "project_b_auditor" \
 "$PASSWORD" \
 "default" \
 "auditor_b@example.net")
 get_or_add_user_project_role "$ROLE_AUDIT_ID" "$USER_ID" "$PROJECT_B_ID"
- #
- # Setup Barbican Endpoint
- #
- BARBICAN_SERVICE=$(get_or_create_service \
- "barbican" \
- "key-manager" \
- "Barbican Service")
- # This creates all 3 endpoints (public, admin, internal)
- get_or_create_endpoint \
- "$BARBICAN_SERVICE" \
- "RegionOne" \
- "$SERVICE_PROTOCOL://$SERVICE_HOST/key-manager" \
- "$SERVICE_PROTOCOL://$SERVICE_HOST/key-manager" \
- "$SERVICE_PROTOCOL://$SERVICE_HOST/key-manager"
-
 }
 
 # PyKMIP functions
diff --git a/devstack/lib/tempest b/devstack/lib/tempest
new file mode 100644
index 000000000..32cc5248b
--- /dev/null
+++ b/devstack/lib/tempest
@@ -0,0 +1,16 @@
+function configure_barbican_tempest() {
+
+ iniset $TEMPEST_CONFIG service_available barbican True
+ iniset $TEMPEST_CONFIG enforce_scope barbican $BARBICAN_ENFORCE_SCOPE
+
+ if [[ "$BARBICAN_ENFORCE_SCOPE" == "False" ]]; then
+ # NOTE: legacy policies require the "creator" role
+ roles="$(iniget $TEMPEST_CONFIG auth tempest_roles)"
+ if [[ -z $roles ]]; then
+ roles="creator"
+ else
+ roles="$roles,creator"
+ fi
+ iniset $TEMPEST_CONFIG auth tempest_roles $roles
+ fi
+}
diff --git a/devstack/plugin.sh b/devstack/plugin.sh
index d49afab4b..19876c178 100644
--- a/devstack/plugin.sh
+++ b/devstack/plugin.sh
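Review bot: In the new devstack/lib/tempest, `roles` is assigned in configure_barbican_tempest without `local`, so it leaks into the shell that sources the file (plugin.sh sources it during test-config); `local roles` on the first assignment fixes that. The `== "False"` string comparison only works because devstack/settings normalizes the value through `trueorfalse`, which is worth a comment next to the test, e.g. `# BARBICAN_ENFORCE_SCOPE is normalized to True/False by trueorfalse in devstack/settings`. The same `== "False"` dependency appears in the plugin.sh hunk that calls create_deprecated_rbac_accounts.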
@@ -1,23 +1,11 @@
-# Configure the needed tempest options
-function configure_barbican_tempest() {
- iniset $TEMPEST_CONFIG service_available barbican True
- roles="$(iniget $TEMPEST_CONFIG auth tempest_roles)"
- if [[ -z $roles ]]; then
- roles="creator"
- else
- roles="$roles,creator"
- fi
- iniset $TEMPEST_CONFIG auth tempest_roles $roles
- iniset $TEMPEST_CONFIG service_available barbican True
-}
+# For more information on Devstack plugins, including a more detailed
+# explanation on when the different steps are executed please see:
+# https://docs.openstack.org/devstack/latest/plugins.html
+
+BARBICAN_PLUGIN=$DEST/barbican/devstack
+source $BARBICAN_PLUGIN/lib/barbican
 
-# check for service enabled
 if is_service_enabled barbican; then
- if [[ "$1" == "source" || "`type -t install_barbican`" != 'function' ]]; then
- # Initial source
- source $BARBICAN_DIR/devstack/lib/barbican
- fi
-
 if [[ "$1" == "stack" && "$2" == "install" ]]; then
 echo_summary "Installing Barbican"
 stack_install_service barbican
@@ -55,6 +43,10 @@ if is_service_enabled barbican; then
 
 if is_service_enabled key; then
 create_barbican_accounts
+ create_barbican_endpoints
+ if [[ "$BARBICAN_ENFORCE_SCOPE" == "False" ]]; then
+ create_deprecated_rbac_accounts
+ fi
 fi
 elif [[ "$1" == "stack" && "$2" == "extra" ]]; then
 echo_summary "Initializing Barbican"
@@ -67,6 +59,7 @@ if is_service_enabled barbican; then
 elif [[ "$1" == "stack" && "$2" == "test-config" ]]; then
 if is_service_enabled tempest; then
 echo_summary "Configuring Tempest options for Barbican"
+ source $BARBICAN_PLUGIN/lib/tempest
 configure_barbican_tempest
 fi
 fi
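Review bot: `BARBICAN_PLUGIN=$DEST/barbican/devstack` hard-codes the checkout location, whereas the line it replaces sourced `$BARBICAN_DIR/devstack/lib/barbican`; if BARBICAN_DIR is still defined in devstack/settings (not visible in this diff) and can be overridden, the two paths will diverge silently. Prefer `BARBICAN_PLUGIN=$BARBICAN_DIR/devstack` so the plugin directory has a single source of truth, or drop BARBICAN_DIR if it is no longer used. Making the `source` unconditional on every plugin.sh invocation matches the devstack plugin pattern the new comment links to, so that part of the change stands on its own.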
@@ -79,18 +72,3 @@ if is_service_enabled barbican; then
 cleanup_barbican
 fi
 fi
-
-# Set the correct config options in Nova, Cinder and Glance
-function configure_core_services {
- if is_service_enabled n-cpu; then
- iniset $NOVA_CONF key_manager backend 'barbican'
- fi
-
- if is_service_enabled c-vol; then
- iniset $CINDER_CONF key_manager backend 'barbican'
- fi
-
- if is_service_enabled g-api; then
- iniset $GLANCE_API_CONF key_manager backend 'barbican'
- fi
-}
diff --git a/devstack/settings b/devstack/settings
index fb23c47eb..4b2be521c 100644
--- a/devstack/settings
+++ b/devstack/settings
@@ -41,4 +41,7 @@ GITREPO["barbican-tempest-plugin"]=${BARBICANTEMPEST_REPO:-${GIT_BASE}/openstack
 GITBRANCH["barbican-tempest-plugin"]=${BARBICANTEMPEST_BRANCH:-master}
 GITDIR["barbican-tempest-plugin"]=$DEST/barbican-tempest-plugin
 
+# Secure RBAC
+BARBICAN_ENFORCE_SCOPE=$(trueorfalse True ENFORCE_SCOPE)
+
 enable_service barbican
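Review bot: The `# Secure RBAC` comment above BARBICAN_ENFORCE_SCOPE in devstack/settings does not say what the knob controls, although within this patch it drives three things: both oslo_policy options set in configure_barbican, whether plugin.sh calls create_deprecated_rbac_accounts, and whether the tempest `creator` role is injected. Since devstack/settings is the file operators read when writing local.conf, the comment should spell that out, e.g. `# Secure RBAC. ENFORCE_SCOPE (default True) sets oslo_policy enforce_scope and enforce_new_defaults; ENFORCE_SCOPE=False deploys the deprecated legacy policies plus their RBAC test accounts and tempest roles.`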