Barbican has historically been using its own implementation with sqlalchemy
to connect to the database, but this causes some feature gaps with the other
services using oslo.db to generate the database engine.
This replaces its own implementation with oslo.db's one so that barbican
can also leverage the features implemented in the shared library.
With this change the deprecated database options are removed, because
the deprecated options were already removed from oslo.db.
Change-Id: I10fe4ab04996885e8aff7fab8ace78a6fe7eb6e7
This patch refactors the devstack plugin to separate the legacy (now
deprecated) RBAC settings from the Secure RBAC (new default) settings.
The legacy policies can still be deployed by setting
ENFORCE_SCOPE=False.
Change-Id: Idec818e43016402de0188cf5ade032a1aee638ff
Since we removed certificate order, we no longer have to maintain
this logic.
This also removes the release note for deprecation of symantec
certificate plugin, which was added during this cycle, because
the plugin is also being removed by this change.
Change-Id: I8e901024677e889d05ad8653389fb46487bc7745
This patch updates the installation doc for the devstack plugin. It
also removes the Vagrant option as it has not been maintained in quite
some time.
Change-Id: I97fc2fac0cb29b1059b668bbe817a2778a8a4a70
Make devstack's create_barbican_accounts function idempotent by
using get_or_create_XXX functions to configure resources (users,
roles, endpoints, etc.).
This avoids problems in situations such as [1], where the cinder service
needs the "creator" role. Cinder ends up creating the role first,
which would cause create_barbican_accounts to subsequently fail if
barbican assumes that it will create the role.
[1] Ia3f414c4b9b0829f60841a6dd63c97a893fdde4d
Change-Id: I216f78e8a300ab3f79bbcbb38110adf2bbec2196
The configure_auth_token_middleware function has been deprecated for some time,
see [0], replace it with configure_keystone_authtoken_middleware.
There no longer is a need for an AUTH_CACHE_DIR since keystone removed PKI
support.
[0] Id0dec1ba72467cce5cacfcfdb2bc0af2bd3a3610
Change-Id: I1507cb04e812cd94c77828fe53c22200aed045b4
This patch updates the gate jobs to stop using legacy
jobs and use the new Zuul v3 jobs instead.
The tempest tests will be re-enabled in a future patch.
Depends-On: I5d2bda5e653ee5d7c17cb7697247802916bdc5f7
Change-Id: Id91f44e8053cf4f40224959021d43736d5525107
- Clean up vault related things before starting new screen session
- Add the clean up functions in the cleanup stage
Change-Id: I6e291a975755491927a971b7c3bf97e5dabafa05
- follow the standard installation pattern for barbicanclient:
only clones if it is installed from source. This way it is
possible to install and test barbicanclient from pip
by default, additional jobs can simply add it
to required-projects;
- define the repository metadata using the GIT* arrays.
They are also defined by stackrc, but they should be probably
removed from there;
- remove the useless call of configure_barbicanclient (the same
steps are already performed by install_barbicanclient).
Going forward, configure_barbicanclient can be removed.
Change-Id: Iea1cd3f82c3b38f03f91b0191846e1ddbbfb1d6c
The dogtag pki python module has been moved to Python 3 in
Fedora 29. This patch also fixes a few Python 3
compatibility issues in the DogTag backend plugin.
Unfortunately, there is a bug in the dogtag pki module
that must be fixed before the gate will pass. [1]
This patch temporarily makes the DogTag gate non-voting
to unblock the gate while we wait for a fix from the
DogTag maintainers.
[1] https://pagure.io/dogtagpki/issue/3108
Depends-on: https://review.opendev.org/#/c/662529/
Change-Id: Iaa7a535c410c726fa8e7346c2ef775fbaf58eb61
Tempest's service_available config option includes all the service
availability, which is further used by tests to decide whether to skip
or run the test.
For example, if [service_available].barbican is true, then barbican tests will run,
or if [service_available].barbican is false, then all barbican related tests either
in barbican tempest plugin or any other plugins[1] will be skipped.
So it is important that when barbican is installed via devstack plugin,
it sets the service_available.barbican value to True in tempest conf.
This commit adds the setting of barbican service[2] on barbican devstack plugin.
Related-Bug: #1743688
Related-Bug: #1817154
[1] 0a0f9b342a/octavia_tempest_plugin/tests/barbican_scenario/v2/test_tls_barbican.py (L53)
[2] 123dd7d416/barbican_tempest_plugin/config.py (L18)
Change-Id: I7fd60d48802cc5e9071c39eaeb83351bec36cc41
Work with 389-ds-base-1.4.0.20. Following
https://pagure.io/389-ds-base/c/4fd73c5 `dscreate fromfile`
got renamed to `dscreate from-file`.
Save dogtag server files for future debug.
Removed pip install of dogtag-pki which installed old Dogtag client code.
Temporarily skipping paging tests and making grenade non-voting.
Change-Id: I4bbc3d39c8d4a3591374e5c4a733a987f001a896
Currently the devstack plugin sets creator role for tempest user, but it may
conflict with other roles already set to that configuration key. This patch
adds the creator role to the list of roles instead of replacing its value.
Change-Id: I8bdfc31bb2baeabe1d599ea6e9be3c473531f8b6
The Dogtag gate is broken because the directory server install
commands have changed. Fix gate script to use the newer commands.
Change-Id: I546c324ddfb9d156f38a963d6d47b9562e1caed6
I met with the following error when I was installing the latest version
of devstack for Barbican:
+++ /opt/stack/barbican/devstack/lib/barbican:configure_vault_plugin:613 : cat vault_root_token_id
cat: vault_root_token_id: No such file or directory
Change-Id: Iaf81c6bf8ac42048b138360151f7df8fe70bc0cd
This bumps testing on fedora to 28, it also allows openstack-infra in
the future to make changes to fedora much easier.
Also, Dogtag now pulls in python3-requests, so no need to remove the
pip installed python2-requests, which is needed by keystone-manage.
Change-Id: I7635f039848f8c3ab052f339344bb1cb8ea4aecd
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
The following related tests in 'barbican-vault-devstack-functional' jenkins
job should pass with this patch:
test_secret_get_nones_payload_with_a_octet_stream
test_secret_create_defaults_valid_types_and_encoding
test_secret_create_with_secret_type
This patch also enables kv version 1 in Vault, otherwise the Vault API
interaction in castellan will fail.
Change-Id: Id3b2503b2adb4f1f5eff55bb22f41d904232c284
Story: 2002976
Task: 22984
Update the vault to latest release (0.10.3).
I can volunteer to be the vault plugin maintainer.
my IRC name: lxkong
my email address: anlin.kong@gmail.com
Change-Id: Iff05d55545da258c40bf101279510d37b6996d45
In the Vagrantfile, it is still using trusty64. It is
too old and it should be updated to Ubuntu 16.04.
Change-Id: I83477eeb40db5c9da2e9ab9cdfb9b31a176800e9
Barbican keystone listener needs to have its db initialized.
Also adding barbican-keystone-listener to run in devstack.
Functional tests will be added in a subsequent commit.
Change-Id: Ie80a2e67a4ed4e62326b716b4925b7d4aa39eb77
Closed-Bug: 1750333
TEMPEST_SERVICES global variable is not supported
by devstack since long back.
- I380dd20e5ed716a0bdf92aa02c3730359b8136e4
- I9c24705e494689f09a885eb0a640efd50db33fcf
Service availability of tempest known services will be
set by devstack with local check.
- I02be777bf93143d946ccbb8e9eff637bfd1928d4
This commit removes the TEMPEST_SERVICES setting.
Change-Id: I381dbd1c2887189333463eb75363937c7509613c
Related-Bug: #1743688
This patch set is to update the command to
start the barbican-svc service after upgrade.
Co-Authored-By: Nam Nguyen Hoai <namnh@vn.fujitsu.com>
Change-Id: I237ef2df09b9fd60bc8b6eeca9ee36ce79052530
Delete policy.json from repo since we can use policies registered
in code.
We can also change default policy rules through below steps:
- generate policy.yaml and copy to /etc/barbican
- configure `policy_file=policy.yaml` in `oslo_policy` section
- uncomment rules in policy.yaml and make changes as we desire
- restart barbican api service
- test whether new rules take effect on corresponding API
Change-Id: Ia64eac1eb4e30457b323c6ab99d26d3d40c28060
This is a mostly complete solution. Ideally we could use the stevedore
entry point name 'barbican' instead of the full class name for cinder, but
I87926d6c95ac82b6f74c263c7441614f80348c1e needs to merge first.
Change-Id: I32ed528f585e790bc771473504ab7e4bfeb63de9
In Barbican stable branches, we run a gate job on Fedora 26.
devstack needs FORCE=yes flag to run on f26 for Pike and
earlier releases.
Change-Id: I9de812991c4476af4010cd6ecebb8e3c912abf52
Castellan unintentionally can't handle a barbican URL that has a path in
addition to the hostname, such as http://ip-address/key-manager, unless
it is followed by a forward slash (http://ip-address/key-manager/ ). We
should either revert this change before rc1 or merge
https://review.openstack.org/#/c/491942/, make a new release of
Castellan, and beg for a change in upper-constraints for castellan to
handle the new release.
This reverts commit 508a34e23c05013a7ba1f33120c78e0da5cc8f28.
Change-Id: Iceb3a5fa890d64468cd6e7f5dec297d11a274d20
This commit switches barbican to use the devstack common functions for
deploying a wsgi app under uwsgi and apache. This will make the barbican
deployment consistent with the other services.
Change-Id: I8429e9a8f0db98c5f5a345190be71cae862af845
This patch updates some points so that they use the
openstack command instead of the barbican command.
Change-Id: I164f57eae4cc5df18bfe5a95465a617870924759
Closes-Bug: #1697333
DevStack Ocata version and master use different default images
(Ocata:uec and master:qcow2), this will lead to tempest encrypt test
failure in grenade gate.
This patch hard-codes default images in base version and will be
removed if devstack master and ocata patches are proposed.
Change-Id: I997c759fc026366fe48de9ac7e8c58941622c9cd
Co-Authored-By: Nam Nguyen Hoai <namnh@vn.fujitsu.com>