Resolves warnings like the following:
UserWarning: Usage of dash-separated 'description-file' will not be
supported in future versions. Please use the underscore name
'description_file' instead
Change-Id: I5f4746bc4d40b76c562c39c2254f3b8381b4b52f

As per the community goal of migrating the policy file
format from JSON to YAML [1], we need to do two things:
1. Change the default value of '[oslo_policy] policy_file'
config option from 'policy.json' to 'policy.yaml' with
upgrade checks.
2. Deprecate the JSON formatted policy file on the project side
via warning in doc and releasenotes.
Also replace policy.json with policy.yaml references in doc and tests.
[1] https://governance.openstack.org/tc/goals/selected/wallaby/migrate-policy-format-from-json-to-yaml.html
Change-Id: Idaa65dac1c97324d671b9a07a2f3d51bb128e8c2

This repo is now testing only with Python 3, so let's make
a few cleanups:
- Remove python 2.7 stanza from setup.py
- Add requires on python >= 3.6 to setup.cfg so that pypi and pip
know about the requirement
- Remove obsolete sections from setup.cfg
- Update classifiers
- Use newer openstackdocstheme and Sphinx versions
- Cleanup */source/conf.py to remove now obsolete content.
- Remove Babel from requirements, it's not needed for running.
- Sync docs deps in tox.ini
Change-Id: Ie1fccdc777be978075e4689eda6c62578bd463e4

This repo uses RST files everywhere, let's be consistent and write the
README using RST as well.
This also fixes a PyPI upload issue where PyPI expects RST and cannot
handle markdown (unless we tell it is markdown). The alternative
solution is https://review.opendev.org/668502.
Change-Id: If9b22f6fea2f16350ba0997d02c6aba33fafcc7d

This adds basic framework for barbican-status upgrade
check commands. For now it has only "check_placeholder"
check implemented.
Real checks can be added to this tool in the future.
Change-Id: I40bfcc0c8755e814c1b63fdf323c32fda967968e
Story: 2003657
Task: 26120

This will provide a Castellan based secret store, which will
allow secret stores which have a castellan backend to be used
behind barbican. The initial example of this is the Vault
backend.
Unit tests have been added. In local tests,
most of the functional tests do in fact pass with a local Vault
backend, though this will need to be demonstrated with a later
review which establishes a Vault based gate.
Change-Id: Ib30fb79304014592bfc37938839d60a4c10c244d

Delete policy.json from repo since we can use policies registered
in code.
We can also change default policy rules through below steps:
- generate policy.yaml and copy to /etc/barbican
- configure `policy_file=policy.yaml` in `oslo_policy` section
- uncomment rules in policy.yaml and make changes as we desire
- restart barbican api service
- test whether new rules take effect on corresponding API
Change-Id: Ia64eac1eb4e30457b323c6ab99d26d3d40c28060

In order to make it simpler to use the default
configuration files when deploying services
from source, the files are added to pbr's
data_files section so that the files are
included in the built wheels and therefore
deployed with the code. Packaging and deployment
tools can then more easily use the default files
if they wish to.
This pattern is already established with similar
files for neutron and the glance metadefs as has
been mentioned in the related bug report.
Change-Id: Iacb17585a3235e95faa109ff11f1b039429ff770
Closes-Bug: #1718356

This commit makes the barbican wsgi script consistent with other
services by leveraging the pbr wsgi_scripts entrypoint to expose it.
While you could still leverage the bundled app.wsgi, the entrypoint makes
barbican's behavior the same as other services. As part of this the
app.wsgi script is deprecated and will be removed in the future.
Change-Id: Id42f76dbfd59209232b37096a708ee18cbf96431

dogtag configurations have been moved to "plugin/dogtag_config_opts.py",
also remove non-existent entry point when generating barbican.conf
Closes-bug: #1704320
Change-Id: I9dd202d82797cb70051323fe949cc66f8a050022

This patch adds the basic framework for registering and using
default policy rules. Rules should be defined and returned from
a module in barbican/common/policies/, and then added to the
list in barbican/common/policies/__init__.py.
Also adds tox env to generate policy sample file.
Change-Id: If25b17ae7eed3f1a8e8e6f29701552a39d5a603f

Currently etc/barbican/barbican.conf is maintained by hand and can not
be regenerated based on the config settings defined in the code.
A common pattern for OpenStack projects is to use oslo-config-generator
for that task.
Co-Authored-By: Randall Burt <randall.burt@rackspace.com>
Depends-On: I90870dcb49cd96f6bf0fe353fa6e779ffd87a5af
Closes-Bug: #1584789
Change-Id: I5f3dcd2fc982f1178ef7dd662c24d3166f91b266

The gating on python 3.4 is restricted to <= Mitaka. This is due to
the change from Ubuntu Trusty to Xenial, where only python3.5 is
available. There is no need to continue to keep these settings.
Change-Id: I4373f5ee1a7addfe981818ef059c73a57594d624

dogtag imports pki so mention it as requirement. python-nss
is needed by dogtag-pki.
Also add a bindep.txt file which is used by bindep to install system
packages.
To install python-nss via pip, header files from nss-devel and
mozilla-nss-devel are needed.
Change-Id: Ia3276ad4be56d40fddbf458f215ab93e44ed6907
Depends-On: Ibedae54e631e9c3d3726453adcd204ce96b19d77
Closes-Bug: #1604417

Set "summary" equal to "OpenStack Secure Key Management".
This value is consumed by various bots and services.
Change-Id: I6d90c66b2eed408d182e2244f9415de4302d5c62

Now that there is a passing gate job, we can claim support for
Python 3.5 in the classifier. This patch also adds the convenience
py35 venv.
Review that added the gate jobs:
https://review.openstack.org/#/c/336272/
Change-Id: I97ef7eef2d6adaec6bd1cd978b7e357c8560eba0

Moving files from doc/source/api/userguide/*.rst
to api-guide/source/*.rst,
also add api-guide/source/conf.py for building api-guide,
add a new tox target named api-guide
Taking a reference from this patch which was used for the
similar migration of Nova api guide:
https://review.openstack.org/#/c/230186
Change-Id: I725e7939f9a88185de6ef32b311159b0924b7183
Partial-Bug: #1540665
Needed-By: I7b7c623e6299c803930e41d72510f1a67d909fa3

Barbican is tested with py34, but the classifier states only 2.7
is supported. This adds 3.4 to the list.
Change-Id: Ic7b14714d9a17a3370a8eb138bf4940ffa4ba999

A new 'barbican-manage' utility command is introduced as Barbican
admin tool. This command interacts with Barbican service for
management operations which usually cannot be accomplished with
REST APIs. This can improve usability and extensibility in the
future.
The related blueprint is https://review.openstack.org/#/c/253719/
This CR includes
1) implementation of barbican_manage.py
2) unit test code
3) document of barbican-manage command
Co-Authored-By: Michael Perng <mperng@us.ibm.com>
Change-Id: I784b46df86742d00d1737e3f8964280514a7fa1b

Moves the key generation script from bin to cmd folder.
This is preferred because other scripts for HSM interaction
such as the PKEK re-wrap are located here.
Change-Id: I731ec087e96114d00bd983edd60d2e1806399e16

Bump preversion to mark the start of the Mitaka development branch.
The liberty release branch will be cut from the previous commit.
Change-Id: I0008ef88d5dc7aae070a91695a573e97c8bb76b0

Add a retry scheduler server process to the DevStack start/stop
processes. This includes adding a PBR entry point and barbican.cmd
script for the retry scheduler process, as other projects such as
Glance and Nova are doing now. Eventually we'll want to move over all
our boot scripts to the entry point approach. Verify functional test
for generating a simple certificate order, which is the first of the
extended-workflow order types that utilize the retry processing logic.
Also add try/catch around the retry process because if we don't pass
back a retry interval to the Oslo periodic task framework, it stops
rescheduling tasks! Also added delays to the functional test order
status check as for SQLite I was noticing disk I/O concurrency errors
otherwise. Yes, I'd still like to support SQLite for local functional
testing.
Change-Id: Ib7b50ab7f7354fefebfdf654689427ae7bf59e58

This script pulls all project available KEKs and rewraps them
with a MKEK specified in the barbican config file.
Change-Id: I5f130b8f6d744195e3ed6c708e96b23b200eea2b

Previously there were 4 python scripts being installed
into /usr/{local/}bin/ which contained the extension *.py.
There was also a developers script called barbican.sh
to create a developer's environment.
This change switches away from installing them as scripts,
preferring to use pbr's console_scripts entry point. This
means that the scripts were moved to be part of a 'cmd'
module within the barbican module.
The barbican.sh script is also no longer installed as it
seems inappropriate to install this on consumers' machines.
A few cosmetic changes were added to achieve pep8.
Change-Id: I452b56535ec18228060370be899af2a63d138472
Closes-Bug: 1454587
Signed-off-by: Dave Walker (Daviey) <email@daviey.com>

This fixes creation of certificates using the snakeoil_ca plugin, like
passing the configuration properly and encoding resulting data, and adds
support for stored-key requests.
Closes-Bug: #1451456
Change-Id: Ida24a192595429829e870838a487a9c100691b4c

Bump pre-version in setup.cfg to formally open Liberty development.
Kilo release branch will be cut from the previous commit.
Change-Id: I430691b373a06d8cc3cddb8597e90efe05e99abd

This plugin is very useful for dev/testing setups (and Octavia).
Implements: blueprint barbican-snakeoil-ca
Co-authored-by: Adam Harwell <flux.adam@gmail.com>
Change-Id: I15f2ef8559ee5b95c8eef4eeb42edda68859e003