07d1a50de3
barbican-api.conf files renamed to barbican.conf Updated references in code from barbican-api.conf to barbican.conf Updated references in docs from barbican-api.conf to barbican.conf Change-Id: I89c4c7fdf7fee2dd73e40bdba6052dcd5213d932 Closes-bug: #1459682
340 lines
11 KiB
Plaintext
Executable File
340 lines
11 KiB
Plaintext
Executable File
# lib/barbican
|
|
# Install and start **Barbican** service
|
|
|
|
# To enable a minimal set of Barbican features, add the following to localrc:
|
|
# enable_service barbican
|
|
#
|
|
# Dependencies:
|
|
# - functions
|
|
# - OS_AUTH_URL for auth in api
|
|
# - DEST set to the destination directory
|
|
# - SERVICE_PASSWORD, SERVICE_TENANT_NAME for auth in api
|
|
# - STACK_USER service user
|
|
|
|
# stack.sh
|
|
# ---------
|
|
# install_barbican
|
|
# configure_barbican
|
|
# init_barbican
|
|
# start_barbican
|
|
# stop_barbican
|
|
# cleanup_barbican
|
|
|
|
# Save trace setting
|
|
XTRACE=$(set +o | grep xtrace)
|
|
set +o xtrace
|
|
|
|
|
|
# Defaults
|
|
# --------
|
|
|
|
# Set up default directories
|
|
BARBICAN_DIR=$DEST/barbican
|
|
BARBICANCLIENT_DIR=$DEST/python-barbicanclient
|
|
BARBICAN_CONF_DIR=${BARBICAN_CONF_DIR:-/etc/barbican}
|
|
BARBICAN_CONF=$BARBICAN_CONF_DIR/barbican.conf
|
|
BARBICAN_PASTE_CONF=$BARBICAN_CONF_DIR/barbican-api-paste.ini
|
|
BARBICAN_API_LOG_DIR=$DEST/logs
|
|
BARBICAN_AUTH_CACHE_DIR=${BARBICAN_AUTH_CACHE_DIR:-/var/cache/barbican}
|
|
|
|
# Support potential entry-points console scripts
|
|
BARBICAN_BIN_DIR=$(get_python_exec_prefix)
|
|
|
|
# Set Barbican repository
|
|
BARBICAN_REPO=${BARBICAN_REPO:-${GIT_BASE}/openstack/barbican.git}
|
|
BARBICAN_BRANCH=${BARBICAN_BRANCH:-master}
|
|
|
|
# Set client library repository
|
|
BARBICANCLIENT_REPO=${BARBICANCLIENT_REPO:-${GIT_BASE}/openstack/python-barbicanclient.git}
|
|
BARBICANCLIENT_BRANCH=${BARBICANCLIENT_BRANCH:-master}
|
|
|
|
# Tell Tempest this project is present
|
|
TEMPEST_SERVICES+=,barbican
|
|
|
|
|
|
# Functions
|
|
# ---------
|
|
|
|
# cleanup_barbican - Remove residual data files, anything left over from previous
|
|
# runs that a clean run would need to clean up
|
|
function cleanup_barbican {
|
|
:
|
|
}
|
|
|
|
# configure_barbicanclient - Set config files, create data dirs, etc
|
|
function configure_barbicanclient {
|
|
setup_develop $BARBICANCLIENT_DIR
|
|
}
|
|
|
|
# configure_dogtag_plugin - Change config to use dogtag plugin
|
|
function configure_dogtag_plugin {
|
|
openssl pkcs12 -in /root/.dogtag/pki-tomcat/ca_admin_cert.p12 -passin pass:PASSWORD -out $BARBICAN_CONF_DIR/kra_admin_cert.pem -nodes
|
|
sudo chown $USER $BARBICAN_CONF_DIR/kra_admin_cert.pem
|
|
iniset $BARBICAN_CONF dogtag_plugin dogtag_port 8373
|
|
iniset $BARBICAN_CONF secretstore enabled_secretstore_plugins dogtag_crypto
|
|
iniset $BARBICAN_CONF certificate enabled_certificate_plugins dogtag
|
|
}
|
|
|
|
# configure_barbican - Set config files, create data dirs, etc
|
|
function configure_barbican {
|
|
setup_develop $BARBICAN_DIR
|
|
|
|
[ ! -d $BARBICAN_CONF_DIR ] && sudo mkdir -m 755 -p $BARBICAN_CONF_DIR
|
|
sudo chown $USER $BARBICAN_CONF_DIR
|
|
|
|
[ ! -d $BARBICAN_API_LOG_DIR ] && sudo mkdir -m 755 -p $BARBICAN_API_LOG_DIR
|
|
sudo chown $USER $BARBICAN_API_LOG_DIR
|
|
|
|
[ ! -d $BARBICAN_CONF_DIR ] && sudo mkdir -m 755 -p $BARBICAN_CONF_DIR
|
|
sudo chown $USER $BARBICAN_CONF_DIR
|
|
|
|
# Copy the barbican config files to the config dir
|
|
cp $BARBICAN_DIR/etc/barbican/barbican.conf $BARBICAN_CONF_DIR
|
|
cp $BARBICAN_DIR/etc/barbican/barbican-api-paste.ini $BARBICAN_CONF_DIR
|
|
cp -R $BARBICAN_DIR/etc/barbican/vassals $BARBICAN_CONF_DIR
|
|
|
|
# Copy functional test config
|
|
cp $BARBICAN_DIR/etc/barbican/barbican-functional.conf $BARBICAN_CONF_DIR
|
|
|
|
# Set the logging to INFO
|
|
iniset $BARBICAN_CONF DEFAULT verbose True
|
|
|
|
# Do not set to DEBUG
|
|
iniset $BARBICAN_CONF DEFAULT debug False
|
|
|
|
# Set the log file location
|
|
iniset $BARBICAN_CONF DEFAULT log_file "$BARBICAN_API_LOG_DIR/barbican.log"
|
|
|
|
# Format logging
|
|
if [ "$LOG_COLOR" == "True" ] && [ "$SYSLOG" == "False" ]; then
|
|
setup_colorized_logging $BARBICAN_CONF DEFAULT "project_id" "user_id"
|
|
fi
|
|
|
|
# Install the policy file for the API server
|
|
cp $BARBICAN_DIR/etc/barbican/policy.json $BARBICAN_CONF_DIR
|
|
iniset $BARBICAN_CONF DEFAULT policy_file $BARBICAN_CONF_DIR/policy.json
|
|
|
|
# Set the database connection url
|
|
iniset $BARBICAN_CONF DEFAULT sql_connection `database_connection_url barbican`
|
|
|
|
# Increase default request buffer size, keystone auth PKI tokens can be very long
|
|
iniset $BARBICAN_CONF_DIR/vassals/barbican-api.ini uwsgi buffer-size 65535
|
|
|
|
# Rabbit settings
|
|
if is_service_enabled rabbit; then
|
|
iniset $BARBICAN_CONF 'secrets' broker rabbit://guest:$RABBIT_PASSWORD@$RABBIT_HOST
|
|
else
|
|
echo_summary "Barbican requires that the RabbitMQ service is enabled"
|
|
fi
|
|
|
|
## Set up keystone
|
|
|
|
# Turn on the middleware
|
|
iniset $BARBICAN_PASTE_CONF 'pipeline:barbican_api' pipeline 'keystone_authtoken context apiapp'
|
|
|
|
# Set the keystone parameters
|
|
iniset $BARBICAN_PASTE_CONF 'filter:keystone_authtoken' auth_protocol $KEYSTONE_AUTH_PROTOCOL
|
|
iniset $BARBICAN_PASTE_CONF 'filter:keystone_authtoken' auth_host $KEYSTONE_AUTH_HOST
|
|
iniset $BARBICAN_PASTE_CONF 'filter:keystone_authtoken' auth_port $KEYSTONE_AUTH_PORT
|
|
iniset $BARBICAN_PASTE_CONF 'filter:keystone_authtoken' admin_user barbican
|
|
iniset $BARBICAN_PASTE_CONF 'filter:keystone_authtoken' admin_password $SERVICE_PASSWORD
|
|
iniset $BARBICAN_PASTE_CONF 'filter:keystone_authtoken' admin_tenant_name $SERVICE_TENANT_NAME
|
|
iniset $BARBICAN_PASTE_CONF 'filter:keystone_authtoken' signing_dir $BARBICAN_AUTH_CACHE_DIR
|
|
}
|
|
|
|
# init_barbican - Initialize etc.
|
|
function init_barbican {
|
|
# Create cache dir
|
|
sudo mkdir -p $BARBICAN_AUTH_CACHE_DIR
|
|
sudo chown $STACK_USER $BARBICAN_AUTH_CACHE_DIR
|
|
rm -f $BARBICAN_AUTH_CACHE_DIR/*
|
|
|
|
recreate_database barbican utf8
|
|
}
|
|
|
|
# install_barbican - Collect source and prepare
|
|
function install_barbican {
|
|
# Install package requirements
|
|
if is_fedora; then
|
|
install_package sqlite-devel
|
|
fi
|
|
# TODO(ravips): We need this until barbican gets into devstack
|
|
ERROR_ON_CLONE=False
|
|
git_clone $BARBICAN_REPO $BARBICAN_DIR $BARBICAN_BRANCH
|
|
setup_develop $BARBICAN_DIR
|
|
pip_install 'uwsgi'
|
|
}
|
|
|
|
# install_barbicanclient - Collect source and prepare
|
|
function install_barbicanclient {
|
|
# TODO(ravips): We need this until barbican gets into devstack
|
|
ERROR_ON_CLONE=False
|
|
git_clone $BARBICANCLIENT_REPO $BARBICANCLIENT_DIR $BARBICANCLIENT_BRANCH
|
|
setup_develop $BARBICANCLIENT_DIR
|
|
}
|
|
|
|
# start_barbican - Start running processes, including screen
|
|
function start_barbican {
|
|
screen_it barbican "uwsgi --master --emperor $BARBICAN_CONF_DIR/vassals"
|
|
}
|
|
|
|
# stop_barbican - Stop running processes
|
|
function stop_barbican {
|
|
# This will eventually be refactored to work like
|
|
# Solum and Manila (script to kick off a wsgiref server)
|
|
# For now, this will stop uWSGI rather than have it hang
|
|
killall -9 uwsgi
|
|
|
|
# This cleans up the PID file, but uses pkill so Barbican
|
|
# uWSGI emperor process doesn't actually stop
|
|
screen_stop barbican
|
|
}
|
|
|
|
function get_id {
|
|
echo `"$@" | awk '/ id / { print $4 }'`
|
|
}
|
|
|
|
function create_barbican_accounts {
|
|
#
|
|
# Setup Default Admin User
|
|
#
|
|
SERVICE_TENANT=$(keystone tenant-list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")
|
|
ADMIN_ROLE=$(keystone role-list | awk "/ admin / { print \$2 }")
|
|
|
|
BARBICAN_USER=$(keystone user-create --name=barbican \
|
|
--pass="$SERVICE_PASSWORD" \
|
|
--tenant-id $SERVICE_TENANT \
|
|
--email=barbican@example.com \
|
|
| grep " id " | get_field 2)
|
|
keystone user-role-add --tenant-id $SERVICE_TENANT \
|
|
--user-id $BARBICAN_USER \
|
|
--role-id $ADMIN_ROLE
|
|
#
|
|
# Setup RBAC User Projects and Roles
|
|
#
|
|
PASSWORD="barbican"
|
|
PROJECT_A_ID=$(get_id keystone tenant-create \
|
|
--name="project_a")
|
|
PROJECT_B_ID=$(get_id keystone tenant-create \
|
|
--name="project_b")
|
|
ROLE_ADMIN_ID=$(get_id keystone role-get admin)
|
|
ROLE_CREATOR_ID=$(get_id keystone role-create \
|
|
--name="creator")
|
|
ROLE_OBSERVER_ID=$(get_id keystone role-create \
|
|
--name="observer")
|
|
ROLE_AUDIT_ID=$(get_id keystone role-create \
|
|
--name="audit")
|
|
#
|
|
# Setup RBAC Admin of Project A
|
|
#
|
|
USER_ID=$(get_id keystone user-create \
|
|
--name="project_a_admin" \
|
|
--pass="$PASSWORD" \
|
|
--email="admin_a@example.net")
|
|
keystone user-role-add \
|
|
--user="$USER_ID" \
|
|
--role="$ROLE_ADMIN_ID" \
|
|
--tenant-id="$PROJECT_A_ID"
|
|
#
|
|
# Setup RBAC Creator of Project A
|
|
#
|
|
USER_ID=$(get_id keystone user-create \
|
|
--name="project_a_creator" \
|
|
--pass="$PASSWORD" \
|
|
--email="creator_a@example.net")
|
|
keystone user-role-add \
|
|
--user="$USER_ID" \
|
|
--role="$ROLE_CREATOR_ID" \
|
|
--tenant-id="$PROJECT_A_ID"
|
|
#
|
|
# Setup RBAC Observer of Project A
|
|
#
|
|
USER_ID=$(get_id keystone user-create \
|
|
--name="project_a_observer" \
|
|
--pass="$PASSWORD" \
|
|
--email="observer_a@example.net")
|
|
keystone user-role-add \
|
|
--user="$USER_ID" \
|
|
--role="$ROLE_OBSERVER_ID" \
|
|
--tenant-id="$PROJECT_A_ID"
|
|
#
|
|
# Setup RBAC Auditor of Project A
|
|
#
|
|
USER_ID=$(get_id keystone user-create \
|
|
--name="project_a_auditor" \
|
|
--pass="$PASSWORD" \
|
|
--email="auditor_a@example.net")
|
|
keystone user-role-add \
|
|
--user="$USER_ID" \
|
|
--role="$ROLE_AUDIT_ID" \
|
|
--tenant-id="$PROJECT_A_ID"
|
|
#
|
|
# Setup RBAC Admin of Project B
|
|
#
|
|
USER_ID=$(get_id keystone user-create \
|
|
--name="project_b_admin" \
|
|
--pass="$PASSWORD" \
|
|
--email="admin_b@example.net")
|
|
keystone user-role-add \
|
|
--user="$USER_ID" \
|
|
--role="$ROLE_ADMIN_ID" \
|
|
--tenant-id="$PROJECT_B_ID"
|
|
#
|
|
# Setup RBAC Creator of Project B
|
|
#
|
|
USER_ID=$(get_id keystone user-create \
|
|
--name="project_b_creator" \
|
|
--pass="$PASSWORD" \
|
|
--email="creator_b@example.net")
|
|
keystone user-role-add \
|
|
--user="$USER_ID" \
|
|
--role="$ROLE_CREATOR_ID" \
|
|
--tenant-id="$PROJECT_B_ID"
|
|
#
|
|
# Setup RBAC Observer of Project B
|
|
#
|
|
USER_ID=$(get_id keystone user-create \
|
|
--name="project_b_observer" \
|
|
--pass="$PASSWORD" \
|
|
--email="observer_b@example.net")
|
|
keystone user-role-add \
|
|
--user="$USER_ID" \
|
|
--role="$ROLE_OBSERVER_ID" \
|
|
--tenant-id="$PROJECT_B_ID"
|
|
#
|
|
# Setup RBAC auditor of Project B
|
|
#
|
|
USER_ID=$(get_id keystone user-create \
|
|
--name="project_b_auditor" \
|
|
--pass="$PASSWORD" \
|
|
--email="auditor_b@example.net")
|
|
keystone user-role-add \
|
|
--user="$USER_ID" \
|
|
--role="$ROLE_AUDIT_ID" \
|
|
--tenant-id="$PROJECT_B_ID"
|
|
#
|
|
# Setup Admin Endpoint
|
|
#
|
|
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
|
|
BARBICAN_SERVICE=$(keystone service-create \
|
|
--name=barbican \
|
|
--type='key-manager' \
|
|
--description="Barbican Service" \
|
|
| grep " id " | get_field 2)
|
|
keystone endpoint-create \
|
|
--region RegionOne \
|
|
--service_id $BARBICAN_SERVICE \
|
|
--publicurl "http://$SERVICE_HOST:9311" \
|
|
--internalurl "http://$SERVICE_HOST:9311"
|
|
fi
|
|
|
|
}
|
|
|
|
|
|
# Restore xtrace
|
|
$XTRACE
|
|
|
|
# Local variables:
|
|
# mode: shell-script
|
|
# End:
|