Asha,
I spent some time looking into this. It looks to be a regression that occurred 
a few days ago when a CR was merged that moved us over to oslo_context.
I have reported the issue here: https://bugs.launchpad.net/barbican/+bug/1455247

I have a couple ideas on how to fix it, so keep your eyes out for a CR to 
resolve the issue.

John Vrbanac


On Thu, 2015-05-14 at 12:26 -0500, Asha Seshagiri wrote:
Hi all,


We are able to execute the curl commands on the new Barbican code, provided we 
integrate it with Keystone.
I ran into this issue because I was trying to configure localhost to the actual IP 
on a plain Barbican server so that I would get the request and response objects 
with the actual IP rather than localhost.
This configuration was required for setting up HAProxy for Barbican.

And then I thought of integrating with Keystone and configuring the Barbican 
server for HTTPS.

It's good to learn that the latest code drop of Barbican enforces the 
authentication mechanism with Keystone, which would not allow us to execute 
the curl command without providing the Identity service (Keystone) token in 
the request, unlike previous Barbican versions.

Please find the curl command requests and responses for uploading/retrieving the 
secrets on the Barbican server:

[root@Clientfor-HAProxy barbican]# curl -X POST -H 'content-type:application/json' -H 'X-Project-Id:12345' \
> -H "X-Auth-Token:c9ac81784e1e4e089fccbca19f862be2" \
> -d '{"payload": "my-secret-here", "payload_content_type": "text/plain"}' \
> -k https://localhost:9311/v1/secrets
{"secret_ref": "https://localhost:9311/v1/secrets/02336016-623b-4deb-bca5-caedc0bf0e35"}
[root@Clientfor-HAProxy barbican]#

[root@Clientfor-HAProxy barbican]# curl -H 'Accept: application/json' -H 'X-Project-Id:12345' \
> -H "X-Auth-Token:c9ac81784e1e4e089fccbca19f862be2" \
> -k https://localhost:9311/v1/secrets
{"secrets": [{"status": "ACTIVE", "secret_type": "opaque", "updated": "2015-05-14T16:35:44.109536",
"name": null, "algorithm": null, "created": "2015-05-14T16:35:44.103982",
"secret_ref": "https://localhost:9311/v1/secrets/02336016-623b-4deb-bca5-caedc0bf0e35",
"content_types": {"default": "text/plain"}, "creator_id": "cedd848a8a9e410196793c601c03b99a",
"mode": null, "bit_length": null, "expiration": null}], "total": 1}
[root@Clientfor-HAProxy barbican]#

Thanks and Regards,
Asha Seshagiri

On Wed, May 13, 2015 at 4:26 PM, Asha Seshagiri <[email protected]> wrote:
Hi all,



When I started debugging, I found that the default group is not used; instead 
oslo_policy would be used.

Please find the logs below :


2015-05-13 15:59:34.393 13210 WARNING oslo_config.cfg [-] Option 
"policy_default_rule" from group "DEFAULT" is deprecated. Use option 
"policy_default_rule" from group "oslo_policy".
2015-05-13 15:59:34.394 13210 WARNING oslo_config.cfg [-] Option "policy_file" 
from group "DEFAULT" is deprecated. Use option "policy_file" from group 
"oslo_policy".
2015-05-13 15:59:34.395 13210 DEBUG oslo_policy.openstack.common.fileutils 
[req-0c6d2db4-bc15-4752-93ca-5203cf742d79 - 12345 - - -] Reloading cached file 
/etc/barbican/policy.json read_cached_file 
/usr/lib/python2.7/site-packages/oslo_policy/openstack/common/fileutils.py:64
2015-05-13 15:59:34.398 13210 DEBUG oslo_policy.policy 
[req-0c6d2db4-bc15-4752-93ca-5203cf742d79 - 12345 - - -] Reloaded policy file: 
/etc/barbican/policy.json _load_policy_file 
/usr/lib/python2.7/site-packages/oslo_policy/policy.py:424
2015-05-13 15:59:34.399 13210 ERROR barbican.api.controllers 
[req-0c6d2db4-bc15-4752-93ca-5203cf742d79 - 12345 - - -] Secret creation 
attempt not allowed - please review your user/project privileges
2015-05-13 15:59:34.399 13210 TRACE barbican.api.controllers Traceback (most 
recent call last):
2015-05-13 15:59:34.399 13210 TRACE barbican.api.controllers   File 
"/root/barbican/barbican/api/controllers/__init__.py", line 104, in handler
2015-05-13 15:59:34.399 13210 TRACE barbican.api.controllers     return 
fn(inst, *args, **kwargs)
2015-05-13 15:59:34.399 13210 TRACE barbican.api.controllers   File 
"/root/barbican/barbican/api/controllers/__init__.py", line 85, in enforcer
2015-05-13 15:59:34.399 13210 TRACE barbican.api.controllers     
_do_enforce_rbac(inst, pecan.request, action_name, ctx, **kwargs)
2015-05-13 15:59:34.399 13210 TRACE barbican.api.controllers   File 
"/root/barbican/barbican/api/controllers/__init__.py", line 68, in 
_do_enforce_rbac
2015-05-13 15:59:34.399 13210 TRACE barbican.api.controllers     credentials, 
do_raise=True)
2015-05-13 15:59:34.399 13210 TRACE barbican.api.controllers   File 
"/usr/lib/python2.7/site-packages/oslo_policy/policy.py", line 493, in enforce
2015-05-13 15:59:34.399 13210 TRACE barbican.api.controllers     raise 
PolicyNotAuthorized(rule, target, creds)
2015-05-13 15:59:34.399 13210 TRACE barbican.api.controllers 
PolicyNotAuthorized: secrets:post on {u'payload': u'my-secret-here', 
u'payload_content_type': u'text/plain'} by {'project': '12345', 'user': None, 
'roles': []} disallowed by policy
2015-05-13 15:59:34.399 13210 TRACE barbican.api.controllers
2015-05-13 15:59:34.400 13210 INFO barbican.api.middleware.context 
[req-0c6d2db4-bc15-4752-93ca-5203cf742d79 - 12345 - - -] 
req-556e8733-aea2-4acf-ac8b-30bc671a6f22 | Processed request: 403 Forbidden - 
POST http://localhost:9311/v1/secrets
{address space usage: 364666880 bytes/347MB} {rss usage: 65622016 bytes/62MB} 
[pid: 13210|app: 0|req: 1/1] 127.0.0.1 () {30 vars in 358 bytes} [Wed May 13 
15:59:34 2015] POST /v1/secrets => generated 134 bytes in 7 msecs (HTTP/1.1 
403) 4 headers in 179 bytes (1 switches on core 0)
announcing my loyalty to the Emperor...
Wed May 13 15:59:34 2015 - [emperor] vassal barbican-api.ini is now loyal


Hence I tried changing the policy_default_rule value in the barbican.conf file to 
oslo_policy instead of default and then restarting it. It did not work. 
Please find the rule below:


# Rule checked when requested rule is not found (string value)
policy_default_rule=oslo_policy

[root@Clientfor-HAProxy ~]# curl -X POST -H 'content-type:application/json' -H 
'X-Project-Id:12345' -d '{"payload": "my-secret-here", "payload_content_type": 
"text/plain"}' http://localhost:9311/v1/secrets
{"code": 403, "description": "Secret creation attempt not allowed - please 
review your user/project privileges", "title": "Forbidden"}


It would be great if someone could help me out with this. Any help would be 
highly appreciated.

Thanks in advance



Thanks and Regards,

Asha Seshagiri


On Tue, May 12, 2015 at 6:31 PM, Asha Seshagiri <[email protected]> wrote:
Hi All,


Installed Barbican today, taking the source from GitHub, and executed the 
basic curl commands for retrieving and uploading secrets.

Was unable to execute the curl commands for retrieving and uploading the 
secrets.
Please find the request and response for the commands:

[root@Clientfor-HAProxy ~]# curl -X POST -H 'content-type:application/json' -H 
'X-Project-Id:12345' -d '{"payload": "my-secret-here", "payload_content_type": 
"text/plain"}' http://localhost:9311/v1/secrets
{"code": 403, "description": "Secret creation attempt not allowed - please 
review your user/project privileges", "title": "Forbidden"}
[root@Clientfor-HAProxy ~]# curl -H 'X-Project-Id: 12345' 
http://localhost:9311/v1/secrets
{"code": 403, "description": "Secret(s) retrieval attempt not allowed - please 
review your user/project privileges", "title": "Forbidden"}


Would like to know the changes that need to be done in order to execute the 
basic curl commands for Barbican.

Also noticed that the admin config files are not loaded and only the API file is 
loaded. Please find the logs below:


*** Operational MODE: single process ***
*** uWSGI is running in multiple interpreter mode ***
spawned uWSGI master process (pid: 9299)
Tue May 12 16:23:09 2015 - [emperor] vassal barbican-api.ini has been spawned
spawned uWSGI worker 1 (pid: 9300, cores: 1)
Loading paste environment: config:/etc/barbican/barbican-api-paste.ini
2015-05-12 16:23:11.036 9300 INFO barbican.model.repositories [-] Setting up 
database engine and session factory
2015-05-12 16:23:11.044 9300 DEBUG sqlalchemy.pool.NullPool [-] Created new 
connection <sqlite3.Connection object at 0x53d8dc8> __connect 
/usr/lib64/python2.7/site-packages/sqlalchemy/pool.py:540
2015-05-12 16:23:11.045 9300 DEBUG sqlalchemy.pool.NullPool [-] Connection 
<sqlite3.Connection object at 0x53d8dc8> checked out from pool checkout 
/usr/lib64/python2.7/site-packages/sqlalchemy/pool.py:458
2015-05-12 16:23:11.046 9300 DEBUG sqlalchemy.pool.NullPool [-] Connection 
<sqlite3.Connection object at 0x53d8dc8> being returned to pool _finalize_fairy 
/usr/lib64/python2.7/site-packages/sqlalchemy/pool.py:562
2015-05-12 16:23:11.046 9300 DEBUG sqlalchemy.pool.NullPool [-] Connection 
<sqlite3.Connection object at 0x53d8dc8> rollback-on-return _reset 
/usr/lib64/python2.7/site-packages/sqlalchemy/pool.py:698
2015-05-12 16:23:11.046 9300 DEBUG sqlalchemy.pool.NullPool [-] Closing 
connection <sqlite3.Connection object at 0x53d8dc8> _close_connection 
/usr/lib64/python2.7/site-packages/sqlalchemy/pool.py:248




Any help would be highly appreciated, since this would impact my work on setting 
up HAProxy for Barbican.

Thanks in advance !

--
Thanks and Regards,
Asha Seshagiri



--
Thanks and Regards,
Asha Seshagiri



--
Thanks and Regards,
Asha Seshagiri


__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: [email protected]?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
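The traceback quoted in the thread ends with "PolicyNotAuthorized: secrets:post ... by {'project': '12345', 'user': None, 'roles': []} disallowed by policy", and the follow-up attempt sets policy_default_rule to oslo_policy. The Python block below is an added example, not code from Barbican or from oslo.policy: it is a toy evaluator for a small subset of the oslo.policy rule language, run against a constructed policy fragment written in the style of a Barbican policy.json (the rule names and bodies are assumptions for the example, not the project's shipped file). It shows why a request carrying only X-Project-Id (no user, no roles) is denied, why the same action passes once the caller's credentials carry a role the rule accepts, and why policy_default_rule is consulted only for rule names that are absent from the policy file, so pointing it at an undefined name such as oslo_policy leaves a defined action like secrets:post unchanged.

```python
"""Toy evaluator for a subset of the oslo.policy rule language.

Added example, not Barbican or oslo.policy code. It implements only what is
needed to reason about the 403s in the thread:
  "role:<name>"  -> the caller has that role
  "rule:<name>"  -> evaluate another named rule
  "@" / ""       -> always allowed,  "!" -> never allowed
  "a or b", "a and b" with 'and' binding tighter than 'or'
It does NOT support parentheses, 'not', or target substitutions such as
%(project_id)s, which the real library does.
"""
import json

# Constructed policy fragment in the style of a Barbican policy.json.
# Rule names and bodies are an assumption for this example, not a copy of
# the project's shipped file.
POLICY_JSON = """
{
    "admin": "role:admin",
    "creator": "role:creator",
    "admin_or_creator": "rule:admin or rule:creator",
    "secrets:post": "rule:admin_or_creator",
    "secrets:get": "rule:admin_or_creator"
}
"""

MAX_RULE_DEPTH = 16  # guard against self-referential rules such as "a": "rule:a"


class PolicyNotAuthorized(Exception):
    """Raised when the rule evaluates to False (mirrors the library's exception name)."""


def load_rules(policy_json):
    return json.loads(policy_json)


def _check_atom(atom, rules, creds, depth):
    kind, sep, value = atom.partition(":")
    if not sep:
        return atom in ("@", "")  # bare "@" (or empty) always passes; "!" or junk denies
    if kind == "role":
        return value in (creds.get("roles") or [])
    if kind == "rule":
        return _eval(rules.get(value, "!"), rules, creds, depth + 1)  # undefined rule denies
    return False  # other check kinds are out of scope for this toy


def _eval(expr, rules, creds, depth):
    if depth > MAX_RULE_DEPTH:
        return False
    expr = expr.strip()
    if expr in ("", "@"):
        return True
    if expr == "!":
        return False
    # 'and' binds tighter than 'or': "a or b and c" == "a or (b and c)"
    for disjunct in expr.split(" or "):
        if all(_check_atom(a.strip(), rules, creds, depth) for a in disjunct.split(" and ")):
            return True
    return False


def enforce(action, creds, rules, default_rule="default"):
    """Return True or raise. `default_rule` names the rule used ONLY when
    `action` itself is not in the policy (the documented meaning of
    policy_default_rule); it never overrides a rule that is present."""
    if action in rules:
        expr = rules[action]
    elif default_rule in rules:
        expr = rules[default_rule]
    else:
        expr = "!"  # neither the action nor the fallback is defined: deny
    if _eval(expr, rules, creds, 0):
        return True
    raise PolicyNotAuthorized("%s by %r disallowed by policy" % (action, creds))


def is_allowed(action, creds, rules, default_rule="default"):
    try:
        return enforce(action, creds, rules, default_rule)
    except PolicyNotAuthorized:
        return False


def demo():
    rules = load_rules(POLICY_JSON)
    # Credentials as they appear in the traceback: X-Project-Id only, no token,
    # so no user and no roles were populated.
    unauth = {"project": "12345", "user": None, "roles": []}
    # Constructed credentials for a caller whose token carries the 'creator' role.
    creator = {"project": "12345", "user": "alice", "roles": ["creator"]}
    return {
        "no_roles_post": is_allowed("secrets:post", unauth, rules),
        "creator_post": is_allowed("secrets:post", creator, rules),
        # An undefined fallback name changes nothing for a defined action ...
        "creator_post_odd_default": is_allowed("secrets:post", creator, rules, "oslo_policy"),
        # ... and makes an undefined action deny, since the fallback is missing too.
        "undefined_action_odd_default": is_allowed("foo:bar", creator, rules, "oslo_policy"),
        # A defined, permissive fallback lets undefined actions through instead.
        "undefined_action_open_default": is_allowed("foo:bar", unauth, dict(rules, default="@")),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-30s %s" % (name, result))
```

Run as a script to print the five results. The real enforcer is oslo_policy.policy.Enforcer reading the same kind of file; the two points that carry over are that an empty roles list fails any rule built from role: checks, and that policy_default_rule never overrides a rule that is already defined.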
