-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi Asha,
The reason we support an Unauthenticated Context in Barbican is purely for development purposes. We recommend that all production Barbican deployments use Keystone or an alternative AuthN/AuthZ service in front of Barbican. Setting up a working Keystone environment just to hack on Barbican is a steep requirement, which is why we need the Unauthenticated Context to work. - - Douglas Mendizabal On 5/14/15 6:07 PM, Asha Seshagiri wrote: > Thanks a lot John for your response. But would like to know why do > would we have to fix the issue for creating the secret for > unauthenticated context for Barbican since it would be good to have > access control mechanism enforced to access secrets , orders and > other entities from Barbican. > > This should be the expected behavior from security perspective .And > also we are able to access secrets by providing the right token > from the Identity service (Keystone ). Looking forward for your > response. > > Thanks and Regards, Asha Seshagiri > > On Thu, May 14, 2015 at 4:43 PM, John Vrbanac > <john.vrba...@rackspace.com <mailto:john.vrba...@rackspace.com>> > wrote: > > __ Asha, I spent some time looking into this, It looks to be a > regression that occurred a few days ago when a CR was merged that > moved us over to oslo_context. I have reported the issue here: > https://bugs.launchpad.net/barbican/+bug/1455247 > > I have a couple ideas on how to fix it, so keep your eyes out for > a CR to resolve the issue. > > John Vrbanac > > > > On Thu, 2015-05-14 at 12:26 -0500, Asha Seshagiri wrote: >> Hi all , >> >> >> We are able to execute the curl commands on new barbican code >> provided we integrated it with keystone . I ran into this issue >> because I was trying to configure localhost to actual IP on a >> plain barbican server so that I would get the response and >> request objects with the actual IP rather than the local host . >> This configuration was required for seting up HA proxy for >> Barbican. >> >> And then I thought of integrating with the keystone and >> configure Babrican server to https. >> >> *Its a good learning to know that the latest code drop of >> Barbican enforces the authentication mechanism with the keystone >> which would not allow us to execute the curl command without >> providing the token of Identity service (Keystone ) in the >> request unlike the previous Barbican versions* >> >> Please find the curl command request and responses for >> uploading/reteriving the secets on Barbican Server >> >> root@Clientfor-HAProxy barbican]# curl -X POST -H >> 'content-type:application/json' -H 'X-Project-Id:12345' \ >>> -H "X-Auth-Token:c9ac81784e1e4e089fccbca19f862be2" -d >> '{"payload": "my-secret-here","payload_content_type": >> "text/plain"}' \ >>> -k https://localhost:9311/v1/secrets >> {"secret_ref": >> "https://localhost:9311/v1/secrets/02336016-623b-4deb-bca5-caedc0bf0e 35"}[root@Clientfor-HAProxy >> >> barbican]# >> >> [root@Clientfor-HAProxy barbican]# curl -H 'Accept: >> application/json' -H 'X-Project-Id:12345' \ >>> -H "X-Auth-Token:c9ac81784e1e4e089fccbca19f862be2" -k >> https://localhost:9311/v1/secrets {"secrets": [{"status": >> "ACTIVE", "secret_type": "opaque", "updated": >> "2015-05-14T16:35:44.109536", "name": null, "algorithm": null, >> "created": "2015-05-14T16:35:44.103982", "secret_ref": >> "https://localhost:9311/v1/secrets/02336016-623b-4deb-bca5-caedc0bf0e 35", >> >> "content_types": {"default": "text/plain"}, "creator_id": >> "cedd848a8a9e410196793c601c03b99a", "mode": null, "bit_length": >> null, "expiration": null}], "total": 1}[root@Clientfor-HAProxy >> barbican]# >> >> Thanks and Regards, Asha Seshagiri >> >> On Wed, May 13, 2015 at 4:26 PM, Asha Seshagiri >> <asha.seshag...@gmail.com <mailto:asha.seshag...@gmail.com>> >> wrote: >> >> Hi all , >> >> >> >> When I started debugging ,we find that default group is not >> used instead oslo_policy would be used >> >> Please find the logs below : >> >> >> *2015-05-13 15:59:34.393 13210 WARNING oslo_config.cfg [-] Option >> "policy_default_rule" from group "DEFAULT" is deprecated. Use >> option "policy_default_rule" from group "oslo_policy".* >> *2015-05-13 15:59:34.394 13210 WARNING oslo_config.cfg [-] Option >> "policy_file" from group "DEFAULT" is deprecated. Use option >> "policy_file" from group "oslo_policy".* 2015-05-13 15:59:34.395 >> 13210 DEBUG oslo_policy.openstack.common.fileutils >> [req-0c6d2db4-bc15-4752-93ca-5203cf742d79 - 12345 - - -] >> Reloading cached file /etc/barbican/policy.json read_cached_file >> /usr/lib/python2.7/site-packages/oslo_policy/openstack/common/fileuti ls.py:64 >> >> 2015-05-13 15:59:34.398 13210 DEBUG oslo_policy.policy >> [req-0c6d2db4-bc15-4752-93ca-5203cf742d79 - 12345 - - -] Reloaded >> policy file: /etc/barbican/policy.json _load_policy_file >> /usr/lib/python2.7/site-packages/oslo_policy/policy.py:424 >> 2015-05-13 15:59:34.399 13210 ERROR barbican.api.controllers >> [req-0c6d2db4-bc15-4752-93ca-5203cf742d79 - 12345 - - -] Secret >> creation attempt not allowed - please review your user/project >> privileges 2015-05-13 15:59:34.399 13210 TRACE >> barbican.api.controllers Traceback (most recent call last): >> 2015-05-13 15:59:34.399 13210 TRACE barbican.api.controllers File >> "/root/barbican/barbican/api/controllers/__init__.py", line 104, >> in handler 2015-05-13 15:59:34.399 13210 TRACE >> barbican.api.controllers return fn(inst, *args, **kwargs) >> 2015-05-13 15:59:34.399 13210 TRACE barbican.api.controllers File >> "/root/barbican/barbican/api/controllers/__init__.py", line 85, >> in enforcer 2015-05-13 15:59:34.399 13210 TRACE >> barbican.api.controllers _do_enforce_rbac(inst, >> pecan.request, action_name, ctx, **kwargs) 2015-05-13 >> 15:59:34.399 13210 TRACE barbican.api.controllers File >> "/root/barbican/barbican/api/controllers/__init__.py", line 68, >> in _do_enforce_rbac 2015-05-13 15:59:34.399 13210 TRACE >> barbican.api.controllers credentials, do_raise=True) >> 2015-05-13 15:59:34.399 13210 TRACE barbican.api.controllers File >> "/usr/lib/python2.7/site-packages/oslo_policy/policy.py", line >> 493, in enforce 2015-05-13 15:59:34.399 13210 TRACE >> barbican.api.controllers raise PolicyNotAuthorized(rule, >> target, creds) 2015-05-13 15:59:34.399 13210 TRACE >> barbican.api.controllers PolicyNotAuthorized: secrets:post on >> {u'payload': u'my-secret-here', u'payload_content_type': >> u'text/plain'} by {'project': '12345', 'user': None, 'roles': []} >> disallowed by policy 2015-05-13 15:59:34.399 13210 TRACE >> barbican.api.controllers 2015-05-13 15:59:34.400 13210 INFO >> barbican.api.middleware.context >> [req-0c6d2db4-bc15-4752-93ca-5203cf742d79 - 12345 - - -] >> req-556e8733-aea2-4acf-ac8b-30bc671a6f22 | Processed request: 403 >> Forbidden - POST http://localhost:9311/v1/secrets {address space >> usage: 364666880 bytes/347MB} {rss usage: 65622016 bytes/62MB} >> [pid: 13210|app: 0|req: 1/1] 127.0.0.1 () {30 vars in 358 bytes} >> [Wed May 13 15:59:34 2015] POST /v1/secrets => generated 134 >> bytes in 7 msecs (HTTP/1.1 403) 4 headers in 179 bytes (1 >> switches on core 0) announcing my loyalty to the Emperor... Wed >> May 13 15:59:34 2015 - [emperor] vassal barbican-api.ini is now >> loyal >> >> >> Hence I tried changing policy_default_rule value in the >> barbican.conf file to oslo_policy instead of default and then >> restarting it .It did not work . Please find the rule below : >> >> >> *# Rule checked when requested rule is not found (string value)* >> *policy_default_rule=oslo_policy* >> >> *[root@Clientfor-HAProxy ~]# curl -X POST -H >> 'content-type:application/json' -H 'X-Project-Id:12345' -d >> '{"payload": "my-secret-here", "payload_content_type": >> "text/plain"}' http://localhost:9311/v1/secrets* *{"code": 403, >> "description": "Secret creation attempt not allowed - please >> review your user/project privileges", "title": "Forbidden"}* >> >> >> It would be great if some one could help me out with this.Any >> help would be highly appreciated. >> >> Thanks in advance >> >> >> >> Thanks and Regards, >> >> Asha Seshagiri >> >> >> >> On Tue, May 12, 2015 at 6:31 PM, Asha Seshagiri >> <asha.seshag...@gmail.com <mailto:asha.seshag...@gmail.com>> >> wrote: >> >> Hi All , >> >> >> Installed the barbican today taking the source from github and >> executed the basic curl commands for retrieving and uploading the >> secrets. >> >> Was unable to execute the curl commands for retrieving and >> uploading the secrets. Please find the request and response for >> the command : >> >> [root@Clientfor-HAProxy ~]# curl -X POST -H >> 'content-type:application/json' -H 'X-Project-Id:12345' -d >> '{"payload": "my-secret-here", "payload_content_type": >> "text/plain"}' http://localhost:9311/v1/secrets *{"code": 403, >> "description": "Secret creation attempt not allowed - please >> review your user/project privileges", "title": "Forbidden"}* >> [root@Clientfor-HAProxy ~]# curl -H 'X-Project-Id: 12345' >> http://localhost:9311/v1/secrets *{"code": 403, "description": >> "Secret(s) retrieval attempt not allowed - please review your >> user/project privileges", "title": "Forbidden"}* >> >> >> Would like to know the changes that needs to be done in order to >> execute the basic curl commands for Barbican. >> >> Also noticed that admin config files are not loaded and only the >> APi file is loaded .Please find the logs below : >> >> >> *** Operational MODE: single process *** *** uWSGI is running in >> multiple interpreter mode *** spawned uWSGI master process (pid: >> 9299) Tue May 12 16:23:09 2015 - [emperor] vassal >> barbican-api.ini has been spawned spawned uWSGI worker 1 (pid: >> 9300, cores: 1) *Loading paste environment: >> config:/etc/barbican/barbican-api-paste.ini* 2015-05-12 >> 16:23:11.036 9300 INFO barbican.model.repositories [-] Setting up >> database engine and session factory 2015-05-12 16:23:11.044 9300 >> DEBUG sqlalchemy.pool.NullPool [-] Created new connection >> <sqlite3.Connection object at 0x53d8dc8> __connect >> /usr/lib64/python2.7/site-packages/sqlalchemy/pool.py:540 >> 2015-05-12 16:23:11.045 9300 DEBUG sqlalchemy.pool.NullPool [-] >> Connection <sqlite3.Connection object at 0x53d8dc8> checked out >> from pool checkout >> /usr/lib64/python2.7/site-packages/sqlalchemy/pool.py:458 >> 2015-05-12 16:23:11.046 9300 DEBUG sqlalchemy.pool.NullPool [-] >> Connection <sqlite3.Connection object at 0x53d8dc8> being >> returned to pool _finalize_fairy >> /usr/lib64/python2.7/site-packages/sqlalchemy/pool.py:562 >> 2015-05-12 16:23:11.046 9300 DEBUG sqlalchemy.pool.NullPool [-] >> Connection <sqlite3.Connection object at 0x53d8dc8> >> rollback-on-return _reset >> /usr/lib64/python2.7/site-packages/sqlalchemy/pool.py:698 >> 2015-05-12 16:23:11.046 9300 DEBUG sqlalchemy.pool.NullPool [-] >> Closing connection <sqlite3.Connection object at 0x53d8dc8> >> _close_connection >> /usr/lib64/python2.7/site-packages/sqlalchemy/pool.py:248 >> >> >> >> >> *Any help would be highly appreciated since this would impact my >> work on setting up HA proxy for Barbican* >> >> Thanks in advance ! >> >> >> -- >> >> /Thanks and Regards,/ >> >> /Asha Seshagiri/ >> >> >> >> >> -- >> >> /Thanks and Regards,/ >> >> /Asha Seshagiri/ >> >> >> >> >> -- /Thanks and Regards,/ /Asha Seshagiri/ >> _____________________________________________________________________ _____ >> >> OpenStack Development Mailing List (not for usage questions) >> Unsubscribe: openstack-dev-requ...@lists.openstack.org >> <mailto:openstack-dev-requ...@lists.openstack.org>?subject:unsubscrib e >> >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > > ______________________________________________________________________ ____ > > OpenStack Development Mailing List (not for usage questions) > Unsubscribe: > openstack-dev-requ...@lists.openstack.org?subject:unsubscribe > <http://openstack-dev-requ...@lists.openstack.org?subject:unsubscribe> > > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > > > > > -- /Thanks and Regards,/ /Asha Seshagiri/ > > > ______________________________________________________________________ ____ > > OpenStack Development Mailing List (not for usage questions) > Unsubscribe: > openstack-dev-requ...@lists.openstack.org?subject:unsubscribe > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > -----BEGIN PGP SIGNATURE----- Comment: GPGTools - https://gpgtools.org iQIcBAEBCgAGBQJVVSxdAAoJEB7Z2EQgmLX7tZ4P/RmFMA/m95gU8rIHRSyAIlvN 4WHEiodC5afyss3VhHxhzaAAcZHDYnT2Xy6x0nOleITepnVEapNVHqezI8xlTDyR 2rQoM9isCNCuck4Nmw9t6eoXefBE+1S9/4PhAQZkFrWK5KiIo8YYGDxQ+2dE4/ga xZWtG5E/9D0vUTkKnaKgjLRsIQff2jl+YMIheJCnlz8GBvOiA1W0KuJX2u9d7Ka0 p25M1YC/uUZ34tveQZde6zwSJ8G0hHayZZTQJeVeyR82vjqBSQKrwG0PXgIuewaO opDHEfmTvOaLBUDe8uTU4REIiTf7fCsKMFvq34484ZPn6afXj6UKldRt3+mAx/fr wPGNRtMepJCbkiJ2ez2AFSxJzOAtPDOMXRIiVGKdyFIf1mo5dTbvFYRH9y4VbhCA fyMphB4TaAhTvpnNqO1m4NdLw9NHrCJro9dl0xvnOlzaYBAG7QOsPK6nhPw8rQuq IWMAf/zqYSD1358O7d6bNw4LUproNMOdM/CSQc4oMaEwO4IbmaML8RaIiYLsvNfQ v7wf9zBkSvRfAurXrCD5ycucsxmdX3tdH7YpAaOdLqujLmfPOtypY1c3tsK/q2hu Shhrq57OvPPmaTk6dmgbivNWldHn3GjzGo/Eu+9gtBzeUi9mKrW0taWoSmyxmksB slHw2tobVgi7Q2+e8vfY =Vyfp -----END PGP SIGNATURE----- __________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev