[openstack-dev] [QA][grenade] Create new grenade job
Hey QA. I am interested in making a Grenade job for Barbican and I have been messing around with Grenade. I downloaded the repo and ran the "grenade.sh" script but it seems it can't make it pastthe tempest smoke tests against the base. It fails on two tests. Is grenade suppose to work right outside the box or is there some configuration I possibly missed? Here is output of one of the failed tests: Traceback (most recent call last):2016-02-11 23:07:32.785 | File "tempest/test.py", line 113, in wrapper2016-02-11 23:07:32.785 | return f(self, *func_args, **func_kwargs)2016-02-11 23:07:32.785 | File "tempest/scenario/test_volume_boot_pattern.py", line 115, in test_volume_boot_pattern2016-02-11 23:07:32.785 | private_key=keypair['private_key'])2016-02-11 23:07:32.786 | File "tempest/scenario/manager.py", line 622, in create_timestamp2016-02-11 23:07:32.786 | private_key=private_key)2016-02-11 23:07:32.786 | File "tempest/scenario/manager.py", line 377, in get_remote_client2016-02-11 23:07:32.786 | linux_client.validate_authentication()2016-02-11 23:07:32.786 | File "tempest/common/utils/linux/remote_client.py", line 51, in validate_authentication2016-02-11 23:07:32.786 | self.ssh_client.test_connection_auth()2016-02-11 23:07:32.786 | File "/opt/stack/liberty/tempest/.tox/smoke/local/lib/python2.7/site-packages/tempest_lib/common/ssh.py", line 173, in test_connection_auth2016-02-11 23:07:32.786 | connection = self._get_ssh_connection()2016-02-11 23:07:32.786 | File "/opt/stack/liberty/tempest/.tox/smoke/local/lib/python2.7/site-packages/tempest_lib/common/ssh.py", line 88, in _get_ssh_connection2016-02-11 23:07:32.786 | password=self.password)2016-02-11 23:07:32.786 | tempest_lib.exceptions.SSHTimeout: Connection to the 172.24.4.2 via SSH timed out.2016-02-11 23:07:32.786 | User: cirros, Password: NoneThe output of the second test is identical.Here are the test names - tempest.scenario.test_volume_boot_pattern.TestVolumeBootPatternV2.test_volume_boot_pattern [354.787819s] ... FAILED - tempest.scenario.test_volume_boot_pattern.TestVolumeBootPattern.test_volume_boot_pattern [331.473795s] ... FAILEDI am running grenade on a fresh Ubuntu VM in VirtualBox. Thanks!-Christopher Solis __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
[openstack-dev] [Barbican] Multiple KMIP servers on a single barbican
Hey all. I wanted to get people's opinion on allowing barbican to talk to multiple KMIP servers. I got good advice from Nathan and John and it seems like it would be pretty easy keeping track of which secret resides in which KMIP applicance. You would just store the url in the DTO. However, in order for barbican to be aware of all KMIP servers wouldn't that mean that each kmip server url would need to be in the barbican-api.conf file? Or somewhere for barbican to know that multiple kmip servers are available? I noticed that there is a blueprint to introduce the concept of a single active and multiple inactive secret store plugins so I'm trying to stray away from making multiple active plugins. Regards, Chris Solis__ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
[openstack-dev] [barbican] Backing up and restoring lost secrets
Hello. I'm wondering what happens when barbican fails or crashes. What would need to be backed up in order to restore barbican back to a previously functional state? Regards, CHRIS SOLIS__ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
[openstack-dev] [barbican] Storing and retrieving secrets.
Hello. I have a question concerning the creation and retrieval of a secret. I used the orders resource to request a key to be generated of type text/plain. However, I cannot retrieve it of type text/plain. It appears I can only retrieve it of type octet-stream. I just wanted to clarify this is the correct functionality? I can understand why this is the implemented route but just want to make sure it's not possible to retrieve a secret of type text/plain when generated by barbican using the orders resource. Thank You. Regards, CHRIS SOLIS__ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [barbican] Utilizing the KMIP plugin
Hello,
I have some questions concerning what exactly is implemented with respect
to the kmip plugin.
When I attempt to store a symmetric key using the command:
curl -X POST -H 'content-type:application/json' -H 'X-Project-Id:12345' -d
'{name: AES key, algorithm:aes, bit_length:256,
mode:cbc,payload:9A855DC48159F6629EBFF919C045C24B57B6B0327AA43FAA5DD6C87FC3E000AB,payload_content_type:application/octet-stream,payload_content_encoding:base64,
secret_type:symmetric}'
http://localhost:9311/v1/secrets
I receive the following error: SecretGeneralException: Problem seen during
crypto processing - Reason: 'NoneType' object has no attribute 'enum'
When I also ask barbican to generate a symmetric key using the orders
resource:
curl -X POST -H 'content-type:application/json' -H 'X-Project-Id: 12345' -d
'{ type:key, meta: {name: secretname, algorithm: aes,
bit_length: 256, mode: cbc, payload_content_type:
application/octet-stream}}' http://localhost:9311/v1/orders
I get what appears to be the same error: AttributeError: 'NoneType' object
has no attribute 'enum'
Does this mean symmetric key storage is still not fully implemented? Or is
it possible there is a misconfiguration between my kmip plugin and
barbican?
Thank you!
Chris Solis
From: Christopher N Solis/Austin/IBM@IBMUS
To: Coffman, Joel M. joel.coff...@jhuapl.edu
Cc: Reller, Nathan S. nathan.rel...@jhuapl.edu, 'OpenStack
Development Mailing List \(not for usage questions\)'
openstack-dev@lists.openstack.org, Farr, Kaitlin M.
kaitlin.f...@jhuapl.edu
Date: 04/21/2015 03:50 PM
Subject:Re: [openstack-dev] [barbican] Utilizing the KMIP plugin
Hey Joel.
Thanks for the advice!
I was able to solve the problem and have the ssl connection become trusted.
Barbican seems to be authenticating correctly to the KMIP server as well
now.
However, I have another problem.
When I try to store a plain text secret into barbican I receive the
following error:
File /home/swift/barbican/barbican/api/controllers/__init__.py, line 104,
in handler
return fn(inst, *args, **kwargs)
File /home/swift/barbican/barbican/api/controllers/__init__.py, line
90, in enforcer
return fn(inst, *args, **kwargs)
File /home/swift/barbican/barbican/api/controllers/__init__.py, line
146, in content_types_enforcer
return fn(inst, *args, **kwargs)
File /home/swift/barbican/barbican/api/controllers/secrets.py, line
326, in on_post
transport_key_id=data.get('transport_key_id'))
File /home/swift/barbican/barbican/plugin/resources.py, line 95, in
store_secret
plugin_name=plugin_name)
File /home/swift/barbican/barbican/plugin/interface/secret_store.py,
line 478, in _check_plugins_configured
return plugin_related_function(self, *args, **kwargs)
File /home/swift/barbican/barbican/plugin/interface/secret_store.py,
line 513, in get_plugin_store
if ext.obj.store_secret_supports(key_spec):
File /home/swift/barbican/barbican/plugin/kmip_secret_store.py, line
481, in store_secret_supports
return self.generate_supports(key_spec)
File /home/swift/barbican/barbican/plugin/kmip_secret_store.py, line
437, in generate_supports
alg_dict_entry = self.valid_alg_dict.get(key_spec.alg.lower())
AttributeError: 'NoneType' object has no attribute 'lower'
I don't really know what could be causing this error. Any ideas?
Regards,
CHRIS SOLIS
Inactive hide details for Coffman, Joel M. ---04/16/2015 03:22:25
PM---However, I cannot not make a request to the kmip plugiCoffman, Joel
M. ---04/16/2015 03:22:25 PM---However, I cannot not make a request to the
kmip plugin because of an ssl error: The keyfile, certfi
From: Coffman, Joel M. joel.coff...@jhuapl.edu
To: 'OpenStack Development Mailing List (not for usage questions)'
openstack-dev@lists.openstack.org, Christopher N Solis/Austin/IBM@IBMUS
Cc: Reller, Nathan S. nathan.rel...@jhuapl.edu, Farr, Kaitlin M.
kaitlin.f...@jhuapl.edu, Coffman, Joel M. joel.coff...@jhuapl.edu
Date: 04/16/2015 03:22 PM
Subject: RE: [openstack-dev] [barbican] Utilizing the KMIP plugin
However, I cannot not make a request to the kmip plugin because of an ssl
error:
The keyfile, certfile, and ca_certs are passed directly to ssl.wrap_socket.
Debugging any SSL errors isn’t easy – Google is generally the best resource
to identify and resolve issues based on the error codes returned by
OpenSSL. :-(
What exactly is each variable suppose to contain?
See the ssl.wrap_socket documentation for more details.
I have keyfile and certfile being a self signed certificate and 2048 bit
RSA key respectively for barbican to use and ca_certs is the kmip_plugins'
certificate for barbican to trust. Does this setup sound right?
In the sentence, you swap the key and certificate (i.e., the RSA key should
be the keyfile and the self-signed certificate should be the certfile), but
that’s probably not the real issue. :-)
If credentials (i.e., a key and certificate) weren’t provided to you for
the KMIP
Re: [openstack-dev] [barbican] Utilizing the KMIP plugin
Hey Joel.
Thanks for the advice!
I was able to solve the problem and have the ssl connection become trusted.
Barbican seems to be authenticating correctly to the KMIP server as well
now.
However, I have another problem.
When I try to store a plain text secret into barbican I receive the
following error:
File /home/swift/barbican/barbican/api/controllers/__init__.py, line 104,
in handler
return fn(inst, *args, **kwargs)
File /home/swift/barbican/barbican/api/controllers/__init__.py, line
90, in enforcer
return fn(inst, *args, **kwargs)
File /home/swift/barbican/barbican/api/controllers/__init__.py, line
146, in content_types_enforcer
return fn(inst, *args, **kwargs)
File /home/swift/barbican/barbican/api/controllers/secrets.py, line
326, in on_post
transport_key_id=data.get('transport_key_id'))
File /home/swift/barbican/barbican/plugin/resources.py, line 95, in
store_secret
plugin_name=plugin_name)
File /home/swift/barbican/barbican/plugin/interface/secret_store.py,
line 478, in _check_plugins_configured
return plugin_related_function(self, *args, **kwargs)
File /home/swift/barbican/barbican/plugin/interface/secret_store.py,
line 513, in get_plugin_store
if ext.obj.store_secret_supports(key_spec):
File /home/swift/barbican/barbican/plugin/kmip_secret_store.py, line
481, in store_secret_supports
return self.generate_supports(key_spec)
File /home/swift/barbican/barbican/plugin/kmip_secret_store.py, line
437, in generate_supports
alg_dict_entry = self.valid_alg_dict.get(key_spec.alg.lower())
AttributeError: 'NoneType' object has no attribute 'lower'
I don't really know what could be causing this error. Any ideas?
Regards,
CHRIS SOLIS
From: Coffman, Joel M. joel.coff...@jhuapl.edu
To: 'OpenStack Development Mailing List (not for usage
questions)' openstack-dev@lists.openstack.org, Christopher N
Solis/Austin/IBM@IBMUS
Cc: Reller, Nathan S. nathan.rel...@jhuapl.edu, Farr, Kaitlin
M. kaitlin.f...@jhuapl.edu, Coffman, Joel M.
joel.coff...@jhuapl.edu
Date: 04/16/2015 03:22 PM
Subject:RE: [openstack-dev] [barbican] Utilizing the KMIP plugin
However, I cannot not make a request to the kmip plugin because of an ssl
error:
The keyfile, certfile, and ca_certs are passed directly to ssl.wrap_socket.
Debugging any SSL errors isn’t easy – Google is generally the best resource
to identify and resolve issues based on the error codes returned by
OpenSSL. :-(
What exactly is each variable suppose to contain?
See the ssl.wrap_socket documentation for more details.
I have keyfile and certfile being a self signed certificate and 2048 bit
RSA key respectively for barbican to use and ca_certs is the kmip_plugins'
certificate for barbican to trust. Does this setup sound right?
In the sentence, you swap the key and certificate (i.e., the RSA key should
be the keyfile and the self-signed certificate should be the certfile), but
that’s probably not the real issue. :-)
If credentials (i.e., a key and certificate) weren’t provided to you for
the KMIP appliance, you’ll probably need to have the KMIP appliance sign
your self-signed certificate so it knows that it’s valid. The procedure
differs by appliance but loosely resembles the following:
1. Generate key and certificate on local machine using OpenSSL
2. Upload certificate to KMIP appliance
3. Sign the certificate using the KMIP appliance’s server
certificate
Alternatively, a key and certificate could be provided for the KMIP
appliance; you would use those files rather than generating them locally.
Hope that information is helpful.
Joel
From: John Wood [mailto:john.w...@rackspace.com]
Sent: Wednesday, April 15, 2015 9:19 AM
To: OpenStack Development Mailing List (not for usage questions)
Cc: Reller, Nathan S.; Farr, Kaitlin M.
Subject: Re: [openstack-dev] [barbican] Utilizing the KMIP plugin
Hello Christopher,
I’m glad you are making progress. I’m including two folks that worked on
the KMIP plugin to see if they can help with your error diagnosis.
Thanks,
John
From: Christopher N Solis cnso...@us.ibm.com
Reply-To: OpenStack Development Mailing List (not for usage questions)
openstack-dev@lists.openstack.org
Date: Tuesday, April 14, 2015 at 10:21 AM
To: OpenStack Development Mailing List (not for usage questions)
openstack-dev@lists.openstack.org
Subject: Re: [openstack-dev] [barbican] Utilizing the KMIP plugin
Hey John.
Thanks!
You were right. It was reading the config from the /root directory because
I switched to the root user.
After switching back to the normal user it is reading the correct config
file again.
It is trying to use the kmip plugin now.
However, I cannot not make a request to the kmip plugin because of an ssl
error:
2015-04-14 10:02:26,219 - barbican.plugin.kmip_secret_store - ERROR - Error
opening or writing to client
Traceback (most recent call last):
File /home/swift
Re: [openstack-dev] [barbican] Utilizing the KMIP plugin
Hey John. Thanks! You were right. It was reading the config from the /root directory because I switched to the root user. After switching back to the normal user it is reading the correct config file again. It is trying to use the kmip plugin now. However, I cannot not make a request to the kmip plugin because of an ssl error: 2015-04-14 10:02:26,219 - barbican.plugin.kmip_secret_store - ERROR - Error opening or writing to client Traceback (most recent call last): File /home/swift/barbican/barbican/plugin/kmip_secret_store.py, line 167, in generate_symmetric_key self.client.open() File /home/swift/.pyenv/versions/barbican27/lib/python2.7/site-packages/kmip/services/kmip_client.py, line 86, in open self.socket.connect((self.host, self.port)) File /home/swift/.pyenv/versions/2.7.6/lib/python2.7/ssl.py, line 333, in connect self._real_connect(addr, False) File /home/swift/.pyenv/versions/2.7.6/lib/python2.7/ssl.py, line 314, in _real_connect self.ca_certs, self.ciphers) SSLError: [Errno 0] _ssl.c:343: error::lib(0):func(0):reason(0) I believe there is a problem in the KMIP plugin part of the barbican-api.conf file: keyfile = '/path/to/certs/cert.key' certfile = '/path/to/certs/cert.crt' ca_certs = '/path/to/certs/LocalCA.crt' What exactly is each variable suppose to contain? I have keyfile and certfile being a self signed certificate and 2048 bit RSA key respectively for barbican to use and ca_certs is the kmip_plugins' certificate for barbican to trust. Does this setup sound right? Regards, Christopher Solis From: John Wood john.w...@rackspace.com To: OpenStack Development Mailing List (not for usage questions) openstack-dev@lists.openstack.org Date: 04/10/2015 07:24 PM Subject:Re: [openstack-dev] [barbican] Utilizing the KMIP plugin Hello Christopher, It does seem that configs are being read for another location. Try to remove that copy in you home directory (so just keep the /etc location). If you see the same issue, try to rename your /etc/barbican/barbican-api.conf file to something else. Barbican should crash, probably with a No SQL connection error. Also, double check the ‘kmip_plugin’ setting in setup.cfg as per below, and try running ‘pip install -e .’ again in your virtual environment. FWIW, this CR adds better logging of plugin errors once the loading problem you have is figured out: https://review.openstack.org/#/c/171868/ Thanks, John From: Christopher N Solis cnso...@us.ibm.com Reply-To: OpenStack Development Mailing List (not for usage questions) openstack-dev@lists.openstack.org Date: Thursday, April 9, 2015 at 1:55 PM To: OpenStack Development Mailing List (not for usage questions) openstack-dev@lists.openstack.org Subject: Re: [openstack-dev] [barbican] Utilizing the KMIP plugin Hey John. Thanks for letting me know about the error. But I think my configuration is not seeing the kmip_plugin selection. In my barbican-api.conf file in /etc/barbican I have set enabled_secretstore_plugins = kmip_plugin However, I don't think it is creating a KMIPSecretStore instance. I edited the code in kmip_secret_store.py and put a breakpoint at the very beginning of the init function. When I make a barbican request to put a secret in there, it did not stop at the breakpoint at all. I put another breakpoint in the store_crypto.py file inside the init function for the StoreCryptoAdapterPlugin and I was able to enter the code at that breakpoint. So even though in my barbican-api.conf file I specified kmip_plugin it seems to be using the store_crypto plugin instead. Is there something that might cause this to happen? I also want to note that my code has the most up to date pull from the community code. Here's what my /etc/barbican/barbican-api.conf file has in it: # = Secret Store Plugin === [secretstore] namespace = barbican.secretstore.plugin enabled_secretstore_plugins = kmip_plugin ... ... ... # == KMIP plugin = [kmip_plugin] username = '**' password = '**' host = 10.0.2.15 port = 5696 keyfile = '/etc/barbican/rootCA.key' certfile = '/etc/barbican/rootCA.pem' ca_certs = '/etc/barbican/rootCA.pem' Regards, Christopher Solis Inactive hide details for John Wood ---04/08/2015 03:16:58 PM---Hello Christopher, My local configuration is indeed seeing the John Wood ---04/08/2015 03:16:58 PM---Hello Christopher, My local configuration is indeed seeing the kmip_plugin selection, but when steve From: John Wood john.w...@rackspace.com To: OpenStack Development Mailing List (not for usage questions) openstack-dev@lists.openstack.org Date: 04/08/2015 03:16 PM Subject: Re: [openstack-dev] [barbican] Utilizing the KMIP plugin Hello Christopher, My local configuration is indeed seeing the kmip_plugin selection, but when stevedore tries to load the KMIP plugin it crashes because required files are missing in my local environment (see https
Re: [openstack-dev] [barbican] Utilizing the KMIP plugin
Hey John. Thanks for letting me know about the error. But I think my configuration is not seeing the kmip_plugin selection. In my barbican-api.conf file in /etc/barbican I have set enabled_secretstore_plugins = kmip_plugin However, I don't think it is creating a KMIPSecretStore instance. I edited the code in kmip_secret_store.py and put a breakpoint at the very beginning of the init function. When I make a barbican request to put a secret in there, it did not stop at the breakpoint at all. I put another breakpoint in the store_crypto.py file inside the init function for the StoreCryptoAdapterPlugin and I was able to enter the code at that breakpoint. So even though in my barbican-api.conf file I specified kmip_plugin it seems to be using the store_crypto plugin instead. Is there something that might cause this to happen? I also want to note that my code has the most up to date pull from the community code. Here's what my /etc/barbican/barbican-api.conf file has in it: # = Secret Store Plugin === [secretstore] namespace = barbican.secretstore.plugin enabled_secretstore_plugins = kmip_plugin ... ... ... # == KMIP plugin = [kmip_plugin] username = '**' password = '**' host = 10.0.2.15 port = 5696 keyfile = '/etc/barbican/rootCA.key' certfile = '/etc/barbican/rootCA.pem' ca_certs = '/etc/barbican/rootCA.pem' Regards, Christopher Solis From: John Wood john.w...@rackspace.com To: OpenStack Development Mailing List (not for usage questions) openstack-dev@lists.openstack.org Date: 04/08/2015 03:16 PM Subject:Re: [openstack-dev] [barbican] Utilizing the KMIP plugin Hello Christopher, My local configuration is indeed seeing the kmip_plugin selection, but when stevedore tries to load the KMIP plugin it crashes because required files are missing in my local environment (see https://github.com/openstack/barbican/blob/master/barbican/plugin/kmip_secret_store.py#L131 ) for example. Stevedore logs the exception but then doesn’t load this module, so when Barbican asks for an available plugin it doesn’t see it and crashes as you see. So the root exception from stevedore isn’t showing up in my logs for some reason, and probably not in yours as well. We’ll try to put up a CR to at least expose this exception in logs. In the mean time, make sure the KMIP values checked via that link above are configured on your machine. Sorry for the inconvenience, John From: Christopher N Solis cnso...@us.ibm.com Reply-To: OpenStack Development Mailing List (not for usage questions) openstack-dev@lists.openstack.org Date: Wednesday, April 8, 2015 at 11:27 AM To: OpenStack Development Mailing List (not for usage questions) openstack-dev@lists.openstack.org Subject: Re: [openstack-dev] [barbican] Utilizing the KMIP plugin Hey John. I do have the barbican-api.conf file located in the /etc/barbican folder. But that does not seem to be the one that barbican reads from. It seems to be reading from the barbican-api.conf file locate in my home directory. Either way, both have the exact same configurations. I also checked the setup.cfg file and it does have the line for kmip_plugin . Regards, CHRIS SOLIS Inactive hide details for John Wood ---04/07/2015 10:39:18 AM---Hello Christopher, Just checking, but is that barbican-api.confJohn Wood ---04/07/2015 10:39:18 AM---Hello Christopher, Just checking, but is that barbican-api.conf file located in your local system's From: John Wood john.w...@rackspace.com To: openstack-dev@lists.openstack.org openstack-dev@lists.openstack.org Date: 04/07/2015 10:39 AM Subject: Re: [openstack-dev] [barbican] Utilizing the KMIP plugin Hello Christopher, Just checking, but is that barbican-api.conf file located in your local system’s /etc/barbican folder? If not that is the preferred place for local development. Modifying the copy that is in your local git repository will have no effect. Also, please double check that your local git repository’s setup.cfg has a line like this in there (at/around #35): kmip_plugin = barbican.plugin.kmip_secret_store:KMIPSecretStore Thanks, John From: Christopher N Solis cnso...@us.ibm.com Reply-To: openstack-dev@lists.openstack.org openstack-dev@lists.openstack.org Date: Monday, April 6, 2015 at 10:25 AM To: openstack-dev@lists.openstack.org openstack-dev@lists.openstack.org Subject: [openstack-dev] [barbican] Utilizing the KMIP plugin Hello! Sorry to Kaitlin Farr for not responding directly to your e-mail. My openstack settings were misconfigured and I was not receiving e-mail from the dev mailing list. Thanks for looking into the issue. I double checked the permissions at the bottom of the kmip_plugin part in the barbican-api.conf file and they are set to 400. I would also like to note that I do not think the code ever actually entered the __init__ function of KMIPSecretStore. I put a breakpoint in the __init__ function
Re: [openstack-dev] [barbican] Utilizing the KMIP plugin
Hey John. I do have the barbican-api.conf file located in the /etc/barbican folder. But that does not seem to be the one that barbican reads from. It seems to be reading from the barbican-api.conf file locate in my home directory. Either way, both have the exact same configurations. I also checked the setup.cfg file and it does have the line for kmip_plugin . Regards, CHRIS SOLIS From: John Wood john.w...@rackspace.com To: openstack-dev@lists.openstack.org openstack-dev@lists.openstack.org Date: 04/07/2015 10:39 AM Subject:Re: [openstack-dev] [barbican] Utilizing the KMIP plugin Hello Christopher, Just checking, but is that barbican-api.conf file located in your local system’s /etc/barbican folder? If not that is the preferred place for local development. Modifying the copy that is in your local git repository will have no effect. Also, please double check that your local git repository’s setup.cfg has a line like this in there (at/around #35): kmip_plugin = barbican.plugin.kmip_secret_store:KMIPSecretStore Thanks, John From: Christopher N Solis cnso...@us.ibm.com Reply-To: openstack-dev@lists.openstack.org openstack-dev@lists.openstack.org Date: Monday, April 6, 2015 at 10:25 AM To: openstack-dev@lists.openstack.org openstack-dev@lists.openstack.org Subject: [openstack-dev] [barbican] Utilizing the KMIP plugin Hello! Sorry to Kaitlin Farr for not responding directly to your e-mail. My openstack settings were misconfigured and I was not receiving e-mail from the dev mailing list. Thanks for looking into the issue. I double checked the permissions at the bottom of the kmip_plugin part in the barbican-api.conf file and they are set to 400. I would also like to note that I do not think the code ever actually entered the __init__ function of KMIPSecretStore. I put a breakpoint in the __init__ function but the debugger never gets open. The error occurs and returns without ever seeming to enter the init function. Here are the parts of the barbican-api.conf file that concern the kmip_plugin: . [secretstore] namespace = barbican.secretstore.plugin enabled_secretstore_plugins = kmip_plugin . [kmip_plugin] username = '**' password = '**' host = port = keyfile = '/etc/barbican/rootCA.key' certfile = '/etc/barbican/rootCA.pem' ca_certs = '/etc/barbican/rootCA.pem' ... Thank You!! Regards, Christopher Solis __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
[openstack-dev] [barbican] Utilizing the KMIP plugin
Hello! Sorry to Kaitlin Farr for not responding directly to your e-mail. My openstack settings were misconfigured and I was not receiving e-mail from the dev mailing list. Thanks for looking into the issue. I double checked the permissions at the bottom of the kmip_plugin part in the barbican-api.conf file and they are set to 400. I would also like to note that I do not think the code ever actually entered the __init__ function of KMIPSecretStore. I put a breakpoint in the __init__ function but the debugger never gets open. The error occurs and returns without ever seeming to enter the init function. Here are the parts of the barbican-api.conf file that concern the kmip_plugin: . [secretstore] namespace = barbican.secretstore.plugin enabled_secretstore_plugins = kmip_plugin . [kmip_plugin] username = '**' password = '**' host = port = keyfile = '/etc/barbican/rootCA.key' certfile = '/etc/barbican/rootCA.pem' ca_certs = '/etc/barbican/rootCA.pem' ... Thank You!! Regards, Christopher Solis__ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
[openstack-dev] [barbican] Utilizing the KMIP plugin
Hello!
I am having some trouble with the kmip_plugin and would like some help.
When I make a call to barbican to store a secret it returns the following
error:
2015-04-03 12:33:17,279 - barbican.api.controllers - ERROR - Secret
creation failure seen - please contact site administrator.
Traceback (most recent call last):
File /home/swift/barbican/barbican/api/controllers/__init__.py, line
98, in handler
return fn(inst, *args, **kwargs)
File /home/swift/barbican/barbican/api/controllers/__init__.py, line
84, in enforcer
return fn(inst, *args, **kwargs)
File /home/swift/barbican/barbican/api/controllers/__init__.py, line
140, in content_types_enforcer
return fn(inst, *args, **kwargs)
File /home/swift/barbican/barbican/api/controllers/secrets.py, line
294, in on_post
transport_key_id=data.get('transport_key_id'))
File /home/swift/barbican/barbican/plugin/resources.py, line 101, in
store_secret
key_spec=key_spec, plugin_name=plugin_name)
File /home/swift/barbican/barbican/plugin/interface/secret_store.py,
line 477, in _check_plugins_configured
raise SecretStorePluginsNotConfigured()
SecretStorePluginsNotConfigured: No secret store plugins have been
configured
In the barbican-api.conf file I have set enabled_secretstore_plugins to
kmip_plugin.
I have also updated the kmip_plugin part of the file to point to the host
and port where my kmip Key Manager is running
with all the required credentials and ssl certs.
I also made sure the ssl requirements are set to permissions 400.
Is there something I am missing that is causing this problem?
Thank You!!
- Christopher Solis
Regards,
CHRIS SOLIS
Software Developer - Cloud Infrastructure Services Security
Phone: 1-512-286-6458 | Mobile:IBM
1-210-844-5913
E-mail: cnso...@us.ibm.com 11501 Burnet Rd
Austin, TX 78758-3400
United States
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
