Re: [openstack-dev] Barbican : Unable to create the secret after Integrating Barbican with HSM HA
Asha,

I'm not sure what went wrong. Something must have happened during your HA setup. You might check a couple of different things: first, check your HA policies and HA group setup. The other thing to make sure of is that you only generate one mkek and hmac on one HSM (I use the direct slot and not the HA virtual slot for this) and then replicate (vtl haAdmin -synchronize). If the HA group is set up properly it should replicate your mkek and hmac across the other HSMs in the HA group.

As a side note, the pkcs11 plugin in Barbican currently retrieves the mkek and hmac by label, so make sure you don't have multiple keys in the HSM with the same label.

John Vrbanac

From: Asha Seshagiri asha.seshag...@gmail.com
Sent: Tuesday, July 28, 2015 9:22 AM
To: John Vrbanac
Cc: openstack-dev; John Wood; Douglas Mendizabal; Reller, Nathan S.
Subject: Re: Barbican : Unable to create the secret after Integrating Barbican with HSM HA

Hi John,

Any help would be highly appreciated.

Thanks and Regards,
Asha Seshagiri

On Mon, Jul 27, 2015 at 3:10 PM, Asha Seshagiri asha.seshag...@gmail.com wrote:

Hi John,

Thanks a lot for providing me the response :)

I followed the link [1] for configuring the HA setup.

[1] http://docs.aws.amazon.com/cloudhsm/latest/userguide/ha-setup.html

The final step in the above link is the haAdmin command, which is run on the client side (on Barbican).
Slot 6 is the virtual slot (only on the client side and not visible on the Luna SA) and 1 and 2 are actual slots on the Luna SA HSM. Please find the response below:

[root@HSM-Client bin]# ./vtl haAdmin show

HA Global Configuration Settings
================================
HA Proxy: disabled
HA Auto Recovery: disabled
Maximum Auto Recovery Retry: 0
Auto Recovery Poll Interval: 60 seconds
HA Logging: disabled
Only Show HA Slots: no

HA Group and Member Information
HA Group Label: barbican_ha
HA Group Number: 1489361010
HA Group Slot #: 6
Synchronization: enabled
Group Members: 489361010, 489361011
Standby members: none

Slot #   Member S/N   Member Label   Status
======   ==========   ============   ======
1        489361010    barbican2      alive
2        489361011    barbican3      alive

After knowing the virtual HA slot number, I ran pkcs11-key-generation with slot number 6, which did create the mkek and hmac in slot/partition 1 and 2 automatically. I am not sure why we have to replicate the keys between partitions?

I configured slot 6 in barbican.conf as mentioned in my first email. Not sure what the issue might be, and it would be great if you could tell me the steps or where I would have gone wrong.

Thanks and Regards,
Asha Seshagiri
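What John's advice amounts to is a few conditions that can be read straight off the `vtl haAdmin show` output Asha posted. The following is an added example, not part of this thread and not Barbican or SafeNet code: a Python pre-flight check that parses that output (the line layout is assumed from the text quoted above), then verifies that synchronization is enabled, that every member is alive, and that the slot_id you put in barbican.conf is the HA virtual slot rather than one of the physical partitions. The sample output embedded in it is constructed from the thread's values.

```python
"""Pre-flight check of a SafeNet Luna HA group for Barbican's p11_crypto plugin.

Added example; not part of the thread and not Barbican or SafeNet code.
It parses the text printed by `vtl haAdmin show` (layout assumed from the
output quoted in the thread) and reports the conditions that must hold
before pointing slot_id at the HA virtual slot:

  * Synchronization is enabled for the group,
  * every member partition reports "alive",
  * slot_id in barbican.conf is the group's virtual slot, not a physical
    member slot.
"""
import re
from dataclasses import dataclass, field


@dataclass
class HAMember:
    slot: int
    serial: str
    label: str
    status: str


@dataclass
class HAGroup:
    settings: dict = field(default_factory=dict)   # "HA Group Slot #" -> "6", ...
    members: list = field(default_factory=list)    # [HAMember, ...]


# "Key: value" settings lines and "slot serial label status" member rows.
_SETTING = re.compile(r"^\s*([A-Za-z][A-Za-z #]*?)\s*:\s*(.*?)\s*$")
_MEMBER = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s*$")


def parse_ha_show(text):
    """Turn `vtl haAdmin show` output into an HAGroup."""
    group = HAGroup()
    for line in text.splitlines():
        row = _MEMBER.match(line)
        if row:
            slot, serial, label, status = row.groups()
            group.members.append(HAMember(int(slot), serial, label, status.lower()))
            continue
        kv = _SETTING.match(line)
        if kv:
            group.settings[kv.group(1)] = kv.group(2)
    return group


def check_ha_ready(group, configured_slot_id):
    """Return a list of problems; an empty list means the group looks usable."""
    problems = []
    s = group.settings

    if s.get("Synchronization", "").lower() != "enabled":
        problems.append("Synchronization is not enabled; keys generated on one member "
                        "will not be replicated (see 'vtl haAdmin -synchronize')")

    ha_slot = s.get("HA Group Slot #")
    if ha_slot is None:
        problems.append("no 'HA Group Slot #' line; is the HA group defined on this client?")
    elif int(ha_slot) != configured_slot_id:
        problems.append(f"barbican.conf slot_id={configured_slot_id} but the HA virtual slot is {ha_slot}")

    if not group.members:
        problems.append("HA group has no members")
    for m in group.members:
        if m.status != "alive":
            problems.append(f"member {m.label} (S/N {m.serial}, slot {m.slot}) is {m.status}")
        if m.slot == configured_slot_id:
            problems.append(f"slot_id={configured_slot_id} is physical member {m.label}, "
                            "not the HA virtual slot")

    # Every serial in "Group Members:" should also appear in the member table.
    listed = {x.strip() for x in s.get("Group Members", "").split(",") if x.strip()}
    shown = {m.serial for m in group.members}
    for serial in sorted(listed - shown):
        problems.append(f"member S/N {serial} is in the group but missing from the member table")
    return problems


# Constructed sample, laid out like the output quoted in the thread.
SAMPLE_HA_SHOW = """\
HA Global Configuration Settings
================================
HA Proxy: disabled
HA Auto Recovery: disabled
Maximum Auto Recovery Retry: 0
Auto Recovery Poll Interval: 60 seconds
HA Logging: disabled
Only Show HA Slots: no

HA Group and Member Information
HA Group Label: barbican_ha
HA Group Number: 1489361010
HA Group Slot #: 6
Synchronization: enabled
Group Members: 489361010, 489361011
Standby members: none

Slot #   Member S/N   Member Label   Status
======   ==========   ============   ======
1        489361010    barbican2      alive
2        489361011    barbican3      alive
"""


if __name__ == "__main__":
    group = parse_ha_show(SAMPLE_HA_SHOW)
    for slot_id in (6, 1):
        print(f"slot_id={slot_id}:", check_ha_ready(group, slot_id) or "OK")
```

Run it against real output with `parse_ha_show(subprocess.check_output(["vtl", "haAdmin", "show"], text=True))`; anything it reports is a reason not to start Barbican against the virtual slot yet. The quoted output also shows HA Auto Recovery disabled, which (as I read the Luna setting) means a member that drops out of the group is not re-admitted on its own; whether that is acceptable is a deployment decision, not something this check can make for you.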
Re: [openstack-dev] Barbican : Unable to create the secret after Integrating Barbican with HSM HA
Asha,

I've used the Safenet HSM HA virtual slot setup and it does work. However, the setup is very interesting because you need to generate the MKEK and HMAC on a single HSM and then replicate it to the other HSMs out of band of anything we have in Barbican. If I recall correctly, the Safenet Luna docs mention how to replicate keys or partitions between HSMs.

John Vrbanac

From: Asha Seshagiri asha.seshag...@gmail.com
Sent: Monday, July 27, 2015 2:00 PM
To: openstack-dev
Cc: John Wood; Douglas Mendizabal; John Vrbanac; Reller, Nathan S.
Subject: Barbican : Unable to create the secret after Integrating Barbican with HSM HA

Hi All,

I am working on integrating Barbican with an HSM HA set up. I have configured slot 1 and slot 2 to be on HA on the Luna SA set up. Slot 6 is a virtual slot on the client side which acts as the proxy for slots 1 and 2. Hence on the Barbican side, I mentioned slot number 6 and its password, which is identical to the passwords of slot 1 and slot 2, in the barbican.conf file.
Please find the contents of the file:

# ================= Secret Store Plugin =================
[secretstore]
namespace = barbican.secretstore.plugin
enabled_secretstore_plugins = store_crypto

# ================= Crypto plugin =================
[crypto]
namespace = barbican.crypto.plugin
enabled_crypto_plugins = p11_crypto

[simple_crypto_plugin]
# the kek should be a 32-byte value which is base64 encoded
kek = 'YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY='

[dogtag_plugin]
pem_path = '/etc/barbican/kra_admin_cert.pem'
dogtag_host = localhost
dogtag_port = 8443
nss_db_path = '/etc/barbican/alias'
nss_db_path_ca = '/etc/barbican/alias-ca'
nss_password = 'password123'
simple_cmc_profile = 'caOtherCert'

[p11_crypto_plugin]
# Path to vendor PKCS11 library
library_path = '/usr/lib/libCryptoki2_64.so'
# Password to login to PKCS11 session
login = 'test5678'
# Label to identify master KEK in the HSM (must not be the same as HMAC label)
mkek_label = 'ha_mkek'
# Length in bytes of master KEK
mkek_length = 32
# Label to identify HMAC key in the HSM (must not be the same as MKEK label)
hmac_label = 'ha_hmac'
# HSM Slot id (Should correspond to a configured PKCS11 slot). Default: 1
slot_id = 6

I was able to create the MKEK and HMAC successfully for slots 1 and 2 on the HSM when running the pkcs11-key-generation script for slot 6, which should be the expected behaviour.

[root@HSM-Client bin]# python pkcs11-key-generation --library-path '/usr/lib/libCryptoki2_64.so' --passphrase 'test5678' --slot-id 6 mkek --label 'ha_mkek'
Verified label !
MKEK successfully generated!

[root@HSM-Client bin]# python pkcs11-key-generation --library-path '/usr/lib/libCryptoki2_64.so' --passphrase 'test5678' --slot-id 6 hmac --label 'ha_hmac'
HMAC successfully generated!
[root@HSM-Client bin]#

Please find the HSM commands and responses to show the details of the partitions and the partition contents:

[root@HSM-Client bin]# ./vtl verify

The following Luna SA Slots/Partitions were found:

Slot   Serial #     Label
====   ==========   =========
1      489361010    barbican2
2      489361011    barbican3

[HSMtestLuna1] lunash: partition showcontents -partition barbican2
Please enter the user password for the partition:

Partition Name: barbican2
Partition SN: 489361010
Storage (Bytes): Total=1046420, Used=256, Free=1046164
Number objects: 2

Object Label: ha_mkek
Object Type: Symmetric Key

Object Label: ha_hmac
Object Type: Symmetric Key

Command Result : 0 (Success)

[HSMtestLuna1] lunash: partition showcontents -partition barbican3
Please enter the user password for the partition:

Partition Name: barbican3
Partition SN: 489361011
Storage (Bytes): Total=1046420, Used=256, Free=1046164
Number objects: 2

Object Label: ha_mkek
Object Type: Symmetric Key

Object Label: ha_hmac
Object Type: Symmetric Key

[root@HSM-Client bin]# ./lunacm
LunaCM V2.3.3 - Copyright (c) 2006-2013 SafeNet, Inc.
Available HSM's:

Slot Id - 1
HSM Label - barbican2
HSM Serial Number - 489361010
HSM Model - LunaSA
HSM Firmware Version - 6.2.1
HSM Configuration - Luna SA Slot (PW) Signing With Cloning Mode
HSM Status - OK

Slot Id - 2
HSM Label - barbican3
HSM Serial Number - 489361011
HSM Model - LunaSA
HSM Firmware Version - 6.2.1
HSM Configuration - Luna SA Slot (PW) Signing With Cloning Mode
HSM Status - OK

Slot Id - 6
HSM Label - barbican_ha
HSM Serial Number - 1489361010
HSM Model - LunaVirtual
HSM Firmware Version - 6.2.1
HSM Configuration - Virtual HSM (PW) Signing With Cloning Mode
HSM Status - N/A - HA Group

Current Slot Id: 1

Tried creating the secrets using the below command:

[root@HSM-Client barbican]# curl -X POST -H 'content-type:application/json' -H 'X-Project-Id:12345' -d '{"payload": "my-secret-here", "payload_content_type": "text/plain"}' http://localhost:9311/v1/secrets
{"code": 500, "description": "Secret creation failure seen - please contact
Re: [openstack-dev] Barbican : Unable to store the secret when Barbican was Integrated with SafeNet HSM
Hmm... This error is usually because one of the parameters is an incorrect type. I'm wondering if the length is coming through as a string instead of an integer. As the length defaults to 32, try not specifying the length parameter. If that works, we need to report a defect to make sure that it's properly converted to an integer.

John Vrbanac

From: Asha Seshagiri asha.seshag...@gmail.com
Sent: Monday, July 20, 2015 10:30 AM
To: OpenStack Development Mailing List (not for usage questions)
Cc: Reller, Nathan S.
Subject: Re: [openstack-dev] Barbican : Unable to store the secret when Barbican was Integrated with SafeNet HSM

Hi John,

Thanks a lot John for your response.

I tried executing the script with the following options before, but it seems it did not work. Hence I tried with the curly braces. Please find the other options below:

[root@HSM-Client bin]# python pkcs11-key-generation --library-path '/usr/lib/libCryptoki2_64.so' --passphrase 'test123' --slot-id 1 mkek --length 32 --label 'an_mkek'
HSM returned response code: 0x13L CKR_ATTRIBUTE_VALUE_INVALID

[root@HSM-Client bin]# python pkcs11-key-generation --library-path /usr/lib/libCryptoki2_64.so --passphrase test123 --slot-id 1 mkek --length 32 --label an_mkek
HSM returned response code: 0x13L CKR_ATTRIBUTE_VALUE_INVALID

It would be of great help if I could get the syntax for running the script.

Thanks and Regards,
Asha Seshagiri
Re: [openstack-dev] Barbican : Unable to store the secret when Barbican was Integrated with SafeNet HSM
Don't include the curly brackets on the script arguments. The documentation is just using them to indicate that those are placeholders for real values.

John Vrbanac

From: Asha Seshagiri asha.seshag...@gmail.com
Sent: Sunday, July 19, 2015 2:15 PM
To: OpenStack Development Mailing List (not for usage questions)
Cc: Reller, Nathan S.
Subject: Re: [openstack-dev] Barbican : Unable to store the secret when Barbican was Integrated with SafeNet HSM

Hi John,

Thanks for pointing me to the right script. I appreciate your help.

I tried running the script with the following command:

[root@HSM-Client bin]# python pkcs11-key-generation --library-path {/usr/lib/libCryptoki2_64.so} --passphrase {test123} --slot-id 1 mkek --length 32 --label 'an_mkek'
Traceback (most recent call last):
  File "pkcs11-key-generation", line 120, in <module>
    main()
  File "pkcs11-key-generation", line 115, in main
    kg = KeyGenerator()
  File "pkcs11-key-generation", line 38, in __init__
    ffi=ffi
  File "/root/barbican/barbican/plugin/crypto/pkcs11.py", line 315, in __init__
    self.lib = self.ffi.dlopen(library_path)
  File "/usr/lib64/python2.7/site-packages/cffi/api.py", line 127, in dlopen
    lib, function_cache = _make_ffi_library(self, name, flags)
  File "/usr/lib64/python2.7/site-packages/cffi/api.py", line 572, in _make_ffi_library
    backendlib = _load_backend_lib(backend, libname, flags)
  File "/usr/lib64/python2.7/site-packages/cffi/api.py", line 561, in _load_backend_lib
    return backend.load_library(name, flags)
OSError: cannot load library {/usr/lib/libCryptoki2_64.so}: {/usr/lib/libCryptoki2_64.so}: cannot open shared object file: No such file or directory

Unable to run the script since the library libCryptoki2_64.so cannot be opened.
Tried the following solution:

* vi /etc/ld.so.conf
* Added both paths found with the command find / -name libCryptoki2_64.so to the /etc/ld.so.conf file:
  * /usr/safenet/lunaclient/lib/libCryptoki2_64.so
  * /usr/lib/libCryptoki2_64.so
* sudo ldconfig
* ldconfig -p

But the above solution failed and I am getting the same error. Any help would be highly appreciated. Thanks in advance!

Thanks and Regards,
Asha Seshagiri
Re: [openstack-dev] Barbican : Unable to store the secret when Barbican was Integrated with SafeNet HSM
Asha,

It looks like you don't have your mkek label correctly configured. Make sure that the mkek_label and hmac_label values in your config correctly reflect the keys that you've generated on your HSM. The plugin will cache the key handle to the mkek and hmac when the plugin starts, so if it cannot find them, it'll fail to load the plugin altogether.

If you need help generating your mkek and hmac, refer to http://docs.openstack.org/developer/barbican/api/quickstart/pkcs11keygeneration.html for instructions on how to create them using a script.

As far as who uses HSMs, I know we (Rackspace) use them with Barbican.

John Vrbanac

From: Asha Seshagiri asha.seshag...@gmail.com
Sent: Saturday, July 18, 2015 8:47 PM
To: openstack-dev
Cc: Reller, Nathan S.
Subject: [openstack-dev] Barbican : Unable to store the secret when Barbican was Integrated with SafeNet HSM

Hi All,

I have configured Barbican to integrate with a SafeNet HSM. Installed the SafeNet client libraries, registered the Barbican machine to point to the HSM server and also assigned an HSM partition.

The following were the changes done in the barbican.conf file:

# ================= Secret Store Plugin =================
[secretstore]
namespace = barbican.secretstore.plugin
enabled_secretstore_plugins = store_crypto

# ================= Crypto plugin =================
[crypto]
namespace = barbican.crypto.plugin
enabled_crypto_plugins = p11_crypto

[p11_crypto_plugin]
# Path to vendor PKCS11 library
library_path = '/usr/lib/libCryptoki2_64.so'
# Password to login to PKCS11 session
login = 'test123'
# Label to identify master KEK in the HSM (must not be the same as HMAC label)
mkek_label = 'an_mkek'
# Length in bytes of master KEK
mkek_length = 32
# Label to identify HMAC key in the HSM (must not be the same as MKEK label)
hmac_label = 'my_hmac_label'
# HSM Slot id (Should correspond to a configured PKCS11 slot). Default: 1
slot_id = 1

Unable to store the secret when Barbican was integrated with the HSM.
[root@HSM-Client crypto]# curl -X POST -H 'content-type:application/json' -H 'X-Project-Id:12345' -d '{"payload": "my-secret-here", "payload_content_type": "text/plain"}' http://localhost:9311/v1/secrets
{"code": 500, "description": "Secret creation failure seen - please contact site administrator.", "title": "Internal Server Error"}[root@HSM-Client crypto]#

Please find the logs below:

2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils [req-354affce-b3d6-41fd-b050-5e5c604004eb - 12345 - - -] Problem seen creating plugin: 'p11_crypto'
2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils Traceback (most recent call last):
2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils   File "/root/barbican/barbican/plugin/util/utils.py", line 42, in instantiate_plugins
2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils     plugin_instance = ext.plugin(*invoke_args, **invoke_kwargs)
2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils   File "/root/barbican/barbican/plugin/crypto/p11_crypto.py", line 70, in __init__
2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils     conf.p11_crypto_plugin.hmac_label)
2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils   File "/root/barbican/barbican/plugin/crypto/pkcs11.py", line 344, in cache_mkek_and_hmac
2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils     self.get_mkek(self.current_mkek_label, session)
2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils   File "/root/barbican/barbican/plugin/crypto/pkcs11.py", line 426, in get_mkek
2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils     raise P11CryptoKeyHandleException()
2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils P11CryptoKeyHandleException: No key handle was found
2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils
2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers [req-354affce-b3d6-41fd-b050-5e5c604004eb - 12345 - - -] Secret creation failure seen - please contact site administrator.

(I am not sure why we are getting the "CryptoPluginNotFound: Crypto plugin not found." exception, since the change is able to hit the p11_crypto.py code)

2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers Traceback (most recent call last):
2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers   File "/root/barbican/barbican/api/controllers/__init__.py", line 104, in handler
2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers     return fn(inst, *args, **kwargs)
2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers   File "/root/barbican/barbican/api/controllers/__init__.py", line 90, in enforcer
2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers     return fn(inst, *args, **kwargs)
2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers   File "/root/barbican/barbican/api/controllers/__init__.py", line 146, in content_types_enforcer
2015-07-18 17:15:32.643 29838
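Every failure in this thread (the library that would not dlopen, the label lookup that ended in "No key handle was found", and the suspected string-for-integer length) only surfaced as a generic 500 from the secrets API. The following is an added example, not Barbican's own code: a Python pre-flight script that validates the [p11_crypto_plugin] section before the plugin is loaded, and applies the by-label rule John describes (exactly one key object per label) to whatever a live lookup returns. The static checks run offline against a config constructed from the one quoted above; the optional live lookup uses PyKCS11, which is an assumption on my part, since Barbican itself drives the library through its own cffi wrapper in barbican/plugin/crypto/pkcs11.py.

```python
"""Pre-flight checks for Barbican's [p11_crypto_plugin] configuration.

Added example; not Barbican's own code.  The static checks need only the
standard library.  The live lookup assumes PyKCS11 is installed; Barbican
drives the PKCS#11 library through its own cffi wrapper instead.
"""
import configparser
import os

REQUIRED = ("library_path", "login", "mkek_label", "hmac_label")
AES_SIZES_MSG = "mkek_length must be 16, 24 or 32 (AES key sizes in bytes)"


def load_p11_section(conf_text):
    """Return the [p11_crypto_plugin] options with the quotes used in the
    quoted barbican.conf ('value') stripped."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    if not cp.has_section("p11_crypto_plugin"):
        raise ValueError("barbican.conf has no [p11_crypto_plugin] section")
    return {k: v.strip("'\"") for k, v in cp.items("p11_crypto_plugin")}


def validate_p11_options(opts, check_library=True):
    """Static checks; returns a list of problems (empty means pass)."""
    problems = []
    for key in REQUIRED:
        if not opts.get(key):
            problems.append(f"{key} is missing or empty")

    # The plugin finds both keys by CKA_LABEL, so the labels must differ.
    if opts.get("mkek_label") and opts.get("mkek_label") == opts.get("hmac_label"):
        problems.append("mkek_label and hmac_label are identical; the plugin looks keys up by label")

    # A non-numeric value here is the string-for-integer confusion suspected
    # for the key-generation script's --length argument.
    for key in ("mkek_length", "slot_id"):
        raw = opts.get(key)
        if raw is not None and not raw.isdigit():
            problems.append(f"{key}={raw!r} is not an integer")
    length = opts.get("mkek_length", "32")
    if length.isdigit() and int(length) not in (16, 24, 32):
        problems.append(AES_SIZES_MSG)

    # The plugin dlopen()s this path; a wrong path fails exactly like the
    # traceback quoted above.
    path = opts.get("library_path", "")
    if check_library and path and not os.path.isfile(path):
        problems.append(f"library_path {path!r} does not exist; dlopen in pkcs11.py will fail")
    return problems


def check_label_handles(handles_by_label, labels):
    """Apply the by-label rule to a {label: [object handles]} mapping:
    each configured label must resolve to exactly one key object."""
    problems = []
    for label in labels:
        n = len(handles_by_label.get(label, []))
        if n == 0:
            problems.append(f"no key object with label {label!r} (plugin reports 'No key handle was found')")
        elif n > 1:
            problems.append(f"{n} key objects share label {label!r}; the plugin cannot choose between them")
    return problems


def live_handles_by_label(library_path, slot_id, pin, labels):
    """Optional live lookup (assumes PyKCS11 is installed).  Returns
    {label: [object handles]} for secret-key objects on the slot."""
    import PyKCS11  # imported here so the static checks run without it
    lib = PyKCS11.PyKCS11Lib()
    lib.load(library_path)
    session = lib.openSession(slot_id, PyKCS11.CKF_SERIAL_SESSION | PyKCS11.CKF_RW_SESSION)
    session.login(pin)
    try:
        return {label: session.findObjects([(PyKCS11.CKA_CLASS, PyKCS11.CKO_SECRET_KEY),
                                            (PyKCS11.CKA_LABEL, label)])
                for label in labels}
    finally:
        session.logout()
        session.closeSession()


# Constructed from the [p11_crypto_plugin] section quoted in the thread.
SAMPLE_CONF = """\
[crypto]
namespace = barbican.crypto.plugin
enabled_crypto_plugins = p11_crypto

[p11_crypto_plugin]
library_path = '/usr/lib/libCryptoki2_64.so'
login = 'test123'
mkek_label = 'an_mkek'
mkek_length = 32
hmac_label = 'my_hmac_label'
slot_id = 1
"""


if __name__ == "__main__":
    opts = load_p11_section(SAMPLE_CONF)
    labels = [opts["mkek_label"], opts["hmac_label"]]
    problems = validate_p11_options(opts)
    if not problems:  # only talk to the HSM once the static checks pass
        found = live_handles_by_label(opts["library_path"], int(opts["slot_id"]), opts["login"], labels)
        problems = check_label_handles(found, labels)
    print("\n".join(problems) or "p11_crypto_plugin config looks usable")
```

Point it at the real file with `load_p11_section(open("/etc/barbican/barbican.conf").read())`. In the HA setup discussed earlier in this thread, running the key-generation script more than once with the same label is the easiest way to end up with two objects sharing a CKA_LABEL, which is exactly the case the label check rejects.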
Re: [openstack-dev] Barbican : Regarding the API support for Order and Consumer Resource
Asha,

We haven't removed anything. Unfortunately, no one has had the chance to port those resources over from the old GitHub wiki page and into the new Sphinx format yet. Also, yes, they are still supported.

John Vrbanac

From: Asha Seshagiri asha.seshag...@gmail.com
Sent: Monday, June 1, 2015 2:38 AM
To: openstack-dev
Subject: Re: [openstack-dev] Barbican : Regarding the API support for Order and Consumer Resource

Editing the subject

On Mon, Jun 1, 2015 at 2:35 AM, Asha Seshagiri asha.seshag...@gmail.com wrote:

Hi All,

Would like to know why we have removed the API details for the Order and Consumer Resource in the following updated link for the API documentation of Barbican: http://docs.openstack.org/developer/barbican/api/index.html

Does Barbican support the order and consumer resource now?

Any help would be highly appreciated. Thanks in advance.

--
Thanks and Regards,
Asha Seshagiri

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [barbican] Nominating Kaitlin Farr for barbican-core
+1

John Vrbanac

From: Douglas Mendizábal douglas.mendiza...@rackspace.com
Sent: Tuesday, May 19, 2015 7:09 PM
To: OpenStack Development Mailing List (not for usage questions)
Subject: [openstack-dev] [barbican] Nominating Kaitlin Farr for barbican-core

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi All,

I would like to nominate Kaitlin Farr for barbican-core. Kaitlin has been contributing to the project for a long time, both by contributing code to Barbican, python-barbicanclient and Castellan, and also by providing valuable reviews. [1]

As a reminder to the rest of the core team, we use the process outlined in https://wiki.openstack.org/wiki/Barbican/CoreTeam to add members to the barbican-core team.

Thanks,
Douglas Mendizábal

[1] http://stackalytics.com/report/contribution/barbican-group/90

-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org

iQIcBAEBCgAGBQJVW9CgAAoJEB7Z2EQgmLX7u6kP/22G3NqsnJmKRsnw065btt8z
/Sb7OqFa2RKuIKk88a9yehwRuunh2YCdfLmXta1+XXpucghG9dbflfFVGU4/VujX
VG/B3yUXTBYT2kn72mtwpKk4S6mYXBPn+fpKGR7iJrifYSg55XO7a2c2m/xIC8pO
R9+d5/8ZztxS1UbmhNuqLwBDpo9FIG+5CoWOfYPTAQ1TxB/SIs2ltk4jzLaU05yb
5LTG3uq5K3CT+LvM3Rl6SCZ7bIiTmaTuPsXMnqqLiqhya90U63VJGGXUE1yjW11G
Kgm7yxUV8DkcESHXEe0aW8hpLMuGKda/f83XetGN27+YpM3/G1z8N656zLX9sF3t
oVU7dWnARn9NsByFP9ASg8BCk8iWr/mCeB/fajwXT95C+OXAicNWn5jXKowXQhQH
v4XaFrjafROLdJocgH0mfcoEbTXZXlsKyHYtnZdwAO+T06RNd21c/lnNiG1rMYeh
2Yl48nzxxx33YprizHDRMEhABIb11HO040+j+EHNCvbsGSJGZIZmzzbxNe2QGXkx
q++JvMBW60pPd6pi7nEVjbjSEZhb6f6xHs13/y+nZ9NCSNkUPx1UoxKz18JRtrLi
/XDZLv6D92Trlaxae9mpVlWTM1elYPWSm3QVMxMrSP9wtAYbUIoq0PN+WwKk/1J7
WaeQpFjA1SdFHj5uPNZk
=1OIW
-----END PGP SIGNATURE-----
Re: [openstack-dev] [Barbican] Nominating Chelsea Winfree for Barbican core
+1

John Vrbanac

From: Chad Lung chad.l...@gmail.com
Sent: Sunday, May 17, 2015 6:34 PM
To: openstack-dev@lists.openstack.org
Subject: [openstack-dev] [Barbican] Nominating Chelsea Winfree for Barbican core

Hi all,

I'd like to nominate Chelsea Winfree for the Barbican core review team. Chelsea has been active in Barbican as a regular contributor of code and helping with the always-needed documentation.

http://stackalytics.com/?user_id=chelsea-winfree&release=all

As a reminder to barbican-core members, we use the voting process outlined in https://wiki.openstack.org/wiki/Barbican/CoreTeam to add members to our team.

Thanks,
Chad Lung
EMC Cloud Services
Re: [openstack-dev] Barbican : Unable to execute the curl command for uploading/retrieving the secrets with the latest Barbican code.
Asha,

We landed the fix in: https://review.openstack.org/#/c/183391/

Hopefully, that should address the problem you've been seeing.

Thanks!
John Vrbanac

On Thu, 2015-05-14 at 18:14 -0500, Douglas Mendizábal wrote:

Hi Asha,

The reason we support an Unauthenticated Context in Barbican is purely for development purposes. We recommend that all production Barbican deployments use Keystone or an alternative AuthN/AuthZ service in front of Barbican. Setting up a working Keystone environment just to hack on Barbican is a steep requirement, which is why we need the Unauthenticated Context to work.

- Douglas Mendizabal

On 5/14/15 6:07 PM, Asha Seshagiri wrote:

Thanks a lot John for your response.

But I would like to know why we would have to fix the issue of creating the secret for the unauthenticated context in Barbican, since it would be good to have an access control mechanism enforced to access secrets, orders and other entities in Barbican. This should be the expected behavior from a security perspective. And also we are able to access secrets by providing the right token from the Identity service (Keystone).

Looking forward to your response.

Thanks and Regards,
Asha Seshagiri

On Thu, May 14, 2015 at 4:43 PM, John Vrbanac john.vrba...@rackspace.com wrote:

Asha,

I spent some time looking into this. It looks to be a regression that occurred a few days ago when a CR was merged that moved us over to oslo_context. I have reported the issue here: https://bugs.launchpad.net/barbican/+bug/1455247

I have a couple of ideas on how to fix it, so keep your eyes out for a CR to resolve the issue.

John Vrbanac

On Thu, 2015-05-14 at 12:26 -0500, Asha Seshagiri wrote:

Hi all,

We are able to execute the curl commands on the new Barbican code provided we integrated it with Keystone.
I ran into this issue because I was trying to configure localhost to the actual IP on a plain Barbican server so that I would get the response and request objects with the actual IP rather than localhost. This configuration was required for setting up HAProxy for Barbican. And then I thought of integrating with Keystone and configuring the Barbican server for HTTPS.

*It's a good learning to know that the latest code drop of Barbican enforces the authentication mechanism with Keystone, which would not allow us to execute the curl command without providing the token of the Identity service (Keystone) in the request, unlike the previous Barbican versions.*

Please find the curl command requests and responses for uploading/retrieving the secrets on the Barbican server:

[root@Clientfor-HAProxy barbican]# curl -X POST -H 'content-type:application/json' -H 'X-Project-Id:12345' \
  -H "X-Auth-Token:c9ac81784e1e4e089fccbca19f862be2" -d '{"payload": "my-secret-here", "payload_content_type": "text/plain"}' \
  -k https://localhost:9311/v1/secrets
{"secret_ref": "https://localhost:9311/v1/secrets/02336016-623b-4deb-bca5-caedc0bf0e35"}[root@Clientfor-HAProxy barbican]#

[root@Clientfor-HAProxy barbican]# curl -H 'Accept: application/json' -H 'X-Project-Id:12345' \
  -H "X-Auth-Token:c9ac81784e1e4e089fccbca19f862be2" -k https://localhost:9311/v1/secrets
{"secrets": [{"status": "ACTIVE", "secret_type": "opaque", "updated": "2015-05-14T16:35:44.109536", "name": null, "algorithm": null, "created": "2015-05-14T16:35:44.103982", "secret_ref": "https://localhost:9311/v1/secrets/02336016-623b-4deb-bca5-caedc0bf0e35", "content_types": {"default": "text/plain"}, "creator_id": "cedd848a8a9e410196793c601c03b99a", "mode": null, "bit_length": null, "expiration": null}], "total": 1}[root@Clientfor-HAProxy barbican]#

Thanks and Regards,
Asha Seshagiri

On Wed, May 13, 2015 at 4:26 PM, Asha Seshagiri asha.seshag...@gmail.com wrote:

Hi all,

When I started debugging, we found that the default group is not used; instead oslo_policy would be used.
Please find the logs below:

*2015-05-13 15:59:34.393 13210 WARNING oslo_config.cfg [-] Option policy_default_rule from group DEFAULT is deprecated. Use option policy_default_rule from group oslo_policy.*
*2015-05-13 15:59:34.394 13210 WARNING oslo_config.cfg [-] Option policy_file from group DEFAULT is deprecated. Use option policy_file from group oslo_policy.*
2015-05-13 15:59:34.395 13210 DEBUG oslo_policy.openstack.common.fileutils [req-0c6d2db4-bc15-4752-93ca-5203cf742d79 - 12345 - - -] Reloading cached file /etc/barbican/policy.json read_cached_file /usr/lib/python2.7/site-packages/oslo_policy/openstack/common/fileutils.py:64
2015-05-13 15:59:34.398 13210 DEBUG oslo_policy.policy [req-0c6d2db4-bc15-4752-93ca-5203cf742d79 - 12345 - - -] Reloaded policy file: /etc/barbican/policy.json _load_policy_file /usr/lib/python2.7/site-packages/oslo_policy/policy.py:424
2015
Re: [openstack-dev] Barbican : Unable to execute the curl command for uploading/retrieving the secrets with the latest Barbican code.
Asha,

I spent some time looking into this. It looks to be a regression that occurred a few days ago when a CR was merged that moved us over to oslo_context. I have reported the issue here: https://bugs.launchpad.net/barbican/+bug/1455247

I have a couple of ideas on how to fix it, so keep your eyes out for a CR to resolve the issue.

John Vrbanac

On Thu, 2015-05-14 at 12:26 -0500, Asha Seshagiri wrote:

Hi all,

We are able to execute the curl commands on the new barbican code provided we integrated it with keystone.

I ran into this issue because I was trying to configure localhost to the actual IP on a plain barbican server so that I would get the response and request objects with the actual IP rather than the local host. This configuration was required for setting up HA proxy for Barbican. And then I thought of integrating with keystone and configuring the Barbican server for https.

It's a good learning to know that the latest code drop of Barbican enforces the authentication mechanism with keystone, which would not allow us to execute the curl command without providing the token of the Identity service (Keystone) in the request, unlike the previous Barbican versions.

Please find the curl command request and responses for uploading/retrieving the secrets on the Barbican Server:

[root@Clientfor-HAProxy barbican]# curl -X POST -H 'content-type:application/json' -H 'X-Project-Id:12345' \
  -H X-Auth-Token:c9ac81784e1e4e089fccbca19f862be2 -d '{"payload": "my-secret-here","payload_content_type": "text/plain"}' \
  -k https://localhost:9311/v1/secrets
{"secret_ref": "https://localhost:9311/v1/secrets/02336016-623b-4deb-bca5-caedc0bf0e35"}[root@Clientfor-HAProxy barbican]#

[root@Clientfor-HAProxy barbican]# curl -H 'Accept: application/json' -H 'X-Project-Id:12345' \
  -H X-Auth-Token:c9ac81784e1e4e089fccbca19f862be2 -k https://localhost:9311/v1/secrets
{"secrets": [{"status": "ACTIVE", "secret_type": "opaque", "updated": "2015-05-14T16:35:44.109536", "name": null, "algorithm": null, "created": "2015-05-14T16:35:44.103982", "secret_ref": "https://localhost:9311/v1/secrets/02336016-623b-4deb-bca5-caedc0bf0e35", "content_types": {"default": "text/plain"}, "creator_id": "cedd848a8a9e410196793c601c03b99a", "mode": null, "bit_length": null, "expiration": null}], "total": 1}[root@Clientfor-HAProxy barbican]#

Thanks and Regards,
Asha Seshagiri

On Wed, May 13, 2015 at 4:26 PM, Asha Seshagiri asha.seshag...@gmail.com wrote:

Hi all,

When I started debugging, we found that the default group is not used; instead oslo_policy would be used.

Please find the logs below:

2015-05-13 15:59:34.393 13210 WARNING oslo_config.cfg [-] Option policy_default_rule from group DEFAULT is deprecated. Use option policy_default_rule from group oslo_policy.
2015-05-13 15:59:34.394 13210 WARNING oslo_config.cfg [-] Option policy_file from group DEFAULT is deprecated. Use option policy_file from group oslo_policy.
2015-05-13 15:59:34.395 13210 DEBUG oslo_policy.openstack.common.fileutils [req-0c6d2db4-bc15-4752-93ca-5203cf742d79 - 12345 - - -] Reloading cached file /etc/barbican/policy.json read_cached_file /usr/lib/python2.7/site-packages/oslo_policy/openstack/common/fileutils.py:64
2015-05-13 15:59:34.398 13210 DEBUG oslo_policy.policy [req-0c6d2db4-bc15-4752-93ca-5203cf742d79 - 12345 - - -] Reloaded policy file: /etc/barbican/policy.json _load_policy_file /usr/lib/python2.7/site-packages/oslo_policy/policy.py:424
2015-05-13 15:59:34.399 13210 ERROR barbican.api.controllers [req-0c6d2db4-bc15-4752-93ca-5203cf742d79 - 12345 - - -] Secret creation attempt not allowed - please review your user/project privileges
2015-05-13 15:59:34.399 13210 TRACE barbican.api.controllers Traceback (most recent call last):
2015-05-13 15:59:34.399 13210 TRACE barbican.api.controllers   File "/root/barbican/barbican/api/controllers/__init__.py", line 104, in handler
2015-05-13 15:59:34.399 13210 TRACE barbican.api.controllers     return fn(inst, *args, **kwargs)
2015-05-13 15:59:34.399 13210 TRACE barbican.api.controllers   File "/root/barbican/barbican/api/controllers/__init__.py", line 85, in enforcer
2015-05-13 15:59:34.399 13210 TRACE barbican.api.controllers     _do_enforce_rbac(inst, pecan.request, action_name, ctx, **kwargs)
2015-05-13 15:59:34.399 13210 TRACE barbican.api.controllers   File "/root/barbican/barbican/api/controllers/__init__.py", line 68, in _do_enforce_rbac
2015-05-13 15:59:34.399 13210 TRACE barbican.api.controllers     credentials, do_raise=True)
2015-05-13 15:59:34.399 13210 TRACE barbican.api.controllers   File "/usr/lib/python2.7/site-packages/oslo_policy/policy.py", line 493, in enforce
2015-05-13 15:59:34.399 13210 TRACE barbican.api.controllers     raise PolicyNotAuthorized(rule, target, creds)
2015-05-13 15:59:34.399 13210 TRACE barbican.api.controllers PolicyNotAuthorized: secrets:post on {u'payload': u'my-secret-here', u'payload_content_type': u'text/plain'} by {'project': '12345', 'user': None, 'roles': []} disallowed
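As an added example (not code from the thread or from Barbican), a small Python log check that parses the PolicyNotAuthorized trace line and the oslo_config deprecation warnings quoted above: it separates a denial caused by an empty request identity (user None, no roles, the symptom of the oslo_context regression) from an ordinary RBAC denial, and lists policy options still set under the deprecated DEFAULT group. The sample log is the four relevant lines from the message; the function names are my own.

```python
import ast
import re

# Constructed sample: the four relevant lines from the Barbican log quoted in the thread.
SAMPLE_LOG = """\
2015-05-13 15:59:34.393 13210 WARNING oslo_config.cfg [-] Option policy_default_rule from group DEFAULT is deprecated. Use option policy_default_rule from group oslo_policy.
2015-05-13 15:59:34.394 13210 WARNING oslo_config.cfg [-] Option policy_file from group DEFAULT is deprecated. Use option policy_file from group oslo_policy.
2015-05-13 15:59:34.399 13210 ERROR barbican.api.controllers [req-0c6d2db4-bc15-4752-93ca-5203cf742d79 - 12345 - - -] Secret creation attempt not allowed - please review your user/project privileges
2015-05-13 15:59:34.399 13210 TRACE barbican.api.controllers PolicyNotAuthorized: secrets:post on {u'payload': u'my-secret-here', u'payload_content_type': u'text/plain'} by {'project': '12345', 'user': None, 'roles': []} disallowed
"""

DENIAL_RE = re.compile(
    r"PolicyNotAuthorized: (?P<rule>\S+) on (?P<target>\{.*?\}) by (?P<creds>\{.*?\}) disallowed")
DEPRECATED_RE = re.compile(
    r"Option (?P<opt>\S+) from group (?P<old>\S+) is deprecated\. "
    r"Use option \S+ from group (?P<new>\S+)\.")


def parse_policy_denials(log_text):
    """Return one record per PolicyNotAuthorized trace line: rule, target keys, identity."""
    denials = []
    for line in log_text.splitlines():
        m = DENIAL_RE.search(line)
        if not m:
            continue
        # oslo.policy prints both dicts with repr(); literal_eval parses them without
        # evaluating log content as code (u'' literals are accepted on Python 3).
        target = ast.literal_eval(m.group("target"))
        creds = ast.literal_eval(m.group("creds"))
        denials.append({"rule": m.group("rule"),
                        "target_keys": sorted(target),
                        "project": creds.get("project"),
                        "user": creds.get("user"),
                        "roles": list(creds.get("roles") or [])})
    return denials


def classify_denial(denial):
    """No user and no roles means the request context was never populated, so every
    role-based rule fails: a middleware/context problem, not a decision about the caller."""
    if denial["user"] is None and not denial["roles"]:
        return "empty-context"
    return "rbac-denied"


def deprecated_policy_options(log_text):
    """Collect (option, old_group, new_group) from oslo_config deprecation warnings."""
    return [(m.group("opt"), m.group("old"), m.group("new"))
            for m in map(DEPRECATED_RE.search, log_text.splitlines()) if m]
```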
Re: [openstack-dev] [barbican] Nominating Ade Lee for barbican-core
+1

John Vrbanac

From: Douglas Mendizabal [douglas.mendiza...@rackspace.com]
Sent: Thursday, July 10, 2014 11:55 AM
To: OpenStack Development Mailing List (not for usage questions); a...@redhat.com
Subject: [openstack-dev] [barbican] Nominating Ade Lee for barbican-core

Hi Everyone,

I would like to nominate Ade Lee for the barbican-core team. Ade has been involved in the development of Barbican since January of this year, and he’s been driving the work to enable DogTag to be used as a back end for Barbican. Ade’s input to the design of barbican has been invaluable, and his reviews are always helpful, which has earned him the respect of the existing barbican-core team.

As a reminder to barbican-core members, we use the voting process outlined in https://wiki.openstack.org/wiki/Barbican/CoreTeam to add members to our team.

Thanks,
Doug

Douglas Mendizábal
IRC: redrobot
PGP Key: 245C 7B6F 70E9 D8F3 F5D5 0CC9 AD14 1F30 2D58 923C

___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [barbican] Nominating Nathan Reller for barbican-core
+1

John Vrbanac

From: Douglas Mendizabal [douglas.mendiza...@rackspace.com]
Sent: Thursday, July 10, 2014 12:11 PM
To: OpenStack Development Mailing List (not for usage questions); Nathan Reller
Subject: [openstack-dev] [barbican] Nominating Nathan Reller for barbican-core

Hi Everyone,

I would also like to nominate Nathan Reller for the barbican-core team. Nathan has been involved with the Key Management effort since early 2013. Recently, Nate has been driving the development of a KMIP backend for Barbican, which will enable Barbican to be used with KMIP devices. Nate’s input to the design of the plug-in mechanisms in Barbican has been extremely helpful, as well as his feedback in CR reviews.

As a reminder to barbican-core members, we use the voting process outlined in https://wiki.openstack.org/wiki/Barbican/CoreTeam to add members to our team.

Thanks,
Doug

Douglas Mendizábal
IRC: redrobot
PGP Key: 245C 7B6F 70E9 D8F3 F5D5 0CC9 AD14 1F30 2D58 923C