This change adds the force parameter to the secret delete
method. By default, a secret cannot be deleted if it
contains consumers.
This code cannot be merged without a corresponding release and
bump of version for the barbicanclient.
Co-Authored-By: Mauricio Harley <mharley@redhat.com>
Change-Id: I84fd870b1cd19975a5bb832ed6fd6d18ec56eb5a
This change adds the ability to add or remove consumers to a
managed object to allow services to indicate which object is
associated with a specific secret. At this time, only barbican
supports consumers.
This code cannot be merged without a corresponding release and
bump of version for the barbicanclient.
Co-Authored-By: Mauricio Harley <mharley@redhat.com>
Depends-On: https://review.opendev.org/c/openstack/requirements/+/873906
Change-Id: Ic25ac329f87db5992e32ef0b2d7d4020f37b2dee
This commit adds support for a Vault path that is relative to
the root of the Vault KV store. This configuration is optional
and will be a noop for existing deployments.
Change-Id: If34c38c8f0a2f13ea90f564bfe5e933e5e748da4
Vault Namespaces [0] is a feature available in Vault Enterprise that
can be considered a more advanced isolation feature on top of the current
KV Mountpoint option in the Castellan Vault plugin.
Passing a namespace in all request headers (including Auth) allows organizing
a Vault-in-Vault style of isolation, with clients using the same simple URI path
but accessing separate sets of entities in Vault.
[0] https://www.vaultproject.io/docs/enterprise/namespaces
Change-Id: I627c20002bb2a0a1b346b57e824f87f856eca4c9
This change adds support to the Barbican key manager for configuring a
service user. This can be used to provide additional security through
the combination of a user token and a service token, with appropriate
modifications to Barbican API policy.
Use of a service user is enabled via the [barbican]
send_service_user_token option, which defaults to False. When set to
True, the service user is configured via keystoneauth options in the
barbican_service_user group.
Change-Id: I143cb57c8534a8dc0a91e6e42917dd0c134170c0
This change introduces a new option to define the region to which
the Barbican endpoint belongs. This is required if the deployment has
multiple regions and a single Keystone instance stores multiple
Barbican endpoints for different regions.
This change also ensures that the same interface and region are used
in endpoint detection and api version detection.
Change-Id: If2c0055d45922937e259a8f22f5879c9faa41e35
It is standard practice to search for services in the catalog by
service type and interface only. Service name should be left
to deployers to choose and this could be something other than barbican.
Change-Id: I9dddba1e52bbf1ee1d8227fdb45e625fdbf0a21b
_get_barbican_endpoint now uses the barbican_endpoint_type config option to
retrieve the correct endpoint from the catalog.
This config option is set to 'public' by default, and that is the default
value for the ServiceCatalog.endpoint_data_for method. It means that the
default behaviour will be the same as before this patch.
Change-Id: Idf4061fe3e35e3c47a993a56b23c0257c92e5cc3
This patch fixes the issue when guessing the KV API version fails.
From now on, a configuration option should be used to set vault's API
version.
Change-Id: I962b29519c189dddf9723689e6aaeed2cac3ff2c
Signed-off-by: Moisés Guimarães de Medeiros <moguimar@redhat.com>
Vault returns a Bad Request error if an invalid secret ID is provided. It's
better to have such errors handled instead of a generic "KeyError: 'auth'"
exception.
Change-Id: Ibc068af70de4022f544d394ec4b014443a9c16b5
Now we can't use verify_ssl if we set it to True, so we
add the "verify_ssl_path" config to solve it.
Closes-Bug: #1876102
Change-Id: I83bafe5b7e0c4cca67f773858007fb59d98a93a5
The Vault backend doesn't really care about context. Even an empty
string would suffice these checks.
Change-Id: I1c0d00675a479cf05d92cec7b69fd720a88023d3
Signed-off-by: Moisés Guimarães de Medeiros <moguimar@redhat.com>
Both Barbican and Vault backends have this replicated code. Let's
centralize it to reduce code duplication.
Change-Id: I365a6d3031695ee369664c00a61816c77792f2e2
Signed-off-by: Moisés Guimarães de Medeiros <moguimar@redhat.com>
nit: Certificate inherits from ManagedObject which already has
ABCMeta as metaclass.
Change-Id: I17b12980b88e306fbdc99a3e92b1fa22d8e96471
Signed-off-by: Moisés Guimarães de Medeiros <moguimar@redhat.com>
The KeyManager itself should be responsible for advertising the
correct set of options for discovery, not relying on the global
option listing method to know which variable holds the options
and how they are grouped.
Change-Id: I1764c383206df835b7d654f2f776663bd6d4d25b
Signed-off-by: Moisés Guimarães de Medeiros <moguimar@redhat.com>
When castellan tries to recreate a trust-scoped token
from a RequestContext, keystone throws an exception
because it's not allowed.
Starting from this commit castellan tries to
reuse the existing token constructed from the RequestContext
if get_auth_plugin() is available.
Change-Id: I10a12b9a2a7f796eca37dd20a280d3a4015a6903
Closes-Bug: #1827047
Depends-On: https://review.opendev.org/#/c/664558/
The previous code was treating length as bytes, but the API contract
considers the length param to be bits, so that, considering `km`
a VaultKeyManager, the call `km.create_key(ctx, 'AES', 256)` should
generate a 256 bit AES key and not a 2048 bit AES key.
Closes-Bug: #1817248
Change-Id: I5815cb74394e18b6058f4c5cf69b656d7cc2c43b
Signed-off-by: Moisés Guimarães de Medeiros <moguimar@redhat.com>
Support end user configuration of KV store in Vault to use for
key storage allowing more flexibility in Vault configuration.
Change-Id: I625a819c2b9b542677258de709a9c520fb86858b
Closes-Bug: 1797148
Add support for the use of AppRoles for authentication to Vault; this
feature provides a more application-centric approach to managing
long term access to Vault.
The functional tests exercise this integration with a restricted
policy which only allows access to the default 'secret' backend.
Change-Id: I59dfe31adb72712c53d49f66d9ac894e43e8bbad
Closes-Bug: 1796851
The new method handles the HTTP request for the Vault HTTP API
and does the error checking in a single place. The same code
was already in four different places in the same file.
Change-Id: I4b688d8cf994fb26f88570840523fcc0ac24faba
Signed-off-by: Moises Guimaraes de Medeiros <moguimar@redhat.com>
Starting from version 0.10.0, HashiCorp Vault has a different
API for the Key/Value Secrets Engine. This fix implements both
the new API support and the fallback for the legacy one.
Fixes https://bugs.launchpad.net/castellan/+bug/1788375
Change-Id: I7fed7b5091440dae15551d83f0ee0895651e47bf
Signed-off-by: Moises Guimaraes de Medeiros <moguimar@redhat.com>
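The KV version, mount point, relative Vault path, namespace header and AppRole login described in the Vault commit messages above, combined into one added example that is not Castellan's own code. Function and parameter names are assumptions; the URL layout (KV v1 at /v1/<mount>/<path>, KV v2 with an extra "data" segment, the X-Vault-Token and X-Vault-Namespace headers, and the AppRole login endpoint) follows the public Vault HTTP API.

```python
# Constructed illustration of how Castellan-style Vault options combine into
# a request. Names are assumptions; the URLs and credentials are made up.


def build_kv_url(vault_url, key_id, kv_mountpoint="secret",
                 kv_version=2, vault_path=""):
    """Return the KV URL for a secret id.

    KV v1 reads and writes at /v1/<mount>/<path>; KV v2 inserts the literal
    'data' segment between the mount point and the path.  vault_path is the
    optional prefix relative to the root of the KV store, so a deployment
    that leaves it empty gets the same URL as before that option existed.
    """
    if kv_version not in (1, 2):
        raise ValueError("unsupported KV version: %r" % (kv_version,))
    segments = ["v1", kv_mountpoint.strip("/")]
    if kv_version == 2:
        segments.append("data")
    if vault_path:
        segments.append(vault_path.strip("/"))
    segments.append(key_id)
    # Strip and re-add slashes so the join never doubles or drops them.
    return vault_url.rstrip("/") + "/" + "/".join(segments)


def request_headers(token=None, namespace=None):
    """Headers sent with every Vault request, auth requests included.

    The namespace header is what gives the Vault-in-Vault isolation: the
    URL path stays the same, the header selects the namespace.
    """
    headers = {}
    if token:
        headers["X-Vault-Token"] = token
    if namespace:
        headers["X-Vault-Namespace"] = namespace
    return headers


def approle_login_request(vault_url, role_id, secret_id, namespace=None):
    """Return (url, headers, json payload) for an AppRole login.

    No token is sent yet; the login response supplies the client token
    that later calls pass through request_headers().
    """
    url = vault_url.rstrip("/") + "/v1/auth/approle/login"
    headers = request_headers(token=None, namespace=namespace)
    return url, headers, {"role_id": role_id, "secret_id": secret_id}
```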
This change will allow the user to specify the endpoint
type for Barbican. The allowed values are: public, internal,
and admin. The default value will be 'public' since this is
the current value.
Change-Id: Ic89519ed3a9c347a9fff245ec231aa575b42f1ac
Closes-bug: 1767473
Include the project domain info (name and ID) when creating an identity
token that's associated with a RequestContext. This ensures the keystone
v3 auth plugin will be used whenever possible. Without the domain info,
the v2 plugin would be the only possible choice.
Closes-Bug: #1733898
Change-Id: I8b177725db71002d8eca835a7d5367d7911cf347
This patch addresses a specific use case, where a user has encrypted
volumes based on the fixed_key used by Cinder's and Nova's
ConfKeyManager. The user wishes to switch to Barbican, but existing
volumes must continue to function during the migration period.
The code conditionally adds a shim around the backend KeyManager when
both of these conditions are met:
1) The configuration contains a fixed_key value. This essentially
signals the ConfKeyManager has been in use at one time
2) The current backend is *not* the ConfKeyManager
When the shim is active, a MigrationKeyManager class is dynamically
created that extends the backend's KeyManager class. The
MigrationKeyManager exists solely to override two functions:
o The KeyManager.get() function detects requests for the secret
associated with the fixed_key, which is identified by an all-zeros
key ID.
- Requests for the all-zeros key ID are handled by mimicking the
ConfKeyManager's response, which is a secret derived from the
fixed_key.
- Requests for any other key ID are passed on to the real backend.
o The KeyManager.delete() function is similar:
- Requests to delete the all-zeros key ID are essentially ignored,
just as is done by the ConfKeyManager.
- Requests to delete any other key ID are passed on to the real
backend.
All other KeyManager functions are not overridden, and will therefore be
handled directly by the real backend.
SecurityImpact
Change-Id: Ia5316490201c33e23a4206838d5a4fb3dd00f527
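The two conditions and the two overridden methods described in the commit message above, as an added, constructed example rather than Castellan's own code. DictKeyManager is a stand-in backend, the ConfKeyManager here is a placeholder class, and the secret derived from fixed_key is simplified to its raw bytes; only NULL_KEY_ID (the all-zeros ID) and the MigrationKeyManager name come from the message.

```python
import binascii

# Constructed illustration of the migration shim. Stand-in classes and the
# helper name are assumptions; the all-zeros ID is the one the commit
# message refers to.

NULL_KEY_ID = "00000000-0000-0000-0000-000000000000"


class ConfKeyManager:
    """Placeholder for the fixed_key manager; the shim never wraps it."""


class DictKeyManager:
    """Stand-in backend (a real one would be Barbican or Vault)."""

    def __init__(self, initial=None):
        self.store = dict(initial or {})

    def get(self, context, managed_object_id):
        return self.store[managed_object_id]

    def delete(self, context, managed_object_id):
        del self.store[managed_object_id]
        return True


def wrap_with_migration_shim(backend_cls, fixed_key_hex, *args, **kwargs):
    """Instantiate backend_cls, shimmed only when both conditions hold:
    a fixed_key is configured AND the backend is not the ConfKeyManager."""
    if not fixed_key_hex or issubclass(backend_cls, ConfKeyManager):
        return backend_cls(*args, **kwargs)

    fixed_key_secret = binascii.unhexlify(fixed_key_hex)

    class MigrationKeyManager(backend_cls):
        """Dynamically created subclass overriding only get() and delete()."""

        def get(self, context, managed_object_id, **kw):
            if managed_object_id == NULL_KEY_ID:
                # Mimic the ConfKeyManager: answer with the fixed_key secret.
                return fixed_key_secret
            return super().get(context, managed_object_id, **kw)

        def delete(self, context, managed_object_id, **kw):
            if managed_object_id == NULL_KEY_ID:
                return None  # ignored, just as the ConfKeyManager does
            return super().delete(context, managed_object_id, **kw)

    return MigrationKeyManager(*args, **kwargs)
```

Every other method is inherited unchanged, so calls such as store() or list() reach the real backend directly.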
* Uses https://www.vaultproject.io/ to store/fetch secrets
* All we need is the URL and a Token to talk to the vault server
* tox target "functional-vault" sets up a server in development mode
and runs functional tests
* Supports both http:// and https:// url(s)
* the https support was tested by setting up a vault server by hand
(https://gist.github.com/dims/47674cf2c3b0a953df69246c2ea1ff78)
* create_key_pair is the only API that is not implemented
Change-Id: I6436e5841c8e77a7262b4d5aa39201b40a985255
Any implementations of key_manager that don't have "list"
defined (i.e. ConfKeyManager in Nova and Cinder) will not be
instantiable if they try to use a version of Castellan
that was released after "list" was added. Adds a default
implementation of "list" that returns nothing for backwards
compatibility.
Closes-Bug: #1715451
Change-Id: I1e413831163bffaed3a2580f039e242da7d303f8
The managed objects did not have an ID associated with them. This is most
helpful for the list command, where once you have more than one object,
it's hard to track unique identifiers for the objects.
Change-Id: Ibc48762e7c2c71659fb96826c53301bc6f55ddf7
six.moves.urllib.parse.urljoin strips everything that doesn't end
with a forward slash, so for example, if the barbican URL is
http://ip-address/key-manager, the "key-manager" part will be removed.
If the URL is http://ip-address/key-manager/, everything will be fine.
Change-Id: I1afcd7ae460633e451bc365fdb87f6e30bb3a60b
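The trailing-slash behaviour described above, as an added example that is not part of the original commit: the first helper shows what urljoin does with a base URL lacking the final slash, the second normalises the base before joining. Helper names and the sample URLs are constructed.

```python
from urllib.parse import urljoin

# Constructed example of the urljoin pitfall; helper names and URLs made up.


def naive_join(base, path):
    """Old behaviour: urljoin treats the last segment of a base URL that
    lacks a trailing slash as a file name and replaces it."""
    return urljoin(base, path)


def safe_join(base, path):
    """Guarantee the base path ends with '/', so its last segment survives,
    and drop a leading '/' from path so it cannot reset to the host root."""
    if not base.endswith("/"):
        base += "/"
    return urljoin(base, path.lstrip("/"))
```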
Since all Oslo library drivers are discoverable via
stevedore, we should use stevedore in Castellan as well.
This will make it easier for folks to write their own
custom drivers. Stevedore uses setuptools entry points
for implementing the common patterns for dynamically
loading extensions.
We add [key_manager]/backend as the new option to set
the custom driver. For a while, we should support the
older values that used to be specified using
[key_manager]/apiclass.
Change-Id: I2610459839806a5591da1efa314dfa52bcfb7cda
Importing the barbican client object as barbican_client and
also using barbican_client as a variable name was confusing.
Changes the import name to prevent confusion.
Change-Id: I886f045eb56683713ab75401b5ec1669ddbb072d
The context wrapper classes under castellan.common.credentials were
missing an auth_url property resulting in calls to get_endpoint()
failing with 'Could not determine a suitable URL for the plugin' unless
users set barbican/auth_endpoint.
Change-Id: I1be3a1e11e3f4c2170062927ad359bf679eb25d9
Closes-Bug: #1497993
Adds ability to list secrets, and adds initial filtering ability. Can
filter by secret_type.
Depends-On: I583f27f91cb3c6bdb23438dff6b539407b4005ed
Depends-On: I99cd72724e11bab362bcaaeb773f33b2abfe815c
Change-Id: I245d5846aa8d3b9586bea6dc4e0b24db86c911c9
DevStack was changed so that keystone uses uwsgi [1]. This
means we can't call keystone with the port number anymore.
1. https://review.openstack.org/#/c/456344/
Change-Id: I349b689e8030c8c2a7313b9781973952ead29c75
Adds the ability to retrieve only the metadata of a secret. This is
helpful in situations when the caller wants to know information about
the secret, but doesn't want to unnecessarily handle the secret data.
Change-Id: I63aec037973aad2555190ca3eb6bba765955399a
This new option should be used with caution, but is useful
for development environments where the certificates can't
be verified yet.
Closes-Bug: #1516793
Change-Id: I2e5433fda8dec02556a6715b8182201daf8fe9bb
This allows us to use versionless endpoints for keystone in the
configuration files and furthermore, we won't depend on a specific
keystone version, as is the case today.
Change-Id: I124c0ea2d9403d6b530b33f18896c4e7bf4eabb5
Depends-On: I35f1c9dcd20017b9c442b04c142e46cad4d15eb4