Add file to the reno documentation build to show release notes for
stable/2024.1.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/2024.1.
Sem-Ver: feature
Change-Id: I3ed6662c2c6c440435eae5d6f05a8abb83dae142

Since bc6d87b969 was merged, any
implementations inheriting the base KeyManager class should implement
the two new consumer interfaces. This documents that upgrade impact
so that the note appears in the release notes.
Change-Id: Id6ba2f3dff279371a13e319773b4579c82338774

Add file to the reno documentation build to show release notes for
stable/2023.2.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/2023.2.
Sem-Ver: feature
Change-Id: I678310a4dcc6268263a7a42f4f425907f35079e4

Add file to the reno documentation build to show release notes for
stable/2023.1.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/2023.1.
Sem-Ver: feature
Change-Id: Ic3218dd69770273a5b4cae181bc21d015501378f

Add file to the reno documentation build to show release notes for
stable/zed.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/zed.
Sem-Ver: feature
Change-Id: I3136f2dc8f4a6b2f9d15a12a880fa1a5c551343e

Add file to the reno documentation build to show release notes for
stable/yoga.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/yoga.
Sem-Ver: feature
Change-Id: I600b3e54f31a622862c178452ab68c1059f34036

Vault Namespaces [0] is a feature available in Vault Enterprise that
can be considered a more advanced isolation feature on top of the current
KV mountpoint option in the Castellan Vault plugin.
Passing a namespace in all request headers (including Auth) allows organizing
a Vault-in-Vault style of isolation, with clients using the same simple URI path
but accessing separate sets of entities in Vault.
[0] https://www.vaultproject.io/docs/enterprise/namespaces
Change-Id: I627c20002bb2a0a1b346b57e824f87f856eca4c9

Add file to the reno documentation build to show release notes for
stable/xena.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/xena.
Sem-Ver: feature
Change-Id: I1f1fdd54490efa1ca406c7e6b807ce643a73f613

This change adds support to the Barbican key manager for configuring a
service user. This can be used to provide additional security through
the combination of a user token and a service token, with appropriate
modifications to Barbican API policy.
Use of a service user is enabled via the [barbican]
send_service_user_token option, which defaults to False. When set to
True, the service user is configured via keystoneauth options in the
barbican_service_user group.
Change-Id: I143cb57c8534a8dc0a91e6e42917dd0c134170c0

Add file to the reno documentation build to show release notes for
stable/wallaby.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/wallaby.
Sem-Ver: feature
Change-Id: Ia9a6c82e840dc8cbd6d37aca394e718a03ba4c77

This change introduces a new option to define the region to which
the Barbican endpoint belongs. This is required if the deployment has
multiple regions and a single Keystone instance stores multiple
Barbican endpoints for different regions.
This change also ensures that the same interface and region are used
in endpoint detection and api version detection.
Change-Id: If2c0055d45922937e259a8f22f5879c9faa41e35

Add file to the reno documentation build to show release notes for
stable/victoria.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/victoria.
Change-Id: I575db9ce1ee0db31b48bf6e8cfd813807eba868c
Sem-Ver: feature

_get_barbican_endpoint now uses the barbican_endpoint_type config option to
retrieve the correct endpoint from the catalog.
This config option is set to 'public' by default, which is also the default
value for the ServiceCatalog.endpoint_data_for method. This means that the
default behaviour will be the same as before this patch.
Change-Id: Idf4061fe3e35e3c47a993a56b23c0257c92e5cc3

This patch centralizes the managed objects conversion in order to be
used across multiple key_manager backends.
Change-Id: Ia2e15d46eb2e504b815a7f51173aecaf82978402
Signed-off-by: Moisés Guimarães de Medeiros <moguimar@redhat.com>

This patch fixes the issue when guessing the KV API version fails.
From now on, a configuration option should be used to set vault's API
version.
Change-Id: I962b29519c189dddf9723689e6aaeed2cac3ff2c
Signed-off-by: Moisés Guimarães de Medeiros <moguimar@redhat.com>

Switch to openstackdocstheme 2.2.1 and reno 3.1.0 versions. Using
these versions will allow especially:
* Linking from HTML to PDF document
* Allow parallel building of documents
* Fix some rendering problems
Update Sphinx version as well.
Set openstackdocs_pdf_link to link to PDF file. Note that
the link to the published document only works on docs.openstack.org
where the PDF file is placed in the top-level html directory. The
site-preview places the PDF in a pdf directory.
Disable openstackdocs_auto_name to use 'project' variable as name.
Change pygments_style to 'native' since old theme version always used
'native' and the theme now respects the setting and using 'sphinx' can
lead to some strange rendering.
openstackdocstheme renames some variables, so follow the renames
before the next release removes them. A couple of variables are also
not needed anymore, remove them.
See also
http://lists.openstack.org/pipermail/openstack-discuss/2020-May/014971.html
Change-Id: If5b3ea5c50a91f623b0dd4d1dd347ee8a6b90290

Now we can't use verify_ssl if we set it to True, so we
add the "verify_ssl_path" config option to solve it.
Closes-Bug: #1876102
Change-Id: I83bafe5b7e0c4cca67f773858007fb59d98a93a5

Add file to the reno documentation build to show release notes for
stable/ussuri.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/ussuri.
Change-Id: I493a26372b6be92e6d02c342d8f699ef19cd7f59
Sem-Ver: feature

The KeyManager itself should be responsible for advertising the
correct set of options for discovery, not relying on the global
option listing method to know which variable holds the options
and how they are grouped.
Change-Id: I1764c383206df835b7d654f2f776663bd6d4d25b
Signed-off-by: Moisés Guimarães de Medeiros <moguimar@redhat.com>

Add file to the reno documentation build to show release notes for
stable/train.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/train.
Change-Id: Id2b4e1d7910bfa8b4a482b1481a13cfc183a692f
Sem-Ver: feature

Add file to the reno documentation build to show release notes for
stable/stein.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/stein.
Change-Id: I5ef039b5cfeeae24f7f48e5fde2155ca77f81563
Sem-Ver: feature

Previous code was treating length as bytes, but the API contract
considers the length param to be bits, so that, considering `km`
a VaultKeyManager, the call `km.create_key(ctx, 'AES', 256)` should
generate a 256-bit AES key and not a 2048-bit AES key.
Closes-Bug: #1817248
Change-Id: I5815cb74394e18b6058f4c5cf69b656d7cc2c43b
Signed-off-by: Moisés Guimarães de Medeiros <moguimar@redhat.com>

Support end user configuration of KV store in Vault to use for
key storage allowing more flexibility in Vault configuration.
Change-Id: I625a819c2b9b542677258de709a9c520fb86858b
Closes-Bug: 1797148

Add support for use of AppRoles for authentication to Vault; this
feature provides a more application-centric approach to managing
long-term access to Vault.
The functional tests exercise this integration with a restricted
policy which only allows access to the default 'secret' backend.
Change-Id: I59dfe31adb72712c53d49f66d9ac894e43e8bbad
Closes-Bug: 1796851

This patch addresses a specific use case, where a user has encrypted
volumes based on the fixed_key used by Cinder's and Nova's
ConfKeyManager. The user wishes to switch to Barbican, but existing
volumes must continue to function during the migration period.
The code conditionally adds a shim around the backend KeyManager when
both of these conditions are met:
1) The configuration contains a fixed_key value. This essentially
signals the ConfKeyManager has been in use at one time
2) The current backend is *not* the ConfKeyManager
When the shim is active, a MigrationKeyManager class is dynamically
created that extends the backend's KeyManager class. The
MigrationKeyManager exists solely to override two functions:
o The KeyManager.get() function detects requests for the secret
associated with the fixed_key, which is identified by an all-zeros
key ID.
- Requests for the all-zeros key ID are handled by mimicking the
ConfKeyManager's response, which is a secret derived from the
fixed_key.
- Requests for any other key ID are passed on to the real backend.
o The KeyManager.delete() function is similar:
- Requests to delete the all-zeros key ID are essentially ignored,
just as is done by the ConfKeyManager.
- Requests to delete any other key ID are passed on to the real
backend.
All other KeyManager functions are not overridden, and will therefore be
handled directly by the real backend.
SecurityImpact
Change-Id: Ia5316490201c33e23a4206838d5a4fb3dd00f527

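The shim described in the commit message above, as an added illustration that is not castellan's own code: a `MigrationKeyManager` class is built dynamically on top of whatever backend class is configured, and only `get()` and `delete()` are overridden. The `KeyManager`, `InMemoryKeyManager`, `ConfKeyManager` and `SymmetricKey` classes, the `wrap_with_migration_shim` helper and the way the secret is derived from `fixed_key` (hex-decoding it) are assumptions made for the example; the two activation conditions and the all-zeros key ID behaviour follow the text.

```python
"""Constructed example of a fixed_key migration shim (hypothetical classes)."""
import binascii
from dataclasses import dataclass

# The ConfKeyManager identifies the fixed_key secret by an all-zeros key ID.
FIXED_KEY_ID = "00000000-0000-0000-0000-000000000000"


@dataclass
class SymmetricKey:
    """Stand-in for a managed symmetric key object (assumption)."""
    algorithm: str
    bit_length: int
    key: bytes


class KeyManager:
    """Minimal stand-in for the base KeyManager interface (assumption)."""

    def get(self, context, managed_object_id):
        raise NotImplementedError

    def delete(self, context, managed_object_id):
        raise NotImplementedError


class ConfKeyManager(KeyManager):
    """Stand-in for the fixed_key backend; the shim must not wrap it."""

    def __init__(self, fixed_key_hex):
        self.fixed_key_hex = fixed_key_hex

    def get(self, context, managed_object_id):
        return fixed_key_secret(self.fixed_key_hex)

    def delete(self, context, managed_object_id):
        return None  # deleting the fixed key is ignored


class InMemoryKeyManager(KeyManager):
    """Hypothetical real backend standing in for e.g. Barbican."""

    def __init__(self):
        self._store = {}

    def store(self, context, obj):
        key_id = "id-%d" % (len(self._store) + 1)
        self._store[key_id] = obj
        return key_id

    def get(self, context, managed_object_id):
        return self._store[managed_object_id]

    def delete(self, context, managed_object_id):
        del self._store[managed_object_id]


def fixed_key_secret(fixed_key_hex):
    """Mimic the ConfKeyManager response: a secret derived from fixed_key.
    Derivation here (hex decode) is an assumption for the example."""
    key_bytes = binascii.unhexlify(fixed_key_hex)
    return SymmetricKey("AES", len(key_bytes) * 8, key_bytes)


def wrap_with_migration_shim(backend_cls, conf):
    """Return backend_cls unchanged, or a dynamically created subclass that
    overrides get() and delete(), when both conditions hold:
      1) the configuration contains a fixed_key value, and
      2) the backend is *not* the ConfKeyManager."""
    fixed_key = conf.get("fixed_key")
    if not fixed_key or backend_cls is ConfKeyManager:
        return backend_cls

    def get(self, context, managed_object_id):
        if managed_object_id == FIXED_KEY_ID:
            return fixed_key_secret(fixed_key)          # legacy volumes keep working
        return backend_cls.get(self, context, managed_object_id)

    def delete(self, context, managed_object_id):
        if managed_object_id == FIXED_KEY_ID:
            return None                                 # ignored, as ConfKeyManager does
        return backend_cls.delete(self, context, managed_object_id)

    # Every other KeyManager method is inherited from the real backend.
    return type("MigrationKeyManager", (backend_cls,), {"get": get, "delete": delete})


def demo():
    """Exercise the shim on constructed data; returns values a test can check."""
    conf = {"fixed_key": "00" * 31 + "01"}  # constructed 256-bit fixed key (hex)
    km_cls = wrap_with_migration_shim(InMemoryKeyManager, conf)
    km = km_cls()
    legacy = km.get(None, FIXED_KEY_ID)                 # served from fixed_key
    new_id = km.store(None, SymmetricKey("AES", 128, b"\x11" * 16))
    fresh = km.get(None, new_id)                        # forwarded to backend
    km.delete(None, FIXED_KEY_ID)                       # no-op
    km.delete(None, new_id)                             # forwarded to backend
    return km_cls.__name__, legacy.bit_length, fresh.bit_length, new_id in km._store


if __name__ == "__main__":
    print(demo())
```

Because the subclass is created with `type()` at configuration time, the shim costs nothing when `fixed_key` is absent or the backend is already the ConfKeyManager, and the backend's own class keeps handling every call that is not about the all-zeros key ID.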
Release notes are version independent, so remove version/release
values. We've found that projects now require the service package
to be installed in order to build release notes, and this is entirely
due to the current convention of pulling in the version information.
Release notes should not need installation in order to build, so this
unnecessary version setting needs to be removed.
This is needed for new release notes publishing, see
I56909152975f731a9d2c21b2825b972195e48ee8 and the discussion starting
at http://lists.openstack.org/pipermail/openstack-dev/2017-November/124480.html .
Change-Id: Id70a728eedb6121784333e8fed0e608834f98d84

* Uses https://www.vaultproject.io/ to store/fetch secrets
* All we need is the URL and a Token to talk to the vault server
* tox target "functional-vault" sets up a server in development mode
and runs functional tests
* Supports both http:// and https:// url(s)
* the https support was tested by setting up a vault server by hand
(https://gist.github.com/dims/47674cf2c3b0a953df69246c2ea1ff78)
* create_key_pair is the only API that is not implemented
Change-Id: I6436e5841c8e77a7262b4d5aa39201b40a985255

The context wrapper classes under castellan.common.credentials were
missing an auth_url property resulting in calls to get_endpoint()
failing with 'Could not determine a suitable URL for the plugin' unless
users set barbican/auth_endpoint.
Change-Id: I1be3a1e11e3f4c2170062927ad359bf679eb25d9
Closes-Bug: #1497993