Fix can't find /usr/lib/libCryptoki2_64.so in barbican

Link https://docs.openstack.org/project-install-guide/key-manager/newton/barbican-backend.html#simple-crypto-plugin

Change-Id: I351738c2a98090c56ac69e477fbe5ddec4cc5b26
Closes-Bug: #1672001
zhubingbing 2017-03-11 15:29:45 +08:00
parent c0df4ab8b6
commit 6d0e31f232
No known key found for this signature in database
GPG Key ID: EE9630454C697F21
5 changed files with 34 additions and 3 deletions


@ -437,6 +437,13 @@ ceilometer_database_type: "mongodb"
ceilometer_event_type: "mongodb"
#######################
# Barbican options
#######################
# Valid options are [ simple_crypto, p11_crypto ]
barbican_crypto_plugin: "simple_crypto"
barbican_library_path: "/usr/lib/libCryptoki2_64.so"
########################
### Panko options
########################
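Review bot: The new default `barbican_crypto_plugin: "simple_crypto"` carries no comment on what operators give up by using it. With this plugin the template in this commit writes the key-encryption key into barbican.conf in plaintext (`kek = ...` under `[simple_crypto_plugin]`), whereas `p11_crypto` keeps the master key in an HSM. I would add a line above the default such as `# simple_crypto keeps the KEK in barbican.conf; use p11_crypto with an HSM for production`. The same comment would help next to the commented-out sample values in the globals file later in this commit.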


@ -2,7 +2,6 @@
debug = {{ barbican_logging_debug }}
log_dir = /var/log/kolla/barbican
bind_port = {{ barbican_api_port }}
bind_host = {{ hostvars[inventory_hostname]['ansible_' + api_interface]['ipv4']['address'] }}
host_href = {{ public_protocol }}://{{ kolla_external_fqdn }}:{{ barbican_api_port }}
@ -23,11 +22,12 @@ enabled_secretstore_plugins = store_crypto
# ================= Crypto plugin ===================
[crypto]
namespace = barbican.crypto.plugin
enabled_crypto_plugins = p11_crypto
enabled_crypto_plugins = {{ barbican_crypto_plugin }}
{% if barbican_crypto_plugin == 'p11_crypto' %}
[p11_crypto_plugin]
# Path to vendor PKCS11 library
library_path = '/usr/lib/libCryptoki2_64.so'
library_path = {{ barbican_library_path }}
# Password to login to PKCS11 session
login = '{{ barbican_p11_password }}'
# Label to identify master KEK in the HSM (must not be the same as HMAC label)
@ -36,6 +36,12 @@ mkek_label = 'kolla_master_kek'
mkek_length = 32
# Label to identify HMAC key in the HSM (must not be the same as MKEK label)
hmac_label = 'kolla_hmac'
{% endif %}
{% if barbican_crypto_plugin == 'simple_crypto' %}
[simple_crypto_plugin]
# the kek should be a 32-byte value which is base64 encoded
kek = '{{ barbican_crypto_password }}'
{% endif %}
[keystone_notifications]
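Review bot: The `[simple_crypto_plugin]` block renders `kek = '{{ barbican_crypto_password }}'`, but the variable this commit adds to the passwords file and to the generator's `hmac_sha256_keys` list is `barbican_crypto_key`; no `barbican_crypto_password` is defined in any visible hunk. Unless it is defined elsewhere, rendering fails on an undefined variable (or yields an empty KEK if undefined variables are tolerated) exactly when the new default plugin is selected. The line should read `kek = '{{ barbican_crypto_key }}'`. Separately, a `barbican_crypto_plugin` value other than the two compared strings renders neither plugin section, so a check that it is one of `simple_crypto` or `p11_crypto` would make a typo fail early.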


@ -240,6 +240,14 @@ kolla_internal_vip_address: "10.10.10.254"
# Valid options are [ mongodb, gnocchi, panko ]
#ceilometer_event_type: "mongodb"
#######################
# Barbican options
#######################
# Valid options are [ simple_crypto, p11_crypto ]
#barbican_crypto_plugin: "simple_crypto"
#barbican_library_path: "/usr/lib/libCryptoki2_64.so"
#######################
## Panko options
#######################


@ -30,6 +30,8 @@ aodh_keystone_password:
barbican_database_password:
barbican_keystone_password:
barbican_p11_password:
barbican_crypto_key:
keystone_admin_password:
keystone_database_password:


@ -21,6 +21,7 @@ import sys
from Crypto.PublicKey import RSA
from hashlib import md5
from hashlib import sha256
from oslo_utils import uuidutils
import yaml
@ -70,6 +71,9 @@ def main():
# HMAC-MD5 keys
hmac_md5_keys = ['designate_rndc_key']
# HMAC-SHA256 keys
hmac_sha256_keys = ['barbican_crypto_key']
# length of password
length = 40
@ -96,6 +100,10 @@ def main():
passwords[k] = (hmac.new(
uuidutils.generate_uuid(), '', md5)
.digest().encode('base64')[:-1])
elif k in hmac_sha256_keys:
passwords[k] = (hmac.new(
uuidutils.generate_uuid(), '', sha256)
.digest().encode('base64')[:-1])
else:
passwords[k] = ''.join([
random.SystemRandom().choice(
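Review bot: In the `hmac_sha256_keys` branch the KEK is computed as `hmac.new(uuidutils.generate_uuid(), '', sha256)`, so all of its secrecy comes from a single UUID string. Assuming that is a version-4 UUID, the 32-byte value holds at most 122 random bits, and the HMAC over an empty message adds none. For a key that protects every stored secret I would take the bytes directly from the OS CSPRNG, e.g. `passwords[k] = base64.b64encode(os.urandom(32))`; whether `base64` and `os` are already imported is not visible in these hunks. `.encode('base64')` also works only on Python 2 strings, and `main()` starts and ends outside the hunk.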