* Update barbican-specs from branch 'master'
to 33b30e604c5d47a0cf202c1c87eec91d6898c3ca
- Update the secret consumers spec
This changes the spec, so that the API makes the same assumptions
as the container consumers API.
Change-Id: I02f6dfc072416780dc541534733274279a849423
* Update barbican-specs from branch 'master'
to 5e3201676baf6a4e19faffb0e311558b078797c4
- docs: Update Freenode to OFTC
The OpenDev IRC services have switched from Freenode to OFTC
network [1].
This patch updates the document with OFTC network details.
[1] http://lists.openstack.org/pipermail/openstack-discuss/2021-May/022718.html
Change-Id: I8b938f0866ff06bf5adcc57c2c8d38e6bc0b2150
* Update barbican-specs from branch 'master'
to d062723f97c25628deff921be956e321bca2cc57
- remove unicode from code
Change-Id: I358528ba14ad874009d61d61f1272903f81ab2d8
* Update barbican-specs from branch 'master'
- Switch to newer openstackdocstheme and reno versions
Switch to openstackdocstheme 2.2.1 and reno 3.1.0 versions. Using
these versions will allow especially:
* Linking from HTML to PDF document
* Allow parallel building of documents
* Fix some rendering problems
Update Sphinx version as well.
Disable openstackdocs_auto_name to use 'project' variable as name.
Change pygments_style to 'native' since old theme version always used
'native' and the theme now respects the setting and using 'sphinx' can
lead to some strange rendering.
openstackdocstheme renames some variables, so follow the renames
before the next release removes them. A couple of variables are also
not needed anymore, remove them.
See also
http://lists.openstack.org/pipermail/openstack-discuss/2020-May/014971.html
Change-Id: Iac415cd5bd7346847edeb174b059ffbc3e2a1bdf
* Update barbican-specs from branch 'master'
- Cleanup py27 support and docs
Make a few cleanups:
- Remove obsolete sections from setup.cfg
- Remove install_command from tox.ini, the default
is fine
- Switch to sphinx-build
- Enable warnings for doc build, fix all warnings
- Remove git handling from conf.py, openstackdocstheme does this now
- Cleanup tox.ini
Change-Id: I51796be20596afc2305c2d8ea189b4037bd28b2d
* Update barbican-specs from branch 'master'
- Update README and specs/template.rst
Updated to remove leftover copy/paste references to Nova, as well
as our use of Storyboard instead of Launchpad.
Change-Id: Ie4c3d86eb4751151409006c817e4da7524d7e39a
* Update barbican-specs from branch 'master'
- Fix tox -e docs build
The docs target in tox was failing because it was still using
oslosphinx. This patch replaces it with openstackdocstheme.
Change-Id: I4b6a93a306441f25d333889eaab3e9bbab3974c6
Story: 2005767
Task: 33481
- OpenDev Migration Patch
This commit was bulk generated and pushed by the OpenDev sysadmins
as a part of the Git hosting and code review systems migration
detailed in these mailing list posts:
http://lists.openstack.org/pipermail/openstack-discuss/2019-March/003603.html
http://lists.openstack.org/pipermail/openstack-discuss/2019-April/004920.html
Attempts have been made to correct repository namespaces and
hostnames based on simple pattern matching, but it's possible some
were updated incorrectly or missed entirely. Please reach out to us
via the contact information listed at https://opendev.org/ with any
questions you may have.
* Update barbican-specs from branch 'master'
- Merge "Replacing the HTTP protocal with HTTPS"
- Replacing the HTTP protocal with HTTPS
Change-Id: I7cc3a4a8c399fa8a4cce91b36b1a9e91b4e2bf94
* Update barbican-specs from branch 'master'
- Delete the duplicate words in template.rst
Change-Id: Id2ea13e81a6c28321d99ec090f5f2c229dfa3302
- Update http to https.
Change-Id: Id7f87dca40686908aad73fb160096ee5ef4216fb
- Merge "Advancing the protocal of the website to HTTPS in rolling-upgrade.rst."
- Merge "remove those copy words occured twice times in template.rst"
- Merge "dumplicate words was deleted in template.rst"
- Merge "omit the twice occured words in template.rst"
- Merge "omit the twice occured words in audit-cadf-events.rst"
- Add Train specs directory
The "T" release of OpenStack is officially "Train".
http://lists.openstack.org/pipermail/openstack-dev/2018-November/136464.html
Change-Id: Ib6301c7e0d96a291922004c2a407d189f9f185a2
- Advancing the protocal of the website to HTTPS in rolling-upgrade.rst.
Change-Id: I97a01744383c1d7a8c07b9536244cd487b81190f
- omit the twice occured words in template.rst
Change-Id: I01a055bfc96c0ecacef04cbc40ecb3fd8c8424b2
- omit the twice occured words in audit-cadf-events.rst
Change-Id: Icfdd850fce479047271ad013ef6776992cd85dd0
- dumplicate words was deleted in template.rst
Change-Id: I828ef74830efe5e3f199d3d09d712f9178219415
- remove those copy words occured twice times in template.rst
Change-Id: Ib64691a287bd6b38b36a1646b6007a0b9ab4bfc7
- Update min tox version to 2.0
The commands used by constraints need at least tox 2.0. Update to
reflect reality, which should help with local running of constraints
targets.
Change-Id: Idd54092b2d2b9713d4ffbc2bcbd87a0f222d8a23
- import zuul job settings from project-config
This is a mechanically generated patch to complete step 1 of moving
the zuul job settings out of project-config and into each project
repository.
Because there will be a separate patch on each branch, the branch
specifiers for branch-specific jobs have been removed.
Because this patch is generated by a script, there may be some
cosmetic changes to the layout of the YAML file(s) as the contents are
normalized.
See the python3-first goal document for details:
https://governance.openstack.org/tc/goals/stein/python3-first.html
Remove stein from toc, there's no spec yet and zuul complains about an
empty toc.
Change-Id: Iede70fc477d0fe7b0b63336d1e120d5d5c23160d
Story: #2002586
Task: #24285
- Add stein specs to toc
Change-Id: I3b523dcb7f72f7c5cb90cbf92c1a4d11ec6f8045
- add stein directory
Change-Id: Ie2f07ba0b1547c1b8ec0497e72e2094467c56bd0
- fix tox python3 overrides
We want to default to running all tox environments under python 3, so
set the basepython value in each environment.
We do not want to specify a minor version number, because we do not
want to have to update the file every time we upgrade python.
We do not want to set the override once in testenv, because that
breaks the more specific versions used in default environments like
py35 and py36.
Change-Id: Id94e8d7db17059228e8957e74922a684043ed469
- Trivial: update url to new url
Change-Id: I83fd0fc733c1167dacff519bf81e6aa4995033b1
* Update barbican-specs from branch 'master'
- Specs rolling upgrade for Barbican
- Listed out detail work items in the specification document.
- Listed out detail primary assignee.
- Added assert "assert:supports-rolling-upgrade" tag for Barbican
Change-Id: If758e84b6aa9a86de46ce405d8e174ca56c76723
Project: openstack/barbican-specs e3cffc5bde3cd68fccea139dc67811a5f9e2211e
Ignore some files during running tox
When we run the "tox" command, there are two
redundant files named AUTHORS and ChangeLog.
They should be ignored.
Change-Id: Ia49bbe32f32054365f6380709edf55083693b019
Project: openstack/barbican-specs 60eded4f12f57293ea822d6b667641511c460573
Show team and repo badges on README
This patch adds the team's and repository's badges to the README file.
The motivation behind this is to communicate the project status and
features at first glance.
For more information about this effort, please read this email thread:
http://lists.openstack.org/pipermail/openstack-dev/2016-October/105562.html
To see an example of what this would look like, check:
https://gist.github.com/25ec3803cb84c530b5d0bf7f44d01077
Change-Id: I47804903a4dbeebe69f406e1cef0709e91e30d00
Project: openstack/barbican-specs 6274b9b3df14795c173a56577a92c76fbd29286d
Changed the home-page of barbican-specs in setup.cfg
Instead of pointing to openstack.org, the homepage has been
changed to point to the homepage of barbican-specs.
Change-Id: Id245b7cd693b0fbebdceb809a93c7ebeb5ebde5d
Project: openstack/barbican-specs 8a56773a9b0e1f79bb58bb3d8c36261b7ee7cacf
Adding spec for supporting multiple secret store backends
Updated patch to clarify review comments and correct typos.
Added details around plugin name and how it's used in secret_stores
'name' field.
Added changes related to how multiple plugin configuration is going to
be specified and used.
Added field to capture crypto_plugin name in addition to secret store plugin
name. This is done as both software only and pkcs11 plugins use database
(store_crypto) as storage backend. Difference is in crypto plugin used
(simple crypto vs p11_crypto).
APIImpact
SecurityImpact
Change-Id: I02054d80f68f38145b399909d60db80a4d91c1ba
Project: openstack/barbican-specs 6f58e84a972dbb9c1d4ea098c2b6cb4965dc910d
Blueprint for adding Date filters to the Secrets API
Change-Id: I3112415fa71a948202972bf60ae924922565d766
Project: openstack/barbican-specs d93d91541a2414923b824e6dae0539758b1b8b27
Add support for modifying Generic Containers
The blueprint for this feature was approved in the Liberty cycle.
However, the feature was not implemented. This CR proposes a slightly
modified blueprint for the Newton cycle.
Change-Id: I6b27c7b2b73c429b53bd235b46f7ea753166406a
Project: openstack/barbican-specs 06b2585bb04bf55cbd211943e26f3474e2ce9b39
Blueprint for Deployer Secret Metadata
This blueprint discusses and defines the addition of deployer
secret metadata.
Change-Id: Icab28fdace6cb2d57d95a697a4f78268f8a5874f
Project: openstack/barbican-specs 4c4595ec49d99806af4caee9f13d3c816180790e
Add a KMIP key manager interface in Castellan
This blueprint discusses the creation of a new key manager wrapper
in Castellan for KMIP devices. This provides a way for Castellan
to interact with a KMIP device directly.
Change-Id: Ib77707a12dbfdb72a66c2bfbe9e17711cb7e9bcd
Depends-On: I34243c7a2523d9d0aa4e86d823dd28f1beed821a
Project: openstack/barbican-specs 8cabfb9aeaebc1cfea7c58647b35c76a3b21ea6f
Adding a barbican-manage command
This blueprint discusses and defines a new admin command called
"barbican-manage" which interacts with Barbican service for all
management operations. The initial implementation will consolidate
several existing admin commands into it.
Change-Id: I8a69b9ed4035a1a1ff9240d1124cdc7363376ed0
Project: openstack/barbican-specs 2753d16e1866841e77e6fa902a8e5e236cf436fd
Allow different Keystone Auth Support in Castellan
This blueprint discusses adding additional Keystone auth
types to Castellan for the Barbican Key manager.
This was discussed as a need in a previous meeting, to allow
for future Castellan integration into Swift for Object
Encryption.
Change-Id: I2247abe5c04c740582fb11b281030532ef00b9bd
Project: openstack/barbican-specs 0cb352beb372d7c80f6cb78ed6aa92697118aa8d
Create Blueprint for database cleanup cron job
The barbican admin will be able to configure a cronjob to
clean up soft deletions in the database.
Change-Id: I96e42c2341206c52dc0ed86e2f98f4eefc7b65a6
Project: openstack/barbican-specs f67c177544d25948dabf5e52beb5435b5fe98b99
Blueprint defining user defined metadata for Barbican Secrets
This blueprint discusses and defines the ability for users to
add their own metadata to Secrets.
Change-Id: Ic670a560d4f06dabc720fc60025842bf2072d482
Project: openstack/barbican-specs b962fa73d742e80447143c3ddce98ca982dbabd5
Update Project Quotas design spec
Upon discovery and discussion, this commit brings three changes to the
design spec for project quotas.
1) Removal of quota support for transport keys. It turns out they
are not a project resource and should not be managed on a per
project basis.
2) New role for quota management. The management of project quotas
can not fall to project level admins. This must be the responsibility
of a service level admin. A new keystone role is introduced to
implement this change.
3) Clarification of paging support. The examples are updated to clarify
the paging support to be implemented for listing project quotas.
Change-Id: I4d5fb76e2868f63f623a8a3cd0b14d0bba31290a
Relates-to: blueprint quota-support-on-barbican-resources
Project: openstack/barbican-specs ffc727cde7a582e42f59d77d145726c070c7deda
Update template for client impact
Added section for client (python and CLI) impact as well as a
link near the top so that an API blueprint can point to its
related client blueprint.
Change-Id: I4bc22933f27efcd59363e9e09ca117ad01f001cb
Project: openstack/barbican-specs 8f7a6cc16d14d4a33ace60a8f6d0ea2d97d8af08
Update Quota Blueprint Spec with New Details
Changes to spec to treat configured project values as a REST object.
This implies some changes on how to handle specific CRUD operations.
Change the data model to move away from previous generic design
to a Barbican quota specific model.
Changes for specific use cases based on reviews, discussion, and
community consensus.
Change-Id: Ie46eb9e7918c4e719437af7fc31d76db7aa8abb5
Relates-to: blueprint quota-support-on-barbican-resources
Project: openstack/barbican-specs 01f82ab0bc083b82dc6cd4f2eb05ee2fe9a7aacf
Reordering project spec list
The current order of the projects has oldest release listed first.
Reversing this order to minimize scrolling in the UI.
Change-Id: Ibe87c7ade02df49146ce68a1d36f6806b43cf783
Project: openstack/barbican-specs f31ceb754f6ac958f0a6a3a0e9aee7c2d1e1c49d
Use underscores instead of dashes as word separators in API resource names
Change project-quotas and project-id to project_quotas and project_id.
To be consistent with the OpenStack API WG recommendations: we should
use dashes in the resource names (the request URLs) and use underscores
in the field names (the JSON response).
Relates-to: blueprint quota-support-on-barbican-resources
Change-Id: Icebf327c3c3b52afb0f847d6ab626e6d8eda12aa
Project: openstack/barbican-specs 5ba18b8aaa8d007bf680c3df803929b792c61e21
Add List of Group-IDs to ACL for Secrets/Containers
The current access control list (ACL) approach in Barbican only allows
for adding user IDs for access to a given secret or container. This
blueprint proposes allowing group IDs to be added to ACLs to
accommodate users within specified groups access to
secrets/containers as well. Adding group support to ACLs would support
LDAP group based access to secrets/containers.
This blueprint depends on the approval of a Keystone blueprint:
https://review.openstack.org/#/c/188564/
Change-Id: I80b4d5506ad0cb289f77db8ad0d9632bea9ae474
Implements: blueprint api-acl-add-group-list
APIImpact: Update /v1/.../acls resource to add new 'groups' list
DocImpact: Update acls resource docs to mention a new 'groups' list
SecurityImpact: Adds a new means to access secrets and containers
Project: openstack/barbican-specs f9800e65da26558192f6d6bdd1a81ee8c75e84f3
Add PUT Support For the Generic Containers Resource
The original intent of the 'generic' container type was to support
arbitrary secrets to be collected and referenced, similar to a file
system folder. Hence it makes sense for an already-created 'generic'
container to support changing this collection after the fact. This
blueprint details how this API would look.
Implements: api-containers-add-put
APIImpact: Add PUT action to the containers resource
DocImpact: Add docs for the new PUT action for containers resource
Change-Id: Ia2c9758436937096ff7d4c5f4ea89c302cc6983a
Project: openstack/barbican-specs 5ec29b5c4cb1a8f09b1c89ed434e3c2f9e608449
Add Quota support for Barbican resources
This spec aims at implementing quota support for the Barbican resources
"secrets", "orders", "containers" and "transport keys". Moving the
spec from Kilo to Liberty directory.
Also: fixed some typos, updated assignee, and updated implementation
details based on current status of oslo.common.quotas.
Change-Id: Iff773fb4ab0814096156f58b1c9f7bb3fc43e681
Project: openstack/barbican-specs 902ff00f27689838c8c87cabbc1f41aa9ea40b98
Add Crypto/HSM MKEK Rotation Support (Light)
Currently Barbican has no means to migrate secrets encrypted with a
crypto/HSM-style plugin to a new master key encryption key (MKEK) and
its associated wrapped project KEKs. This blueprint proposes adding a
new Barbican service process that supports completing the rotation
process by re-wrapping the project KEKs with the new MKEK.
Note that unlike the similarly-named blueprint at
https://blueprints.launchpad.net/barbican/+spec/add-crypto-mkek-rotation-support,
this blueprint does *not* call for re-encrypting secrets and
therefore this blueprint is a 'lightweight' alternative to that
blueprint.
Similar to the other blueprint, this process would be started after
deployers, out of band: (1) generate new MKEK and HMAC signing keys
with a binding to new labels, and then (2) replicate these keys to
other HSMs that may be in the high availability (HA) group, and then
(3) update Barbican's config file to reference these new labels, and
finally (4) restart the Barbican nodes. The proposed process would
then re-wrap the project KEKs with the new MKEKs, updating the
associated project KEK records with the new wrapped project KEKs.
Change-Id: Ic35dc0fbd98a38c560a2e9cf8bd0b01325914646
Project: openstack/barbican-specs eb5fc837e5ac6e569eac654a268f04668dc6dc8c
Drop incubating theme from docs
OpenStack has dropped the incubation notion, so labeling this as an
incubated project in the docs is confusing.
Change-Id: I5208ceebba4ce388039a7697fda8b5794db920c2
Project: openstack/barbican-specs 655ed3b259de5208c4020d8d6277556aed6a2c3b
Move data-remove-tenant-secret-assoc to Liberty
Change-Id: Ic068db2388404de0cef3d4eca82ff912303812ef
Project: openstack/barbican-specs f8ce095f9018276c6610a2306f42b906baa9c268
Move fix-version-api blueprint to Liberty
Change-Id: Ic8d03779c951f2d1843c62a71b185a75dfaa4496