From 777b1cce100f0d523a135a7830c6679ad7c9ab41 Mon Sep 17 00:00:00 2001
From: Ellen Batbouta
Date: Tue, 1 May 2018 12:22:20 -0400
Subject: [PATCH] Add config option for Barbican endpoint type

This change willl allow the user to specify the endpoint type for Barbican. The allowed values are: public, internal, and admin. The default value will be 'public' since this is the current value.

Change-Id: Ic89519ed3a9c347a9fff245ec231aa575b42f1ac
Closes-bug: 1767473
---
 castellan/key_manager/barbican_key_manager.py | 13 ++++++++++---
 castellan/options.py | 8 +++++++-
 castellan/tests/unit/test_options.py | 5 +++++
 3 files changed, 22 insertions(+), 4 deletions(-)

diff --git a/castellan/key_manager/barbican_key_manager.py b/castellan/key_manager/barbican_key_manager.py
index 0a4bdd5e..bc756de1 100644
--- a/castellan/key_manager/barbican_key_manager.py
+++ b/castellan/key_manager/barbican_key_manager.py
@@ -70,6 +70,12 @@ barbican_opts = [
 default=True,
 help='Specifies if insecure TLS (https) requests. If False, '
 'the server\'s certificate will not be validated'),
+ cfg.StrOpt('barbican_endpoint_type',
+ default='public',
+ choices=['public', 'internal', 'admin'],
+ help='Specifies the type of endpoint. Allowed values are: '
+ 'public, private, and admin'),
+
 ]

 BARBICAN_OPT_GROUP = 'barbican'
@@ -183,12 +189,13 @@ class BarbicanKeyManager(key_manager.KeyManager):
 raise exception.Forbidden(reason=msg)

 def _get_barbican_endpoint(self, auth, sess):
- if self.conf.barbican.barbican_endpoint:
- return self.conf.barbican.barbican_endpoint
+ barbican = self.conf.barbican
+ if barbican.barbican_endpoint:
+ return barbican.barbican_endpoint
 else:
 service_parameters = {'service_type': 'key-manager',
 'service_name': 'barbican',
- 'interface': 'public'}
+ 'interface': barbican.barbican_endpoint_type}
 return auth.get_endpoint(sess, **service_parameters)

 def _create_base_url(self, auth, sess, endpoint):
diff --git a/castellan/options.py b/castellan/options.py
index e6bc2458..e748fd9f 100644
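Review bot: The help text of the new `barbican_endpoint_type` option lists `public, private, and admin`, but `choices` accepts `public`, `internal` and `admin`. An operator who follows the help and sets `private` will have the value rejected by the choices check. Change the second help line to `'public, internal, and admin'),`. The `barbican_opts` list starts above the hunk.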
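Review bot: `barbican_endpoint_type` is read only in the `else` branch of `_get_barbican_endpoint`, so it is silently ignored whenever `barbican_endpoint` is set, and neither the option help nor the method says so. That matters when the option is used to keep key-manager traffic on an internal interface, because an explicitly configured `barbican_endpoint` still wins. Suggest a comment above the `if`, such as `# An explicit barbican_endpoint bypasses the catalog lookup; barbican_endpoint_type applies only to the lookup below.`, and the same sentence in the option's help. The diffstat shows no test touching this method, so a unit test asserting the `interface` value passed to `auth.get_endpoint` would be worth adding.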
--- a/castellan/options.py
+++ b/castellan/options.py
@@ -40,7 +40,8 @@ def set_defaults(conf, backend=None, barbican_endpoint=None,
 barbican_api_version=None, auth_endpoint=None,
 retry_delay=None, number_of_retries=None, verify_ssl=None,
 api_class=None, vault_root_token_id=None, vault_url=None,
- vault_ssl_ca_crt_file=None, vault_use_ssl=None):
+ vault_ssl_ca_crt_file=None, vault_use_ssl=None,
+ barbican_endpoint_type=None):
 """Set defaults for configuration values.

 Overrides the default options values.
@@ -56,6 +57,8 @@ def set_defaults(conf, backend=None, barbican_endpoint=None,
 :param vault_url: Use this for the url for vault.
 :param vault_use_ssl: Use this to force vault driver to use ssl.
 :param vault_ssl_ca_crt_file: Use this for the CA file for vault.
+ :param barbican_endpoint_type: Use this to specify the type of URL.
+ : Valid values are: public, internal or admin.
 """
 conf.register_opts(km.key_manager_opts, group='key_manager')
 if bkm:
@@ -87,6 +90,9 @@ def set_defaults(conf, backend=None, barbican_endpoint=None,
 if verify_ssl is not None:
 conf.set_default('verify_ssl', verify_ssl,
 group=bkm.BARBICAN_OPT_GROUP)
+ if barbican_endpoint_type is not None:
+ conf.set_default('barbican_endpoint_type', barbican_endpoint_type,
+ group=bkm.BARBICAN_OPT_GROUP)

 if vkm is not None:
 if vault_root_token_id is not None:
diff --git a/castellan/tests/unit/test_options.py b/castellan/tests/unit/test_options.py
index e1ac3f3b..bd8c3ffa 100644
--- a/castellan/tests/unit/test_options.py
+++ b/castellan/tests/unit/test_options.py
@@ -66,3 +66,8 @@ class TestOptions(base.TestCase):
 options.set_defaults(conf, verify_ssl=True)
 self.assertEqual(verify_ssl,
 conf.get(bkm.BARBICAN_OPT_GROUP).verify_ssl)
+
+ barbican_endpoint_type = 'internal'
+ options.set_defaults(conf, barbican_endpoint_type='internal')
+ result_type = conf.get(bkm.BARBICAN_OPT_GROUP).barbican_endpoint_type
+ self.assertEqual(barbican_endpoint_type, result_type)
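Review bot: In the `set_defaults` docstring hunk (`@@ -56,6 +57,8 @@`), the continuation of the new `:param barbican_endpoint_type:` entry starts with a stray `:`, unlike the other `:param` entries, and may render as a malformed field. It also says "type of URL" where the option selects the endpoint interface. Suggest `:param barbican_endpoint_type: Use this to specify the type of endpoint.` followed by an indented continuation `Valid values are: public, internal or admin.`. The docstring opens in the previous hunk and the function body continues outside this one.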
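Review bot: The added assertions only show that `set_defaults` stores `'internal'`; nothing exercises a value outside the option's `choices`. A case passing a value such as `'private'` and asserting the resulting error would pin down that a mistyped interface cannot slip through unnoticed. Whether the error is raised at `set_defaults` or on first read is not visible here, so that needs confirming. On style, the literal `'internal'` is repeated on the next line instead of reusing the local: `options.set_defaults(conf, barbican_endpoint_type=barbican_endpoint_type)`. The test method starts above the hunk.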