Merge "Default to Keystone authentication"
This commit is contained in:
Jenkins
Gerrit Code Review
commit
9a6ee3fb60
|
|
@ -3,13 +3,15 @@ Using Keystone Middleware with Barbican
|
|||
|
||||
Prerequisites
|
||||
--------------
|
||||
To enable Keystone integration with Barbican you'll need a relatively
|
||||
current version of Keystone. If you don't have an instance of Keystone
|
||||
available, you can use one of the following ways to setup your own.
|
||||
To enable Keystone integration with Barbican you'll need a relatively current
|
||||
version of Keystone. It is sufficient if you are installing an OpenStack cloud
|
||||
where all services including Keystone and Barbican are from the same release.
|
||||
If you don't have an instance of Keystone available, you can use one of the
|
||||
following ways to setup your own.
|
||||
|
||||
#. `Simple Dockerized Keystone`_
|
||||
#. `Installing Keystone`_
|
||||
#. Devstack
|
||||
#. An OpenStack cloud with Keystone (Devstack in the simplest case)
|
||||
|
||||
.. _Simple Dockerized Keystone: https://registry.hub.docker.com/u/
|
||||
jmvrbanac/simple-keystone/
|
||||
|
|
@ -27,8 +29,10 @@ the get version call.
|
|||
1. Turn off any active instances of Barbican
|
||||
2. Edit ``/etc/barbican/barbican-api-paste.ini``
|
||||
|
||||
1. Change the pipeline ``/v1`` value from unauthenticated ``barbican-api``
|
||||
to the authenticated ``barbican-api-keystone``
|
||||
1. Change the pipeline ``/v1`` value from unauthenticated ``barbican_api``
|
||||
to the authenticated ``barbican-api-keystone``. This step will not be
|
||||
necessary on barbican from OpenStack Newton or higher, since barbican
|
||||
will default to using Keystone authentication as of OpenStack Newton.
|
||||
|
||||
.. code-block:: ini
|
||||
|
||||
|
|
@ -44,15 +48,36 @@ the get version call.
|
|||
|
||||
[filter:authtoken]
|
||||
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
|
||||
signing_dir = /tmp/barbican/cache
|
||||
auth_uri = http://{YOUR_KEYSTONE_ENDPOINT}:5000/v3
|
||||
auth_url = http://{YOUR_KEYSTONE_ENDPOINT}:35357/v3
|
||||
auth_plugin = password
|
||||
username = {YOUR_KEYSTONE_USERNAME}
|
||||
password = {YOUR_KEYSTONE_PASSWORD}
|
||||
user_domain_id = {YOUR_KEYSTONE_USER_DOMAIN}
|
||||
project_name = {YOUR_KEYSTONE_PROJECT}
|
||||
project_domain_id = {YOUR_KEYSTONE_PROJECT_DOMAIN}
|
||||
auth_uri = http://{YOUR_KEYSTONE_ENDPOINT}:5000/v3
|
||||
auth_url = http://{YOUR_KEYSTONE_ENDPOINT}:35357/v3
|
||||
|
||||
Alternatively, you can shorten this to
|
||||
|
||||
.. code-block:: ini
|
||||
|
||||
[filter:authtoken]
|
||||
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
|
||||
|
||||
and store Barbican's Keystone credentials in the ``[keystone_authtoken]``
|
||||
section of ``/etc/barbican/barbican.conf``
|
||||
|
||||
.. code-block:: ini
|
||||
|
||||
[keystone_authtoken]
|
||||
auth_plugin = password
|
||||
username = {YOUR_KEYSTONE_USERNAME}
|
||||
password = {YOUR_KEYSTONE_PASSWORD}
|
||||
user_domain_id = {YOUR_KEYSTONE_USER_DOMAIN}
|
||||
project_name = {YOUR_KEYSTONE_PROJECT}
|
||||
project_domain_id = {YOUR_KEYSTONE_PROJECT_DOMAIN}
|
||||
auth_uri = http://{YOUR_KEYSTONE_ENDPOINT}:5000/v3
|
||||
auth_url = http://{YOUR_KEYSTONE_ENDPOINT}:35357/v3
|
||||
|
||||
3. Start Barbican ``{barbican_home}/bin/barbican.sh start``
|
||||
|
||||
|
|
|
|||
|
|
@ -1,19 +1,35 @@
|
|||
No Auth Barbican
|
||||
No Auth barbican
|
||||
================
|
||||
|
||||
Generally barbican can be configured to use keystone like every other OpenStack
|
||||
services for identity and access control. Sometimes it may be useful to run
|
||||
barbican without any authentication service for development purpose.
|
||||
As of OpenStack Newton, barbican will default to using Keystone like every
|
||||
other OpenStack service for identity and access control. Nonetheless, sometimes
|
||||
it may be useful to run barbican without any authentication service for
|
||||
development purposes.
|
||||
|
||||
By default, configuration in :file:`barbican-api-paste.ini` sets barbican
|
||||
without any authentication (no auth mode), for example:
|
||||
To this end, `barbican-api-paste.ini` contains a filter pipeline
|
||||
without any authentication (no auth mode):
|
||||
|
||||
.. code-block:: ini
|
||||
|
||||
# Use this pipeline for Barbican API - DEFAULT no authentication
|
||||
# Use this pipeline for barbican API - DEFAULT no authentication
|
||||
[pipeline:barbican_api]
|
||||
pipeline = unauthenticated-context apiapp
|
||||
|
||||
To enable this pipe line proceed as follows:
|
||||
|
||||
1. Turn off any active instances of barbican
|
||||
|
||||
2. Edit ``/etc/barbican/barbican-api-paste.ini``
|
||||
|
||||
Change the pipeline ``/v1`` value from authenticated ``barbican-api-keystone``
|
||||
to the unauthenticated ``barbican_api``
|
||||
|
||||
.. code-block:: ini
|
||||
|
||||
[composite:main]
|
||||
use = egg:Paste#urlmap
|
||||
/: barbican_version
|
||||
/v1: barbican_api
|
||||
|
||||
With every OpenStack service integrated with keystone, its API requires access
|
||||
token to retireve certain information and validate user's information and
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
[composite:main]
|
||||
use = egg:Paste#urlmap
|
||||
/: barbican_version
|
||||
/v1: barbican_api
|
||||
/v1: barbican-api-keystone
|
||||
|
||||
# Use this pipeline for Barbican API - versions no authentication
|
||||
[pipeline:barbican_version]
|
||||
|
|
|
|||
Loading…
Reference in New Issue