Barbican simple_crypto plugin broken - invalid key

When using the simple_crypto plugin, barbican expects the
[simple_crypto_plugin] kek config value to be a base64-encoded 32 byte
value. However, kolla-ansible is providing a standard autogenerated
password.

There are two relevant variables in kolla-ansible -
barbican_crypto_password (a standard password) and barbican_crypto_key
(a HMAC-SHA256 key). There is no use of barbican_crypto_key other than
when it is generated. barbican_crypto_password is used to set the
[simple_crypto_plugin] kek config value but causes an error when the
simple_crypto plugin is used as the value is not in the expected format.
Using barbican_crypto_key instead resolves the error. Clearly there is a
naming issue here and we should be using barbican_crypto_key instead of
barbican_crypto_password.

This change removes the barbican_crypto_password variable and uses
barbican_crypto_key instead.

Change-Id: I63e2b381c260265e5901ee88ca0a649d96952bda
Closes-Bug: #1699014
Related-Bug: #1683216
Co-Authored-By: Stig Telfer <stig@stackhpc.com>
This commit is contained in:
Mark Goddard 2017-06-21 11:53:14 +01:00
parent 339b27c7fe
commit 2e4359069e
3 changed files with 22 additions and 2 deletions

View File

@ -40,7 +40,7 @@ hmac_label = 'kolla_hmac'
{% if barbican_crypto_plugin == 'simple_crypto' %} {% if barbican_crypto_plugin == 'simple_crypto' %}
[simple_crypto_plugin] [simple_crypto_plugin]
# the kek should be a 32-byte value which is base64 encoded # the kek should be a 32-byte value which is base64 encoded
kek = '{{ barbican_crypto_password }}' kek = '{{ barbican_crypto_key }}'
{% endif %} {% endif %}

View File

@ -31,7 +31,6 @@ barbican_database_password:
barbican_keystone_password: barbican_keystone_password:
barbican_p11_password: barbican_p11_password:
barbican_crypto_key: barbican_crypto_key:
barbican_crypto_password:
keystone_admin_password: keystone_admin_password:
keystone_database_password: keystone_database_password:

View File

@ -0,0 +1,21 @@
---
upgrade:
- |
Fixes an issue with the barbican service when using the ``simple_crypto``
plugin whereby an invalid value is generated and used as the plugin's
encryption key.
The encryption key is configured via the ``[simple_crypto_plugin]: kek``
configuration option in ``barbican.conf``. This option was previously
configured using the kolla-ansible variable ``barbican_crypto_password``,
but is now configured using ``barbican_crypto_key`` which uses the correct
format.
Operators that have set ``barbican_crypto_password`` to a valid value
to work around this issue should ensure that ``barbican_crypto_key``
is configured in ``passwords.yml`` with the same value that was used for
``barbican_crypto_password``. This will ensure that existing barbican
secrets can be decrypted.
The variable ``barbican_crypto_password`` may safely be removed from
``passwords.yml``.