Enable keystone authentication for Barbican

By default Barbican has not enabled the Keystone authentication: [pipeline:barbican_api] pipeline = cors unauthenticated-context apiapp According to the Barbican install guide[1] this pipeline should be: pipeline = cors authtoken context apiapp [1]: http://docs.openstack.org/developer/barbican/setup/keystone.html Change-Id: I941515a98772a72762b20507e100e7872f3b4ab8 Closes-bug: #1625337
2016-10-09 14:57:29 +08:00 · 2016-10-09 14:57:29 +08:00 · 626967c1a4
commit 626967c1a4
parent cd0336658f
3 changed files with 74 additions and 0 deletions
--- a/ansible/roles/barbican/tasks/config.yml
+++ b/ansible/roles/barbican/tasks/config.yml
@ -26,6 +26,14 @@
      - "{{ node_custom_config }}/barbican-api/{{ inventory_hostname }}/barbican-api.ini"
    dest: "{{ node_config_directory }}/barbican-api/vassals/barbican-api.ini"
 - name: Copying over barbican-api-paste.ini
  merge_configs:
    sources:
      - "{{ role_path }}/templates/barbican-api-paste.ini.j2"
      - "{{ node_custom_config }}/barbican-api/barbican-api-paste.ini"
      - "{{ node_custom_config }}/barbican-api/{{ inventory_hostname }}/barbican-api-paste.ini"
    dest: "{{ node_config_directory }}/barbican-api/barbican-api-paste.ini"
 - name: Copying over barbican.conf
  merge_configs:
    vars:
--- a/ansible/roles/barbican/templates/barbican-api-paste.ini.j2
+++ b/ansible/roles/barbican/templates/barbican-api-paste.ini.j2
@ -0,0 +1,60 @@
 [composite:main]
 use = egg:Paste#urlmap
 /: barbican_version
 /v1: barbican-api-keystone
 # Use this pipeline for Barbican API - versions no authentication
 [pipeline:barbican_version]
 pipeline = cors versionapp
 # Use this pipeline for Barbican API - DEFAULT no authentication
 [pipeline:barbican_api]
 pipeline = cors unauthenticated-context apiapp
 #Use this pipeline to activate a repoze.profile middleware and HTTP port,
 #  to provide profiling information for the REST API processing.
 [pipeline:barbican-profile]
 pipeline = cors unauthenticated-context egg:Paste#cgitb egg:Paste#httpexceptions profile apiapp
 #Use this pipeline for keystone auth
 [pipeline:barbican-api-keystone]
 pipeline = cors authtoken context apiapp
 #Use this pipeline for keystone auth with audit feature
 [pipeline:barbican-api-keystone-audit]
 pipeline = authtoken context audit apiapp
 [app:apiapp]
 paste.app_factory = barbican.api.app:create_main_app
 [app:versionapp]
 paste.app_factory = barbican.api.app:create_version_app
 [filter:simple]
 paste.filter_factory = barbican.api.middleware.simple:SimpleFilter.factory
 [filter:unauthenticated-context]
 paste.filter_factory = barbican.api.middleware.context:UnauthenticatedContextMiddleware.factory
 [filter:context]
 paste.filter_factory = barbican.api.middleware.context:ContextMiddleware.factory
 [filter:audit]
 paste.filter_factory = keystonemiddleware.audit:filter_factory
 audit_map_file = /etc/barbican/api_audit_map.conf
 [filter:authtoken]
 paste.filter_factory = keystonemiddleware.auth_token:filter_factory
 [filter:profile]
 use = egg:repoze.profile
 log_filename = myapp.profile
 cachegrind_filename = cachegrind.out.myapp
 discard_first_request = true
 path = /__profile__
 flush_at_shutdown = true
 unwind = false
 [filter:cors]
 paste.filter_factory = oslo_middleware.cors:filter_factory
 oslo_config_project = barbican
--- a/ansible/roles/barbican/templates/barbican-api.json.j2
+++ b/ansible/roles/barbican/templates/barbican-api.json.j2
@ -12,6 +12,12 @@
            "dest": "/etc/barbican/vassals/barbican-api.ini",
            "owner": "barbican",
            "perm": "0600"
        },
        {
            "source": "{{ container_config_directory }}/barbican-api-paste.ini",
            "dest": "/etc/barbican/barbican-api-paste.ini",
            "owner": "barbican",
            "perm": "0600"
        }
    ]
 }