Merge "Fix can't find /usr/lib/libCryptoki2_64.so in barbican"

2017-03-22 14:11:11 +00:00 · 2017-03-22 14:11:11 +00:00 · e2d60f5264
commit e2d60f5264
parent 43965ea0dd 6d0e31f232
5 changed files with 34 additions and 3 deletions
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@ -442,6 +442,13 @@ ceilometer_database_type: "mongodb"
 ceilometer_event_type: "mongodb"


+#######################
+# Barbican options
+#######################
+# Valid options are [ simple_crypto, p11_crypto ]
+barbican_crypto_plugin: "simple_crypto"
+barbican_library_path: "/usr/lib/libCryptoki2_64.so"
+
 ########################
 ### Panko options
 ########################
--- a/ansible/roles/barbican/templates/barbican.conf.j2
+++ b/ansible/roles/barbican/templates/barbican.conf.j2
@ -2,7 +2,6 @@
 debug = {{ barbican_logging_debug }}
 log_dir = /var/log/kolla/barbican

-
 bind_port = {{ barbican_api_port }}
 bind_host = {{ hostvars[inventory_hostname]['ansible_' + api_interface]['ipv4']['address'] }}
 host_href = {{ public_protocol }}://{{ kolla_external_fqdn }}:{{ barbican_api_port }}
@ -23,11 +22,12 @@ enabled_secretstore_plugins = store_crypto
 # ================= Crypto plugin ===================
 [crypto]
 namespace = barbican.crypto.plugin
-enabled_crypto_plugins = p11_crypto
+enabled_crypto_plugins = {{ barbican_crypto_plugin }}

+{% if barbican_crypto_plugin == 'p11_crypto' %}
 [p11_crypto_plugin]
 # Path to vendor PKCS11 library
-library_path = '/usr/lib/libCryptoki2_64.so'
+library_path = {{ barbican_library_path }}
 # Password to login to PKCS11 session
 login = '{{ barbican_p11_password }}'
 # Label to identify master KEK in the HSM (must not be the same as HMAC label)
@ -36,6 +36,12 @@ mkek_label = 'kolla_master_kek'
 mkek_length = 32
 # Label to identify HMAC key in the HSM (must not be the same as MKEK label)
 hmac_label = 'kolla_hmac'
+{% endif %}
+{% if barbican_crypto_plugin == 'simple_crypto' %}
+[simple_crypto_plugin]
+# the kek should be a 32-byte value which is base64 encoded
+kek = '{{ barbican_crypto_password }}'
+{% endif %}


 [keystone_notifications]
--- a/etc/kolla/globals.yml
+++ b/etc/kolla/globals.yml
@ -241,6 +241,14 @@ kolla_internal_vip_address: "10.10.10.254"
 # Valid options are [ mongodb, gnocchi, panko ]
 #ceilometer_event_type: "mongodb"

+
+#######################
+# Barbican options
+#######################
+# Valid options are [ simple_crypto, p11_crypto ]
+#barbican_crypto_plugin: "simple_crypto"
+#barbican_library_path: "/usr/lib/libCryptoki2_64.so"
+
 #######################
 ## Panko options
 #######################
--- a/etc/kolla/passwords.yml
+++ b/etc/kolla/passwords.yml
@ -30,6 +30,8 @@ aodh_keystone_password:
 barbican_database_password:
 barbican_keystone_password:
 barbican_p11_password:
+barbican_crypto_key:
+

 keystone_admin_password:
 keystone_database_password:
--- a/kolla_ansible/cmd/genpwd.py
+++ b/kolla_ansible/cmd/genpwd.py
@ -21,6 +21,7 @@ import sys

 from Crypto.PublicKey import RSA
 from hashlib import md5
+from hashlib import sha256
 from oslo_utils import uuidutils
 import yaml

@ -70,6 +71,9 @@ def main():
    # HMAC-MD5 keys
    hmac_md5_keys = ['designate_rndc_key']

+    # HMAC-SHA256 keys
+    hmac_sha256_keys = ['barbican_crypto_key']
+
    # length of password
    length = 40

@ -96,6 +100,10 @@ def main():
                passwords[k] = (hmac.new(
                    uuidutils.generate_uuid(), '', md5)
                    .digest().encode('base64')[:-1])
+            elif k in hmac_sha256_keys:
+                passwords[k] = (hmac.new(
+                    uuidutils.generate_uuid(), '', sha256)
+                    .digest().encode('base64')[:-1])
            else:
                passwords[k] = ''.join([
                    random.SystemRandom().choice(