a9964a7fc3
Added auth_url to the context we pass to castellan library. In a change [1] intended to deprecate the use of auth_endpoint passed as the oslo config, it actually completely removed the use of it[2], so this change became necessary or the integration is broken. [1] - https://review.openstack.org/#/c/483457 [2] - https://review.openstack.org/#/c/483457/6/castellan/key_manager/barbican_key_manager.py@143 Change-Id: I933367fa46aa0a3dc9aedf078b1be715bfa8c054
77 lines
3.7 KiB
Plaintext
77 lines
3.7 KiB
Plaintext
[keymaster]
|
|
# Sets the root secret from which encryption keys are derived. This must be set
|
|
# before first use to a value that is a base64 encoding of at least 32 bytes.
|
|
# The security of all encrypted data critically depends on this key, therefore
|
|
# it should be set to a high-entropy value. For example, a suitable value may
|
|
# be obtained by base-64 encoding a 32 byte (or longer) value generated by a
|
|
# cryptographically secure random number generator. Changing the root secret is
|
|
# likely to result in data loss. If this option is set, the root secret MUST
|
|
# NOT be set in proxy-server.conf.
|
|
# encryption_root_secret = changeme
|
|
|
|
[kms_keymaster]
|
|
# The kms_keymaster section is used for configuring a keymaster that retrieves
|
|
# the encryption root secret from an external key management system (kms),
|
|
# using the Castellan abstraction layer. Castellan can support various kms
|
|
# backends that use Keystone for authentication. Currently, the only
|
|
# implemented backend is for Barbican.
|
|
|
|
# The api_class tells Castellan which key manager to use to access the external
|
|
# key management system. The default value that accesses Barbican is
|
|
# castellan.key_manager.barbican_key_manager.BarbicanKeyManager.
|
|
# api_class = castellan.key_manager.barbican_key_manager.BarbicanKeyManager
|
|
|
|
# The configuration options below apply to a Barbican KMS being accessed using
|
|
# Castellan. If another KMS type is used (by specifying another value for
|
|
# api_class), then other configuration options may be required.
|
|
|
|
# The key_id is the identifier of the root secret stored in the KMS. For
|
|
# details of how to store an existing root secret in Barbican, or how to
|
|
# generate a new root secret in Barbican, see the 'overview_encryption'
|
|
# documentation.
|
|
# The key_id is the final part of the secret href returned in the
|
|
# output of an 'openstack secret order get' command after an order to store or
|
|
# create a key has been successfully completed. See the 'overview_encryption'
|
|
# documentation for more information on this command.
|
|
# key_id = changeme
|
|
|
|
# The Keystone username of the user used to access the key from the KMS. The
|
|
# username shall be set to match an existing user.
|
|
# username = changeme
|
|
|
|
# The password to go with the Keystone username above.
|
|
# password = changeme
|
|
|
|
# The Keystone project name. For security reasons, it is recommended to set
|
|
# the project_name to a project separate from the service project used by
|
|
# other OpenStack services. Thereby, if another service is compromised, it will
|
|
# not have access to the Swift root encryption secret. It is recommended that
|
|
# the swift user is the only one that has a role in this project.
|
|
# project_name = changeme
|
|
# Instead of the project name, the project id may also be used.
|
|
# project_id = changeme
|
|
|
|
# The Keystone URL to authenticate to. The value of auth_endpoint may be
|
|
# set according to the value of auth_uri in [filter:authtoken] in
|
|
# proxy-server.conf.
|
|
# auth_endpoint = http://keystonehost/identity
|
|
|
|
# The project and user domain names may optionally be specified. If they are
|
|
# not specified, the default values of 'Default' (for *_domain_name) and
|
|
# 'default' (for *_domain_id) are used (note the capitalization).
|
|
# project_domain_name = Default
|
|
# user_domain_name = Default
|
|
# Instead of the project domain name and user domain name, the project domain
|
|
# id and user domain id may also be specified.
|
|
# project_domain_id = default
|
|
# user_domain_id = default
|
|
|
|
# The following configuration options may also be used in addition to/instead
|
|
# of the above options. Refer to the Keystone documentation for more details
|
|
# on the usage of the options: https://docs.openstack.org/keystone/
|
|
# user_id = changeme
|
|
# trust_id = changeme
|
|
# reauthenticate = changeme
|
|
# domain_id = changeme
|
|
# domain_name = changeme
|