[openstack-dev] [barbican] Utilizing the KMIP plugin

Christopher N Solis cnsolis at us.ibm.com
Tue Apr 14 15:21:42 UTC 2015


Hey John.
Thanks!
You were right. It was reading the config from the /root directory because
I switched to the root user.
After switching back to the normal user it is reading the correct config
file again.
It is trying to use the kmip plugin now.

However, I cannot make a request to the kmip plugin because of an ssl
error:

2015-04-14 10:02:26,219 - barbican.plugin.kmip_secret_store - ERROR - Error opening or writing to client
Traceback (most recent call last):
  File "/home/swift/barbican/barbican/plugin/kmip_secret_store.py", line 167, in generate_symmetric_key
    self.client.open()
  File "/home/swift/.pyenv/versions/barbican27/lib/python2.7/site-packages/kmip/services/kmip_client.py", line 86, in open
    self.socket.connect((self.host, self.port))
  File "/home/swift/.pyenv/versions/2.7.6/lib/python2.7/ssl.py", line 333, in connect
    self._real_connect(addr, False)
  File "/home/swift/.pyenv/versions/2.7.6/lib/python2.7/ssl.py", line 314, in _real_connect
    self.ca_certs, self.ciphers)
SSLError: [Errno 0] _ssl.c:343: error:00000000:lib(0):func(0):reason(0)

I believe there is a problem in the KMIP plugin part of the
barbican-api.conf file:
keyfile = '/path/to/certs/cert.key'
certfile = '/path/to/certs/cert.crt'
ca_certs = '/path/to/certs/LocalCA.crt'

What exactly is each variable supposed to contain?
I have keyfile and certfile being a self-signed certificate and 2048 bit
RSA key respectively for barbican to use and
ca_certs is the kmip_plugin's certificate for barbican to trust. Does this
setup sound right?

Regards,
	Christopher Solis
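The three options in the question map onto the parameters of Python's ssl module, which is what the traceback shows the KMIP client handing them to: keyfile is the private key that identifies Barbican as the TLS client, certfile is the certificate issued for that key (presented to the KMIP server), and ca_certs is the bundle of CA certificates that must be able to verify the KMIP server's certificate (a self-signed server certificate placed directly in ca_certs also verifies). An all-zero OpenSSL error like the one above is typically what Python 2's ssl reports when the peer closes the connection during the handshake, so the reason usually lives on the server side. The following added diagnostic, which is not part of this thread nor Barbican or PyKMIP code, checks the three files offline (existence, key permissions, key/certificate match, parseable CA bundle) and then runs the same mutual-TLS handshake entirely in memory so that both sides' verification errors become visible. It is written for Python 3's standard library; the server-side file paths, the hostname and the config path in the usage are assumptions supplied by the caller.

```python
"""Offline checks for the [kmip_plugin] TLS settings in barbican-api.conf.

Added diagnostic, not Barbican or PyKMIP code.  It assumes the meaning
Python's ssl module gives these parameters:
  keyfile  - PEM private key identifying Barbican as the KMIP *client*
  certfile - PEM certificate for that key, presented to the KMIP server
  ca_certs - PEM CA bundle that must verify the KMIP *server's* certificate
"""
import configparser
import os
import ssl
import stat

OPTIONS = ("keyfile", "certfile", "ca_certs")


def read_kmip_tls_options(conf_path):
    """Return {option: path} from [kmip_plugin]; the sample config quotes paths."""
    parser = configparser.RawConfigParser()
    parser.read(conf_path)
    opts = {}
    for name in OPTIONS:
        if parser.has_option("kmip_plugin", name):
            opts[name] = parser.get("kmip_plugin", name).strip().strip("'\"")
    return opts


def check_kmip_tls_options(opts):
    """Return a list of problems found without any network; [] means consistent."""
    problems = []
    for name in OPTIONS:
        path = opts.get(name)
        if not path:
            problems.append("%s: not set" % name)
        elif not os.path.isfile(path):
            problems.append("%s: no such file: %s" % (name, path))
    if problems:
        return problems
    mode = stat.S_IMODE(os.stat(opts["keyfile"]).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("keyfile: mode %04o is group/world accessible; use 0400" % mode)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        # Raises KEY_VALUES_MISMATCH when certfile was not issued for keyfile.
        ctx.load_cert_chain(opts["certfile"], opts["keyfile"])
    except ssl.SSLError as exc:
        problems.append("certfile/keyfile: %s" % exc)
    try:
        # Raises when ca_certs contains no parseable certificate.
        ctx.load_verify_locations(cafile=opts["ca_certs"])
    except ssl.SSLError as exc:
        problems.append("ca_certs: %s" % exc)
    return problems


def simulate_kmip_handshake(opts, server_hostname, server_certfile, server_keyfile, server_ca_certs):
    """Run a mutual-TLS handshake entirely in memory: the client side is built
    from opts as the KMIP client would build it, the server side from the KMIP
    server's own files (hypothetical paths supplied by the caller).
    Returns (True, "") or (False, reason) naming which side rejected the other."""
    client_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    client_ctx.load_cert_chain(opts["certfile"], opts["keyfile"])
    client_ctx.load_verify_locations(cafile=opts["ca_certs"])
    server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    server_ctx.load_cert_chain(server_certfile, server_keyfile)
    server_ctx.verify_mode = ssl.CERT_REQUIRED  # KMIP servers authenticate the client by certificate
    server_ctx.load_verify_locations(cafile=server_ca_certs)

    c_in, c_out, s_in, s_out = (ssl.MemoryBIO() for _ in range(4))
    client = client_ctx.wrap_bio(c_in, c_out, server_hostname=server_hostname)
    server = server_ctx.wrap_bio(s_in, s_out, server_side=True)
    client_done = server_done = False
    for _ in range(20):  # a few round trips are enough for TLS 1.2 or 1.3
        if not client_done:
            try:
                client.do_handshake()
                client_done = True
            except ssl.SSLWantReadError:
                pass  # waiting for the server's next flight
            except ssl.SSLError as exc:
                return False, "client rejected server: %s" % exc
        s_in.write(c_out.read())  # deliver the client's bytes to the server
        if not server_done:
            try:
                server.do_handshake()
                server_done = True
            except ssl.SSLWantReadError:
                pass
            except ssl.SSLError as exc:
                return False, "server rejected client: %s" % exc
        c_in.write(s_out.read())  # deliver the server's bytes to the client
        if client_done and server_done:
            return True, ""
    return False, "handshake did not complete"


if __name__ == "__main__":
    # Assumed config path; prints [] when the three files are consistent.
    print(check_kmip_tls_options(read_kmip_tls_options("/etc/barbican/barbican-api.conf")))
```

The offline check is the one to run first: a certfile that does not belong to keyfile, or a ca_certs file without a certificate in it, fails before any socket is opened. The in-memory handshake then separates the two remaining cases that a closed connection hides: the client not trusting the server's issuer (wrong ca_certs) versus the server not trusting the client's certificate (certfile not issued by a CA the KMIP server knows).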



From:	John Wood <john.wood at RACKSPACE.COM>
To:	"OpenStack Development Mailing List (not for usage questions)"
            <openstack-dev at lists.openstack.org>
Date:	04/10/2015 07:24 PM
Subject:	Re: [openstack-dev] [barbican] Utilizing the KMIP plugin



Hello Christopher,

It does seem that configs are being read for another location. Try to
remove that copy in your home directory (so just keep the /etc location). If
you see the same issue, try to rename your /etc/barbican/barbican-api.conf
file to something else. Barbican should crash, probably with a No SQL
connection error.

Also, double check the ‘kmip_plugin’ setting in setup.cfg as per below, and
try running ‘pip install -e .’ again in your virtual environment.

FWIW, this CR adds better logging of plugin errors once the loading problem
you have is figured out: https://review.openstack.org/#/c/171868/

Thanks,
John


From: Christopher N Solis <cnsolis at us.ibm.com>
Reply-To: "OpenStack Development Mailing List (not for usage questions)" <
openstack-dev at lists.openstack.org>
Date: Thursday, April 9, 2015 at 1:55 PM
To: "OpenStack Development Mailing List (not for usage questions)" <
openstack-dev at lists.openstack.org>
Subject: Re: [openstack-dev] [barbican] Utilizing the KMIP plugin



Hey John.
Thanks for letting me know about the error. But I think my configuration is
not seeing the kmip_plugin selection.
In my barbican-api.conf file in /etc/barbican I have set
enabled_secretstore_plugins = kmip_plugin

However, I don't think it is creating a KMIPSecretStore instance.
I edited the code in kmip_secret_store.py and put a breakpoint at the very
beginning of the init function.
When I make a barbican request to put a secret in there, it did not stop at
the breakpoint at all.
I put another breakpoint in the store_crypto.py file inside the init
function for the StoreCryptoAdapterPlugin and I
was able to enter the code at that breakpoint.

So even though in my barbican-api.conf file I specified kmip_plugin it
seems to be using the store_crypto plugin instead.

Is there something that might cause this to happen?
I also want to note that my code has the most up to date pull from the
community code.

Here's what my /etc/barbican/barbican-api.conf file has in it:

# ================= Secret Store Plugin ===================
[secretstore]
namespace = barbican.secretstore.plugin
enabled_secretstore_plugins = kmip_plugin
...
...
...
# ================== KMIP plugin =====================
[kmip_plugin]
username = '******'
password = '******'
host = 10.0.2.15
port = 5696
keyfile = '/etc/barbican/rootCA.key'
certfile = '/etc/barbican/rootCA.pem'
ca_certs = '/etc/barbican/rootCA.pem'


Regards,
Christopher Solis



From: John Wood <john.wood at RACKSPACE.COM>
To: "OpenStack Development Mailing List (not for usage questions)" <
openstack-dev at lists.openstack.org>
Date: 04/08/2015 03:16 PM
Subject: Re: [openstack-dev] [barbican] Utilizing the KMIP plugin





Hello Christopher,

My local configuration is indeed seeing the kmip_plugin selection, but when
stevedore tries to load the KMIP plugin it crashes because required files
are missing in my local environment (see
https://github.com/openstack/barbican/blob/master/barbican/plugin/kmip_secret_store.py#L131
) for example.

Stevedore logs the exception but then doesn’t load this module, so when
Barbican asks for an available plugin it doesn’t see it and crashes as you
see. So the root exception from stevedore isn’t showing up in my logs for
some reason, and probably not in yours as well. We’ll try to put up a CR to
at least expose this exception in logs. In the meantime, make sure the
KMIP values checked via that link above are configured on your machine.

Sorry for the inconvenience,
John


From: Christopher N Solis <cnsolis at us.ibm.com>
Reply-To: "OpenStack Development Mailing List (not for usage questions)" <
openstack-dev at lists.openstack.org>
Date: Wednesday, April 8, 2015 at 11:27 AM
To: "OpenStack Development Mailing List (not for usage questions)" <
openstack-dev at lists.openstack.org>
Subject: Re: [openstack-dev] [barbican] Utilizing the KMIP plugin


Hey John.
I do have the barbican-api.conf file located in the /etc/barbican folder.
But that does not seem to be the one that barbican
reads from. It seems to be reading from the barbican-api.conf file located
in my home directory.
Either way, both have the exact same configurations.

I also checked the setup.cfg file and it does have the line for
kmip_plugin.

Regards,

 CHRIS SOLIS


From: John Wood <john.wood at RACKSPACE.COM>
To: "openstack-dev at lists.openstack.org" <openstack-dev at lists.openstack.org>
Date: 04/07/2015 10:39 AM
Subject: Re: [openstack-dev] [barbican] Utilizing the KMIP plugin





Hello Christopher,

Just checking, but is that barbican-api.conf file located in your local
system’s /etc/barbican folder? If not, that is the preferred place for local
development. Modifying the copy that is in your local git repository will
have no effect.

Also, please double check that your local git repository’s setup.cfg has a
line like this in there (at/around #35):

   kmip_plugin = barbican.plugin.kmip_secret_store:KMIPSecretStore

Thanks,
John
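The setup.cfg line above registers KMIPSecretStore as an entry point in the barbican.secretstore.plugin namespace, and John's later point is that stevedore resolves that entry point, logs any exception raised while importing it, and then silently leaves the plugin out. The following added diagnostic, not stevedore or Barbican code, performs the same resolution (module import plus attribute lookup on a "module:attr" target) but returns the root exception for each plugin instead of hiding it. The namespace and plugin name come from this thread; importlib.metadata stands in for the pkg_resources lookup stevedore used at the time, and the constructed targets in the usage are assumptions.

```python
"""Resolve stevedore-style entry points and report why a plugin fails to load.

Added diagnostic, not stevedore or Barbican code.  Entry points such as
    kmip_plugin = barbican.plugin.kmip_secret_store:KMIPSecretStore
are "module:attr" targets; a plugin whose module raises at import time (for
example because a required config value is missing) simply disappears from
the enabled set, which is what this script makes visible.
"""
import importlib

try:
    from importlib.metadata import entry_points  # Python 3.8+
except ImportError:  # pragma: no cover - older interpreters
    entry_points = None


def load_target(target):
    """Load a 'module:attr' target.  Returns (obj, None) on success, otherwise
    (None, 'ExceptionType: message') carrying the root cause of the failure."""
    module_name, _, attr = target.partition(":")
    try:
        obj = importlib.import_module(module_name)
        for part in attr.split(".") if attr else []:
            obj = getattr(obj, part)
        return obj, None
    except Exception as exc:  # any import-time failure, not only ImportError
        return None, "%s: %s" % (type(exc).__name__, exc)


def diagnose_namespace(namespace, wanted=None):
    """Return {name: (loaded, error)} for every entry point registered under
    namespace, optionally limited to the names in enabled_*_plugins."""
    if entry_points is None:
        return {}
    eps = entry_points()
    # 3.10+ exposes select(); 3.8/3.9 return a plain dict keyed by group.
    group = eps.select(group=namespace) if hasattr(eps, "select") else eps.get(namespace, [])
    report = {}
    for ep in group:
        if wanted and ep.name not in wanted:
            continue
        obj, err = load_target(ep.value)
        report[ep.name] = (obj is not None, err)
    return report


if __name__ == "__main__":
    # Namespace and plugin name from the thread's setup.cfg / barbican-api.conf.
    for name, (loaded, err) in sorted(
            diagnose_namespace("barbican.secretstore.plugin", {"kmip_plugin"}).items()):
        print(name, "OK" if loaded else "FAILED: " + err)
    # Constructed targets showing the two outcomes without Barbican installed.
    print(load_target("json:dumps")[1])                    # None: loaded fine
    print(load_target("no_such_module_xyz:KMIPSecretStore")[1])  # ModuleNotFoundError: ...
```

Run in the same virtual environment as Barbican (the one `pip install -e .` populated), an empty report means the entry point is not registered at all, which points at setup.cfg or a stale install; a FAILED line gives the exception that stevedore logged and Barbican never surfaced. stevedore's own managers can be made to expose the same exception through their on_load_failure_callback argument.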




From: Christopher N Solis <cnsolis at us.ibm.com>
Reply-To: "openstack-dev at lists.openstack.org" <
openstack-dev at lists.openstack.org>
Date: Monday, April 6, 2015 at 10:25 AM
To: "openstack-dev at lists.openstack.org" <openstack-dev at lists.openstack.org>
Subject: [openstack-dev] [barbican] Utilizing the KMIP plugin


Hello!

Sorry to Kaitlin Farr for not responding directly to your e-mail.
My openstack settings were misconfigured and I was not receiving e-mail
from the dev mailing list.
Thanks for looking into the issue.

I double checked the permissions at the bottom of the kmip_plugin part in
the barbican-api.conf file
and they are set to 400.

I would also like to note that I do not think the code ever actually
entered the __init__ function
of KMIPSecretStore. I put a breakpoint in the __init__ function but the
debugger never opens.
The error occurs and returns without ever seeming to enter the init
function.

Here are the parts of the barbican-api.conf file that concern the
kmip_plugin:
.....................
[secretstore]
namespace = barbican.secretstore.plugin
enabled_secretstore_plugins = kmip_plugin
.....................
[kmip_plugin]
username = '**********'
password = '**********'
host = ********
port = ********
keyfile = '/etc/barbican/rootCA.key'
certfile = '/etc/barbican/rootCA.pem'
ca_certs = '/etc/barbican/rootCA.pem'
.......................

Thank You!!

Regards,
Christopher Solis
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev