<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:"Segoe UI";
panose-1:2 11 5 2 4 2 4 2 2 3;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
p.msochpdefault, li.msochpdefault, div.msochpdefault
{mso-style-name:msochpdefault;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Calibri","sans-serif";}
span.emailstyle17
{mso-style-name:emailstyle17;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.balloontextchar0
{mso-style-name:balloontextchar;
font-family:"Tahoma","sans-serif";}
span.rwrr
{mso-style-name:rwrr;}
span.apple-converted-space
{mso-style-name:apple-converted-space;}
span.EmailStyle25
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">Hello John.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"> I have attached our barbican-api-paste.ini and barbican-admin-paste.ini files.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Thanks.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> John Wood [mailto:john.wood@RACKSPACE.COM]
<br>
<b>Sent:</b> Thursday, July 17, 2014 12:58 PM<br>
<b>To:</b> OpenStack Development Mailing List (not for usage questions)<br>
<b>Subject:</b> [openstack-dev] [barbican] RE: Barbican doesn't authenticate with Keystoine for one particular tenant<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black">Hello Robert,
<o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black">You should get 400 errors for unauthenticated requests, so it seems barbican still isn't running with keystone. Can you reply back with your /etc/barbican/barbican-api-paste.ini
file (with passwords removed)?<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black">Thanks,<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black">John<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black"><o:p> </o:p></span></p>
<div>
<div class="MsoNormal" align="center" style="text-align:center"><span style="font-size:12.0pt;font-family:"Times New Roman","serif";color:black">
<hr size="3" width="100%" align="center">
</span></div>
<div id="divRpF490045">
<p class="MsoNormal" style="margin-bottom:12.0pt"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black"> Robert Marshall -X (robemars - TEKSYSTEMS
INC at Cisco) [robemars@cisco.com]<br>
<b>Sent:</b> Thursday, July 17, 2014 11:28 AM<br>
<b>To:</b> <a href="mailto:openstack-dev@lists.openstack.org">openstack-dev@lists.openstack.org</a><br>
<b>Subject:</b> [openstack-dev] Barbican doesn't authenticate with Keystoine for one particular tenant</span><span style="font-size:12.0pt;font-family:"Times New Roman","serif";color:black"><o:p></o:p></span></p>
</div>
<div>
<div>
<p class="MsoNormal"><span style="color:#1F497D">We have configure Barbican and Keystone according to the documentation and the direction provided by John Wood. We see Barbican authenticating with Keystone. The problem we see is that when we use the “service”
tenant, we can retrieve secrets without authenticating with Keystone, where the “service” tenant is the tenant that we associate with the “barbican” service in Keystone:</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">(barbican27)[root@iac-int-ma15 ~]# curl -XGET -d '{}' -H "Content-type: application/json" -H "X_IDENTITY_STATUS: Confirmed" -H "X_AU</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">TH_TOKEN:" <a href="http://localhost:9311/v1/474bc6aec82f447ca5e4452516e0b2aa/secrets" target="_blank">
http://localhost:9311/v1/474bc6aec82f447ca5e4452516e0b2aa/secrets</a>
</span><span style="font-family:Wingdings;color:#1F497D">ç</span><span style="color:#1F497D">======= Empty token - “admin” tenant UID</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">{"secrets": [], "total": 0} </span><span style="font-family:Wingdings;color:#1F497D">ç</span><span style="color:#1F497D">=======
Doesn’t authenticate therefore no secrets</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">(barbican27)[root@iac-int-ma15 ~]# curl -XGET -d '{}' -H "Content-type: application/json" -H "X_IDENTITY_
</span><span style="font-family:Wingdings;color:#1F497D">ç</span><span style="color:#1F497D">======= Empty token - “service” tenant UID</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">TH_TOKEN:" <a href="http://localhost:9311/v1/4d9cc78fdd7746c1895d0c0fc37d8a24/secrets" target="_blank">
http://localhost:9311/v1/4d9cc78fdd7746c1895d0c0fc37d8a24/secrets</a>
</span><span style="font-family:Wingdings;color:#1F497D">ç</span><span style="color:#1F497D">======= Shouldn’t authenticate, but secrets returned</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">{"secrets": [{"status": "ACTIVE", "secret_ref": "http://localhost:9311/v1/4d9cc78fdd7746c1895d0c0fc37d8a24/secrets/88a99c9f-5c32-444</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">6-8868-f732ca0c8df3", "updated": "2014-07-09T14:21:53.845324", "name": "test", "algorithm": null, "created": "2014-07-09T14:21:53.84</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">5315", "content_types": {"default": "text/plain"}, "mode": null, "bit_length": null, "expiration": null}, {"status": "ACTIVE", "secr</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">et_ref": "<a href="http://localhost:9311/v1/4d9cc78fdd7746c1895d0c0fc37d8a24/secrets/005c4bba-959e-4deb-9be3-1115516ff20f" target="_blank">http://localhost:9311/v1/4d9cc78fdd7746c1895d0c0fc37d8a24/secrets/005c4bba-959e-4deb-9be3-1115516ff20f</a>",
"updated": "2014-</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">07-09T14:33:13.908756", "name": "ppm", "algorithm": null, "created": "2014-07-09T14:33:13.908746", "content_types": {"default": "tex</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">t/plain"}, "mode": null, "bit_length": null, "expiration": null}, {"status": "ACTIVE", "secret_ref": "http://localhost:9311/v1/4d9cc</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">78fdd7746c1895d0c0fc37d8a24/secrets/1c095c70-c8bb-452d-b4c4-db0685d448b5", "updated": "2014-07-09T14:34:44.042212", "name": "nsapi", <snip></span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">The following comes from the “populate-data.sh” script that we use to populate the empty Keystone DB at Keystone/Barbican setup:</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"># Add Roles to Users in Tenants</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">keystone user-role-add --user $ADMIN_USER --role $ADMIN_ROLE --tenant-id $ADMIN_TENANT</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">keystone user-role-add --user $SERVICE_USER --role $SERVICE_ROLE --tenant-id $SERVICE_TENANT</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">keystone user-role-add --user $BARBICAN_USER --role $ADMIN_ROLE --tenant-id $SERVICE_TENANT</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"># Create BARBICAN Service</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">BARBICAN_SERVICE=$(get_id keystone service-create --name=barbican --type="keystore" --description="Barbican Key Management Service")</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"># Create BARBICAN Endpoint</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">keystone endpoint-create --region RegionOne --service_id $BARBICAN_SERVICE --publicurl "<a href="http://localhost:9311/v1" target="_blank">http://localhost:9311/v1</a>" --adminurl "<a href="http://localhost:9312/v1" target="_blank">http://localhost:9312/v1</a>"
--internalurl <a href="http://localhost:9313/v1" target="_blank">http://localhost:9313/v1</a></span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Some questions:</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-.25in"><span style="color:#1F497D">1.</span><span style="font-size:7.0pt;font-family:"Times New Roman","serif";color:#1F497D">
</span><span style="color:#1F497D">Should the “service” tenant bypass authentication and return secrets, due to its registered association with the Barbican Service?</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-.25in"><span style="color:#1F497D">2.</span><span style="font-size:7.0pt;font-family:"Times New Roman","serif";color:#1F497D">
</span><span style="color:#1F497D">If so, is there a way to turn this off, so that the service tenant can’t be used to gather secrets?</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-.25in"><span style="color:#1F497D">3.</span><span style="font-size:7.0pt;font-family:"Times New Roman","serif";color:#1F497D">
</span><span style="color:#1F497D">How do we turn on DEBUG in Keystone, so that we can see authentication occurring in Keystone in real time?</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">We are planning on distributing Barbican and Keystone as a secure keystore in an upcoming release of Cisco Systems cloud automation software, and are hoping to nail this down soon to get this release ready, so
we are grateful for any help we can get to wrap this up.</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Bob Marshall</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Cloud Developer</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Cisco Systems</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Austin Campus</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">210-853-7041</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black"> John Wood [<a href="mailto:john.wood@RACKSPACE.COM" target="_blank">mailto:john.wood@RACKSPACE.COM</a>]
<br>
<b>Sent:</b> Wednesday, July 16, 2014 5:30 PM<br>
<b>To:</b> Robert Marshall -X (robemars - TEKSYSTEMS INC at Cisco)<br>
<b>Cc:</b> Matt Brown -X (mattbro2 - KFORCE INC at Cisco); Yogi Porla -X (yporla - KFORCE INC at Cisco); Greg Brown (gbrown2)<br>
<b>Subject:</b> RE: Barbican issue: Failure to authenticate with Keystone: Security Issue?</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black">Hello Robert,
</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black">Please feel free to send such emails out to the public list at: </span><span class="rwrr"><u><span style="font-size:9.5pt;font-family:"Segoe UI","sans-serif";color:#408CD9;background:white"><a href="mailto:openstack-dev@lists.openstack.org" target="_blank">openstack-dev@lists.openstack.org</a></span></u></span><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black"> and
also add '[barbican]' before the subject name.</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black">To facilitate quick evaluation of the API, out of the box Barbican is not secured: <a href="https://github.com/cloudkeep/barbican/wiki/Developer-Guide#setup-insecure-development-environment" target="_blank">https://github.com/cloudkeep/barbican/wiki/Developer-Guide#setup-insecure-development-environment</a></span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black">In particular, Keystone authentication is not enabled. See this link to enable it: <a href="https://github.com/cloudkeep/barbican/wiki/Barbican-Options:-authentication-with-Keystone#running-openstack-keystone-authentication-middleware-on-the-barbican-api-node" target="_blank">https://github.com/cloudkeep/barbican/wiki/Barbican-Options:-authentication-with-Keystone#running-openstack-keystone-authentication-middleware-on-the-barbican-api-node</a></span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black">!!! Just a reminder as well that we are working on a production deployment of Barbican, but have not yet created one with this code base !!!</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black">Please let me know if this helps!</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black">Thanks,</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black">John</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black"> </span><span style="color:black"><o:p></o:p></span></p>
<div class="MsoNormal" align="center" style="text-align:center"><span style="font-size:12.0pt;font-family:"Times New Roman","serif";color:black">
<hr size="3" width="100%" align="center">
</span></div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black"> Robert Marshall -X (robemars - TEKSYSTEMS
INC at Cisco) [robemars@cisco.com]<br>
<b>Sent:</b> Wednesday, July 16, 2014 2:26 PM<br>
<b>To:</b> John Wood<br>
<b>Cc:</b> Matt Brown -X (mattbro2 - KFORCE INC at Cisco); Yogi Porla -X (yporla - KFORCE INC at Cisco); Greg Brown (gbrown2)<br>
<b>Subject:</b> Barbican issue: Failure to authenticate with Keystone: Security Issue?</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black">Hello John.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"> We are getting close to including Barbican and Keystone as a secure credential service in the next release of Cisco’s Intelligent Automation for Cloud (IAC) and an issue has arisen. Several of us have kicked
this issue around, and we are wondering if we are missing something important.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"> We are using Barbican and Keystone on a management appliance within the datacenter, and expect to use the Python client on a second VM to store and retrieve all the credentials for accessing all of the other
systems in the cloud that is managed by IAC. We think we have found a mode in which Barbican does not authenticate with Keystone and returns secrets to the requester.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"> Our installation goes like this:<o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:.75in;text-indent:-.25in"><span style="color:black">1.</span><span style="font-size:7.0pt;font-family:"Times New Roman","serif";color:black">
</span><span style="color:black">Create <i>virtualenvs</i> for the Barbican and Keystone servers, and install the Barbican and Keystone servers therein.<o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:.75in;text-indent:-.25in"><span style="color:black">2.</span><span style="font-size:7.0pt;font-family:"Times New Roman","serif";color:black">
</span><span style="color:black">Create empty Barbican and Keystone databases (schemas) in PostgreSQL.<o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:.75in;text-indent:-.25in"><span style="color:black">3.</span><span style="font-size:7.0pt;font-family:"Times New Roman","serif";color:black">
</span><span style="color:black">Start Keystone with keystone-all, and run keystone-manage db_sync to create the (empty) tables in Keystone.<o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:.75in;text-indent:-.25in"><span style="color:black">4.</span><span style="font-size:7.0pt;font-family:"Times New Roman","serif";color:black">
</span><span style="color:black">Run Barbican.sh install to (among other things) create the (empty) tables in Barbican.<o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:.75in;text-indent:-.25in"><span style="color:black">5.</span><span style="font-size:7.0pt;font-family:"Times New Roman","serif";color:black">
</span><span style="color:black">Run a populate-data.sh script that uses the Keystone CLI to create tenants, users, roles, and the Barbican service and endpoint, as follows:<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.75in"><span style="font-size:9.0pt;color:black">#!/bin/bash</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.75in"><span style="font-size:9.0pt;color:black">ADMIN_PASSWORD=admin_gen_passwd</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.75in"><span style="font-size:9.0pt;color:black">SERVICE_PASSWORD=service_gen_passwd</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.75in"><span style="font-size:9.0pt;color:black">BARBICAN_PASSWORD=barbican_gen_passwd</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.75in"><span style="font-size:9.0pt;color:black"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.75in"><span style="font-size:9.0pt;color:black">export OS_SERVICE_TOKEN=ADMIN</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.75in"><span style="font-size:9.0pt;color:black">export OS_SERVICE_ENDPOINT="<a href="http://localhost:35357/v2.0" target="_blank">http://localhost:35357/v2.0</a>"</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.75in"><span style="font-size:9.0pt;color:black"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.75in"><span style="font-size:9.0pt;color:black">get_id () {</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.75in"><span style="font-size:9.0pt;color:black"> echo `$@ | awk '/ id / { print $4 }'`</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.75in"><span style="font-size:9.0pt;color:black">}</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.75in"><span style="font-size:9.0pt;color:black"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.75in"><span style="font-size:9.0pt;color:black"># Tenants</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.75in"><span style="font-size:9.0pt;color:black">ADMIN_TENANT=$(get_id keystone tenant-create --name=admin)</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.75in"><span style="font-size:9.0pt;color:black">SERVICE_TENANT=$(get_id keystone tenant-create --name=service)</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.75in"><span style="font-size:9.0pt;color:black"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.75in"><span style="font-size:9.0pt;color:black"># Users</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.75in"><span style="font-size:9.0pt;color:black">ADMIN_USER=$(get_id keystone user-create --name=admin --pass="$ADMIN_PASSWORD"
<a href="mailto:--email=user@localhost.com" target="_blank">--email=user@localhost.com</a>)</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.75in"><span style="font-size:9.0pt;color:black">SERVICE_USER=$(get_id keystone user-create --name=PPM --pass="$SERVICE_PASSWORD"
<a href="mailto:--email=user@localhost.com" target="_blank">--email=user@localhost.com</a>)</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.75in"><span style="font-size:9.0pt;color:black">BARBICAN_USER=$(get_id keystone user-create --name=barbican --pass="$BARBICAN_PASSWORD"
<a href="mailto:--email=user@localhost.com" target="_blank">--email=user@localhost.com</a>)</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.75in"><span style="font-size:9.0pt;color:black"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.75in"><span style="font-size:9.0pt;color:black"># Roles</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.75in"><span style="font-size:9.0pt;color:black">ADMIN_ROLE=$(get_id keystone role-create --name=admin)</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.75in"><span style="font-size:9.0pt;color:black">SERVICE_ROLE=$(get_id keystone role-create --name=service)</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.75in"><span style="font-size:9.0pt;color:black"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.75in"><span style="font-size:9.0pt;color:black"># Add Roles to Users in Tenants</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.75in"><span style="font-size:9.0pt;color:black">keystone user-role-add --user $ADMIN_USER --role $ADMIN_ROLE --tenant-id $ADMIN_TENANT</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.75in"><span style="font-size:9.0pt;color:black">keystone user-role-add --user $SERVICE_USER --role $SERVICE_ROLE --tenant-id $SERVICE_TENANT</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.75in"><span style="font-size:9.0pt;color:black">keystone user-role-add --user $BARBICAN_USER --role $ADMIN_ROLE --tenant-id $SERVICE_TENANT</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.75in"><span style="font-size:9.0pt;color:black"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.75in"><span style="font-size:9.0pt;color:black"># Create BARBICAN Service</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.75in"><span style="font-size:9.0pt;color:black">BARBICAN_SERVICE=$(get_id keystone service-create --name=barbican --type="keystore" --description="Barbican Key Management Service")</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.75in"><span style="font-size:9.0pt;color:black"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.75in"><span style="font-size:9.0pt;color:black"># Create BARBICAN Endpoint</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.75in"><span style="font-size:9.0pt;color:black">keystone endpoint-create --region RegionOne --service_id $BARBICAN_SERVICE --publicurl "<a href="http://localhost:9311/v1" target="_blank">http://localhost:9311/v1</a>"
--adminurl "<a href="http://localhost:9312/v1" target="_blank">http://localhost:9312/v1</a>" --internalurl
<a href="http://localhost:9313/v1" target="_blank">http://localhost:9313/v1</a></span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:.75in;text-indent:-.25in"><span style="color:black">6.</span><span style="font-size:7.0pt;font-family:"Times New Roman","serif";color:black">
</span><span style="color:black">Restart Barbican using barbican.sh start<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black">What we are subsequently seeing is users being able to retrieve decrypted secrets by passing the SERVICE_TENANT value created in the populate-data.sh script. I’m including here a message from one of our people:<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in"><span style="font-size:10.0pt;color:#1F497D">Barbican is a server that stores data. Barbican uses keystone to authenticate users who wish to store and retrieve this data. Barbican should not permit any transaction
to occur unless a valid session has been created by a client authenticating against keystone:</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in"><span style="font-size:10.0pt;color:#1F497D"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:.75in;text-indent:-.25in"><span style="font-size:10.0pt;font-family:Symbol;color:#1F497D">·</span><span style="font-size:7.0pt;font-family:"Times New Roman","serif";color:#1F497D">
</span><span style="font-size:10.0pt;color:#1F497D">The client sends keystone a username, password and tenant combination. Keystone returns an authentication token.</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:.75in;text-indent:-.25in"><span style="font-size:10.0pt;font-family:Symbol;color:#1F497D">·</span><span style="font-size:7.0pt;font-family:"Times New Roman","serif";color:#1F497D">
</span><span style="font-size:10.0pt;color:#1F497D">The client sends Barbican a request to retrieve some data, and provides the authentication token.
</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:.75in;text-indent:-.25in"><span style="font-size:10.0pt;font-family:Symbol;color:#1F497D">·</span><span style="font-size:7.0pt;font-family:"Times New Roman","serif";color:#1F497D">
</span><span style="font-size:10.0pt;color:#1F497D">Barbican checks with Keystone to see if the authentication token is valid. If the authentication token is valid, it returns the requested data to the client.</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in"><span style="font-size:10.0pt;color:#1F497D"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in"><span style="font-size:10.0pt;color:#1F497D">What is occurring is this:</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in"><span style="font-size:10.0pt;color:#1F497D"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:.75in;text-indent:-.25in"><span style="font-size:10.0pt;font-family:Symbol;color:#1F497D">·</span><span style="font-size:7.0pt;font-family:"Times New Roman","serif";color:#1F497D">
</span><span style="font-size:10.0pt;color:#1F497D">The client sends barbican a request to retrieve some data.</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:.75in;text-indent:-.25in"><span style="font-size:10.0pt;font-family:Symbol;color:#1F497D">·</span><span style="font-size:7.0pt;font-family:"Times New Roman","serif";color:#1F497D">
</span><span style="font-size:10.0pt;color:#1F497D">Barbican returns the requested data to the client.</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in"><span style="font-size:10.0pt;color:#1F497D"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in"><span style="font-size:10.0pt;color:#1F497D">The only security is that you have to know in advance a UID of the tenant that is holding the data you want to query. This is security through obscurity. Once you have
this UID of the tenant you can forever query all data stored in barbican for that tenant without any further authentication or security checks. This is bad because an employee can get this UID while working at the company, leave and there’s no way to revoke
access to the Barbican database.</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in"><span style="font-size:10.0pt;color:#1F497D"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in"><span style="font-size:10.0pt;color:#1F497D">I don’t know how I can make it any clearer than this. I can demonstrate that barbican is configured to not use authentication and I can demonstrate that barbican is
not configured to use keystone. The configuration in the how to set up barbican with keystone guide was not followed. I can turn off keystone and drop its database and still retrieve data within barbican. This can’t be the intended operation of the system.
</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black">This was after calls of this type were made:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D">I’ve been doing some basic security testing on Barbican. The Barbican deployment that I received does not appear to be integrated to use Keystone authentication at all. It is returning
decrypted passwords without requiring authentication. This is why I was asking about all the default entries in the Barbican configuration files a few days ago. Can Bob and team please revisit this and provide a secure configuration that we can load into
the appliance?</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D">Here’s an example of me using the curl command to query Barbican for decrypted credentials using no authentication.</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><b><span style="color:#1F497D">List secrets for tenant a08a91ad5e9c473a844beafbd5deb31f</span></b><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D">curl '<a href="http://localhost:9311/v1/a08a91ad5e9c473a844beafbd5deb31f/secrets/'" target="_blank">http://localhost:9311/v1/a08a91ad5e9c473a844beafbd5deb31f/secrets/'</a></span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D">{"secrets": [{"status": "ACTIVE", "secret_ref": "<b><a href="http://localhost:9311/v1/a08a91ad5e9c473a844beafbd5deb31f/secrets/0c77cccd-7134-400d-aadf-e28af81df12f" target="_blank"><span style="color:purple">http://localhost:9311/v1/a08a91ad5e9c473a844beafbd5deb31f/secrets/0c77cccd-7134-400d-aadf-e28af81df12f</span></a></b>",
"updated": "2014-07-15T20:09:43.136984", "name": "assurance", "algorithm": null, "created": "2014-07-15T20:09:43.136962", "content_types": {"default": "text/plain"}, "mode": null, "bit_length": null, "expiration": null}, {"status": "ACTIVE", "secret_ref":
"<b><a href="http://localhost:9311/v1/a08a91ad5e9c473a844beafbd5deb31f/secrets/c43d57f2-7a56-47be-b9be-54b4e2b1fe85" target="_blank"><span style="color:purple">http://localhost:9311/v1/a08a91ad5e9c473a844beafbd5deb31f/secrets/c43d57f2-7a56-47be-b9be-54b4e2b1fe85</span></a></b>",
"updated": "2014-07-15T20:09:55.289725", "name": "assurance", "algorithm": null, "created": "2014-07-15T20:09:55.289707", "content_types": {"default": "text/plain"}, "mode": null, "bit_length": null, "expiration": null}], "total": 2}</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><b><span style="color:#1F497D">Query Barbican for those two secrets:</span></b><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D">curl -H 'Accept: text/plain'<span class="apple-converted-space"> </span><a href="http://localhost:9311/v1/a08a91ad5e9c473a844beafbd5deb31f/secrets/0c77cccd-7134-400d-aadf-e28af81df12f" target="_blank"><span style="color:purple">http://localhost:9311/v1/a08a91ad5e9c473a844beafbd5deb31f/secrets/0c77cccd-7134-400d-aadf-e28af81df12f</span></a></span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D">{"<b>password": "admin</b>", "url": "<a href="https://localhost:5001/" target="_blank"><span style="color:purple">https://localhost:5001</span></a>", "<b>login": "service</b>"}</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D">curl -H 'Accept: text/plain'<span class="apple-converted-space"> </span><a href="http://localhost:9311/v1/a08a91ad5e9c473a844beafbd5deb31f/secrets/c43d57f2-7a56-47be-b9be-54b4e2b1fe85" target="_blank"><span style="color:purple">http://localhost:9311/v1/a08a91ad5e9c473a844beafbd5deb31f/secrets/c43d57f2-7a56-47be-b9be-54b4e2b1fe85</span></a></span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D">{"<b>login": "gbrown2</b>", "<b>password": "test123</b>", "url": "<a href="https://localhost:5001/" target="_blank"><span style="color:purple">https://localhost:5001</span></a>"}</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black">Did we miss something in the setup?<br>
Thanks in advance,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black">Bob<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
</div>
</div>
</div>
</div>
</div>
</div>
</body>
</html>