<div dir="ltr"><div><div><div>Hi all ,<br></div><br></div><div>When I started debugging ,we find that default group is not used instead oslo_policy would be used<br></div><div>Please find the logs below : <br></div><div><br><b>2015-05-13 15:59:34.393 13210 WARNING oslo_config.cfg [-] Option "policy_default_rule" from group "DEFAULT" is deprecated. Use option "policy_default_rule" from group "oslo_policy".<br>2015-05-13 15:59:34.394 13210 WARNING oslo_config.cfg [-] Option "policy_file" from group "DEFAULT" is deprecated. Use option "policy_file" from group "oslo_policy".</b><br>2015-05-13 15:59:34.395 13210 DEBUG oslo_policy.openstack.common.fileutils [req-0c6d2db4-bc15-4752-93ca-5203cf742d79 - 12345 - - -] Reloading cached file /etc/barbican/policy.json read_cached_file /usr/lib/python2.7/site-packages/oslo_policy/openstack/common/fileutils.py:64<br>2015-05-13 15:59:34.398 13210 DEBUG oslo_policy.policy [req-0c6d2db4-bc15-4752-93ca-5203cf742d79 - 12345 - - -] Reloaded policy file: /etc/barbican/policy.json _load_policy_file /usr/lib/python2.7/site-packages/oslo_policy/policy.py:424<br>2015-05-13 15:59:34.399 13210 ERROR barbican.api.controllers [req-0c6d2db4-bc15-4752-93ca-5203cf742d79 - 12345 - - -] Secret creation attempt not allowed - please review your user/project privileges<br>2015-05-13 15:59:34.399 13210 TRACE barbican.api.controllers Traceback (most recent call last):<br>2015-05-13 15:59:34.399 13210 TRACE barbican.api.controllers File "/root/barbican/barbican/api/controllers/__init__.py", line 104, in handler<br>2015-05-13 15:59:34.399 13210 TRACE barbican.api.controllers return fn(inst, *args, **kwargs)<br>2015-05-13 15:59:34.399 13210 TRACE barbican.api.controllers File "/root/barbican/barbican/api/controllers/__init__.py", line 85, in enforcer<br>2015-05-13 15:59:34.399 13210 TRACE barbican.api.controllers _do_enforce_rbac(inst, pecan.request, action_name, ctx, **kwargs)<br>2015-05-13 15:59:34.399 13210 TRACE barbican.api.controllers File "/root/barbican/barbican/api/controllers/__init__.py", line 68, in _do_enforce_rbac<br>2015-05-13 15:59:34.399 13210 TRACE barbican.api.controllers credentials, do_raise=True)<br>2015-05-13 15:59:34.399 13210 TRACE barbican.api.controllers File "/usr/lib/python2.7/site-packages/oslo_policy/policy.py", line 493, in enforce<br>2015-05-13 15:59:34.399 13210 TRACE barbican.api.controllers raise PolicyNotAuthorized(rule, target, creds)<br>2015-05-13 15:59:34.399 13210 TRACE barbican.api.controllers PolicyNotAuthorized: secrets:post on {u'payload': u'my-secret-here', u'payload_content_type': u'text/plain'} by {'project': '12345', 'user': None, 'roles': []} disallowed by policy<br>2015-05-13 15:59:34.399 13210 TRACE barbican.api.controllers<br>2015-05-13 15:59:34.400 13210 INFO barbican.api.middleware.context [req-0c6d2db4-bc15-4752-93ca-5203cf742d79 - 12345 - - -] req-556e8733-aea2-4acf-ac8b-30bc671a6f22 | Processed request: 403 Forbidden - POST <a href="http://localhost:9311/v1/secrets">http://localhost:9311/v1/secrets</a><br>{address space usage: 364666880 bytes/347MB} {rss usage: 65622016 bytes/62MB} [pid: 13210|app: 0|req: 1/1] 127.0.0.1 () {30 vars in 358 bytes} [Wed May 13 15:59:34 2015] POST /v1/secrets => generated 134 bytes in 7 msecs (HTTP/1.1 403) 4 headers in 179 bytes (1 switches on core 0)<br>announcing my loyalty to the Emperor...<br>Wed May 13 15:59:34 2015 - [emperor] vassal barbican-api.ini is now loyal<br><br></div><div>Hence I tried changing policy_default_rule value in the barbican.conf file to oslo_policy instead of default and then restarting it .It did not work . Please find the rule below :<br><br><br><b># Rule checked when requested rule is not found (string value)<br>policy_default_rule=oslo_policy</b><br><br><b>[root@Clientfor-HAProxy ~]# curl -X POST -H 'content-type:application/json' -H 'X-Project-Id:12345' -d '{"payload": "my-secret-here", "payload_content_type": "text/plain"}' <a href="http://localhost:9311/v1/secrets">http://localhost:9311/v1/secrets</a><br>{"code": 403, "description": "Secret creation attempt not allowed - please review your user/project privileges", "title": "Forbidden"}</b><br><br></div><div>It would be great if some one could help me out with this.Any help would be highly appreciated.<br></div><div>Thanks in advance <br></div><div><br></div>Thanks and Regards,<br></div>Asha Seshagiri<br><div class="gmail_extra"><br><div class="gmail_quote">On Tue, May 12, 2015 at 6:31 PM, Asha Seshagiri <span dir="ltr"><<a href="mailto:asha.seshagiri@gmail.com" target="_blank">asha.seshagiri@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div><div><div><div>Hi All ,<br><br></div>Installed the barbican today taking the source from github and executed the basic curl commands for retrieving and uploading the secrets.<br></div>Was unable to execute the curl commands for retrieving and uploading the secrets. <br>Please find the request and response for the command :<br><br>[root@Clientfor-HAProxy ~]# curl -X POST -H
'content-type:application/json' -H 'X-Project-Id:12345' -d '{"payload":
"my-secret-here", "payload_content_type": "text/plain"}'
<a href="http://localhost:9311/v1/secrets" target="_blank">http://localhost:9311/v1/secrets</a><br>
<b>{"code": 403, "description": "Secret creation attempt not allowed -
please review your user/project privileges", "title": "Forbidden"}<br>
</b>[root@Clientfor-HAProxy ~]# curl -H 'X-Project-Id: 12345' <a href="http://localhost:9311/v1/secrets" target="_blank">http://localhost:9311/v1/secrets</a><br>
<b>{"code": 403, "description": "Secret(s) retrieval attempt not allowed -
please review your user/project privileges", "title": "Forbidden"}</b><br><br></div><div>Would like to know the changes that needs to be done in order to execute the basic curl commands for Barbican.<br></div><div>Also noticed that admin config files are not loaded and only the APi file is loaded .Please find the logs below :<br><br><b><br></b>*** Operational MODE: single process ***<br>*** uWSGI is running in multiple interpreter mode ***<br>spawned uWSGI master process (pid: 9299)<br>Tue May 12 16:23:09 2015 - [emperor] vassal barbican-api.ini has been spawned<br>spawned uWSGI worker 1 (pid: 9300, cores: 1)<b><br>Loading paste environment: config:/etc/barbican/barbican-api-paste.ini<br></b>2015-05-12 16:23:11.036 9300 INFO barbican.model.repositories [-] Setting up database engine and session factory<br>2015-05-12 16:23:11.044 9300 DEBUG sqlalchemy.pool.NullPool [-] Created new connection <sqlite3.Connection object at 0x53d8dc8> __connect /usr/lib64/python2.7/site-packages/sqlalchemy/pool.py:540<br>2015-05-12 16:23:11.045 9300 DEBUG sqlalchemy.pool.NullPool [-] Connection <sqlite3.Connection object at 0x53d8dc8> checked out from pool checkout /usr/lib64/python2.7/site-packages/sqlalchemy/pool.py:458<br>2015-05-12 16:23:11.046 9300 DEBUG sqlalchemy.pool.NullPool [-] Connection <sqlite3.Connection object at 0x53d8dc8> being returned to pool _finalize_fairy /usr/lib64/python2.7/site-packages/sqlalchemy/pool.py:562<br>2015-05-12 16:23:11.046 9300 DEBUG sqlalchemy.pool.NullPool [-] Connection <sqlite3.Connection object at 0x53d8dc8> rollback-on-return _reset /usr/lib64/python2.7/site-packages/sqlalchemy/pool.py:698<br>2015-05-12 16:23:11.046 9300 DEBUG sqlalchemy.pool.NullPool [-] Closing connection <sqlite3.Connection object at 0x53d8dc8> _close_connection /usr/lib64/python2.7/site-packages/sqlalchemy/pool.py:248<b><br><br></b></div><div><br></div><b>Any help would be highly appreciated since this would impact my work on setting up HA proxy for Barbican</b><br></div>Thanks in advance !<span class=""><font color="#888888"><br><div><div><div><div><div><div><div><br>-- <br><div><div><i>Thanks and Regards,</i></div>
<div><i>Asha Seshagiri</i></div></div>
</div></div></div></div></div></div></div></font></span></div>
</blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature"><div><i>Thanks and Regards,</i></div>
<div><i>Asha Seshagiri</i></div></div>
</div></div>