We are eager to announce the release of:

barbican 3.0.0: UNKNOWN

This release is part of the newton release series.

For more details, please see below.

3.0.0
^^^^^

Now within a single deployment, multiple secret store plugin backends
can be configured and used. With this change, a project administrator
can pre-define a preferred plugin backend for storing their secrets.
New APIs are added to manage this project level secret store
preference.

New Features
************

* New feature to support multiple secret store plugin backends. This
  feature is not enabled by default. To use this feature, the relevant
  feature flag needs to be enabled and supporting configuration needs
  to be added in the service configuration. Once enabled, a project
  administrator will be able to specify one of the available secret
  store backends as a preferred secret store for their project
  secrets. This secret store preference applies only to new secrets
  (key material) created or stored within that project. Existing
  secrets are not impacted. See
  http://docs.openstack.org/developer/barbican/setup/plugin_backends.html
  for instructions on how to set up Barbican multiple backends, and
  the API documentation for further details.

Changes in barbican 2.0.0.0rc1..3.0.0
-------------------------------------

88db8ce Adding reno release notes for multiple backend feature
845b3d0 Adding functional tests for multiple backend changes (Part 5)
6535e55 Adding rest API for secret-stores resource (Part 4)
b05c4b6 Central logic to sync secret store data with conf data (Part 3)
f414186 Changes for multiple backend conf and friendly plugin names (Part 2)
6c814fe Don't inspect oslo.context
25a702c typo fix
db01c21 standardize release note page ordering
29edae6 Adding multiple backend db model and repository support (Part 1)
669a995 Adding API docs for multiple backend support changes.
c98980a Imported Translations from Zanata
38ecf5b Remove consumer check for project_id to match containers
a8d8981 Assigning unwrapped kek handle to new variable to avoid overwrite
20ffc77 Add Barbican Verification to Install Guide
f44879a Fix typo in barbican/tests/keys.py
75dcd99 Updated from global requirements
9868241 Use more specific asserts in tests
78b0a41 Some minor code optimization in post_test_hook.sh
6f46088 Fix some typos in database_migrations.rst
043e8e2 Remove white space between print and ()
7a80895 Support upper-constratints.txt in tox environments
edb2c18 Add install guide
14df741 Fix test suite cleanup
b6f2257 Clean imports in code
b84434b Make 'url' references uppercase for consistency
d529f3b Fix some typos
7fb709c Change LOG.warn to LOG.warning
20b790b Use international logging message
876e603 Remove "KEYSTONE_" URI settings for devsatck
80067d5 Updated from global requirements
bfeb2b0 Imported Translations from Zanata
bf19558 Add Python 3.5 classifier and venv
4b09adc Generate IV on HSM device for encrypt operations
8480f4e Add documentation for date-filters
fb086bd Add seed random feature to seed HSM RNG
180ea7c Fix the typo
7af28c8 Fix jenkins failing on coverage report
d1e39e0 modify the home-page info with the developer documentation
ce6336f User with creator role can delete his/her own secret and container
8f76242 Fixed typo in ACL section of API Guide
2323fcf Marking database connection config property as secret.
ea2dd06 Fix the typo in the files
5591238 Implement Date Filters for Secrets
1d99f27 dogtag: Only call initialize() if crypto is not None
55e2cea delete unused LOG
5ffbe25 Updated from global requirements
d89e93b Imported Translations from Zanata
45032b2 Move rabbit configurations to oslo_messaging_rabbit section
22b22dc Insecure default PROTOCOL_TLSv1 version in KMIP plugin
26fb788 Correct reraising of exception
9df6e5b Barbican tests fail because of incomplete test dependencies
50b4a1a pkcs11-key-generation: convert mkek length to int
592cf2e Add support for modifying Generic Containers
2088caf Updated from global requirements
cf0ffe7 Remove unnecessary executable permissions
427706d Updated from global requirements
c5012af Port last test (test_secrets) to Python 3
b113f63 Port test_quotas to Python 3
7a9c13f Port 3 more unit tests to Python 3
c634203 Setup memory DB in test_cmd
8bef6b4 Change SecretAcceptNotSupportedException from exception.BarbicanException to exception.BarbicanHTTPException
0f7fbfc Correct a typo in apiary.apib
700d16f Don't supply auth_token information by default in paste
3d7600d Fixed typo in crypto plugin docs
ea77fdc Remove unused oslo.concurrency requirement
4ccae1e Updated from global requirements
49becaf Do not count expired secrets toward quota
261b504 Updated from global requirements
88aac6e Add retry for recoverable PKCS11 errors
09ba305 Port API test_resources to Python 3
a0ca5c0 Port test_validators to Python 3
fbe084d Port snakeoil_ca to Python 3
0326a26 Updated from global requirements
6cba20e Python 3: replace the whitelist with a blacklist
4cd609f Port translations to Python 3
3169ac4 Fix doc warnings
8abb2c6 Use keystone auth plugin
813818b Fixed test suite cleanup
b562b17 Updated from global requirements
ab9d3f5 Updated from global requirements
79da750 Return 4xx error for invalid KMIP key spec.
97e3e22 Fix keystone_listener.py
66418ec Fix creation of notification server
5ef6c3e Added KMIP Secret Store to Devstack
03dcad3 Checking for input secret_ref to start with input request hostname
c695dca Updated from global requirements
6ed906c Cleanup py34 tox tests
abe30d7 [Trivial] Remove executable privilege of doc/source/conf.py
c6fbe7f Replace tempest-lib with tempest.lib
d8d1785 Code cleanup
57a36dd Issue warning for deployers trying to use simple_crypto
a88e95a Python 3: fix barbican.tests.plugin.test_store_crypto
ea8c4bb Python3: fix barbican.tests.plugin.test_kmip
c0f68fa Python3: add tests that are already working
64e3fe4 Python3: fix barbican.tests.plugin.crypto.test_crypto
0c02b9c Python 3: use a string rather than bytes for "kek"
eaf542c Python3: fix barbican.tests.api.controllers.test_cas
47d8775 Python3: HTTPServerError no longer has a "message" argument in its constructo
a9d9055 Python3: base64.b64encode expects bytes.
7156131 Python3: exceptions no longer have a 'message' attribute.
d69b793 Updated from global requirements
e9b4cf9 Imported Translations from Zanata
6a079b9 use thread safe fnmatch
82a60ac migrate keystone_data to openstackclient
e01141b Use set Literals for better performance
a5f4fcf Updated from global requirements
4c6704e Fix circular dependency of certificate_manager module
19f69cc Adding support for barbican host href to be derived from wsgi request
5e9856f Barbican server logs Secret Payload contents
950c610 Fix skip message for dogtag plugins
56c82ce Handling json-home header for /v1 call
d590380 Add skips for KMIP functional tests
6d1ea0a Updated from global requirements
6c85d2f Allow plugins to retrieve secrets
6c32622 Barbican server discloses password and X-auth
1668c32 Updated from global requirements
fdf79c9 Add code coverage results for functional tests
e84a810 Fix URL length for alembic migrations
a6927f6 Updated from global requirements
d9b5ac8 Return 404 when a secret does not have a payload
acbdb03 Change Table name to correct name
0577340 Update project quota paging tests to run with existing project quotas
99397de Uses alembic migration when deploying devstack
1bd74d5 Fix typos in Barbican files
8142eb4 Remove outdated line in KMIP docstring
2ecc676 Change Table name to correct name
d6412aa Removes redundants
c68acb2 Add a configurable setting in barbican-functional.conf for SSL
3b0322f Update reno for stable/mitaka
a261c7e Update .gitreview for stable/mitaka
295dba1 Add cleanup capability for secrets and containers
f47ae83 Fix correct foreign key constraints
55298c4 Remove deprecated option 'DEFAULT/verbose'

Diffstat (except docs and test files)
-------------------------------------

api-guide/source/acls.rst | 2 +-
api-guide/source/cas.rst | 4 +-
api-guide/source/consumers.rst | 2 +-
apiary.apib | 12 +-
barbican/api/controllers/__init__.py | 13 +-
barbican/api/controllers/cas.py | 8 +-
barbican/api/controllers/consumers.py | 54 +-
barbican/api/controllers/containers.py | 107 ++
barbican/api/controllers/orders.py | 10 +-
barbican/api/controllers/secretmeta.py | 18 +-
barbican/api/controllers/secrets.py | 105 +-
barbican/api/controllers/secretstores.py | 214 +++
barbican/api/controllers/transportkeys.py | 6 +-
barbican/api/controllers/versions.py | 7 +-
barbican/api/hooks.py | 2 +-
barbican/api/middleware/context.py | 2 -
barbican/api/middleware/simple.py | 3 +-
barbican/cmd/barbican_manage.py | 18 +-
barbican/cmd/db_manage.py | 10 +-
barbican/cmd/keystone_listener.py | 17 +-
barbican/cmd/pkcs11_kek_rewrap.py | 10 +-
barbican/cmd/pkcs11_key_generation.py | 13 +-
barbican/cmd/pkcs11_migrate_kek_signatures.py | 0
barbican/cmd/retry_scheduler.py | 3 +-
barbican/cmd/worker.py | 3 +-
barbican/common/config.py | 19 +-
barbican/common/exception.py | 81 +-
barbican/common/hrefs.py | 9 +-
barbican/common/resources.py | 3 +-
barbican/common/utils.py | 36 +-
barbican/common/validators.py | 43 +-
barbican/context.py | 14 +-
barbican/locale/barbican-log-error.pot | 148 --
barbican/locale/barbican-log-info.pot | 264 ----
barbican/locale/barbican-log-warning.pot | 35 -
barbican/locale/barbican.pot | 1644 --------------------
.../locale/zh_CN/LC_MESSAGES/barbican-log-error.po | 36 +-
.../locale/zh_CN/LC_MESSAGES/barbican-log-info.po | 231 +++
.../zh_CN/LC_MESSAGES/barbican-log-warning.po | 46 +
barbican/locale/zh_CN/LC_MESSAGES/barbican.po | 1365 ++++++++++++++++
barbican/model/clean.py | 58 +-
.../alembic_migrations/container_init_ops.py | 2 +-
...f2e645cba_model_for_multiple_backend_support.py | 62 +
.../795737bb3c3_change_tenants_to_projects.py | 5 +-
.../versions/d2780d5aa510_change_url_length.py | 2 +-
barbican/model/migration/commands.py | 7 +-
barbican/model/models.py | 122 +-
barbican/model/repositories.py | 291 +++-
barbican/plugin/crypto/crypto.py | 15 +-
barbican/plugin/crypto/manager.py | 35 +-
barbican/plugin/crypto/p11_crypto.py | 129 +-
barbican/plugin/crypto/pkcs11.py | 79 +-
barbican/plugin/crypto/simple_crypto.py | 17 +-
barbican/plugin/dogtag.py | 16 +-
barbican/plugin/interface/certificate_manager.py | 24 +-
barbican/plugin/interface/secret_store.py | 81 +-
barbican/plugin/kmip_secret_store.py | 95 +-
barbican/plugin/resources.py | 17 +-
barbican/plugin/snakeoil_ca.py | 34 +-
barbican/plugin/store_crypto.py | 11 +-
barbican/plugin/util/multiple_backends.py | 294 ++++
barbican/plugin/util/translations.py | 18 +-
barbican/queue/__init__.py | 12 +-
barbican/queue/client.py | 8 +-
barbican/queue/keystone_listener.py | 9 +-
barbican/queue/retry_scheduler.py | 4 +-
barbican/tasks/certificate_resources.py | 5 +-
barbican/tasks/keystone_consumer.py | 6 +-
barbican/tasks/resources.py | 26 +-
.../repositories/test_repositores_secret_stores.py | 426 +++++
.../repositories/test_repositories_secrets.py | 134 +-
.../plugin/interface/test_certificate_manager.py | 2 +-
bin/demo_requests.py | 4 +-
bin/keystone_data.sh | 239 ++-
devstack/lib/barbican | 92 +-
devstack/plugin.sh | 12 +
devstack/settings | 4 +
etc/barbican/barbican-api-paste.ini | 19 +-
etc/barbican/barbican-functional.conf | 13 +
etc/barbican/barbican.conf | 29 +-
etc/barbican/policy.json | 22 +-
.../api/v1/behaviors/container_behaviors.py | 23 +-
.../api/v1/behaviors/secret_behaviors.py | 20 +-
.../api/v1/behaviors/secretstores_behaviors.py | 101 ++
.../api/v1/functional/test_acls_rbac.py | 12 +-
.../api/v1/functional/test_certificate_orders.py | 3 +
.../api/v1/functional/test_consumers.py | 1 +
.../api/v1/functional/test_containers.py | 59 +-
.../api/v1/functional/test_containers_rbac.py | 7 +-
.../api/v1/functional/test_secrets_rbac.py | 7 +-
.../api/v1/functional/test_secretstores.py | 213 +++
install-guide/source/barbican-backend.rst | 174 +++
install-guide/source/common_configure.rst | 92 ++
install-guide/source/common_prerequisites.rst | 87 ++
install-guide/source/conf.py | 302 ++++
install-guide/source/get_started.rst | 10 +
install-guide/source/index.rst | 18 +
install-guide/source/install-obs.rst | 34 +
install-guide/source/install-rdo.rst | 62 + install-guide/source/install-ubuntu.rst | 31 + install-guide/source/install.rst | 25 + install-guide/source/next-steps.rst | 10 + install-guide/source/verify.rst | 73 + .../notes/multiple-backends-75f5b85c63b930b7.yaml | 17 + releasenotes/source/index.rst | 3 +- .../locale/zh_CN/LC_MESSAGES/releasenotes.po | 133 ++ releasenotes/source/mitaka.rst | 6 + requirements.txt | 25 +- setup.cfg | 3 +- test-requirements.txt | 21 +- tox.ini | 47 +- 188 files changed, 9950 insertions(+), 3197 deletions(-) Requirements updates -------------------- diff --git a/requirements.txt b/requirements.txt index 81e59fb..d35188b 100644 --- a/requirements.txt +++ b/requirements.txt @@ -4,2 +4,2 @@ -alembic>=0.8.0 # MIT -Babel>=1.3 # BSD +alembic>=0.8.4 # MIT +Babel>=2.3.4 # BSD @@ -7 +7 @@ cffi # MIT -cryptography>=1.0 # BSD/Apache-2.0 +cryptography!=1.3.0,>=1.0 # BSD/Apache-2.0 @@ -10,3 +10,2 @@ jsonschema!=2.5.0,<3.0.0,>=2.0.0 # MIT -oslo.concurrency>=3.5.0 # Apache-2.0 -oslo.config>=3.7.0 # Apache-2.0 -oslo.context>=0.2.0 # Apache-2.0 +oslo.config>=3.14.0 # Apache-2.0 +oslo.context>=2.9.0 # Apache-2.0 @@ -14 +13 @@ oslo.i18n>=2.1.0 # Apache-2.0 -oslo.messaging>=4.0.0 # Apache-2.0 +oslo.messaging>=5.2.0 # Apache-2.0 @@ -17 +16 @@ oslo.log>=1.14.0 # Apache-2.0 -oslo.policy>=0.5.0 # Apache-2.0 +oslo.policy>=1.9.0 # Apache-2.0 @@ -19,2 +18,2 @@ oslo.serialization>=1.10.0 # Apache-2.0 -oslo.service>=1.0.0 # Apache-2.0 -oslo.utils>=3.5.0 # Apache-2.0 +oslo.service>=1.10.0 # Apache-2.0 +oslo.utils>=3.16.0 # Apache-2.0 @@ -24 +23 @@ pbr>=1.6 # Apache-2.0 -pecan>=1.0.0 # BSD +pecan!=1.0.2,!=1.0.3,!=1.0.4,>=1.0.0 # BSD @@ -29 +28 @@ ldap3>=0.9.8.2 # LGPLv3 -keystonemiddleware!=4.1.0,>=4.0.0 # Apache-2.0 +keystonemiddleware!=4.1.0,!=4.5.0,>=4.0.0 # Apache-2.0 @@ -32 +31 @@ SQLAlchemy<1.1.0,>=1.0.10 # MIT -stevedore>=1.5.0 # Apache-2.0 +stevedore>=1.16.0 # Apache-2.0 diff --git a/test-requirements.txt b/test-requirements.txt index 4270b94..960782d 100644 
--- a/test-requirements.txt +++ b/test-requirements.txt @@ -6 +6 @@ hacking<0.11,>=0.10.0 -mock>=1.2 # BSD +mock>=2.0 # BSD @@ -8 +8 @@ oslotest>=1.10.0 # Apache-2.0 -pykmip>=0.4.0 # Apache 2.0 License +pykmip>=0.5.0 # Apache 2.0 License @@ -11,4 +11,5 @@ testtools>=1.4.0 # MIT -fixtures>=1.3.1 # Apache-2.0/BSD -requests!=2.9.0,>=2.8.1 # Apache-2.0 -python-keystoneclient!=1.8.0,!=2.1.0,>=1.6.0 # Apache-2.0 -tempest-lib>=0.14.0 # Apache-2.0 +fixtures>=3.0.0 # Apache-2.0/BSD +requests>=2.10.0 # Apache-2.0 +WebTest>=2.0 # MIT +python-keystoneclient!=2.1.0,>=2.0.0 # Apache-2.0 +tempest>=12.1.0 # Apache-2.0 @@ -18 +19 @@ python-subunit>=0.0.18 # Apache-2.0/BSD -bandit>=0.17.3 # Apache-2.0 +bandit>=1.1.0 # Apache-2.0 @@ -21 +22 @@ bandit>=0.17.3 # Apache-2.0 -sphinx!=1.2.0,!=1.3b1,<1.3,>=1.1.2 # BSD +sphinx!=1.3b1,<1.3,>=1.2.1 # BSD @@ -23,2 +24,2 @@ oslosphinx!=3.4.0,>=2.5.0 # Apache-2.0 -reno>=0.1.1 # Apache2 -openstackdocstheme>=1.0.3 # Apache-2.0 +reno>=1.8.0 # Apache2 +openstackdocstheme>=1.5.0 # Apache-2.0
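
Review bot: in the requirements.txt hunk at `@@ -7 +7 @@`, `cryptography!=1.3.0,>=1.0` excludes one release but leaves the floor at 1.0, while the oslo libraries in the neighbouring hunks all have their minimums raised. For a service whose job is protecting key material, please state in the commit message why 1.3.0 is excluded, and consider raising the lower bound so that a release as old as 1.0 can no longer satisfy the requirement.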
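
Review bot: in the test-requirements.txt hunk at `@@ -11,4 +11,5 @@`, `tempest-lib>=0.14.0` is replaced by `tempest>=12.1.0` and `WebTest>=2.0` is added in the same change without any explanation. Please confirm that no functional test still imports from the old `tempest_lib` package, since that requirement is no longer installed, and note in the commit message which tests need WebTest.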
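
Review bot: in the test-requirements.txt hunk at `@@ -18 +19 @@`, the minimum for bandit moves from 0.17.3 to 1.1.0, which crosses a major version of the security linter. Please check that the bandit run configured for this repository still uses options and test selections that the newer version accepts, so the scan keeps covering the same code after the bump.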