[openstack-dev] Barbican : Unable to execute the curl command for uploading/retrieving the secrets with the latest Barbican code.

Asha Seshagiri asha.seshagiri at gmail.com
Thu May 14 17:26:33 UTC 2015


Hi all ,

 We are able to execute the curl commands on new barbican code provided we
integrated it with keystone .
I ran into this issue because I was trying to configure localhost to actual
IP on a plain barbican server so that I would get the response and request
objects with the actual IP rather than the local host .
This configuration was required for seting up HA proxy for Barbican.

And then I thought of integrating with the keystone and configure Babrican
server to https.

*Its a good learning to know that the latest code drop of Barbican enforces
the authentication mechanism with the keystone which would not allow us to
execute the curl command without providing the token of Identity service
(Keystone ) in the request unlike the previous Ba**rbican **versions*

Please find the curl command request and responses for uploading/reteriving
the secets on Barbican Server

root at Clientfor-HAProxy barbican]# curl -X POST -H
'content-type:application/json' -H 'X-Project-Id:12345' \
> -H "X-Auth-Token:c9ac81784e1e4e089fccbca19f862be2" -d '{"payload":
"my-secret-here","payload_content_type": "text/plain"}' \
> -k https://localhost:9311/v1/secrets
{"secret_ref": "
https://localhost:9311/v1/secrets/02336016-623b-4deb-bca5-caedc0bf0e35
"}[root at Clientfor-HAProxy barbican]#

[root at Clientfor-HAProxy barbican]# curl -H 'Accept: application/json' -H
'X-Project-Id:12345' \
> -H "X-Auth-Token:c9ac81784e1e4e089fccbca19f862be2" -k
https://localhost:9311/v1/secrets
{"secrets": [{"status": "ACTIVE", "secret_type": "opaque", "updated":
"2015-05-14T16:35:44.109536", "name": null, "algorithm": null, "created":
"2015-05-14T16:35:44.103982", "secret_ref": "
https://localhost:9311/v1/secrets/02336016-623b-4deb-bca5-caedc0bf0e35",
"content_types": {"default": "text/plain"}, "creator_id":
"cedd848a8a9e410196793c601c03b99a", "mode": null, "bit_length": null,
"expiration": null}], "total": 1}[root at Clientfor-HAProxy barbican]#

Thanks and Regards,
Asha Seshagiri

On Wed, May 13, 2015 at 4:26 PM, Asha Seshagiri <asha.seshagiri at gmail.com>
wrote:

> Hi all ,
>
> When I started  debugging ,we find that default group  is not used instead
> oslo_policy would be used
> Please find the logs below :
>
>
> *2015-05-13 15:59:34.393 13210 WARNING oslo_config.cfg [-] Option
> "policy_default_rule" from group "DEFAULT" is deprecated. Use option
> "policy_default_rule" from group "oslo_policy".2015-05-13 15:59:34.394
> 13210 WARNING oslo_config.cfg [-] Option "policy_file" from group "DEFAULT"
> is deprecated. Use option "policy_file" from group "oslo_policy".*
> 2015-05-13 15:59:34.395 13210 DEBUG oslo_policy.openstack.common.fileutils
> [req-0c6d2db4-bc15-4752-93ca-5203cf742d79 - 12345 - - -] Reloading cached
> file /etc/barbican/policy.json read_cached_file
> /usr/lib/python2.7/site-packages/oslo_policy/openstack/common/fileutils.py:64
> 2015-05-13 15:59:34.398 13210 DEBUG oslo_policy.policy
> [req-0c6d2db4-bc15-4752-93ca-5203cf742d79 - 12345 - - -] Reloaded policy
> file: /etc/barbican/policy.json _load_policy_file
> /usr/lib/python2.7/site-packages/oslo_policy/policy.py:424
> 2015-05-13 15:59:34.399 13210 ERROR barbican.api.controllers
> [req-0c6d2db4-bc15-4752-93ca-5203cf742d79 - 12345 - - -] Secret creation
> attempt not allowed - please review your user/project privileges
> 2015-05-13 15:59:34.399 13210 TRACE barbican.api.controllers Traceback
> (most recent call last):
> 2015-05-13 15:59:34.399 13210 TRACE barbican.api.controllers   File
> "/root/barbican/barbican/api/controllers/__init__.py", line 104, in handler
> 2015-05-13 15:59:34.399 13210 TRACE barbican.api.controllers     return
> fn(inst, *args, **kwargs)
> 2015-05-13 15:59:34.399 13210 TRACE barbican.api.controllers   File
> "/root/barbican/barbican/api/controllers/__init__.py", line 85, in enforcer
> 2015-05-13 15:59:34.399 13210 TRACE barbican.api.controllers
> _do_enforce_rbac(inst, pecan.request, action_name, ctx, **kwargs)
> 2015-05-13 15:59:34.399 13210 TRACE barbican.api.controllers   File
> "/root/barbican/barbican/api/controllers/__init__.py", line 68, in
> _do_enforce_rbac
> 2015-05-13 15:59:34.399 13210 TRACE barbican.api.controllers
> credentials, do_raise=True)
> 2015-05-13 15:59:34.399 13210 TRACE barbican.api.controllers   File
> "/usr/lib/python2.7/site-packages/oslo_policy/policy.py", line 493, in
> enforce
> 2015-05-13 15:59:34.399 13210 TRACE barbican.api.controllers     raise
> PolicyNotAuthorized(rule, target, creds)
> 2015-05-13 15:59:34.399 13210 TRACE barbican.api.controllers
> PolicyNotAuthorized: secrets:post on {u'payload': u'my-secret-here',
> u'payload_content_type': u'text/plain'} by {'project': '12345', 'user':
> None, 'roles': []} disallowed by policy
> 2015-05-13 15:59:34.399 13210 TRACE barbican.api.controllers
> 2015-05-13 15:59:34.400 13210 INFO barbican.api.middleware.context
> [req-0c6d2db4-bc15-4752-93ca-5203cf742d79 - 12345 - - -]
> req-556e8733-aea2-4acf-ac8b-30bc671a6f22 | Processed request: 403 Forbidden
> - POST http://localhost:9311/v1/secrets
> {address space usage: 364666880 bytes/347MB} {rss usage: 65622016
> bytes/62MB} [pid: 13210|app: 0|req: 1/1] 127.0.0.1 () {30 vars in 358
> bytes} [Wed May 13 15:59:34 2015] POST /v1/secrets => generated 134 bytes
> in 7 msecs (HTTP/1.1 403) 4 headers in 179 bytes (1 switches on core 0)
> announcing my loyalty to the Emperor...
> Wed May 13 15:59:34 2015 - [emperor] vassal barbican-api.ini is now loyal
>
> Hence I tried changing  policy_default_rule value in the barbican.conf
> file to oslo_policy instead of default  and then restarting it .It did not
> work . Please find the rule below :
>
>
>
> *# Rule checked when requested rule is not found (string
> value)policy_default_rule=oslo_policy*
>
>
> *[root at Clientfor-HAProxy ~]# curl -X POST -H
> 'content-type:application/json' -H 'X-Project-Id:12345' -d '{"payload":
> "my-secret-here", "payload_content_type": "text/plain"}'
> http://localhost:9311/v1/secrets <http://localhost:9311/v1/secrets>{"code":
> 403, "description": "Secret creation attempt not allowed - please review
> your user/project privileges", "title": "Forbidden"}*
>
> It would be great if some one could help me out with this.Any help would
> be highly appreciated.
> Thanks in advance
>
> Thanks and Regards,
> Asha Seshagiri
>
>
> On Tue, May 12, 2015 at 6:31 PM, Asha Seshagiri <asha.seshagiri at gmail.com>
> wrote:
>
>> Hi All ,
>>
>> Installed the barbican today taking the source from github and executed
>> the basic curl commands for retrieving and uploading the secrets.
>> Was unable to  execute the curl commands for retrieving and uploading the
>> secrets.
>> Please find the request and response for the command :
>>
>> [root at Clientfor-HAProxy ~]# curl -X POST -H
>> 'content-type:application/json' -H 'X-Project-Id:12345' -d '{"payload":
>> "my-secret-here", "payload_content_type": "text/plain"}'
>> http://localhost:9311/v1/secrets
>>
>> *{"code": 403, "description": "Secret creation attempt not allowed -
>> please review your user/project privileges", "title": "Forbidden"} *
>> [root at Clientfor-HAProxy ~]# curl -H 'X-Project-Id: 12345'
>> http://localhost:9311/v1/secrets
>> *{"code": 403, "description": "Secret(s) retrieval attempt not allowed -
>> please review your user/project privileges", "title": "Forbidden"}*
>>
>> Would like to know the changes that needs to be done in order to execute
>> the basic curl commands for Barbican.
>> Also noticed that admin config files are not loaded and only the APi file
>> is loaded .Please find the logs below :
>>
>>
>> *** Operational MODE: single process ***
>> *** uWSGI is running in multiple interpreter mode ***
>> spawned uWSGI master process (pid: 9299)
>> Tue May 12 16:23:09 2015 - [emperor] vassal barbican-api.ini has been
>> spawned
>> spawned uWSGI worker 1 (pid: 9300, cores: 1)
>>
>> *Loading paste environment: config:/etc/barbican/barbican-api-paste.ini*2015-05-12
>> 16:23:11.036 9300 INFO barbican.model.repositories [-] Setting up database
>> engine and session factory
>> 2015-05-12 16:23:11.044 9300 DEBUG sqlalchemy.pool.NullPool [-] Created
>> new connection <sqlite3.Connection object at 0x53d8dc8> __connect
>> /usr/lib64/python2.7/site-packages/sqlalchemy/pool.py:540
>> 2015-05-12 16:23:11.045 9300 DEBUG sqlalchemy.pool.NullPool [-]
>> Connection <sqlite3.Connection object at 0x53d8dc8> checked out from pool
>> checkout /usr/lib64/python2.7/site-packages/sqlalchemy/pool.py:458
>> 2015-05-12 16:23:11.046 9300 DEBUG sqlalchemy.pool.NullPool [-]
>> Connection <sqlite3.Connection object at 0x53d8dc8> being returned to pool
>> _finalize_fairy /usr/lib64/python2.7/site-packages/sqlalchemy/pool.py:562
>> 2015-05-12 16:23:11.046 9300 DEBUG sqlalchemy.pool.NullPool [-]
>> Connection <sqlite3.Connection object at 0x53d8dc8> rollback-on-return
>> _reset /usr/lib64/python2.7/site-packages/sqlalchemy/pool.py:698
>> 2015-05-12 16:23:11.046 9300 DEBUG sqlalchemy.pool.NullPool [-] Closing
>> connection <sqlite3.Connection object at 0x53d8dc8> _close_connection
>> /usr/lib64/python2.7/site-packages/sqlalchemy/pool.py:248
>>
>>
>> *Any help would be highly appreciated since this would impact my work on
>> setting up HA proxy for Barbican*
>> Thanks in advance !
>>
>> --
>> *Thanks and Regards,*
>> *Asha Seshagiri*
>>
>
>
>
> --
> *Thanks and Regards,*
> *Asha Seshagiri*
>



-- 
*Thanks and Regards,*
*Asha Seshagiri*
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20150514/715087e0/attachment-0001.html>


More information about the OpenStack-dev mailing list