[openstack-dev] Barbican : Unable to execute the curl command for uploading/retrieving the secrets with the latest Barbican code.
Douglas Mendizábal
douglas.mendizabal at rackspace.com
Thu May 14 23:14:37 UTC 2015
Hi Asha,
The reason we support an Unauthenticated Context in Barbican is purely
for development purposes. We recommend that all production Barbican
deployments use Keystone or an alternative AuthN/AuthZ service in
front of Barbican.
Setting up a working Keystone environment just to hack on Barbican is
a steep requirement, which is why we need the Unauthenticated Context
to work.
- Douglas Mendizabal
On 5/14/15 6:07 PM, Asha Seshagiri wrote:
> Thanks a lot, John, for your response. But I would like to know why we
> would have to fix the issue of creating a secret in the
> unauthenticated context for Barbican, since it would be good to have
> an access control mechanism enforced for accessing secrets, orders and
> other entities in Barbican.
>
> This should be the expected behavior from a security perspective. And
> we are also able to access secrets by providing the right token
> from the Identity service (Keystone). Looking forward to your
> response.
>
> Thanks and Regards, Asha Seshagiri
>
> On Thu, May 14, 2015 at 4:43 PM, John Vrbanac
> <john.vrbanac at rackspace.com> wrote:
>
> Asha, I spent some time looking into this. It looks to be a
> regression that occurred a few days ago when a CR was merged that
> moved us over to oslo_context. I have reported the issue here:
> https://bugs.launchpad.net/barbican/+bug/1455247
>
> I have a couple ideas on how to fix it, so keep your eyes out for
> a CR to resolve the issue.
>
> John Vrbanac
>
>
>
> On Thu, 2015-05-14 at 12:26 -0500, Asha Seshagiri wrote:
>> Hi all ,
>>
>>
>> We are able to execute the curl commands on the new barbican code
>> provided we integrate it with keystone. I ran into this issue
>> because I was trying to configure localhost to the actual IP on a
>> plain barbican server so that I would get the response and
>> request objects with the actual IP rather than localhost.
>> This configuration was required for setting up HAProxy for
>> Barbican.
>>
>> And then I thought of integrating with keystone and
>> configuring the Barbican server for https.
>>
>> It's a good learning to know that the latest code drop of
>> Barbican enforces the authentication mechanism with keystone,
>> which would not allow us to execute the curl command without
>> providing the token of the Identity service (Keystone) in the
>> request, unlike the previous Barbican versions.
>>
>> Please find the curl command requests and responses for
>> uploading/retrieving the secrets on the Barbican server:
>>
>> [root@Clientfor-HAProxy barbican]# curl -X POST -H 'content-type:application/json' -H 'X-Project-Id:12345' \
>>> -H "X-Auth-Token:c9ac81784e1e4e089fccbca19f862be2" -d '{"payload": "my-secret-here","payload_content_type": "text/plain"}' \
>>> -k https://localhost:9311/v1/secrets
>> {"secret_ref": "https://localhost:9311/v1/secrets/02336016-623b-4deb-bca5-caedc0bf0e35"}
>> [root@Clientfor-HAProxy barbican]#
>>
>> [root@Clientfor-HAProxy barbican]# curl -H 'Accept: application/json' -H 'X-Project-Id:12345' \
>>> -H "X-Auth-Token:c9ac81784e1e4e089fccbca19f862be2" -k https://localhost:9311/v1/secrets
>> {"secrets": [{"status": "ACTIVE", "secret_type": "opaque", "updated": "2015-05-14T16:35:44.109536", "name": null, "algorithm": null, "created": "2015-05-14T16:35:44.103982", "secret_ref": "https://localhost:9311/v1/secrets/02336016-623b-4deb-bca5-caedc0bf0e35", "content_types": {"default": "text/plain"}, "creator_id": "cedd848a8a9e410196793c601c03b99a", "mode": null, "bit_length": null, "expiration": null}], "total": 1}
>> [root@Clientfor-HAProxy barbican]#
>>
>> Thanks and Regards, Asha Seshagiri
>>
>> On Wed, May 13, 2015 at 4:26 PM, Asha Seshagiri
>> <asha.seshagiri at gmail.com> wrote:
>>
>> Hi all ,
>>
>>
>>
>> When I started debugging, we found that the default group is not
>> used; instead oslo_policy would be used.
>>
>> Please find the logs below:
>>
>>
>> 2015-05-13 15:59:34.393 13210 WARNING oslo_config.cfg [-] Option "policy_default_rule" from group "DEFAULT" is deprecated. Use option "policy_default_rule" from group "oslo_policy".
>> 2015-05-13 15:59:34.394 13210 WARNING oslo_config.cfg [-] Option "policy_file" from group "DEFAULT" is deprecated. Use option "policy_file" from group "oslo_policy".
>> 2015-05-13 15:59:34.395 13210 DEBUG oslo_policy.openstack.common.fileutils [req-0c6d2db4-bc15-4752-93ca-5203cf742d79 - 12345 - - -] Reloading cached file /etc/barbican/policy.json read_cached_file /usr/lib/python2.7/site-packages/oslo_policy/openstack/common/fileutils.py:64
>> 2015-05-13 15:59:34.398 13210 DEBUG oslo_policy.policy [req-0c6d2db4-bc15-4752-93ca-5203cf742d79 - 12345 - - -] Reloaded policy file: /etc/barbican/policy.json _load_policy_file /usr/lib/python2.7/site-packages/oslo_policy/policy.py:424
>> 2015-05-13 15:59:34.399 13210 ERROR barbican.api.controllers [req-0c6d2db4-bc15-4752-93ca-5203cf742d79 - 12345 - - -] Secret creation attempt not allowed - please review your user/project privileges
>> 2015-05-13 15:59:34.399 13210 TRACE barbican.api.controllers Traceback (most recent call last):
>> 2015-05-13 15:59:34.399 13210 TRACE barbican.api.controllers   File "/root/barbican/barbican/api/controllers/__init__.py", line 104, in handler
>> 2015-05-13 15:59:34.399 13210 TRACE barbican.api.controllers     return fn(inst, *args, **kwargs)
>> 2015-05-13 15:59:34.399 13210 TRACE barbican.api.controllers   File "/root/barbican/barbican/api/controllers/__init__.py", line 85, in enforcer
>> 2015-05-13 15:59:34.399 13210 TRACE barbican.api.controllers     _do_enforce_rbac(inst, pecan.request, action_name, ctx, **kwargs)
>> 2015-05-13 15:59:34.399 13210 TRACE barbican.api.controllers   File "/root/barbican/barbican/api/controllers/__init__.py", line 68, in _do_enforce_rbac
>> 2015-05-13 15:59:34.399 13210 TRACE barbican.api.controllers     credentials, do_raise=True)
>> 2015-05-13 15:59:34.399 13210 TRACE barbican.api.controllers   File "/usr/lib/python2.7/site-packages/oslo_policy/policy.py", line 493, in enforce
>> 2015-05-13 15:59:34.399 13210 TRACE barbican.api.controllers     raise PolicyNotAuthorized(rule, target, creds)
>> 2015-05-13 15:59:34.399 13210 TRACE barbican.api.controllers PolicyNotAuthorized: secrets:post on {u'payload': u'my-secret-here', u'payload_content_type': u'text/plain'} by {'project': '12345', 'user': None, 'roles': []} disallowed by policy
>> 2015-05-13 15:59:34.399 13210 TRACE barbican.api.controllers
>> 2015-05-13 15:59:34.400 13210 INFO barbican.api.middleware.context [req-0c6d2db4-bc15-4752-93ca-5203cf742d79 - 12345 - - -] req-556e8733-aea2-4acf-ac8b-30bc671a6f22 | Processed request: 403 Forbidden - POST http://localhost:9311/v1/secrets
>> {address space usage: 364666880 bytes/347MB} {rss usage: 65622016 bytes/62MB} [pid: 13210|app: 0|req: 1/1] 127.0.0.1 () {30 vars in 358 bytes} [Wed May 13 15:59:34 2015] POST /v1/secrets => generated 134 bytes in 7 msecs (HTTP/1.1 403) 4 headers in 179 bytes (1 switches on core 0)
>> announcing my loyalty to the Emperor...
>> Wed May 13 15:59:34 2015 - [emperor] vassal barbican-api.ini is now loyal
>>
>>
>> Hence I tried changing the policy_default_rule value in the
>> barbican.conf file to oslo_policy instead of default and then
>> restarting it. It did not work. Please find the rule below:
>>
>>
>> # Rule checked when requested rule is not found (string value)
>> policy_default_rule=oslo_policy
>>
>> [root@Clientfor-HAProxy ~]# curl -X POST -H 'content-type:application/json' -H 'X-Project-Id:12345' -d '{"payload": "my-secret-here", "payload_content_type": "text/plain"}' http://localhost:9311/v1/secrets
>> {"code": 403, "description": "Secret creation attempt not allowed - please review your user/project privileges", "title": "Forbidden"}
>>
>>
>> It would be great if someone could help me out with this. Any
>> help would be highly appreciated.
>>
>> Thanks in advance
>>
>>
>>
>> Thanks and Regards,
>>
>> Asha Seshagiri
>>
>>
>>
>> On Tue, May 12, 2015 at 6:31 PM, Asha Seshagiri
>> <asha.seshagiri at gmail.com> wrote:
>>
>> Hi All ,
>>
>>
>> Installed barbican today, taking the source from github, and
>> executed the basic curl commands for retrieving and uploading
>> secrets.
>>
>> Was unable to execute the curl commands for retrieving and
>> uploading the secrets. Please find the requests and responses for
>> the commands:
>>
>> [root@Clientfor-HAProxy ~]# curl -X POST -H 'content-type:application/json' -H 'X-Project-Id:12345' -d '{"payload": "my-secret-here", "payload_content_type": "text/plain"}' http://localhost:9311/v1/secrets
>> {"code": 403, "description": "Secret creation attempt not allowed - please review your user/project privileges", "title": "Forbidden"}
>> [root@Clientfor-HAProxy ~]# curl -H 'X-Project-Id: 12345' http://localhost:9311/v1/secrets
>> {"code": 403, "description": "Secret(s) retrieval attempt not allowed - please review your user/project privileges", "title": "Forbidden"}
>>
>>
>> Would like to know the changes that need to be done in order to
>> execute the basic curl commands for Barbican.
>>
>> Also noticed that the admin config files are not loaded and only the
>> API file is loaded. Please find the logs below:
>>
>>
>> *** Operational MODE: single process ***
>> *** uWSGI is running in multiple interpreter mode ***
>> spawned uWSGI master process (pid: 9299)
>> Tue May 12 16:23:09 2015 - [emperor] vassal barbican-api.ini has been spawned
>> spawned uWSGI worker 1 (pid: 9300, cores: 1)
>> Loading paste environment: config:/etc/barbican/barbican-api-paste.ini
>> 2015-05-12 16:23:11.036 9300 INFO barbican.model.repositories [-] Setting up database engine and session factory
>> 2015-05-12 16:23:11.044 9300 DEBUG sqlalchemy.pool.NullPool [-] Created new connection <sqlite3.Connection object at 0x53d8dc8> __connect /usr/lib64/python2.7/site-packages/sqlalchemy/pool.py:540
>> 2015-05-12 16:23:11.045 9300 DEBUG sqlalchemy.pool.NullPool [-] Connection <sqlite3.Connection object at 0x53d8dc8> checked out from pool checkout /usr/lib64/python2.7/site-packages/sqlalchemy/pool.py:458
>> 2015-05-12 16:23:11.046 9300 DEBUG sqlalchemy.pool.NullPool [-] Connection <sqlite3.Connection object at 0x53d8dc8> being returned to pool _finalize_fairy /usr/lib64/python2.7/site-packages/sqlalchemy/pool.py:562
>> 2015-05-12 16:23:11.046 9300 DEBUG sqlalchemy.pool.NullPool [-] Connection <sqlite3.Connection object at 0x53d8dc8> rollback-on-return _reset /usr/lib64/python2.7/site-packages/sqlalchemy/pool.py:698
>> 2015-05-12 16:23:11.046 9300 DEBUG sqlalchemy.pool.NullPool [-] Closing connection <sqlite3.Connection object at 0x53d8dc8> _close_connection /usr/lib64/python2.7/site-packages/sqlalchemy/pool.py:248
>>
>>
>>
>>
>> Any help would be highly appreciated since this would impact my
>> work on setting up HAProxy for Barbican.
>>
>> Thanks in advance !
>>
>>
>> --
>> Thanks and Regards,
>> Asha Seshagiri
>>
>>
>>
>>
>> --
>> Thanks and Regards,
>> Asha Seshagiri
>>
>>
>>
>>
>> --
>> Thanks and Regards,
>> Asha Seshagiri
>> __________________________________________________________________________
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
>
>
>
> --
> Thanks and Regards,
> Asha Seshagiri
>
>
>
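The denial quoted in the thread, "PolicyNotAuthorized: secrets:post on {...} by {'project': '12345', 'user': None, 'roles': []} disallowed by policy", is oslo_policy evaluating the secrets:post rule against credentials that carry no roles, which is exactly what the unauthenticated context produces. The Python below is an added example and is not Barbican or oslo_policy code: it parses that TRACE line from the thread, re-evaluates the action against a small policy excerpt modelled on Barbican's policy.json (the rule names and expressions in POLICY_RULES are assumptions for this example, not copied from the real file), and shows why editing policy_default_rule, as tried above, cannot change the outcome: the default rule is only consulted when the requested rule is absent, and secrets:post is present. The Enforcer class and the helper names are hypothetical.

```python
"""Added example (not Barbican or oslo_policy code): a minimal model of how
oslo_policy decides an action such as 'secrets:post', applied to the denial
quoted in this thread."""
import ast
import re

# Constructed excerpt in the style of Barbican's policy.json.  The names and
# expressions are assumptions for this example, not the project's real file.
POLICY_RULES = {
    "admin": "role:admin",
    "creator": "role:creator",
    "observer": "role:observer",
    "admin_or_creator": "rule:admin or rule:creator",
    "all_users": "rule:admin or rule:creator or rule:observer",
    "secrets:post": "rule:admin_or_creator",
    "secrets:get": "rule:all_users",
    "default": "rule:admin",
}

# The TRACE line from the thread, joined back onto one line.
THREAD_LOG_LINE = (
    "2015-05-13 15:59:34.399 13210 TRACE barbican.api.controllers "
    "PolicyNotAuthorized: secrets:post on {u'payload': u'my-secret-here', "
    "u'payload_content_type': u'text/plain'} by {'project': '12345', "
    "'user': None, 'roles': []} disallowed by policy"
)

DENIAL_RE = re.compile(
    r"PolicyNotAuthorized: (?P<action>\S+) on \{.*?\} "
    r"by (?P<creds>\{.*?\}) disallowed by policy"
)


def parse_denial(log_line):
    """Return (action, credentials) from a Barbican PolicyNotAuthorized line."""
    m = DENIAL_RE.search(log_line)
    if m is None:
        return None
    # The creds are logged as a Python dict repr; literal_eval only builds
    # literals, so it is safe to use on log text.
    return m.group("action"), ast.literal_eval(m.group("creds"))


class Enforcer:
    """Simplified rule evaluator: 'role:X', 'rule:Y', '@' (allow), '!' (deny),
    or 'key:value' matched against the credentials, joined by 'and' / 'or'
    ('and' binds tighter; no parentheses in this model)."""

    def __init__(self, rules, default_rule="default"):
        self.rules = rules
        self.default_rule = default_rule

    def enforce(self, action, creds):
        if action in self.rules:
            # Rule present: policy_default_rule is never consulted.
            return self._expr(self.rules[action], creds)
        # Rule absent: fall back to the default rule; deny if that is absent too.
        fallback = self.rules.get(self.default_rule)
        return False if fallback is None else self._expr(fallback, creds)

    def _expr(self, expr, creds):
        return any(
            all(self._check(tok, creds) for tok in clause.split(" and "))
            for clause in expr.split(" or ")
        )

    def _check(self, token, creds):
        if token == "@":
            return True
        if token == "!":
            return False
        kind, _, value = token.partition(":")
        if kind == "role":
            return value in creds.get("roles", [])
        if kind == "rule":
            return self.enforce(value, creds)
        return str(creds.get(kind)) == value


def explain_denial(log_line, rules=POLICY_RULES, default_rule="default"):
    """Re-evaluate a logged denial and show what role-bearing creds would get."""
    action, creds = parse_denial(log_line)
    enforcer = Enforcer(rules, default_rule)
    # Constructed: the same request once an identity service has attached a role.
    keystone_creds = dict(creds, user="someone", roles=["creator"])
    return {
        "action": action,
        "roles_as_logged": creds.get("roles", []),
        "allowed_as_logged": enforcer.enforce(action, creds),
        "allowed_with_creator_role": enforcer.enforce(action, keystone_creds),
    }


if __name__ == "__main__":
    print(explain_denial(THREAD_LOG_LINE))
    # Changing policy_default_rule, as tried in the thread, changes nothing
    # for secrets:post because that rule exists in the policy file.
    print(explain_denial(THREAD_LOG_LINE, default_rule="oslo_policy"))
```

Running the module prints the same verdict for the default rule "default" and for "oslo_policy": with roles [] the action is denied either way, and it is the roles attached by the auth middleware, not the default rule, that flip it to allowed. That is the practical reason the thread's conclusion holds: a deployment that needs access control in front of Barbican has to run Keystone (or another AuthN/AuthZ service) so that the context carries real roles.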