[Openstack] [Barbican] HTTPS Connection Question
Miller, Mark M (EB SW Cloud - R&D - Corvallis)
mark.m.miller at hp.com
Fri Mar 7 17:53:27 UTC 2014
Hello,
I want to ask the following question of the Barbican community:
“How does Barbican store secrets today? Does it rely on special hardware to assure encryption of secrets is done. Does it also have an option to use SW encryption before storing secrets.”
Thanks,
Mark
From: Miller, Mark M (EB SW Cloud - R&D - Corvallis)
Sent: Friday, March 07, 2014 9:38 AM
To: Douglas Mendizabal; Ferreira, Rafael; Remo Mattei; Wyllys Ingersoll; openstack at lists.openstack.org
Subject: Re: [Openstack] [Barbican] HTTPS Connection Question
Hello Doug,
I have been able to configure Barbican with Apache2 via WSGI thereby removing the middle “HTTPS -> uWSGI -> Barbican” step. By removing the middle “uWSGI” step, the insecure uwsgi connection is also removed. How do I contribute to the wiki page?
I have also installed Keystone and attempted to configure Barbican to use Keystone for authentication but have been unsuccessful. Barbican performs the requested API without checking the token. What am I missing?
Mark
File barbican-api-paste.ini:
# Use this pipeline for Barbican API - DEFAULT no authentication
[pipeline:main]
#pipeline = unauthenticated-context apiapp
pipeline = keystone_v3_authtoken context apiapp
####pipeline = simple apiapp
#Use this pipeline to activate a repoze.profile middleware and HTTP port,
# to provide profiling information for the REST API processing.
[pipeline:barbican-profile]
pipeline = unauthenticated-context egg:Paste#cgitb egg:Paste#httpexceptions profile apiapp
#Use this pipeline for keystone auth
[pipeline:barbican-api-keystone]
pipeline = keystone_authtoken context apiapp
[app:apiapp]
paste.app_factory = barbican.api.app:create_main_app
[filter:simple]
paste.filter_factory = barbican.api.middleware.simple:SimpleFilter.factory
[filter:unauthenticated-context]
paste.filter_factory = barbican.api.middleware.context:UnauthenticatedContextMiddleware.factory
[filter:context]
paste.filter_factory = barbican.api.middleware.context:ContextMiddleware.factory
[filter:keystone_authtoken]
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
signing_dir = /tmp/barbican/cache
auth_host = localhost
#need ability to re-auth a token, thus admin url
auth_port = 35357
auth_protocol = http
admin_tenant_name = service
admin_user = barbican
admin_password = secret
#admin_password = orange
auth_version = v2.0
#delay failing perhaps to log the unauthorized request in barbican ..
#delay_auth_decision = true
[filter:keystone_v3_authtoken]
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
signing_dir = /tmp/barbican/cache
auth_host = localhost
#need ability to re-auth a token, thus admin url
auth_port = 35357
auth_protocol = http
admin_tenant_name = service
admin_user = barbican
admin_password = secret
#admin_password = orange
auth_version = v3.0
#delay failing perhaps to log the unauthorized request in barbican ..
#delay_auth_decision = true
[filter:profile]
use = egg:repoze.profile
log_filename = myapp.profile
cachegrind_filename = cachegrind.out.myapp
discard_first_request = true
path = /__profile__
flush_at_shutdown = true
unwind = false
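Added here as an illustration, not code from Barbican or from anyone on the thread: a small Python check that reads a paste pipeline like the one above and flags the settings a reviewer would question before trusting it in production (no auth_token filter in the active pipeline, auth_protocol = http, a placeholder admin_password, signing_dir under /tmp). The sample ini is constructed from the file quoted above.

```python
"""Added example (not Barbican's code): audit a barbican-api-paste.ini
for the auth and transport settings discussed in this thread."""
import configparser

# Constructed sample modelled on the paste config quoted in the mail.
SAMPLE_PASTE_INI = """\
[pipeline:main]
pipeline = keystone_v3_authtoken context apiapp
[app:apiapp]
paste.app_factory = barbican.api.app:create_main_app
[filter:context]
paste.filter_factory = barbican.api.middleware.context:ContextMiddleware.factory
[filter:keystone_v3_authtoken]
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
signing_dir = /tmp/barbican/cache
auth_host = localhost
auth_port = 35357
auth_protocol = http
admin_user = barbican
admin_password = secret
auth_version = v3.0
"""

def pipeline_stages(cfg, name="main"):
    """Return the ordered filter/app names of [pipeline:<name>]."""
    return cfg.get(f"pipeline:{name}", "pipeline").split()

def audit(ini_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    stages = pipeline_stages(cfg)
    findings = []
    # Stages whose factory is the keystoneclient auth_token middleware.
    auth = [s for s in stages if cfg.has_section(f"filter:{s}") and
            cfg.get(f"filter:{s}", "paste.filter_factory", fallback="")
            .endswith("auth_token:filter_factory")]
    if not auth:
        findings.append("pipeline:main has no auth_token filter; tokens are never validated")
    if "unauthenticated-context" in stages:
        findings.append("pipeline:main uses unauthenticated-context")
    for name in auth:
        sec = f"filter:{name}"
        if cfg.get(sec, "auth_protocol", fallback="https") == "http":
            findings.append(f"{name}: auth_protocol=http, token validation to Keystone is cleartext")
        if cfg.get(sec, "admin_password", fallback="") in ("", "secret", "password"):
            findings.append(f"{name}: placeholder admin_password")
        if cfg.get(sec, "signing_dir", fallback="").startswith("/tmp"):
            findings.append(f"{name}: signing_dir under world-writable /tmp")
    return findings
```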
From: Douglas Mendizabal [mailto:douglas.mendizabal at RACKSPACE.COM]
Sent: Tuesday, March 04, 2014 2:47 PM
To: Miller, Mark M (EB SW Cloud - R&D - Corvallis); Ferreira, Rafael; Remo Mattei; Wyllys Ingersoll; openstack at lists.openstack.org
Subject: Re: [Openstack] [Barbican] HTTPS Connection Question
Hi Mark,
I hope I can answer your questions:
1. HTTP support should be provided by the web server used to host barbican, not by barbican itself. The files where you noticed the “protocol = http” settings are uwsgi configuration files the Barbican team uses to run Barbican using uwsgi during development. The settings are just default development settings, and should be tuned to your particular situation. You can find more information about uwsgi config options in their official documentation. [1] In particular, you may be interested in the documentation on enabling HTTPS support. [2]
2. As I mentioned above, the dev team uses uwsgi to run Barbican, however there are no dependencies on uwsgi built into barbican. This means that, in theory, you should be able to run Barbican using Apache + mod_uwsgi, or Nginx + gunicorn, or any other web server capable of hosting a WSGI app. That said, we have not actually built environments with alternative web servers, so we don’t currently have any documentation on how to set that up. If you decide to deploy Barbican using Apache, we’d love to hear about your experience and help out in any way we can (join us at #openstack-barbican on Freenode). I would encourage you to contribute to our documentation wiki if you are successful.
Regards,
-Doug Mendizabal
[1] http://uwsgi-docs.readthedocs.org/en/latest/Options.html
[2] http://uwsgi-docs.readthedocs.org/en/latest/HTTPS.html?highlight=ssl#https-support-from-1-3
From: <Miller>, "Mark M (EB SW Cloud - R&D - Corvallis)" <mark.m.miller at hp.com>
Date: Tuesday, March 4, 2014 at 12:44 PM
To: "Ferreira, Rafael" <raf at io.com>, Remo Mattei <remo at italy1.com>, Wyllys Ingersoll <wyllys.ingersoll at evault.com>, "openstack at lists.openstack.org" <openstack at lists.openstack.org>
Subject: Re: [Openstack] [Barbican] HTTPS Connection Question
Hello,
I’ve been digging and digging and I have not been able to locate the following information:
1. Does Barbican provide support for HTTPS connections to it? I noticed “protocol=http” in several .ini files and a .conf file, but no information on how to configure Barbican to use it.
2. The quickstart wiki shows how to install Barbican behind the uwsgi server. Is it possible to install Barbican behind Apache2? Is there any documentation or example configuration guides?
Thanks,
Mark