Hello Christopher,

I’m glad you are making progress. I’m including two folks that worked on the 
KMIP plugin to see if they can help with your error diagnosis.

Thanks,
John


From: Christopher N Solis <cnso...@us.ibm.com>
Reply-To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev@lists.openstack.org>
Date: Tuesday, April 14, 2015 at 10:21 AM
To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev@lists.openstack.org>
Subject: Re: [openstack-dev] [barbican] Utilizing the KMIP plugin


Hey John.
Thanks!
You were right. It was reading the config from the /root directory because I 
switched to the root user.
After switching back to the normal user it is reading the correct config file 
again.
It is trying to use the kmip plugin now.

However, I cannot make a request to the kmip plugin because of an ssl error:

2015-04-14 10:02:26,219 - barbican.plugin.kmip_secret_store - ERROR - Error opening or writing to client
Traceback (most recent call last):
  File "/home/swift/barbican/barbican/plugin/kmip_secret_store.py", line 167, in generate_symmetric_key
    self.client.open()
  File "/home/swift/.pyenv/versions/barbican27/lib/python2.7/site-packages/kmip/services/kmip_client.py", line 86, in open
    self.socket.connect((self.host, self.port))
  File "/home/swift/.pyenv/versions/2.7.6/lib/python2.7/ssl.py", line 333, in connect
    self._real_connect(addr, False)
  File "/home/swift/.pyenv/versions/2.7.6/lib/python2.7/ssl.py", line 314, in _real_connect
    self.ca_certs, self.ciphers)
SSLError: [Errno 0] _ssl.c:343: error:00000000:lib(0):func(0):reason(0)

I believe there is a problem in the KMIP plugin part of the barbican-api.conf 
file:
keyfile = '/path/to/certs/cert.key'
certfile = '/path/to/certs/cert.crt'
ca_certs = '/path/to/certs/LocalCA.crt'

What exactly is each variable supposed to contain?
I have keyfile and certfile being a self signed certificate and 2048 bit RSA 
key respectively for barbican to use and
ca_certs is the kmip_plugins' certificate for barbican to trust. Does this 
setup sound right?

Regards,
Christopher Solis
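
A preflight check for the three [kmip_plugin] TLS settings asked about above, as an added example that is not part of the original thread or of Barbican. It assumes the standard Python ssl meaning of the names seen in the traceback (keyfile is the client's PEM private key, certfile the client's PEM certificate, ca_certs the CA bundle used to verify the KMIP server) and the 400 key-file mode mentioned in the thread; the function names and placeholder files are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Expected PEM block type per setting (standard Python ssl semantics, assumed).
EXPECTED = {
    "keyfile": "PRIVATE KEY",   # client private key
    "certfile": "CERTIFICATE",  # client certificate
    "ca_certs": "CERTIFICATE",  # CA bundle used to verify the KMIP server
}
PEM_BEGIN = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")


def check_kmip_tls_files(settings):
    """Return a list of problems found in the keyfile/certfile/ca_certs paths."""
    problems = []
    for name, want in EXPECTED.items():
        # The conf values shown in the thread are wrapped in quotes; drop them.
        path = settings.get(name, "").strip("'\"")
        if not os.path.isfile(path):
            problems.append("%s: %s is not a file" % (name, path))
            continue
        with open(path) as handle:
            labels = PEM_BEGIN.findall(handle.read())
        if not any(label.endswith(want) for label in labels):
            problems.append("%s: expected a PEM %s block, found %s"
                            % (name, want, labels or "none"))
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if name == "keyfile" and mode != 0o400:
            problems.append("keyfile: mode is %o, expected 400" % mode)
    return problems


def demo():
    """Check constructed placeholder files (PEM headers only, no key material)."""
    tmp = tempfile.mkdtemp()

    def write(name, label, mode):
        path = os.path.join(tmp, name)
        with open(path, "w") as handle:
            handle.write("-----BEGIN %s-----\nCONSTRUCTED\n-----END %s-----\n"
                         % (label, label))
        os.chmod(path, mode)
        return "'%s'" % path  # quoted, as in the thread's conf file

    good = {"keyfile": write("cert.key", "RSA PRIVATE KEY", 0o400),
            "certfile": write("cert.crt", "CERTIFICATE", 0o444),
            "ca_certs": write("LocalCA.crt", "CERTIFICATE", 0o444)}
    swapped = dict(good, keyfile=good["certfile"], certfile=good["keyfile"])
    return check_kmip_tls_files(good), check_kmip_tls_files(swapped)
```

The check only inspects PEM headers and file modes; it does not verify that the key matches the certificate or that the CA actually signed the server's certificate.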


From: John Wood <john.w...@rackspace.com>
To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev@lists.openstack.org>
Date: 04/10/2015 07:24 PM
Subject: Re: [openstack-dev] [barbican] Utilizing the KMIP plugin

________________________________



Hello Christopher,

It does seem that configs are being read from another location. Try to remove 
that copy in your home directory (so just keep the /etc location). If you see 
the same issue, try to rename your /etc/barbican/barbican-api.conf file to 
something else. Barbican should crash, probably with a No SQL connection error.

Also, double check the ‘kmip_plugin’ setting in setup.cfg as per below, and try 
running ‘pip install -e .’ again in your virtual environment.

FWIW, this CR adds better logging of plugin errors once the loading problem you 
have is figured out: https://review.openstack.org/#/c/171868/

Thanks,
John


From: Christopher N Solis <cnso...@us.ibm.com>
Reply-To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev@lists.openstack.org>
Date: Thursday, April 9, 2015 at 1:55 PM
To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev@lists.openstack.org>
Subject: Re: [openstack-dev] [barbican] Utilizing the KMIP plugin

Hey John.
Thanks for letting me know about the error. But I think my configuration is not 
seeing the kmip_plugin selection.
In my barbican-api.conf file in /etc/barbican I have set 
enabled_secretstore_plugins = kmip_plugin

However, I don't think it is creating a KMIPSecretStore instance.
I edited the code in kmip_secret_store.py and put a breakpoint at the very 
beginning of the init function.
When I make a barbican request to put a secret in there, it did not stop at the 
breakpoint at all.
I put another breakpoint in the store_crypto.py file inside the init function 
for the StoreCryptoAdapterPlugin and I
was able to enter the code at that breakpoint.

So even though in my barbican-api.conf file I specified kmip_plugin it seems to 
be using the store_crypto plugin instead.

Is there something that might cause this to happen?
I also want to note that my code has the most up to date pull from the 
community code.

Here's what my /etc/barbican/barbican-api.conf file has in it:

# ================= Secret Store Plugin ===================
[secretstore]
namespace = barbican.secretstore.plugin
enabled_secretstore_plugins = kmip_plugin
...
...
...
# ================== KMIP plugin =====================
[kmip_plugin]
username = '******'
password = '******'
host = 10.0.2.15
port = 5696
keyfile = '/etc/barbican/rootCA.key'
certfile = '/etc/barbican/rootCA.pem'
ca_certs = '/etc/barbican/rootCA.pem'


Regards,
Christopher Solis



From: John Wood <john.w...@rackspace.com>
To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev@lists.openstack.org>
Date: 04/08/2015 03:16 PM
Subject: Re: [openstack-dev] [barbican] Utilizing the KMIP plugin

________________________________



Hello Christopher,

My local configuration is indeed seeing the kmip_plugin selection, but when 
stevedore tries to load the KMIP plugin it crashes because required files are 
missing in my local environment (see 
https://github.com/openstack/barbican/blob/master/barbican/plugin/kmip_secret_store.py#L131)
 for example.

Stevedore logs the exception but then doesn’t load this module, so when 
Barbican asks for an available plugin it doesn’t see it and crashes as you see. 
So the root exception from stevedore isn’t showing up in my logs for some 
reason, and probably not in yours as well. We’ll try to put up a CR to at least 
expose this exception in logs. In the meantime, make sure the KMIP values 
checked via that link above are configured on your machine.

Sorry for the inconvenience,
John


From: Christopher N Solis <cnso...@us.ibm.com>
Reply-To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev@lists.openstack.org>
Date: Wednesday, April 8, 2015 at 11:27 AM
To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev@lists.openstack.org>
Subject: Re: [openstack-dev] [barbican] Utilizing the KMIP plugin

Hey John.
I do have the barbican-api.conf file located in the /etc/barbican folder. But 
that does not seem to be the one that barbican
reads from. It seems to be reading from the barbican-api.conf file located in my 
home directory.
Either way, both have the exact same configurations.

I also checked the setup.cfg file and it does have the line for kmip_plugin .

Regards,

CHRIS SOLIS


From: John Wood <john.w...@rackspace.com>
To: "openstack-dev@lists.openstack.org" <openstack-dev@lists.openstack.org>
Date: 04/07/2015 10:39 AM
Subject: Re: [openstack-dev] [barbican] Utilizing the KMIP plugin

________________________________



Hello Christopher,

Just checking, but is that barbican-api.conf file located in your local 
system’s /etc/barbican folder? If not, that is the preferred place for local 
development. Modifying the copy that is in your local git repository will have 
no effect.

Also, please double check that your local git repository’s setup.cfg has a line 
like this in there (at/around #35):

  kmip_plugin = barbican.plugin.kmip_secret_store:KMIPSecretStore

Thanks,
John




From: Christopher N Solis <cnso...@us.ibm.com>
Reply-To: "openstack-dev@lists.openstack.org" <openstack-dev@lists.openstack.org>
Date: Monday, April 6, 2015 at 10:25 AM
To: "openstack-dev@lists.openstack.org" <openstack-dev@lists.openstack.org>
Subject: [openstack-dev] [barbican] Utilizing the KMIP plugin

Hello!

Sorry to Kaitlin Farr for not responding directly to your e-mail.
My openstack settings were misconfigured and I was not receiving e-mail from 
the dev mailing list.
Thanks for looking into the issue.

I double checked the permissions at the bottom of the kmip_plugin part in the 
barbican-api.conf file
and they are set to 400.

I would also like to note that I do not think the code ever actually entered 
the __init__ function
of KMIPSecretStore. I put a breakpoint in the __init__ function but the 
debugger never gets opened.
The error occurs and returns without ever seeming to enter the init function.

Here are the parts of the barbican-api.conf file that concern the kmip_plugin:
.....................
[secretstore]
namespace = barbican.secretstore.plugin
enabled_secretstore_plugins = kmip_plugin
.....................
[kmip_plugin]
username = '**********'
password = '**********'
host = ********
port = ********
keyfile = '/etc/barbican/rootCA.key'
certfile = '/etc/barbican/rootCA.pem'
ca_certs = '/etc/barbican/rootCA.pem'
.......................

Thank You!!

Regards,
Christopher Solis
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev