Thanks John for providing the pointer to the fix, and thanks also to all contributors for providing the quick fix.
Thanks and Regards,
Asha Seshagiri

On Fri, May 15, 2015 at 3:30 PM, John Vrbanac <john.vrba...@rackspace.com> wrote:
> Asha,
> We landed the fix in: https://review.openstack.org/#/c/183391/
> Hopefully, that should address the problem you've been seeing.
>
> Thanks!
>
> John Vrbanac
>
> On Thu, 2015-05-14 at 18:14 -0500, Douglas Mendizábal wrote:
> > Hi Asha,
> >
> > The reason we support an Unauthenticated Context in Barbican is purely
> > for development purposes. We recommend that all production Barbican
> > deployments use Keystone or an alternative AuthN/AuthZ service in
> > front of Barbican.
> >
> > Setting up a working Keystone environment just to hack on Barbican is
> > a steep requirement, which is why we need the Unauthenticated Context
> > to work.
> >
> > - Douglas Mendizabal
> >
> > On 5/14/15 6:07 PM, Asha Seshagiri wrote:
> > > Thanks a lot John for your response. But I would like to know why
> > > we would have to fix the issue of creating the secret for the
> > > unauthenticated context in Barbican, since it would be good to have
> > > an access control mechanism enforced to access secrets, orders and
> > > other entities from Barbican.
> > >
> > > This should be the expected behavior from a security perspective. And
> > > we are also able to access secrets by providing the right token
> > > from the Identity service (Keystone). Looking forward to your
> > > response.
> > >
> > > Thanks and Regards, Asha Seshagiri
> > >
> > > On Thu, May 14, 2015 at 4:43 PM, John Vrbanac <john.vrba...@rackspace.com> wrote:
> > >
> > > Asha, I spent some time looking into this. It looks to be a
> > > regression that occurred a few days ago when a CR was merged that
> > > moved us over to oslo_context. I have reported the issue here:
> > > https://bugs.launchpad.net/barbican/+bug/1455247
> > >
> > > I have a couple of ideas on how to fix it, so keep your eyes out for
> > > a CR to resolve the issue.
> > >
> > > John Vrbanac
> > >
> > > On Thu, 2015-05-14 at 12:26 -0500, Asha Seshagiri wrote:
> > >> Hi all,
> > >>
> > >> We are able to execute the curl commands on the new barbican code
> > >> provided we integrate it with keystone. I ran into this issue
> > >> because I was trying to configure localhost to the actual IP on a
> > >> plain barbican server so that I would get the response and
> > >> request objects with the actual IP rather than localhost.
> > >> This configuration was required for setting up HAProxy for
> > >> Barbican.
> > >>
> > >> And then I thought of integrating with keystone and
> > >> configuring the Barbican server for https.
> > >>
> > >> *It's good to learn that the latest code drop of
> > >> Barbican enforces the authentication mechanism with keystone,
> > >> which does not allow us to execute the curl command without
> > >> providing the token of the Identity service (Keystone) in the
> > >> request, unlike the previous Barbican versions.*
> > >>
> > >> Please find the curl command requests and responses for
> > >> uploading/retrieving the secrets on the Barbican server:
> > >>
> > >> [root@Clientfor-HAProxy barbican]# curl -X POST -H 'content-type:application/json' -H 'X-Project-Id:12345' \
> > >> > -H "X-Auth-Token:c9ac81784e1e4e089fccbca19f862be2" -d '{"payload": "my-secret-here","payload_content_type": "text/plain"}' \
> > >> > -k https://localhost:9311/v1/secrets
> > >> {"secret_ref": "https://localhost:9311/v1/secrets/02336016-623b-4deb-bca5-caedc0bf0e35"}[root@Clientfor-HAProxy barbican]#
> > >>
> > >> [root@Clientfor-HAProxy barbican]# curl -H 'Accept: application/json' -H 'X-Project-Id:12345' \
> > >> > -H "X-Auth-Token:c9ac81784e1e4e089fccbca19f862be2" -k https://localhost:9311/v1/secrets
> > >> {"secrets": [{"status": "ACTIVE", "secret_type": "opaque", "updated": "2015-05-14T16:35:44.109536", "name": null, "algorithm": null, "created": "2015-05-14T16:35:44.103982", "secret_ref": "https://localhost:9311/v1/secrets/02336016-623b-4deb-bca5-caedc0bf0e35", "content_types": {"default": "text/plain"}, "creator_id": "cedd848a8a9e410196793c601c03b99a", "mode": null, "bit_length": null, "expiration": null}], "total": 1}[root@Clientfor-HAProxy barbican]#
> > >>
> > >> Thanks and Regards, Asha Seshagiri
> > >>
> > >> On Wed, May 13, 2015 at 4:26 PM, Asha Seshagiri <asha.seshag...@gmail.com> wrote:
> > >>
> > >> Hi all,
> > >>
> > >> When I started debugging, we found that the default group is not
> > >> used; instead oslo_policy would be used.
> > >>
> > >> Please find the logs below:
> > >>
> > >> *2015-05-13 15:59:34.393 13210 WARNING oslo_config.cfg [-] Option "policy_default_rule" from group "DEFAULT" is deprecated. Use option "policy_default_rule" from group "oslo_policy".*
> > >> *2015-05-13 15:59:34.394 13210 WARNING oslo_config.cfg [-] Option "policy_file" from group "DEFAULT" is deprecated. Use option "policy_file" from group "oslo_policy".*
> > >> 2015-05-13 15:59:34.395 13210 DEBUG oslo_policy.openstack.common.fileutils [req-0c6d2db4-bc15-4752-93ca-5203cf742d79 - 12345 - - -] Reloading cached file /etc/barbican/policy.json read_cached_file /usr/lib/python2.7/site-packages/oslo_policy/openstack/common/fileutils.py:64
> > >> 2015-05-13 15:59:34.398 13210 DEBUG oslo_policy.policy [req-0c6d2db4-bc15-4752-93ca-5203cf742d79 - 12345 - - -] Reloaded policy file: /etc/barbican/policy.json _load_policy_file /usr/lib/python2.7/site-packages/oslo_policy/policy.py:424
> > >> 2015-05-13 15:59:34.399 13210 ERROR barbican.api.controllers [req-0c6d2db4-bc15-4752-93ca-5203cf742d79 - 12345 - - -] Secret creation attempt not allowed - please review your user/project privileges
> > >> 2015-05-13 15:59:34.399 13210 TRACE barbican.api.controllers Traceback (most recent call last):
> > >> 2015-05-13 15:59:34.399 13210 TRACE barbican.api.controllers   File "/root/barbican/barbican/api/controllers/__init__.py", line 104, in handler
> > >> 2015-05-13 15:59:34.399 13210 TRACE barbican.api.controllers     return fn(inst, *args, **kwargs)
> > >> 2015-05-13 15:59:34.399 13210 TRACE barbican.api.controllers   File "/root/barbican/barbican/api/controllers/__init__.py", line 85, in enforcer
> > >> 2015-05-13 15:59:34.399 13210 TRACE barbican.api.controllers     _do_enforce_rbac(inst, pecan.request, action_name, ctx, **kwargs)
> > >> 2015-05-13 15:59:34.399 13210 TRACE barbican.api.controllers   File "/root/barbican/barbican/api/controllers/__init__.py", line 68, in _do_enforce_rbac
> > >> 2015-05-13 15:59:34.399 13210 TRACE barbican.api.controllers     credentials, do_raise=True)
> > >> 2015-05-13 15:59:34.399 13210 TRACE barbican.api.controllers   File "/usr/lib/python2.7/site-packages/oslo_policy/policy.py", line 493, in enforce
> > >> 2015-05-13 15:59:34.399 13210 TRACE barbican.api.controllers     raise PolicyNotAuthorized(rule, target, creds)
> > >> 2015-05-13 15:59:34.399 13210 TRACE barbican.api.controllers PolicyNotAuthorized: secrets:post on {u'payload': u'my-secret-here', u'payload_content_type': u'text/plain'} by {'project': '12345', 'user': None, 'roles': []} disallowed by policy
> > >> 2015-05-13 15:59:34.399 13210 TRACE barbican.api.controllers
> > >> 2015-05-13 15:59:34.400 13210 INFO barbican.api.middleware.context [req-0c6d2db4-bc15-4752-93ca-5203cf742d79 - 12345 - - -] req-556e8733-aea2-4acf-ac8b-30bc671a6f22 | Processed request: 403 Forbidden - POST http://localhost:9311/v1/secrets
> > >> {address space usage: 364666880 bytes/347MB} {rss usage: 65622016 bytes/62MB} [pid: 13210|app: 0|req: 1/1] 127.0.0.1 () {30 vars in 358 bytes} [Wed May 13 15:59:34 2015] POST /v1/secrets => generated 134 bytes in 7 msecs (HTTP/1.1 403) 4 headers in 179 bytes (1 switches on core 0)
> > >> announcing my loyalty to the Emperor...
> > >> Wed May 13 15:59:34 2015 - [emperor] vassal barbican-api.ini is now loyal
> > >>
> > >> Hence I tried changing the policy_default_rule value in the
> > >> barbican.conf file to oslo_policy instead of default and then
> > >> restarting it. It did not work. Please find the rule below:
> > >>
> > >> *# Rule checked when requested rule is not found (string value)*
> > >> *policy_default_rule=oslo_policy*
> > >>
> > >> *[root@Clientfor-HAProxy ~]# curl -X POST -H 'content-type:application/json' -H 'X-Project-Id:12345' -d '{"payload": "my-secret-here", "payload_content_type": "text/plain"}' http://localhost:9311/v1/secrets*
> > >> *{"code": 403, "description": "Secret creation attempt not allowed - please review your user/project privileges", "title": "Forbidden"}*
> > >>
> > >> It would be great if someone could help me out with this. Any
> > >> help would be highly appreciated.
> > >>
> > >> Thanks in advance
> > >>
> > >> Thanks and Regards,
> > >> Asha Seshagiri
> > >>
> > >> On Tue, May 12, 2015 at 6:31 PM, Asha Seshagiri <asha.seshag...@gmail.com> wrote:
> > >>
> > >> Hi All,
> > >>
> > >> Installed barbican today, taking the source from github, and
> > >> executed the basic curl commands for retrieving and uploading
> > >> secrets.
> > >>
> > >> Was unable to execute the curl commands for retrieving and
> > >> uploading the secrets. Please find the request and response for
> > >> the commands:
> > >>
> > >> [root@Clientfor-HAProxy ~]# curl -X POST -H 'content-type:application/json' -H 'X-Project-Id:12345' -d '{"payload": "my-secret-here", "payload_content_type": "text/plain"}' http://localhost:9311/v1/secrets
> > >> *{"code": 403, "description": "Secret creation attempt not allowed - please review your user/project privileges", "title": "Forbidden"}*
> > >> [root@Clientfor-HAProxy ~]# curl -H 'X-Project-Id: 12345' http://localhost:9311/v1/secrets
> > >> *{"code": 403, "description": "Secret(s) retrieval attempt not allowed - please review your user/project privileges", "title": "Forbidden"}*
> > >>
> > >> Would like to know the changes that need to be made in order to
> > >> execute the basic curl commands for Barbican.
> > >>
> > >> Also noticed that the admin config files are not loaded and only the
> > >> API file is loaded. Please find the logs below:
> > >>
> > >> *** Operational MODE: single process ***
> > >> *** uWSGI is running in multiple interpreter mode ***
> > >> spawned uWSGI master process (pid: 9299)
> > >> Tue May 12 16:23:09 2015 - [emperor] vassal barbican-api.ini has been spawned
> > >> spawned uWSGI worker 1 (pid: 9300, cores: 1)
> > >> *Loading paste environment: config:/etc/barbican/barbican-api-paste.ini*
> > >> 2015-05-12 16:23:11.036 9300 INFO barbican.model.repositories [-] Setting up database engine and session factory
> > >> 2015-05-12 16:23:11.044 9300 DEBUG sqlalchemy.pool.NullPool [-] Created new connection <sqlite3.Connection object at 0x53d8dc8> __connect /usr/lib64/python2.7/site-packages/sqlalchemy/pool.py:540
> > >> 2015-05-12 16:23:11.045 9300 DEBUG sqlalchemy.pool.NullPool [-] Connection <sqlite3.Connection object at 0x53d8dc8> checked out from pool checkout /usr/lib64/python2.7/site-packages/sqlalchemy/pool.py:458
> > >> 2015-05-12 16:23:11.046 9300 DEBUG sqlalchemy.pool.NullPool [-] Connection <sqlite3.Connection object at 0x53d8dc8> being returned to pool _finalize_fairy /usr/lib64/python2.7/site-packages/sqlalchemy/pool.py:562
> > >> 2015-05-12 16:23:11.046 9300 DEBUG sqlalchemy.pool.NullPool [-] Connection <sqlite3.Connection object at 0x53d8dc8> rollback-on-return _reset /usr/lib64/python2.7/site-packages/sqlalchemy/pool.py:698
> > >> 2015-05-12 16:23:11.046 9300 DEBUG sqlalchemy.pool.NullPool [-] Closing connection <sqlite3.Connection object at 0x53d8dc8> _close_connection /usr/lib64/python2.7/site-packages/sqlalchemy/pool.py:248
> > >>
> > >> *Any help would be highly appreciated since this would impact my
> > >> work on setting up HAProxy for Barbican*
> > >>
> > >> Thanks in advance!
> > >>
> > >> --
> > >> Thanks and Regards,
> > >> Asha Seshagiri
> > >>
> > >> __________________________________________________________________________
> > >> OpenStack Development Mailing List (not for usage questions)
> > >> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> > >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
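As an added example (not code from this thread, from Barbican or from oslo_policy), the Python below models how an oslo_policy-style rule file is evaluated against the credentials printed in the PolicyNotAuthorized trace quoted above, and why setting policy_default_rule=oslo_policy changed nothing: that option names the rule consulted only for actions that are absent from the file, and secrets:post is present. The policy fragment, the creator credentials and the names PolicyEnforcer and explain are this example's own assumptions, modelled on Barbican's policy.json of the time rather than copied from it.

```python
"""Added example: a small evaluator for oslo_policy-style rule strings.

Not code from the mailing-list thread, from Barbican or from oslo_policy;
it models enough of the rule language ("@", "!", "role:X", "rule:X",
and/or/not, parentheses) to show why the request in the trace got a 403.
"""
import re

# CONSTRUCTED policy fragment, modelled on Barbican's policy.json of the
# time (assumption: rule names and bodies may differ from the real file).
POLICY = {
    "admin": "role:admin",
    "creator": "role:creator",
    "observer": "role:observer",
    "audit": "role:audit",
    "admin_or_creator": "rule:admin or rule:creator",
    "all_but_audit": "rule:admin or rule:observer or rule:creator",
    "secrets:post": "rule:admin_or_creator",
    "secrets:get": "rule:all_but_audit",
}

# Credentials exactly as printed in the PolicyNotAuthorized trace: the
# unauthenticated context carries no user and an empty role list.
UNAUTH_CREDS = {"project": "12345", "user": None, "roles": []}

# Constructed: what the Keystone auth middleware would hand Barbican for a
# user holding the creator role (user id is the creator_id from the thread).
CREATOR_CREDS = {"project": "12345",
                 "user": "cedd848a8a9e410196793c601c03b99a",
                 "roles": ["creator"]}

_TOKENS = re.compile(r"\(|\)|[^\s()]+")


class PolicyEnforcer:
    """`default_rule` is the NAME of the rule used when an action is absent
    from the file (what policy_default_rule configures); if that name does
    not exist either, the request is denied."""

    def __init__(self, rules, default_rule="default"):
        self.rules = rules
        self.default_rule = default_rule

    def enforce(self, action, creds):
        rule = self.rules.get(action)
        if rule is None:
            rule = self.rules.get(self.default_rule)
        if rule is None:
            return False
        return self._eval(rule, creds, depth=0)

    def _eval(self, rule, creds, depth):
        if depth > 16:
            raise ValueError("rule recursion too deep; cycle in policy?")
        toks = _TOKENS.findall(rule)
        value, pos = self._or(toks, 0, creds, depth)
        if pos != len(toks):
            raise ValueError("trailing tokens in rule %r" % rule)
        return value

    # Precedence, lowest to highest: or, and, not, then atoms/parentheses.
    def _or(self, toks, pos, creds, depth):
        value, pos = self._and(toks, pos, creds, depth)
        while pos < len(toks) and toks[pos] == "or":
            rhs, pos = self._and(toks, pos + 1, creds, depth)
            value = value or rhs
        return value, pos

    def _and(self, toks, pos, creds, depth):
        value, pos = self._not(toks, pos, creds, depth)
        while pos < len(toks) and toks[pos] == "and":
            rhs, pos = self._not(toks, pos + 1, creds, depth)
            value = value and rhs
        return value, pos

    def _not(self, toks, pos, creds, depth):
        if pos >= len(toks):
            raise ValueError("unexpected end of rule")
        if toks[pos] == "not":
            value, pos = self._not(toks, pos + 1, creds, depth)
            return (not value), pos
        if toks[pos] == "(":
            value, pos = self._or(toks, pos + 1, creds, depth)
            if pos >= len(toks) or toks[pos] != ")":
                raise ValueError("unbalanced parentheses")
            return value, pos + 1
        return self._atom(toks[pos], creds, depth), pos + 1

    def _atom(self, tok, creds, depth):
        if tok == "@":            # always allow
            return True
        if tok == "!":            # always deny
            return False
        kind, sep, match = tok.partition(":")
        if not sep:
            raise ValueError("malformed check %r" % tok)
        if kind == "role":        # case-insensitive membership in creds['roles']
            return match.lower() in {r.lower() for r in creds.get("roles", [])}
        if kind == "rule":        # reference to an unknown rule name denies
            if match not in self.rules:
                return False
            return self._eval(self.rules[match], creds, depth + 1)
        raise ValueError("check kind %r not modelled here" % kind)


def explain(action, creds, enforcer=None):
    """Return (allowed, rule_text) so a caller can log which rule decided."""
    enforcer = enforcer or PolicyEnforcer(POLICY)
    rule = enforcer.rules.get(action, enforcer.rules.get(enforcer.default_rule, "!"))
    return enforcer.enforce(action, creds), rule


if __name__ == "__main__":
    for label, creds in (("unauthenticated", UNAUTH_CREDS), ("creator", CREATOR_CREDS)):
        for action in ("secrets:post", "secrets:get", "orders:post"):
            ok, rule = explain(action, creds)
            print("%-15s %-12s %-45s -> %s" % (label, action, rule,
                                               "allowed" if ok else "403 Forbidden"))
```

Run stand-alone, the unauthenticated credentials from the trace are refused for every action because role checks can never match an empty role list, while the constructed creator credentials pass secrets:post and secrets:get; orders:post is refused for both because it is absent from the fragment and no default rule is defined. The same applies with default_rule="oslo_policy", which is why the configuration change in the thread had no visible effect. Keep the real policy.json authoritative; this evaluator deliberately omits the generic attribute checks (for instance project_id:%(project_id)s) that oslo_policy also supports.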