Hello,

I found the problem with “my” Apache2 WSGI script for Barbican API. I was 
referencing the wrong pipeline.

Mark

From: Miller, Mark M (EB SW Cloud - R&D - Corvallis)
Sent: Friday, March 07, 2014 9:38 AM
To: Douglas Mendizabal; Ferreira, Rafael; Remo Mattei; Wyllys Ingersoll; 
openstack@lists.openstack.org
Subject: Re: [Openstack] [Barbican] HTTPS Connection Question

Hello Doug,

I have been able to configure Barbican with Apache2 via WSGI thereby removing 
the middle “HTTPS -> uWSGI -> Barbican” step. By removing the middle “uWSGI” 
step, the insecure uwsgi connection is also removed. How do I contribute to the 
wiki page?

I have also installed Keystone and attempted to configure Barbican to use 
Keystone for authentication but have been unsuccessful. Barbican performs the 
requested API without checking the token. What am I missing?

Mark

File barbican-api-paste.ini:

# Use this pipeline for Barbican API - DEFAULT no authentication
[pipeline:main]
#pipeline = unauthenticated-context apiapp
pipeline = keystone_v3_authtoken context apiapp
####pipeline = simple apiapp

#Use this pipeline to activate a repoze.profile middleware and HTTP port,
#  to provide profiling information for the REST API processing.
[pipeline:barbican-profile]
pipeline = unauthenticated-context egg:Paste#cgitb egg:Paste#httpexceptions profile apiapp

#Use this pipeline for keystone auth
[pipeline:barbican-api-keystone]
pipeline = keystone_authtoken context apiapp

[app:apiapp]
paste.app_factory = barbican.api.app:create_main_app

[filter:simple]
paste.filter_factory = barbican.api.middleware.simple:SimpleFilter.factory

[filter:unauthenticated-context]
paste.filter_factory = barbican.api.middleware.context:UnauthenticatedContextMiddleware.factory

[filter:context]
paste.filter_factory = barbican.api.middleware.context:ContextMiddleware.factory

[filter:keystone_authtoken]
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
signing_dir = /tmp/barbican/cache
auth_host = localhost
#need ability to re-auth a token, thus admin url
auth_port = 35357
auth_protocol = http
admin_tenant_name = service
admin_user = barbican
admin_password = secret
#admin_password = orange
auth_version = v2.0
#delay failing perhaps to log the unauthorized request in barbican ..
#delay_auth_decision = true

[filter:keystone_v3_authtoken]
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
signing_dir = /tmp/barbican/cache
auth_host = localhost
#need ability to re-auth a token, thus admin url
auth_port = 35357
auth_protocol = http
admin_tenant_name = service
admin_user = barbican
admin_password = secret
#admin_password = orange
auth_version = v3.0
#delay failing perhaps to log the unauthorized request in barbican ..
#delay_auth_decision = true

[filter:profile]
use = egg:repoze.profile
log_filename = myapp.profile
cachegrind_filename = cachegrind.out.myapp
discard_first_request = true
path = /__profile__
flush_at_shutdown = true
unwind = false
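
The follow-up at the top of this page traces the unchecked tokens to the WSGI script loading the wrong pipeline; that script is not shown in the thread. As an added example (not code from the thread or from the Barbican project), this audits a trimmed copy of the file above and reports, per pipeline name, whether requests pass through the Keystone auth_token filter. `audit_pipelines` and its finding strings are hypothetical names.

```python
import configparser

# Trimmed copy of the barbican-api-paste.ini posted above (most filter options omitted).
PASTE_INI = """
[pipeline:main]
pipeline = keystone_v3_authtoken context apiapp
[pipeline:barbican-profile]
pipeline = unauthenticated-context egg:Paste#cgitb egg:Paste#httpexceptions profile apiapp
[pipeline:barbican-api-keystone]
pipeline = keystone_authtoken context apiapp
[filter:unauthenticated-context]
paste.filter_factory = barbican.api.middleware.context:UnauthenticatedContextMiddleware.factory
[filter:context]
paste.filter_factory = barbican.api.middleware.context:ContextMiddleware.factory
[filter:keystone_authtoken]
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
[filter:keystone_v3_authtoken]
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
#delay_auth_decision = true
"""

AUTH_FACTORY = "keystoneclient.middleware.auth_token:filter_factory"


def audit_pipelines(ini_text):
    """Return {pipeline name: findings}; an empty list means the token is checked."""
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.read_string(ini_text)
    report = {}
    for section in cfg.sections():
        if not section.startswith("pipeline:"):
            continue
        findings = []
        stages = cfg[section]["pipeline"].split()
        # The last stage is the app; earlier stages are filters (egg: entries have no section).
        filters = [cfg["filter:" + s] for s in stages[:-1] if cfg.has_section("filter:" + s)]
        auth = [f for f in filters if f.get("paste.filter_factory") == AUTH_FACTORY]
        if not auth:
            findings.append("no auth_token filter: requests are served without a token check")
        if any(f.get("delay_auth_decision", "false").lower() == "true" for f in auth):
            findings.append("delay_auth_decision=true: rejection is left to the app")
        if "unauthenticated-context" in stages:
            findings.append("uses unauthenticated-context")
        report[section.split(":", 1)[1]] = findings
    return report
```

Compare the report against the pipeline name the WSGI script actually loads: a name with findings means the API answers without validating the token.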



From: Douglas Mendizabal [mailto:douglas.mendiza...@rackspace.com]
Sent: Tuesday, March 04, 2014 2:47 PM
To: Miller, Mark M (EB SW Cloud - R&D - Corvallis); Ferreira, Rafael; Remo 
Mattei; Wyllys Ingersoll; openstack@lists.openstack.org
Subject: Re: [Openstack] [Barbican] HTTPS Connection Question

Hi Mark,

I hope I can answer your questions:

1. HTTP support should be provided by the web server used to host barbican, not 
by barbican itself.  The files where you noticed the “protocol = http” settings 
are uwsgi configuration files the Barbican team uses to run Barbican using 
uwsgi during development.  The settings are just default development settings, 
and should be tuned to your particular situation.  You can find more 
information about uwsgi config options on their official documentation. [1]  In 
particular, you may be interested in enabling HTTPS support documentation. [2]

2. As I mentioned above, the dev team uses uwsgi to run Barbican, however there 
are no dependencies on uwsgi built into barbican.  This means that, in theory, 
you should be able to run Barbican using Apache + mod_uwsgi, or Nginx + 
gunicorn, or any other web server capable of hosting a WSGI app.  That said, we 
have not actually built environments with alternative web servers, so we don’t 
currently have any documentation on how to set that up.   If you decide to 
deploy Barbican using Apache, we’d love to hear about your experience and help 
out in any way we can (join us at #openstack-barbican on Freenode).  I would 
encourage you to contribute to our documentation wiki if you are successful.

Regards,
-Doug Mendizabal

[1] http://uwsgi-docs.readthedocs.org/en/latest/Options.html
[2] http://uwsgi-docs.readthedocs.org/en/latest/HTTPS.html?highlight=ssl#https-support-from-1-3


From: "Miller, Mark M (EB SW Cloud - R&D - Corvallis)" <mark.m.mil...@hp.com>
Date: Tuesday, March 4, 2014 at 12:44 PM
To: "Ferreira, Rafael" <r...@io.com>, Remo Mattei <r...@italy1.com>, 
Wyllys Ingersoll <wyllys.ingers...@evault.com>, 
"openstack@lists.openstack.org" <openstack@lists.openstack.org>
Subject: Re: [Openstack] [Barbican] HTTPS Connection Question

Hello,

I’ve been digging and digging and I have not been able to locate the following 
information:

1. Does Barbican provide support for HTTPS connections to it? I noticed 
“protocol=http” in several .ini files and a .conf file, but no information on 
how to configure Barbican to use it.

2. The quickstart wiki shows how to install Barbican behind the uwsgi 
server. Is it possible to install Barbican behind Apache2? Is there any 
documentation or example configuration guides?

Thanks,

Mark

