This section describes how to install and configure the Key Manager service for Ubuntu 14.04 (LTS).
Before you install and configure the Key Manager service, you must create a database, service credentials, and API endpoints.
To create the database, complete these steps:

1. Use the database access client to connect to the database server as the root user:

      $ mysql -u root -p

2. Create the barbican database:

      CREATE DATABASE barbican;

3. Grant proper access to the barbican database:

      GRANT ALL PRIVILEGES ON barbican.* TO 'barbican'@'localhost' \
        IDENTIFIED BY 'BARBICAN_DBPASS';
      GRANT ALL PRIVILEGES ON barbican.* TO 'barbican'@'%' \
        IDENTIFIED BY 'BARBICAN_DBPASS';

   Replace BARBICAN_DBPASS with a suitable password.

4. Exit the database access client:

      exit;

5. Source the admin credentials to gain access to admin-only CLI commands:

      $ source admin-openrc
To create the service credentials, complete these steps:

1. Create the barbican user:

      $ openstack user create --domain default --password-prompt barbican

2. Add the admin role to the barbican user:

      $ openstack role add --project service --user barbican admin

3. Create the creator role:

      $ openstack role create creator

4. Add the creator role to the barbican user:

      $ openstack role add --project service --user barbican creator

5. Create the barbican service entity:

      $ openstack service create --name barbican --description "Key Manager" key-manager

6. Create the Key Manager service API endpoints:

      $ openstack endpoint create --region RegionOne \
        key-manager public http://controller:9311/v1/%\(tenant_id\)s
      $ openstack endpoint create --region RegionOne \
        key-manager internal http://controller:9311/v1/%\(tenant_id\)s
      $ openstack endpoint create --region RegionOne \
        key-manager admin http://controller:9311/v1/%\(tenant_id\)s
Install the packages:

   # apt-get update
   # apt-get install
Edit the /etc/barbican/barbican.conf file and complete the following actions:

1. In the [database] section, configure database access:

      [database]
      ...
      connection = mysql+pymysql://barbican:BARBICAN_DBPASS@controller/barbican

   Replace BARBICAN_DBPASS with the password you chose for the Key Manager service database.

2. In the [DEFAULT] and [oslo_messaging_rabbit] sections, configure RabbitMQ message queue access:

      [DEFAULT]
      ...
      rpc_backend = rabbit

      [oslo_messaging_rabbit]
      ...
      rabbit_host = controller
      rabbit_userid = openstack
      rabbit_password = RABBIT_PASS

   Replace RABBIT_PASS with the password you chose for the openstack account in RabbitMQ.

3. In the [keystone_authtoken] section, configure Identity service access:

      [keystone_authtoken]
      ...
      auth_uri = http://controller:5000
      auth_url = http://controller:35357
      memcached_servers = controller:11211
      auth_type = password
      project_domain_name = default
      user_domain_name = default
      project_name = service
      username = barbican
      password = BARBICAN_PASS

   Replace BARBICAN_PASS with the password you chose for the barbican user in the Identity service.

   Note: Comment out or remove any other options in the [keystone_authtoken] section.
Edit the /etc/barbican/barbican-api-paste.ini file and complete the following actions:

1. In the [pipeline:barbican_api] section, configure the pipeline to use the Identity service auth token:

      [pipeline:barbican_api]
      pipeline = cors authtoken context apiapp
Populate the Key Manager service database:

The Key Manager service database is populated automatically when the service is first started. To prevent this and run the database sync manually instead, edit the /etc/barbican/barbican.conf file and set db_auto_create in the [DEFAULT] section to False. Then populate the database as follows:

   $ su -s /bin/sh -c "barbican-manage db_sync" barbican

Note: Ignore any deprecation messages in this output.
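The script below is an added example and is not part of the OpenStack guide or of Barbican itself. It audits a barbican.conf and a barbican-api-paste.ini for the values the configuration steps above ask for: the placeholder passwords (BARBICAN_DBPASS, RABBIT_PASS, BARBICAN_PASS) must have been replaced, rpc_backend and auth_type must carry the documented values, db_auto_create must be False when the database is synced by hand, the [keystone_authtoken] section must contain no options beyond the ones listed, and the barbican_api pipeline must route through authtoken. It needs only POSIX sh, awk and grep. The helper names (ini_get, check_barbican_conf, check_paste_pipeline, write_sample_conf, write_sample_paste) and the sample file contents are constructed for the demo; on a real host you would point the checks at the files under /etc/barbican/.

```shell
#!/bin/sh
# Added example, not part of the OpenStack guide: audit the two files this
# section edits (barbican.conf and barbican-api-paste.ini) for the settings
# it asks for. Requires only POSIX sh, awk and grep. Helper names, file paths
# and sample contents are constructed for the demo.
set -u

# ini_get FILE SECTION KEY -> print the value of KEY inside [SECTION] ("" if absent).
ini_get() {
    awk -v sect="[$2]" -v key="$3" '
        /^[[:space:]]*\[/ { hdr = $0; gsub(/[[:space:]]/, "", hdr); insect = (hdr == sect); next }
        insect && $0 ~ /=/ && $0 !~ /^[[:space:]]*[#;]/ {
            split($0, kv, "="); k = kv[1]; gsub(/[[:space:]]/, "", k)
            if (k == key) { sub(/^[^=]*=[[:space:]]*/, ""); print; exit }
        }' "$1"
}

# ini_section_keys FILE SECTION -> print every option name set in [SECTION].
ini_section_keys() {
    awk -v sect="[$2]" '
        /^[[:space:]]*\[/ { hdr = $0; gsub(/[[:space:]]/, "", hdr); insect = (hdr == sect); next }
        insect && $0 ~ /=/ && $0 !~ /^[[:space:]]*[#;]/ {
            split($0, kv, "="); k = kv[1]; gsub(/[[:space:]]/, "", k); print k
        }' "$1"
}

# check_barbican_conf FILE -> 0 when the guide's settings are present, the
# placeholder passwords have been replaced, db_auto_create is False and
# [keystone_authtoken] carries no options beyond those the guide lists.
check_barbican_conf() {
    conf=$1; rc=0
    if grep -Eq 'BARBICAN_DBPASS|RABBIT_PASS|BARBICAN_PASS' "$conf"; then
        echo "$conf: placeholder password left in file" >&2; rc=1
    fi
    [ "$(ini_get "$conf" DEFAULT rpc_backend)" = rabbit ] ||
        { echo "$conf: rpc_backend is not rabbit" >&2; rc=1; }
    [ "$(ini_get "$conf" DEFAULT db_auto_create)" = False ] ||
        { echo "$conf: db_auto_create is not False" >&2; rc=1; }
    [ "$(ini_get "$conf" keystone_authtoken auth_type)" = password ] ||
        { echo "$conf: keystone_authtoken auth_type is not password" >&2; rc=1; }
    allowed=" auth_uri auth_url memcached_servers auth_type project_domain_name user_domain_name project_name username password "
    for k in $(ini_section_keys "$conf" keystone_authtoken); do
        case "$allowed" in
            *" $k "*) ;;
            *) echo "$conf: unexpected option in [keystone_authtoken]: $k" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# check_paste_pipeline FILE -> 0 when [pipeline:barbican_api] routes through authtoken.
check_paste_pipeline() {
    case " $(ini_get "$1" pipeline:barbican_api pipeline) " in
        *" authtoken "*) return 0 ;;
        *) echo "$1: authtoken missing from barbican_api pipeline" >&2; return 1 ;;
    esac
}

# write_sample_conf FILE DBPASS RABBITPASS KSPASS [EXTRA_AUTHTOKEN_LINE]
# Constructed barbican.conf mirroring the guide's values (sample data, not a real deployment).
write_sample_conf() {
    cat > "$1" <<EOF
[DEFAULT]
rpc_backend = rabbit
db_auto_create = False

[database]
connection = mysql+pymysql://barbican:$2@controller/barbican

[oslo_messaging_rabbit]
rabbit_host = controller
rabbit_userid = openstack
rabbit_password = $3

[keystone_authtoken]
auth_uri = http://controller:5000
auth_url = http://controller:35357
memcached_servers = controller:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = barbican
password = $4
${5:-}
EOF
}

# write_sample_paste FILE PIPELINE -> constructed barbican-api-paste.ini.
write_sample_paste() {
    printf '[pipeline:barbican_api]\npipeline = %s\n' "$2" > "$1"
}

# Demo on constructed files still holding the guide's placeholders, so the
# password check fires; on a real host point the checks at /etc/barbican/.
demo=$(mktemp -d)
write_sample_conf "$demo/barbican.conf" BARBICAN_DBPASS RABBIT_PASS BARBICAN_PASS
write_sample_paste "$demo/barbican-api-paste.ini" 'cors authtoken context apiapp'
check_barbican_conf "$demo/barbican.conf" && echo "barbican.conf: ok" || echo "barbican.conf: fix the issues above"
check_paste_pipeline "$demo/barbican-api-paste.ini" && echo "paste.ini: ok" || echo "paste.ini: fix the pipeline"
rm -rf "$demo"
```

The [keystone_authtoken] allow-list implements the note about commenting out or removing any other options in that section; an unexpected option there usually means a stale setting from an earlier release that the middleware may still honour. The password check is deliberately a plain substring match on the three placeholder names, so it catches a copy-pasted configuration before the service is started with known credentials.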
Barbican has a plugin architecture which allows the deployer to store secrets in a number of different back-end secret stores. By default, Barbican is configured to store secrets in a basic file-based keystore. This key store is NOT safe for production use.
For a list of supported plugins and detailed instructions on how to configure them, see Secret Store Back-ends.
Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.