Merge "Implements KeyManager's option discovery."
Zuul authored 4 years ago
Gerrit Code Review committed 4 years ago
46 | 46 | from six.moves import urllib |
47 | 47 | |
48 | 48 | |
49 | barbican_opts = [ | |
49 | _barbican_opts = [ | |
50 | 50 | cfg.StrOpt('barbican_endpoint', |
51 | 51 | help='Use this endpoint to connect to Barbican, for example: ' |
52 | 52 | '"http://localhost:9311/"'), |
77 | 77 | |
78 | 78 | ] |
79 | 79 | |
80 | BARBICAN_OPT_GROUP = 'barbican' | |
80 | _BARBICAN_OPT_GROUP = 'barbican' | |
81 | 81 | |
82 | 82 | LOG = logging.getLogger(__name__) |
83 | 83 | |
97 | 97 | self._barbican_client = None |
98 | 98 | self._base_url = None |
99 | 99 | self.conf = configuration |
100 | self.conf.register_opts(barbican_opts, group=BARBICAN_OPT_GROUP) | |
101 | loading.register_session_conf_options(self.conf, BARBICAN_OPT_GROUP) | |
100 | self.conf.register_opts(_barbican_opts, group=_BARBICAN_OPT_GROUP) | |
101 | loading.register_session_conf_options(self.conf, _BARBICAN_OPT_GROUP) | |
102 | 102 | |
103 | 103 | def _get_barbican_client(self, context): |
104 | 104 | """Creates a client to connect to the Barbican service. |
633 | 633 | except (barbican_exceptions.HTTPAuthError, |
634 | 634 | barbican_exceptions.HTTPClientError, |
635 | 635 | barbican_exceptions.HTTPServerError) as e: |
636 | LOG.error(_("Error listing objects: %s"), e) | |
636 | LOG.error("Error listing objects: %s", e) | |
637 | 637 | raise exception.KeyManagerError(reason=e) |
638 | 638 | |
639 | 639 | for secret in secrets: |
643 | 643 | except (barbican_exceptions.HTTPAuthError, |
644 | 644 | barbican_exceptions.HTTPClientError, |
645 | 645 | barbican_exceptions.HTTPServerError) as e: |
646 | LOG.warning(_("Error occurred while retrieving object " | |
647 | "metadata, not adding it to the list: %s"), e) | |
646 | LOG.warning("Error occurred while retrieving object " | |
647 | "metadata, not adding it to the list: %s", e) | |
648 | 648 | |
649 | 649 | return objects |
650 | ||
651 | def list_options_for_discovery(self): | |
652 | return [(_BARBICAN_OPT_GROUP, _barbican_opts)] |
122 | 122 | found, an empty list should be returned instead. |
123 | 123 | """ |
124 | 124 | return [] |
125 | ||
126 | def list_options_for_discovery(self): | |
127 | """Lists the KeyManager's configure options. | |
128 | ||
129 | KeyManagers should advertise all supported options through this | |
130 | method for the purpose of sample generation by oslo-config-generator. | |
131 | Each item in the advertised list should be tuple composed by the group | |
132 | name and a list of options belonging to that group. None should be used | |
133 | as the group name for the DEFAULT group. | |
134 | ||
135 | :returns: the list of supported options of a KeyManager. | |
136 | """ | |
137 | return [] |
42 | 42 | from castellan.i18n import _ |
43 | 43 | from castellan.key_manager import key_manager |
44 | 44 | |
45 | DEFAULT_VAULT_URL = "http://127.0.0.1:8200" | |
46 | DEFAULT_MOUNTPOINT = "secret" | |
47 | ||
48 | vault_opts = [ | |
45 | _DEFAULT_VAULT_URL = "http://127.0.0.1:8200" | |
46 | _DEFAULT_MOUNTPOINT = "secret" | |
47 | ||
48 | _vault_opts = [ | |
49 | 49 | cfg.StrOpt('root_token_id', |
50 | 50 | help='root token for vault'), |
51 | 51 | cfg.StrOpt('approle_role_id', |
53 | 53 | cfg.StrOpt('approle_secret_id', |
54 | 54 | help='AppRole secret_id for authentication with vault'), |
55 | 55 | cfg.StrOpt('kv_mountpoint', |
56 | default=DEFAULT_MOUNTPOINT, | |
56 | default=_DEFAULT_MOUNTPOINT, | |
57 | 57 | help='Mountpoint of KV store in Vault to use, for example: ' |
58 | '{}'.format(DEFAULT_MOUNTPOINT)), | |
58 | '{}'.format(_DEFAULT_MOUNTPOINT)), | |
59 | 59 | cfg.StrOpt('vault_url', |
60 | default=DEFAULT_VAULT_URL, | |
60 | default=_DEFAULT_VAULT_URL, | |
61 | 61 | help='Use this endpoint to connect to Vault, for example: ' |
62 | '"%s"' % DEFAULT_VAULT_URL), | |
62 | '"%s"' % _DEFAULT_VAULT_URL), | |
63 | 63 | cfg.StrOpt('ssl_ca_crt_file', |
64 | 64 | help='Absolute path to ca cert file'), |
65 | 65 | cfg.BoolOpt('use_ssl', |
67 | 67 | help=_('SSL Enabled/Disabled')), |
68 | 68 | ] |
69 | 69 | |
70 | VAULT_OPT_GROUP = 'vault' | |
70 | _VAULT_OPT_GROUP = 'vault' | |
71 | 71 | |
72 | 72 | _EXCEPTIONS_BY_CODE = [ |
73 | 73 | requests.codes['internal_server_error'], |
93 | 93 | |
94 | 94 | def __init__(self, configuration): |
95 | 95 | self._conf = configuration |
96 | self._conf.register_opts(vault_opts, group=VAULT_OPT_GROUP) | |
97 | loading.register_session_conf_options(self._conf, VAULT_OPT_GROUP) | |
96 | self._conf.register_opts(_vault_opts, group=_VAULT_OPT_GROUP) | |
97 | loading.register_session_conf_options(self._conf, _VAULT_OPT_GROUP) | |
98 | 98 | self._session = requests.Session() |
99 | 99 | self._root_token_id = self._conf.vault.root_token_id |
100 | 100 | self._approle_role_id = self._conf.vault.approle_role_id |
411 | 411 | if object_type is None or isinstance(obj, object_type): |
412 | 412 | objects.append(obj) |
413 | 413 | except exception.ManagedObjectNotFoundError as e: |
414 | LOG.warning(_("Error occurred while retrieving object " | |
415 | "metadata, not adding it to the list: %s"), e) | |
414 | LOG.warning("Error occurred while retrieving object " | |
415 | "metadata, not adding it to the list: %s", e) | |
416 | 416 | pass |
417 | 417 | return objects |
418 | ||
419 | def list_options_for_discovery(self): | |
420 | return [(_VAULT_OPT_GROUP, _vault_opts)] |
11 | 11 | # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the |
12 | 12 | # License for the specific language governing permissions and limitations |
13 | 13 | # under the License. |
14 | from stevedore import ExtensionManager | |
15 | ||
14 | 16 | from oslo_config import cfg |
15 | 17 | from oslo_log import log |
16 | 18 | |
17 | from castellan import key_manager as km | |
19 | from castellan import key_manager | |
18 | 20 | try: |
19 | 21 | from castellan.key_manager import barbican_key_manager as bkm |
20 | 22 | except ImportError: |
65 | 67 | :param barbican_endpoint_type: Use this to specify the type of URL. |
66 | 68 | : Valid values are: public, internal or admin. |
67 | 69 | """ |
68 | conf.register_opts(km.key_manager_opts, group='key_manager') | |
69 | if bkm: | |
70 | conf.register_opts(bkm.barbican_opts, group=bkm.BARBICAN_OPT_GROUP) | |
71 | if vkm: | |
72 | conf.register_opts(vkm.vault_opts, group=vkm.VAULT_OPT_GROUP) | |
70 | conf.register_opts(key_manager.key_manager_opts, group='key_manager') | |
71 | ||
72 | ext_mgr = ExtensionManager( | |
73 | "castellan.drivers", | |
74 | invoke_on_load=True, | |
75 | invoke_args=[cfg.CONF]) | |
76 | ||
77 | for km in ext_mgr.names(): | |
78 | for group, opts in ext_mgr[km].obj.list_options_for_discovery(): | |
79 | conf.register_opts(opts, group=group) | |
73 | 80 | |
74 | 81 | # Use the new backend option if set or fall back to the older api_class |
75 | 82 | default_backend = backend or api_class |
79 | 86 | if bkm is not None: |
80 | 87 | if barbican_endpoint is not None: |
81 | 88 | conf.set_default('barbican_endpoint', barbican_endpoint, |
82 | group=bkm.BARBICAN_OPT_GROUP) | |
89 | group=bkm._BARBICAN_OPT_GROUP) | |
83 | 90 | if barbican_api_version is not None: |
84 | 91 | conf.set_default('barbican_api_version', barbican_api_version, |
85 | group=bkm.BARBICAN_OPT_GROUP) | |
92 | group=bkm._BARBICAN_OPT_GROUP) | |
86 | 93 | if auth_endpoint is not None: |
87 | 94 | conf.set_default('auth_endpoint', auth_endpoint, |
88 | group=bkm.BARBICAN_OPT_GROUP) | |
95 | group=bkm._BARBICAN_OPT_GROUP) | |
89 | 96 | if retry_delay is not None: |
90 | 97 | conf.set_default('retry_delay', retry_delay, |
91 | group=bkm.BARBICAN_OPT_GROUP) | |
98 | group=bkm._BARBICAN_OPT_GROUP) | |
92 | 99 | if number_of_retries is not None: |
93 | 100 | conf.set_default('number_of_retries', number_of_retries, |
94 | group=bkm.BARBICAN_OPT_GROUP) | |
101 | group=bkm._BARBICAN_OPT_GROUP) | |
95 | 102 | if verify_ssl is not None: |
96 | 103 | conf.set_default('verify_ssl', verify_ssl, |
97 | group=bkm.BARBICAN_OPT_GROUP) | |
104 | group=bkm._BARBICAN_OPT_GROUP) | |
98 | 105 | if barbican_endpoint_type is not None: |
99 | 106 | conf.set_default('barbican_endpoint_type', barbican_endpoint_type, |
100 | group=bkm.BARBICAN_OPT_GROUP) | |
107 | group=bkm._BARBICAN_OPT_GROUP) | |
101 | 108 | |
102 | 109 | if vkm is not None: |
103 | 110 | if vault_root_token_id is not None: |
150 | 157 | :returns: a list of (group_name, opts) tuples |
151 | 158 | """ |
152 | 159 | key_manager_opts = [] |
153 | key_manager_opts.extend(km.key_manager_opts) | |
160 | key_manager_opts.extend(key_manager.key_manager_opts) | |
154 | 161 | key_manager_opts.extend(utils.credential_opts) |
155 | 162 | opts = [('key_manager', key_manager_opts)] |
156 | 163 | |
157 | if bkm is not None: | |
158 | opts.append((bkm.BARBICAN_OPT_GROUP, bkm.barbican_opts)) | |
159 | if vkm is not None: | |
160 | opts.append((vkm.VAULT_OPT_GROUP, vkm.vault_opts)) | |
164 | ext_mgr = ExtensionManager( | |
165 | "castellan.drivers", | |
166 | invoke_on_load=True, | |
167 | invoke_args=[cfg.CONF]) | |
168 | ||
169 | for driver in ext_mgr.names(): | |
170 | opts.extend(ext_mgr[driver].obj.list_options_for_discovery()) | |
171 | ||
161 | 172 | return opts |
39 | 39 | barbican_endpoint = 'http://test-server.org:9311/' |
40 | 40 | options.set_defaults(conf, barbican_endpoint=barbican_endpoint) |
41 | 41 | self.assertEqual(barbican_endpoint, |
42 | conf.get(bkm.BARBICAN_OPT_GROUP).barbican_endpoint) | |
42 | conf.barbican.barbican_endpoint) | |
43 | 43 | |
44 | 44 | barbican_api_version = 'vSomething' |
45 | 45 | options.set_defaults(conf, barbican_api_version=barbican_api_version) |
46 | 46 | self.assertEqual(barbican_api_version, |
47 | conf.get(bkm.BARBICAN_OPT_GROUP).barbican_api_version) | |
47 | conf.barbican.barbican_api_version) | |
48 | 48 | |
49 | 49 | auth_endpoint = 'http://test-server.org/identity' |
50 | 50 | options.set_defaults(conf, auth_endpoint=auth_endpoint) |
51 | 51 | self.assertEqual(auth_endpoint, |
52 | conf.get(bkm.BARBICAN_OPT_GROUP).auth_endpoint) | |
52 | conf.barbican.auth_endpoint) | |
53 | 53 | |
54 | 54 | retry_delay = 3 |
55 | 55 | options.set_defaults(conf, retry_delay=retry_delay) |
56 | 56 | self.assertEqual(retry_delay, |
57 | conf.get(bkm.BARBICAN_OPT_GROUP).retry_delay) | |
57 | conf.barbican.retry_delay) | |
58 | 58 | |
59 | 59 | number_of_retries = 10 |
60 | 60 | options.set_defaults(conf, number_of_retries=number_of_retries) |
61 | 61 | self.assertEqual(number_of_retries, |
62 | conf.get(bkm.BARBICAN_OPT_GROUP).number_of_retries) | |
62 | conf.barbican.number_of_retries) | |
63 | 63 | |
64 | 64 | verify_ssl = True |
65 | 65 | options.set_defaults(conf, verify_ssl=True) |
66 | 66 | self.assertEqual(verify_ssl, |
67 | conf.get(bkm.BARBICAN_OPT_GROUP).verify_ssl) | |
67 | conf.barbican.verify_ssl) | |
68 | 68 | |
69 | 69 | barbican_endpoint_type = 'internal' |
70 | 70 | options.set_defaults(conf, barbican_endpoint_type='internal') |
71 | result_type = conf.get(bkm.BARBICAN_OPT_GROUP).barbican_endpoint_type | |
71 | result_type = conf.barbican.barbican_endpoint_type | |
72 | 72 | self.assertEqual(barbican_endpoint_type, result_type) |
0 | --- | |
1 | features: | |
2 | - | | |
3 | Enhance the global option listing to discover available key managers and | |
4 | their options. The purpose of this feature is to have a correct listing of | |
5 | the supported key managers, now each key manager is responsible for | |
6 | advertising the oslo.config groups/options they consume. | |
7 | other: | |
8 | - | | |
9 | The visibility of module variables and constants related to oslo.config | |
10 | options changed to private in both barbican and vault key managers. The | |
11 | key managers are only responsible for overloading the method | |
12 | list_options_for_discovery() in order to advertise their own options. | |
13 | This way, the global options doesn't need to know which variables to look | |
14 | for. |