Codebase list python-castellan / ec76047
Merge "Implements KeyManager's option discovery." Zuul authored 4 years ago Gerrit Code Review committed 4 years ago
6 changed file(s) with 90 addition(s) and 45 deletion(s). Raw diff Collapse all Expand all
4646 from six.moves import urllib
4747
4848
49 barbican_opts = [
49 _barbican_opts = [
5050 cfg.StrOpt('barbican_endpoint',
5151 help='Use this endpoint to connect to Barbican, for example: '
5252 '"http://localhost:9311/"'),
7777
7878 ]
7979
80 BARBICAN_OPT_GROUP = 'barbican'
80 _BARBICAN_OPT_GROUP = 'barbican'
8181
8282 LOG = logging.getLogger(__name__)
8383
9797 self._barbican_client = None
9898 self._base_url = None
9999 self.conf = configuration
100 self.conf.register_opts(barbican_opts, group=BARBICAN_OPT_GROUP)
101 loading.register_session_conf_options(self.conf, BARBICAN_OPT_GROUP)
100 self.conf.register_opts(_barbican_opts, group=_BARBICAN_OPT_GROUP)
101 loading.register_session_conf_options(self.conf, _BARBICAN_OPT_GROUP)
102102
103103 def _get_barbican_client(self, context):
104104 """Creates a client to connect to the Barbican service.
633633 except (barbican_exceptions.HTTPAuthError,
634634 barbican_exceptions.HTTPClientError,
635635 barbican_exceptions.HTTPServerError) as e:
636 LOG.error(_("Error listing objects: %s"), e)
636 LOG.error("Error listing objects: %s", e)
637637 raise exception.KeyManagerError(reason=e)
638638
639639 for secret in secrets:
643643 except (barbican_exceptions.HTTPAuthError,
644644 barbican_exceptions.HTTPClientError,
645645 barbican_exceptions.HTTPServerError) as e:
646 LOG.warning(_("Error occurred while retrieving object "
647 "metadata, not adding it to the list: %s"), e)
646 LOG.warning("Error occurred while retrieving object "
647 "metadata, not adding it to the list: %s", e)
648648
649649 return objects
650
651 def list_options_for_discovery(self):
652 return [(_BARBICAN_OPT_GROUP, _barbican_opts)]
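Review bot: `list_options_for_discovery` (new lines 651-652) advertises only `_barbican_opts`, while `__init__` (new line 101) also registers the keystoneauth session options under the same group, so a sample config generated from this hook would omit the session's TLS settings (cafile, certfile, insecure, timeout) for `[barbican]`. keystoneauth1 exposes that list as `loading.get_session_conf_options()`, so `return [(_BARBICAN_OPT_GROUP, _barbican_opts + loading.get_session_conf_options())]` would keep what is advertised in step with what is registered. The same gap exists in the vault hunk, whose `__init__` registers session options under `_VAULT_OPT_GROUP` but advertises only `_vault_opts`. The new method also has no docstring although the base-class version does; a one-liner such as `"""Return the (group, opts) pairs this key manager registers."""` would suffice. The enclosing class starts outside the hunk.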
122122 found, an empty list should be returned instead.
123123 """
124124 return []
125
126 def list_options_for_discovery(self):
127 """Lists the KeyManager's configure options.
128
129 KeyManagers should advertise all supported options through this
130 method for the purpose of sample generation by oslo-config-generator.
131 Each item in the advertised list should be tuple composed by the group
132 name and a list of options belonging to that group. None should be used
133 as the group name for the DEFAULT group.
134
135 :returns: the list of supported options of a KeyManager.
136 """
137 return []
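Review bot: The docstring of the new `list_options_for_discovery` (new lines 127-136) has two wording slips: "Lists the KeyManager's configure options." should read "Lists the KeyManager's configuration options.", and "Each item in the advertised list should be tuple composed by the group name" should read "Each item in the advertised list should be a tuple composed of the group name". It would also help implementers to state in the docstring that options registered on the driver's behalf by other libraries (for example keystoneauth session options) belong in this list too, since the sample generator sees nothing else. The enclosing class starts outside the hunk.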
4242 from castellan.i18n import _
4343 from castellan.key_manager import key_manager
4444
45 DEFAULT_VAULT_URL = "http://127.0.0.1:8200"
46 DEFAULT_MOUNTPOINT = "secret"
47
48 vault_opts = [
45 _DEFAULT_VAULT_URL = "http://127.0.0.1:8200"
46 _DEFAULT_MOUNTPOINT = "secret"
47
48 _vault_opts = [
4949 cfg.StrOpt('root_token_id',
5050 help='root token for vault'),
5151 cfg.StrOpt('approle_role_id',
5353 cfg.StrOpt('approle_secret_id',
5454 help='AppRole secret_id for authentication with vault'),
5555 cfg.StrOpt('kv_mountpoint',
56 default=DEFAULT_MOUNTPOINT,
56 default=_DEFAULT_MOUNTPOINT,
5757 help='Mountpoint of KV store in Vault to use, for example: '
58 '{}'.format(DEFAULT_MOUNTPOINT)),
58 '{}'.format(_DEFAULT_MOUNTPOINT)),
5959 cfg.StrOpt('vault_url',
60 default=DEFAULT_VAULT_URL,
60 default=_DEFAULT_VAULT_URL,
6161 help='Use this endpoint to connect to Vault, for example: '
62 '"%s"' % DEFAULT_VAULT_URL),
62 '"%s"' % _DEFAULT_VAULT_URL),
6363 cfg.StrOpt('ssl_ca_crt_file',
6464 help='Absolute path to ca cert file'),
6565 cfg.BoolOpt('use_ssl',
6767 help=_('SSL Enabled/Disabled')),
6868 ]
6969
70 VAULT_OPT_GROUP = 'vault'
70 _VAULT_OPT_GROUP = 'vault'
7171
7272 _EXCEPTIONS_BY_CODE = [
7373 requests.codes['internal_server_error'],
9393
9494 def __init__(self, configuration):
9595 self._conf = configuration
96 self._conf.register_opts(vault_opts, group=VAULT_OPT_GROUP)
97 loading.register_session_conf_options(self._conf, VAULT_OPT_GROUP)
96 self._conf.register_opts(_vault_opts, group=_VAULT_OPT_GROUP)
97 loading.register_session_conf_options(self._conf, _VAULT_OPT_GROUP)
9898 self._session = requests.Session()
9999 self._root_token_id = self._conf.vault.root_token_id
100100 self._approle_role_id = self._conf.vault.approle_role_id
411411 if object_type is None or isinstance(obj, object_type):
412412 objects.append(obj)
413413 except exception.ManagedObjectNotFoundError as e:
414 LOG.warning(_("Error occurred while retrieving object "
415 "metadata, not adding it to the list: %s"), e)
414 LOG.warning("Error occurred while retrieving object "
415 "metadata, not adding it to the list: %s", e)
416416 pass
417417 return objects
418
419 def list_options_for_discovery(self):
420 return [(_VAULT_OPT_GROUP, _vault_opts)]
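Review bot: `root_token_id` (new lines 49-50) and `approle_secret_id` (new lines 53-54) in `_vault_opts` are credentials but are declared as plain `cfg.StrOpt` without `secret=True`, so `conf.log_opt_values()` and oslo.config debug output will print them in clear text, and the sample config this list now feeds will not flag them as sensitive. Adding the flag to both declarations, e.g. `cfg.StrOpt('root_token_id', secret=True, help='root token for vault'),`, fixes both without changing how the values are read. The `pass` following the `LOG.warning` call at new line 416 is redundant and can be dropped. The new `list_options_for_discovery` at new lines 419-420 lacks a docstring, as does its barbican counterpart. The enclosing class starts outside the hunk.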
1111 # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
1212 # License for the specific language governing permissions and limitations
1313 # under the License.
14 from stevedore import ExtensionManager
15
1416 from oslo_config import cfg
1517 from oslo_log import log
1618
17 from castellan import key_manager as km
19 from castellan import key_manager
1820 try:
1921 from castellan.key_manager import barbican_key_manager as bkm
2022 except ImportError:
6567 :param barbican_endpoint_type: Use this to specify the type of URL.
6668 : Valid values are: public, internal or admin.
6769 """
68 conf.register_opts(km.key_manager_opts, group='key_manager')
69 if bkm:
70 conf.register_opts(bkm.barbican_opts, group=bkm.BARBICAN_OPT_GROUP)
71 if vkm:
72 conf.register_opts(vkm.vault_opts, group=vkm.VAULT_OPT_GROUP)
70 conf.register_opts(key_manager.key_manager_opts, group='key_manager')
71
72 ext_mgr = ExtensionManager(
73 "castellan.drivers",
74 invoke_on_load=True,
75 invoke_args=[cfg.CONF])
76
77 for km in ext_mgr.names():
78 for group, opts in ext_mgr[km].obj.list_options_for_discovery():
79 conf.register_opts(opts, group=group)
7380
7481 # Use the new backend option if set or fall back to the older api_class
7582 default_backend = backend or api_class
7986 if bkm is not None:
8087 if barbican_endpoint is not None:
8188 conf.set_default('barbican_endpoint', barbican_endpoint,
82 group=bkm.BARBICAN_OPT_GROUP)
89 group=bkm._BARBICAN_OPT_GROUP)
8390 if barbican_api_version is not None:
8491 conf.set_default('barbican_api_version', barbican_api_version,
85 group=bkm.BARBICAN_OPT_GROUP)
92 group=bkm._BARBICAN_OPT_GROUP)
8693 if auth_endpoint is not None:
8794 conf.set_default('auth_endpoint', auth_endpoint,
88 group=bkm.BARBICAN_OPT_GROUP)
95 group=bkm._BARBICAN_OPT_GROUP)
8996 if retry_delay is not None:
9097 conf.set_default('retry_delay', retry_delay,
91 group=bkm.BARBICAN_OPT_GROUP)
98 group=bkm._BARBICAN_OPT_GROUP)
9299 if number_of_retries is not None:
93100 conf.set_default('number_of_retries', number_of_retries,
94 group=bkm.BARBICAN_OPT_GROUP)
101 group=bkm._BARBICAN_OPT_GROUP)
95102 if verify_ssl is not None:
96103 conf.set_default('verify_ssl', verify_ssl,
97 group=bkm.BARBICAN_OPT_GROUP)
104 group=bkm._BARBICAN_OPT_GROUP)
98105 if barbican_endpoint_type is not None:
99106 conf.set_default('barbican_endpoint_type', barbican_endpoint_type,
100 group=bkm.BARBICAN_OPT_GROUP)
107 group=bkm._BARBICAN_OPT_GROUP)
101108
102109 if vkm is not None:
103110 if vault_root_token_id is not None:
150157 :returns: a list of (group_name, opts) tuples
151158 """
152159 key_manager_opts = []
153 key_manager_opts.extend(km.key_manager_opts)
160 key_manager_opts.extend(key_manager.key_manager_opts)
154161 key_manager_opts.extend(utils.credential_opts)
155162 opts = [('key_manager', key_manager_opts)]
156163
157 if bkm is not None:
158 opts.append((bkm.BARBICAN_OPT_GROUP, bkm.barbican_opts))
159 if vkm is not None:
160 opts.append((vkm.VAULT_OPT_GROUP, vkm.vault_opts))
164 ext_mgr = ExtensionManager(
165 "castellan.drivers",
166 invoke_on_load=True,
167 invoke_args=[cfg.CONF])
168
169 for driver in ext_mgr.names():
170 opts.extend(ext_mgr[driver].obj.list_options_for_discovery())
171
161172 return opts
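Review bot: In `set_defaults` the new `ExtensionManager(..., invoke_args=[cfg.CONF])` (new lines 72-75) instantiates every driver against the global `cfg.CONF` although the function operates on its `conf` argument, so each driver's `__init__` registers its options on the global object while the explicit `conf.register_opts` loop (new lines 77-79) registers them on `conf`; when a caller passes its own `ConfigOpts`, as the tests do, registrations leak into the global and the two objects diverge. Passing `[conf]` fixes that, and since the identical `ExtensionManager` block is repeated in `list_opts` (new lines 164-170) the lookup is better factored into one helper, with `set_defaults` iterating `_driver_options(conf)` and `list_opts` doing `opts.extend(_driver_options(cfg.CONF))`. Note that `invoke_on_load=True` runs every driver constructor just to read a static list, which for the vault driver presumably means creating a `requests.Session`; a classmethod hook would avoid that but is a design change beyond this commit. Both `set_defaults` and `list_opts` start outside the hunk.
```python
def _driver_options(conf):
    """Yield the (group, opts) pairs advertised by every loadable driver.

    Drivers are instantiated against ``conf`` rather than the global
    ``cfg.CONF`` so that any option registration done in their ``__init__``
    lands on the same ConfigOpts the caller is working with.
    """
    ext_mgr = ExtensionManager(
        "castellan.drivers",
        invoke_on_load=True,
        invoke_args=[conf])
    for name in ext_mgr.names():
        for group, opts in ext_mgr[name].obj.list_options_for_discovery():
            yield group, opts


# … unchanged: set_defaults signature and docstring …
    conf.register_opts(key_manager.key_manager_opts, group='key_manager')
    for group, opts in _driver_options(conf):
        conf.register_opts(opts, group=group)
    # … unchanged: backend / api_class defaults …

# … unchanged: list_opts prologue building opts …
    opts.extend(_driver_options(cfg.CONF))
    return opts
```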
3939 barbican_endpoint = 'http://test-server.org:9311/'
4040 options.set_defaults(conf, barbican_endpoint=barbican_endpoint)
4141 self.assertEqual(barbican_endpoint,
42 conf.get(bkm.BARBICAN_OPT_GROUP).barbican_endpoint)
42 conf.barbican.barbican_endpoint)
4343
4444 barbican_api_version = 'vSomething'
4545 options.set_defaults(conf, barbican_api_version=barbican_api_version)
4646 self.assertEqual(barbican_api_version,
47 conf.get(bkm.BARBICAN_OPT_GROUP).barbican_api_version)
47 conf.barbican.barbican_api_version)
4848
4949 auth_endpoint = 'http://test-server.org/identity'
5050 options.set_defaults(conf, auth_endpoint=auth_endpoint)
5151 self.assertEqual(auth_endpoint,
52 conf.get(bkm.BARBICAN_OPT_GROUP).auth_endpoint)
52 conf.barbican.auth_endpoint)
5353
5454 retry_delay = 3
5555 options.set_defaults(conf, retry_delay=retry_delay)
5656 self.assertEqual(retry_delay,
57 conf.get(bkm.BARBICAN_OPT_GROUP).retry_delay)
57 conf.barbican.retry_delay)
5858
5959 number_of_retries = 10
6060 options.set_defaults(conf, number_of_retries=number_of_retries)
6161 self.assertEqual(number_of_retries,
62 conf.get(bkm.BARBICAN_OPT_GROUP).number_of_retries)
62 conf.barbican.number_of_retries)
6363
6464 verify_ssl = True
6565 options.set_defaults(conf, verify_ssl=True)
6666 self.assertEqual(verify_ssl,
67 conf.get(bkm.BARBICAN_OPT_GROUP).verify_ssl)
67 conf.barbican.verify_ssl)
6868
6969 barbican_endpoint_type = 'internal'
7070 options.set_defaults(conf, barbican_endpoint_type='internal')
71 result_type = conf.get(bkm.BARBICAN_OPT_GROUP).barbican_endpoint_type
71 result_type = conf.barbican.barbican_endpoint_type
7272 self.assertEqual(barbican_endpoint_type, result_type)
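Review bot: With every `conf.get(bkm.BARBICAN_OPT_GROUP)` replaced by `conf.barbican` (new lines 42-71), the `bkm` alias may no longer be referenced anywhere in this test module; if so the import becomes an unused-import lint failure and should be dropped, though the import block is outside the hunk so this is inferred. Hard-coding the `barbican` group name here is reasonable now that the constant is private to the driver, but a one-line comment such as `# group name is private to the driver; mirror it here` would explain why the constant is no longer used. The enclosing test method starts outside the hunk.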
0 ---
1 features:
2 - |
3 Enhance the global option listing to discover available key managers and
4 their options. The purpose of this feature is to have a correct listing of
5 the supported key managers, now each key manager is responsible for
6 advertising the oslo.config groups/options they consume.
7 other:
8 - |
9 The visibility of module variables and constants related to oslo.config
10 options changed to private in both barbican and vault key managers. The
11 key managers are only responsible for overloading the method
12 list_options_for_discovery() in order to advertise their own options.
13 This way, the global options doesn't need to know which variables to look
14 for.