Barbican is the OpenStack Key Manager service: a REST API for the secure storage, provisioning and management of secrets such as passwords, encryption keys and X.509 certificates. It is designed to be useful in all environments, including large ephemeral clouds. In this article we install and configure the Barbican Key Manager service on an OpenStack controller.
Setup Pre-requisites
Before you start, make sure the following are in place:
- A working OpenStack controller node (Keystone, RabbitMQ, Memcached, MariaDB, etc.)
- The OpenStack client command-line tool, configured with admin credentials
- The OpenStack repositories for the release you are deploying
I’m performing this setup on OpenStack Victoria release. The operating system I’m working on is CentOS 8.
Step 1: Create the Barbican Keystone user, service and endpoints
List the projects and note the services project, which the Barbican service user will belong to:
$ openstack project list
+----------------------------------+----------+
| ID | Name |
+----------------------------------+----------+
| 2c8e785c03784727810cbff8f72a3b8b | services |
| 7fdb463fda8e4d4ea0b185d940cff995 | admin |
+----------------------------------+----------+
Create a Keystone user for Barbican in the services project. The password below is an example; generate your own strong random one:
$ openstack user create --domain default --project services --password aa18be88b3bd4e1b barbican
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| default_project_id | 2c8e785c03784727810cbff8f72a3b8b |
| domain_id | default |
| enabled | True |
| id | 38de999274fb4dafb9ac39d611eca479 |
| name | barbican |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+
Grant the barbican user the admin role on the services project:
$ openstack role add --project services --user barbican admin
Create the key-manager service entry:
$ openstack service create --name barbican --description "OpenStack Key Manager" key-manager
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | OpenStack Key Manager |
| enabled | True |
| id | 5ecb76475f2c48b9ae6f9d4b502d8b91 |
| name | barbican |
| type | key-manager |
+-------------+----------------------------------+
Before creating the endpoints, store the address of the Barbican API host (usually the controller node) in a variable:
export controller=controllerip
#example: export controller=192.168.30.11
Then create the public, internal and admin API endpoints. Note that all three use plain HTTP: Barbican hands secret payloads to authenticated clients in cleartext, so outside a lab put a TLS-terminating proxy in front of port 9311 and register https:// URLs instead.
Public (external) endpoint:
$ openstack endpoint create --region RegionOne key-manager public http://$controller:9311
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | e59505fd382f4cdda1f53aa6eba687b5 |
| interface | public |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 5ecb76475f2c48b9ae6f9d4b502d8b91 |
| service_name | barbican |
| service_type | key-manager |
| url | http://controllerip:9311 |
+--------------+----------------------------------+
Create an internal endpoint:
$ openstack endpoint create --region RegionOne key-manager internal http://$controller:9311
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 88bdd17a5f5c43d7a709c0837d89e98e |
| interface | internal |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 5ecb76475f2c48b9ae6f9d4b502d8b91 |
| service_name | barbican |
| service_type | key-manager |
| url | http://controllerip:9311 |
+--------------+----------------------------------+
Create admin endpoint:
$ openstack endpoint create --region RegionOne key-manager admin http://$controller:9311
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | fffc8d9fd228498683f12b9f1dcf13ce |
| interface | admin |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 5ecb76475f2c48b9ae6f9d4b502d8b91 |
| service_name | barbican |
| service_type | key-manager |
| url | http://controllerip:9311 |
+--------------+----------------------------------+
Step 2: Configure database for Barbican
Log in to the MariaDB shell as root:
$ mysql -u root -p
Create the barbican database and grant the barbican user privileges on it. The '%' grant lets the user connect from any host; restrict it to the address the API node will connect from if you want tighter scoping:
create database barbican;
grant all privileges on barbican.* to barbican@'localhost' identified by '97e0b4b47ae44d5d';
grant all privileges on barbican.* to barbican@'%' identified by '97e0b4b47ae44d5d';
flush privileges;
\q
Test connectivity to the database:
$ mysql -u barbican -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 725850
Server version: 10.3.28-MariaDB MariaDB Server
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]>
Step 3: Install and Configure Barbican Key Manager Service
Install Barbican packages:
sudo yum -y install openstack-barbican
Back up the default configuration file:
sudo mv /etc/barbican/barbican.conf /etc/barbican/barbican.conf.orig
Create new configuration file:
sudo vim /etc/barbican/barbican.conf
Populate it as shown below, replacing controllerip, dbpassword, rabbitpassword, generatedkek and barbicanuserpassword with your own values. Keep comments on their own lines: oslo.config does not strip a trailing # comment from a value line, so a line such as "project_name = services #project" would send the whole string, comment included, to Keystone.
[DEFAULT]
# API settings
bind_host = 0.0.0.0
bind_port = 9311
host_href = http://controllerip:9311
log_file = /var/log/barbican/api.log
# Database connection
sql_connection = mysql+pymysql://barbican:dbpassword@controllerip/barbican
# RabbitMQ connection. Use the account created for OpenStack services
# (commonly "openstack"); the built-in guest account only accepts
# connections from localhost by default.
transport_url = rabbit://openstack:rabbitpassword@controllerip:5672/
[oslo_policy]
policy_file = /etc/barbican/policy.json
policy_default_rule = default
[secretstore]
namespace = barbican.secretstore.plugin
enabled_secretstore_plugins = store_crypto
[crypto]
namespace = barbican.crypto.plugin
enabled_crypto_plugins = simple_crypto
[simple_crypto_plugin]
# Key Encryption Key that protects every stored secret: 32 random bytes,
# base64-encoded (44 characters ending in '='). Never keep the value from
# Barbican's sample config ('dGhpcnR5X3R3b19ieXRlX2tleWJsYWhibGFoYmxhaGg=');
# it is public, and anyone with a copy of the database could decrypt your
# secrets. Generate a fresh value and back it up: if it is lost, every
# secret in the database is lost with it.
kek = 'generatedkek'
# Keystone authentication
[keystone_authtoken]
www_authenticate_uri = http://controllerip:5000
auth_url = http://controllerip:5000
memcached_servers = controllerip:11211
auth_type = password
project_domain_name = default
user_domain_name = default
# project the barbican user belongs to
project_name = services
# user and password created in step 1
username = barbican
password = barbicanuserpassword
Restrict access to the file. It holds the database, RabbitMQ and Keystone credentials and the KEK, so it must be readable by the barbican service account but by nobody else (the original 644 would have left it world-readable):
sudo chown root:barbican /etc/barbican/barbican.conf
sudo chmod 640 /etc/barbican/barbican.conf
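Two details in the configuration above decide how much the key manager is actually worth: the kek, which encrypts every secret in the database, and the way oslo.config reads value lines. The script below is an added example written for this article; it is not part of Barbican or of the original post. It generates a fresh KEK (32 random bytes, base64-encoded, which is what the simple_crypto plugin's Fernet-based encryption expects) and lints a barbican.conf for a missing, malformed or still-sample KEK and for value lines that carry inline comments. The script name and the /etc/barbican/barbican.conf path are the ones used in this article; nothing else is assumed.

```shell
#!/usr/bin/env bash
# Added example for this article (not Barbican's own tooling): generate a
# KEK for [simple_crypto_plugin] and lint barbican.conf for the mistakes that
# silently weaken it.

# KEK shipped in Barbican's sample configuration. Anyone can look it up, so a
# deployment that keeps it has its secrets encrypted under a public key.
SAMPLE_KEK='dGhpcnR5X3R3b19ieXRlX2tleWJsYWhibGFoYmxhaGg='

# 32 random bytes, base64-encoded in the URL-safe alphabet: 44 characters
# ending in '=', the form the plugin's Fernet-based encryption expects.
generate_kek() {
    head -c 32 /dev/urandom | base64 | tr -d '\n' | tr '/+' '_-'
}

# 0 if $1 is usable: not the sample value, and the encoding of exactly 32
# bytes (43 base64 characters plus one '='). This also rejects the copy of
# the sample key that has lost its trailing '=' in a paste.
check_kek() {
    [ "$1" != "$SAMPLE_KEK" ] || return 1
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/_-]{43}=$'
}

# Print the kek value from a barbican.conf, with a matching pair of
# surrounding quotes removed the way oslo.config removes them.
conf_kek() {
    local v
    v=$(sed -n -E 's/^[[:space:]]*kek[[:space:]]*=[[:space:]]*(.*[^[:space:]])[[:space:]]*$/\1/p' "$1" | head -n 1)
    case $v in
        \'*\') v=${v#\'}; v=${v%\'} ;;
        \"*\") v=${v#\"}; v=${v%\"} ;;
    esac
    printf '%s\n' "$v"
}

# Print every "key = value # comment" line. oslo.config keeps the comment as
# part of the value, so Keystone would be asked for a project literally
# named "services #project name ..." and authentication would fail.
inline_comments() {
    grep -n -E '^[[:space:]]*[A-Za-z_]+[[:space:]]*=[^#]*[^[:space:]#][[:space:]]*#' "$1"
}

# Lint a config file; returns 0 only when nothing was found.
lint_conf() {
    local rc=0
    if ! check_kek "$(conf_kek "$1")"; then
        echo "kek: missing, malformed or still the sample value" >&2
        rc=1
    fi
    if inline_comments "$1" >&2; then
        echo "the lines above carry inline comments that become part of the value" >&2
        rc=1
    fi
    return $rc
}

# Usage: barbican-conf-check.sh --new-kek
#        barbican-conf-check.sh /etc/barbican/barbican.conf
if [ $# -gt 0 ]; then
    case $1 in
        --new-kek) generate_kek; echo ;;
        *) lint_conf "$1" ;;
    esac
fi
```

Run it with --new-kek to print a value for the kek option, paste that into the file, then run it against /etc/barbican/barbican.conf before the migration below; a non-zero exit means the file still has one of the two problems.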
Populate the database schema as the barbican user:
$ su -s /bin/bash barbican -c "barbican-manage db upgrade"
2021-05-24 13:02:23.215 80247 INFO alembic.runtime.migration [-] Context impl MySQLImpl.
2021-05-24 13:02:23.215 80247 INFO alembic.runtime.migration [-] Will assume non-transactional DDL.
2021-05-24 13:02:23.219 80247 INFO alembic.runtime.migration [-] Running upgrade -> 39cf2e645cba, Ocata rebase
2021-05-24 13:02:23.412 80247 INFO alembic.runtime.migration [-] Running upgrade 39cf2e645cba -> 0f8c192a061f, Add Secret Consumers table
Start and enable barbican service:
sudo systemctl enable --now openstack-barbican-api
Check the service status; it should show active (running):
$ systemctl status openstack-barbican-api -l
● openstack-barbican-api.service - Openstack Barbican API server
Loaded: loaded (/usr/lib/systemd/system/openstack-barbican-api.service; enabled; vendor preset: disabled)
Active: active (running) since Mon 2021-05-24 13:10:38 EAT; 21s ago
Process: 83251 ExecStop=/usr/bin/kill -s TERM $MAINPID (code=exited, status=0/SUCCESS)
Main PID: 83253 (gunicorn: maste)
Tasks: 25 (limit: 1647996)
Memory: 1.7G
CGroup: /system.slice/openstack-barbican-api.service
├─83253 gunicorn: master [/etc/barbican/barbican-api-paste.ini]
├─83256 gunicorn: worker [/etc/barbican/barbican-api-paste.ini]
├─83258 gunicorn: worker [/etc/barbican/barbican-api-paste.ini]
├─83259 gunicorn: worker [/etc/barbican/barbican-api-paste.ini]
├─83261 gunicorn: worker [/etc/barbican/barbican-api-paste.ini]
├─83262 gunicorn: worker [/etc/barbican/barbican-api-paste.ini]
├─83263 gunicorn: worker [/etc/barbican/barbican-api-paste.ini]
├─83266 gunicorn: worker [/etc/barbican/barbican-api-paste.ini]
├─83268 gunicorn: worker [/etc/barbican/barbican-api-paste.ini]
├─83270 gunicorn: worker [/etc/barbican/barbican-api-paste.ini]
├─83271 gunicorn: worker [/etc/barbican/barbican-api-paste.ini]
├─83273 gunicorn: worker [/etc/barbican/barbican-api-paste.ini]
├─83275 gunicorn: worker [/etc/barbican/barbican-api-paste.ini]
├─83278 gunicorn: worker [/etc/barbican/barbican-api-paste.ini]
├─83279 gunicorn: worker [/etc/barbican/barbican-api-paste.ini]
├─83282 gunicorn: worker [/etc/barbican/barbican-api-paste.ini]
├─83283 gunicorn: worker [/etc/barbican/barbican-api-paste.ini]
├─83284 gunicorn: worker [/etc/barbican/barbican-api-paste.ini]
├─83285 gunicorn: worker [/etc/barbican/barbican-api-paste.ini]
├─83286 gunicorn: worker [/etc/barbican/barbican-api-paste.ini]
├─83288 gunicorn: worker [/etc/barbican/barbican-api-paste.ini]
├─83290 gunicorn: worker [/etc/barbican/barbican-api-paste.ini]
├─83295 gunicorn: worker [/etc/barbican/barbican-api-paste.ini]
├─83296 gunicorn: worker [/etc/barbican/barbican-api-paste.ini]
└─83297 gunicorn: worker [/etc/barbican/barbican-api-paste.ini]
....
If firewalld is running, open the API port:
sudo firewall-cmd --add-port=9311/tcp --permanent
sudo firewall-cmd --reload
Store a test secret to confirm the service works end to end (the algorithm, bit length and mode in the output are default metadata recorded with the secret, not a description of how Barbican encrypts it at rest):
$ openstack secret store --name mysecret --payload mysecretkey
+---------------+-----------------------------------------------------------------------------+
| Field | Value |
+---------------+-----------------------------------------------------------------------------+
| Secret href | http://controllerip:9311/v1/secrets/47a212f2-015f-4d90-a58b-f5d0404a8d14 |
| Name | mysecret |
| Created | None |
| Status | None |
| Content types | None |
| Algorithm | aes |
| Bit length | 256 |
| Secret type | opaque |
| Mode | cbc |
| Expiration | None |
+---------------+-----------------------------------------------------------------------------+
Confirm the secret is listed:
$ openstack secret list
The Secret href printed above identifies the secret; pass it to secret get with --payload to retrieve the value later:
$ openstack secret get http://controllerip:9311/v1/secrets/47a212f2-015f-4d90-a58b-f5d0404a8d14 --payload
+---------+-------------+
| Field | Value |
+---------+-------------+
| Payload | mysecretkey |
+---------+-------------+
That’s all on how to install and configure the Barbican Key Manager service in your OpenStack cloud. If you have feedback or run into issues, let us know in the comments section.
More on OpenStack:
- Generate Rocky Linux 8 Qcow2 Image for OpenStack / KVM / Qemu
- Install OKD OpenShift 4.8 Cluster on OpenStack
- Create Kubernetes Cluster on OpenStack Magnum with Fedora CoreOS