In a production environment, you can verify your installation of the Barbican key management service by running the barbican-status.yml Ansible playbook on the Cloud Lifecycle Manager node:

    ansible-playbook -i hosts/verb_hosts barbican-status.yml
In any non-production environment, in addition to running the playbook, you can also verify the service end to end by storing a secret in Barbican and retrieving it again.
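The following script is an added example of that store-and-retrieve check; it is not part of the original documentation or of the Barbican project. It talks to the Barbican v1 REST API with only the Python standard library and assumes two environment variables that the page does not define: BARBICAN_URL (the Barbican endpoint, for example the one behind OS_AUTH_URL's catalog) and OS_TOKEN (a Keystone token for the admin user configured in barbican.osrc). The transport parameter exists so the check can be exercised against a fake service without network access.

```python
"""Round-trip check: store a secret in Barbican, read it back, delete it.

Added example, not project code. Assumes BARBICAN_URL and OS_TOKEN are set
(both names are assumptions, not values from the documentation).
"""
import json
import os
import secrets
import urllib.request
from urllib.error import HTTPError


def http_request(method, url, token, body=None, accept="application/json"):
    """Minimal HTTP helper for the Barbican API: returns (status, body_text)."""
    data = body.encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("X-Auth-Token", token)
    req.add_header("Accept", accept)
    if data is not None:
        req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode()
    except HTTPError as err:
        return err.code, err.read().decode()


def verify_secret_round_trip(base_url, token, transport=http_request):
    """Store a random secret, read its payload back, then delete it.

    Returns a dict describing each step so the caller can see where the
    service failed; ``ok`` is True only when store, get and delete all
    succeeded and the payload came back identical to what was stored.
    """
    payload = secrets.token_hex(16)                 # throwaway secret value
    name = "barbican-verify-" + secrets.token_hex(4)
    result = {"name": name, "ok": False}

    # Barbican v1: POST /v1/secrets returns 201 and {"secret_ref": "<url>"}
    status, body = transport(
        "POST", base_url.rstrip("/") + "/v1/secrets", token,
        body=json.dumps({"name": name, "payload": payload,
                         "payload_content_type": "text/plain"}))
    result["store_status"] = status
    if status != 201:
        return result
    secret_ref = json.loads(body)["secret_ref"]
    result["secret_ref"] = secret_ref

    # GET <secret_ref>/payload with Accept: text/plain returns the raw payload
    status, got = transport("GET", secret_ref + "/payload", token, accept="text/plain")
    result["get_status"] = status
    result["payload_matches"] = (status == 200 and got == payload)

    # Clean up the test secret; DELETE returns 204 on success
    status, _ = transport("DELETE", secret_ref, token)
    result["delete_status"] = status

    result["ok"] = bool(result["payload_matches"] and status == 204)
    return result


if __name__ == "__main__":
    outcome = verify_secret_round_trip(os.environ["BARBICAN_URL"], os.environ["OS_TOKEN"])
    print(json.dumps(outcome, indent=2))
    raise SystemExit(0 if outcome["ok"] else 1)
```

The script deletes the test secret it created whether or not the payload matched, and it exits non-zero on any failed step, so it can sit in a post-deployment check alongside the barbican-status.yml playbook.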
Some Barbican features and service configurations can be changed. This is done using the Cloud Lifecycle Manager Reconfigure Ansible playbook. For example, the log level can be changed from INFO to DEBUG and vice versa. If needed, this change can be restricted to a set of nodes via the playbook's host limit option. Barbican administration tasks should be performed by an admin user with a token scoped to the default domain via the Keystone identity API. These settings are preconfigured in the barbican.osrc file. By default, barbican.osrc is configured with the admin endpoint. If the admin endpoint is not accessible from your network, change OS_AUTH_URL to point to the public endpoint.
The following Barbican configuration settings can be changed:

- Anything in the main Barbican configuration file: /etc/barbican/barbican.conf
- Anything in the main Barbican worker configuration file: /etc/barbican/barbican-worker.conf

You can also update the following configuration options and enable the following features. For example, you can:

- Change the verbosity of logs written to the Barbican log files (/var/log/barbican/).
- Enable and disable auditing of the Barbican key management service.
- Edit the barbican_secret_store plug-ins. The two options are:
  - store_crypto, which stores the secrets in the database
  - kmip_plugin, which stores the secrets in KMIP-enabled external devices
Auditing of Barbican key manager events can be enabled or disabled by following these steps on the Cloud Lifecycle Manager node.

1. Edit the file ~/openstack/my_cloud/definition/cloudConfig.yml. All audit-related configuration is defined under the audit-settings section. Valid YAML syntax is required when specifying values. Service names listed under enabled-services or disabled-services override the default setting (that is, default: enabled or default: disabled).

   To enable auditing, make sure that the barbican service name is listed in the enabled-services list of the audit-settings section, or is not listed in the disabled-services list when default: is set to enabled.

   To disable auditing for the Barbican service specifically, make sure that the barbican service name is in the disabled-services list of the audit-settings section, or is not present in the enabled-services list when default: is set to disabled. You should not specify the service name in both lists. If it is specified in both, the enabled-services list takes precedence.
2. Commit the change in the git repository:

       cd ~/openstack/ardana/ansible
       git add -A
       git commit -m "My config"

3. Run the config-processor-run and ready-deployment playbooks, followed by the barbican-reconfigure playbook:

       cd ~/openstack/ardana/ansible/
       ansible-playbook -i hosts/localhost config-processor-run.yml
       ansible-playbook -i hosts/localhost ready-deployment.yml
       cd ~/scratch/ansible/next/ardana/ansible
       ansible-playbook -i hosts/verb_hosts barbican-reconfigure.yml
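Because the precedence rules for the audit-settings section are easy to get wrong (a service in both lists, or a default that silently covers a service you forgot to list), the following added example works out the effective audit state per service before you commit cloudConfig.yml. It is not part of the original documentation. The dictionary is a constructed stand-in for the parsed audit-settings section; in practice you would load the real section with a YAML parser. The key names default, enabled-services and disabled-services are the ones the documentation uses; the function names are the example's own.

```python
"""Effective audit state per service under the audit-settings precedence rules.

Added example, not project code. SAMPLE_AUDIT_SETTINGS is a constructed
stand-in for the parsed audit-settings section of cloudConfig.yml.
"""

# Constructed sample: barbican is deliberately listed in both lists to show
# the conflict case the documentation warns about.
SAMPLE_AUDIT_SETTINGS = {
    "default": "disabled",
    "enabled-services": ["barbican", "keystone"],
    "disabled-services": ["nova", "barbican"],
}


def _lists(settings):
    """Return (enabled, disabled) as sets; a missing or empty list is allowed."""
    enabled = set(settings.get("enabled-services") or [])
    disabled = set(settings.get("disabled-services") or [])
    return enabled, disabled


def audit_enabled(settings, service):
    """True if auditing is on for `service` under these settings.

    Precedence, as the documentation states it: an entry in enabled-services
    wins over one in disabled-services; either explicit list wins over the
    default; otherwise the default applies.
    """
    enabled, disabled = _lists(settings)
    default = str(settings.get("default", "disabled")).lower()
    if default not in ("enabled", "disabled"):
        raise ValueError(
            f"audit-settings default must be 'enabled' or 'disabled', got {default!r}")
    if service in enabled:
        return True
    if service in disabled:
        return False
    return default == "enabled"


def conflicting_services(settings):
    """Services named in both lists, which the documentation says not to do."""
    enabled, disabled = _lists(settings)
    return sorted(enabled & disabled)


def audit_report(settings):
    """Map every service mentioned in either list to its effective state."""
    enabled, disabled = _lists(settings)
    return {name: ("enabled" if audit_enabled(settings, name) else "disabled")
            for name in sorted(enabled | disabled)}


if __name__ == "__main__":
    for conflict in conflicting_services(SAMPLE_AUDIT_SETTINGS):
        print(f"warning: {conflict} is in both lists; enabled-services takes precedence")
    for name, state in audit_report(SAMPLE_AUDIT_SETTINGS).items():
        print(f"{name}: auditing {state}")
```

Run against the sample, the report shows barbican audited (enabled-services wins), nova not audited, and keystone audited, with a warning about the duplicate barbican entry; a service absent from both lists simply follows default.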
The Barbican API service configuration file (/etc/barbican/barbican.conf), located on each control plane server (controller node), is generated from the following template file located on the Cloud Lifecycle Manager node: /var/lib/ardana/openstack/my_cloud/config/barbican/barbican.conf.j2.

Modify this template file as appropriate. This is a Jinja2 template, which expects certain template variables to be set. Do not change values inside double curly braces: {{ }}.

Once the template is modified, copy the files to ~/openstack/my_cloud/definition/ and commit the change to the local git repository:

    cp -r ~/hp-ci/padawan/* ~/openstack/my_cloud/definition/
    cd ~/openstack/ardana/ansible
    git add -A
    git commit -m "My config"

Then rerun the configuration processor and ready-deployment playbooks:

    cd ~/openstack/ardana/ansible
    ansible-playbook -i hosts/localhost config-processor-run.yml
    ansible-playbook -i hosts/localhost ready-deployment.yml

Finally, run the barbican-reconfigure playbook in the deployment area:

    cd ~/scratch/ansible/next/ardana/ansible
    ansible-playbook -i hosts/verb_hosts barbican-reconfigure.yml
You can start or stop the Barbican service from the Cloud Lifecycle Manager nodes by running the appropriate Ansible playbooks.

To stop the Barbican service:

    cd ~/scratch/ansible/next/ardana/ansible
    ansible-playbook -i hosts/verb_hosts barbican-stop.yml

To start the Barbican service:

    cd ~/scratch/ansible/next/ardana/ansible
    ansible-playbook -i hosts/verb_hosts barbican-start.yml
To change the password for the Barbican administrator:

1. Copy the file as shown below:

       cp ~/openstack/my_cloud/info/private_data_metadata_ccp.yml \
          ~/openstack/change_credentials/

2. Edit the copied file, ~/openstack/change_credentials/private_data_metadata_ccp.yml. Change the credentials for the Barbican admin user and/or the Barbican service user, and remove everything else. The file will look similar to this:

       barbican_admin_password:
         value: 'testing_123'
         metadata:
         - clusters:
           - cluster1
           component: barbican-api
           cp: ccp
           version: '2.0'
       barbican_service_password:
         value: 'testing_123'
         metadata:
         - clusters:
           - cluster1
           component: barbican-api
           cp: ccp
           version: '2.0'

   The value field ('testing_123' above) is optional; it is used to set a user-chosen password. If left blank, the playbook will generate a random password.

3. Execute the following playbooks from ~/openstack/ardana/ansible/:

       cd ~/openstack/ardana/ansible/
       ansible-playbook -i hosts/localhost config-processor-run.yml -e encrypt="" -e rekey=""
       ansible-playbook -i hosts/localhost ready-deployment.yml
       cd ~/scratch/ansible/next/ardana/ansible
       ansible-playbook -i hosts/verb_hosts barbican-reconfigure-credentials-change.yml

4. SSH to the controller and make sure the password has been properly updated:

       /etc/barbican# vi barbican-api-paste.ini

5. You can check the status of Barbican by running the barbican-status.yml Ansible playbook on the Cloud Lifecycle Manager node:

       ansible-playbook -i hosts/verb_hosts barbican-status.yml

6. Make sure you remove ~/openstack/change_credentials/private_data_metadata_ccp.yml after successfully changing the password, since it holds the new credentials in clear text.
All Barbican logging is set to INFO by default. To change the level from the Cloud Lifecycle Manager, there are two options available:

1. Edit the Barbican configuration file barbican_deploy_config.yml in the directory ~/openstack/my_cloud/config/barbican/. To change the log level entry (barbican_loglevel) to DEBUG, edit the entry:

       barbican_loglevel = {{ openstack_loglevel | default('DEBUG') }}

   To change the log level to INFO, edit the entry:

       barbican_loglevel = {{ openstack_loglevel | default('INFO') }}

2. Edit the file ~/openstack/ardana/ansible/roles/KEYMGR-API/templates/api-logging.conf.j2 and update the log level accordingly.

In either case, commit the change to the local git repository:

    cd ~/openstack/ardana/ansible
    git add -A
    git commit -m "My config"

Then run the config-processor-run and ready-deployment playbooks, followed by the barbican-reconfigure playbook:

    ansible-playbook -i hosts/localhost config-processor-run.yml
    ansible-playbook -i hosts/localhost ready-deployment.yml
    cd ~/scratch/ansible/next/ardana/ansible
    ansible-playbook -i hosts/verb_hosts barbican-reconfigure.yml