3 Key Management Service Administration
3.1 Post-installation verification and administration
In a production environment, you can verify your installation of the barbican key management service by running the barbican-status.yml Ansible playbook on the Cloud Lifecycle Manager node:
ansible-playbook -i hosts/verb_hosts barbican-status.yml
In a non-production environment, in addition to running the playbook, you can also verify the service by storing a secret in barbican and retrieving it again.
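The store-and-retrieve check mentioned above, written out as a small smoke test. This is an added example, not a script from the SUSE documentation or the barbican project; it assumes the python-barbicanclient plugin for the openstack CLI is installed and that the barbican.osrc credentials file has already been sourced in the shell.

```shell
#!/bin/sh
# Added example (not part of the original documentation): a non-production
# smoke test that stores a secret in barbican, reads it back through the
# returned href, compares it with what was sent, and deletes it again.
# Assumes "source ~/barbican.osrc" (location is an assumption) has been run
# and that the openstack CLI has the barbican "secret" commands available.
set -u

# barbican_roundtrip NAME PAYLOAD
# Prints the secret href and returns 0 only if the payload read back from
# barbican matches the payload that was stored; returns 1 on any failure.
barbican_roundtrip() {
    name="$1"
    payload="$2"

    # Store the secret and keep only the href column from the CLI output.
    href=$(openstack secret store --name "$name" --payload "$payload" \
               -f value -c "Secret href") || return 1

    # Read the payload back using the href barbican handed us.
    fetched=$(openstack secret get "$href" --payload -f value -c Payload) || return 1

    # Clean up so the test secret does not linger in the store.
    openstack secret delete "$href" >/dev/null || return 1

    if [ "$fetched" = "$payload" ]; then
        echo "$href"
        return 0
    fi
    echo "payload mismatch for $href" >&2
    return 1
}

# Example invocation (uncomment to run against a live, non-production cloud):
# barbican_roundtrip smoke-test 'constructed-test-value' && echo "round trip OK"
```

The payload comparison is the point of the check: a successful `secret store` only proves the API accepted the request, while a matching `secret get` proves the configured secret store plug-in can both write and read.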
3.2 Updating the barbican Key Management Service
Some barbican features and service configurations can be changed. This is done using the Cloud Lifecycle Manager reconfigure Ansible playbook. For example, the log level can be changed from INFO to DEBUG and vice versa. If needed, this change can be restricted to a set of nodes via the playbook's host limit option. barbican administration tasks should be performed by an admin user with a token scoped to the default domain via the keystone identity API. These settings are preconfigured in the barbican.osrc file. By default, barbican.osrc is configured with the admin endpoint. If the admin endpoint is not accessible from your network, change OS_AUTH_URL to point to the public endpoint.
3.3 barbican Settings
The following barbican configuration settings can be changed:
- Anything in the main barbican configuration file: /etc/barbican/barbican.conf
- Anything in the main barbican worker configuration file: /etc/barbican/barbican-worker.conf
You can also update the following configuration options and enable the following features. For example, you can:
- Change the verbosity of logs written to the barbican log files (/var/log/barbican/).
- Enable and disable auditing of the barbican key management service.
- Edit the barbican_secret_store plug-ins. The two options are:
  - store_crypto, used to store the secrets in the database
  - kmip_plugin, used to store the secrets in KMIP-enabled external devices
3.4 Enable or Disable Auditing of barbican Events
Auditing of barbican key manager events can be enabled or disabled by following these steps on the Cloud Lifecycle Manager node.
1. Edit the file ~/openstack/my_cloud/definition/cloudConfig.yml. All audit-related configuration is defined under the audit-settings section. Valid YAML syntax is required when specifying values. A service name listed under enabled-services or disabled-services overrides the default setting (that is, default: enabled or default: disabled).
   To enable auditing, make sure that the barbican service name is listed in the enabled-services list of the audit-settings section, or is not listed in the disabled-services list when default: is set to enabled.
   To disable auditing for the barbican service specifically, make sure that the barbican service name is in the disabled-services list of the audit-settings section, or is not present in the enabled-services list when default: is set to disabled. You should not specify the service name in both lists. If it is specified in both, the enabled-services list takes precedence.
2. Commit the change to the git repository:
   cd ~/openstack/ardana/ansible
   git add -A
   git commit -m "My config"
3. Run the configuration-processor-run and ready-deployment playbooks, followed by the barbican-reconfigure playbook:
   cd ~/openstack/ardana/ansible/
   ansible-playbook -i hosts/localhost config-processor-run.yml
   ansible-playbook -i hosts/localhost ready-deployment.yml
   cd ~/scratch/ansible/next/ardana/ansible
   ansible-playbook -i hosts/verb_hosts barbican-reconfigure.yml
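The precedence rules in step 1 (an explicit list entry overrides default:, and enabled-services wins when a service is listed in both) are easy to get wrong by hand, so here is an added helper that applies them to an audit-settings block before you run the reconfigure. This is example code, not part of the documentation or of Ardana; it assumes the audit-settings block uses exactly the keys named on this page (default, enabled-services, disabled-services) with one "- service" entry per line, and it ignores any other keys.

```shell
#!/bin/sh
# Added example (not part of the original documentation): report whether
# auditing will effectively be on for a service, given a cloudConfig.yml
# audit-settings block on stdin.  Assumes the keys default:,
# enabled-services: and disabled-services: as described in section 3.4.

# audit_state SERVICE < audit-settings-block
# Prints "enabled" or "disabled" according to the page's rules:
#   1. a service named in enabled-services is enabled (even if it is also in
#      disabled-services, because enabled-services takes precedence);
#   2. otherwise a service named in disabled-services is disabled;
#   3. otherwise the value of default: applies.
audit_state() {
    service="$1"
    awk -v svc="$service" '
        /^[ \t]*default:/           { def = $2 }
        /^[ \t]*enabled-services:/  { list = "enabled";  next }
        /^[ \t]*disabled-services:/ { list = "disabled"; next }
        /^[ \t]*-[ \t]*/            { if ($2 == svc) seen[list] = 1; next }
        /^[ \t]*[a-zA-Z-]+:/        { list = "" }   # any other key ends the list
        END {
            if (seen["enabled"])       print "enabled"
            else if (seen["disabled"]) print "disabled"
            else                       print def
        }'
}

# Constructed sample block (the kind of fragment you would find under
# audit-settings in cloudConfig.yml); barbican is deliberately in both lists
# to show that enabled-services wins.
SAMPLE_AUDIT_SETTINGS='audit-settings:
  default: disabled
  enabled-services:
    - barbican
  disabled-services:
    - barbican
    - nova'

# Example invocation: prints "enabled" for barbican with the sample above.
# printf "%s\n" "$SAMPLE_AUDIT_SETTINGS" | audit_state barbican
```

Run it against the real file with something like `sed -n '/audit-settings:/,/^[a-z]/p' ~/openstack/my_cloud/definition/cloudConfig.yml | audit_state barbican` (the sed range is an assumption about where the block sits in your file) and compare the result with the state you intended before committing.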
3.5 Updating the barbican API Service Configuration File
The barbican API service configuration file (/etc/barbican/barbican.conf), located on each control plane server (controller node), is generated from the following template file located on the Cloud Lifecycle Manager node:
/var/lib/ardana/openstack/my_cloud/config/barbican/barbican.conf.j2
Modify this template file as appropriate. This is a Jinja2 template, which expects certain template variables to be set. Do not change values inside double curly braces: {{ }}.
Once the template is modified, copy the files to ~/openstack/my_cloud/definition/ and commit the change to the local git repository:
cp -r ~/hp-ci/padawan/* ~/openstack/my_cloud/definition/
cd ~/openstack/ardana/ansible
git add -A
git commit -m "My config"
Then rerun the configuration processor and ready-deployment playbooks:
cd ~/openstack/ardana/ansible
ansible-playbook -i hosts/localhost config-processor-run.yml
ansible-playbook -i hosts/localhost ready-deployment.yml
Finally, run the barbican-reconfigure playbook in the deployment area:
cd ~/scratch/ansible/next/ardana/ansible
ansible-playbook -i hosts/verb_hosts barbican-reconfigure.yml
3.6 Starting and Stopping the barbican Service
You can start or stop the barbican service from the Cloud Lifecycle Manager nodes by running the appropriate Ansible playbooks.
To stop the barbican service:
cd ~/scratch/ansible/next/ardana/ansible
ansible-playbook -i hosts/verb_hosts barbican-stop.yml
To start the barbican service:
cd ~/scratch/ansible/next/ardana/ansible
ansible-playbook -i hosts/verb_hosts barbican-start.yml
3.7 Changing or Resetting a Password
To change the password for the barbican administrator:
1. Copy the file as shown below:
   cp ~/openstack/my_cloud/info/private_data_metadata_ccp.yml \
      ~/openstack/change_credentials/
2. Edit private_data_metadata_ccp.yml, now found at ~/openstack/change_credentials/private_data_metadata_ccp.yml. Change the credentials for the barbican admin user and/or the barbican service user, and remove everything else. The file will look similar to this:
   barbican_admin_password:
     value: 'testing_123'
     metadata:
     - clusters:
       - cluster1
       component: barbican-api
       cp: ccp
     version: '2.0'
   barbican_service_password:
     value: 'testing_123'
     metadata:
     - clusters:
       - cluster1
       component: barbican-api
       cp: ccp
     version: '2.0'
   The value field ('testing_123' in the example above) is optional; it is used to set a user-chosen password. If left blank, the playbook will generate a random password.
3. Execute the following playbooks from ~/openstack/ardana/ansible/:
   cd ~/openstack/ardana/ansible/
   ansible-playbook -i hosts/localhost config-processor-run.yml -e encrypt="" -e rekey=""
   ansible-playbook -i hosts/localhost ready-deployment.yml
   cd ~/scratch/ansible/next/ardana/ansible
   ansible-playbook -i hosts/verb_hosts barbican-reconfigure-credentials-change.yml
4. SSH to the controller and make sure the password has been properly updated:
   /etc/barbican# vi barbican-api-paste.ini
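Step 2 asks you to keep only the two barbican entries and remove everything else from the copied metadata file, which is tedious and error-prone when the file holds credentials for every service. The following added helper does that pruning mechanically; it is example code, not part of the documentation or of Ardana, and it assumes the file is flat YAML whose top-level keys start in column one (as in the sample above) so that a block is "everything until the next unindented line".

```shell
#!/bin/sh
# Added example (not part of the original documentation): keep only the
# named top-level YAML blocks from private_data_metadata_ccp.yml so that the
# credentials-change playbook sees just the barbican entries.
# Assumes top-level keys start in column one and their bodies are indented.

# keep_top_level_keys KEY... < input.yml
# Copies each top-level block whose key is in KEY... to stdout; drops the rest.
keep_top_level_keys() {
    awk -v keep="$*" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) want[k[i]] = 1 }
        /^[^ \t#]/ {                     # unindented line: a new top-level key
            key = $1; sub(/:$/, "", key)
            copying = (key in want)
        }
        copying { print }'
}

# prepare_credential_change
# Performs step 1 and the pruning part of step 2 in one go.  The paths are
# the ones given in section 3.7; edit the value: fields afterwards if you
# want to choose the passwords rather than have them generated.
prepare_credential_change() {
    src="$HOME/openstack/my_cloud/info/private_data_metadata_ccp.yml"
    dst="$HOME/openstack/change_credentials/private_data_metadata_ccp.yml"
    mkdir -p "$(dirname "$dst")"
    keep_top_level_keys barbican_admin_password barbican_service_password < "$src" > "$dst"
    # Refuse to continue if the pruned file came out empty (wrong key names
    # or a different file layout than assumed).
    [ -s "$dst" ] || { echo "no barbican entries found in $src" >&2; return 1; }
    echo "$dst"
}
```

Because the pruned file still contains plaintext passwords, remove it after the reconfigure has succeeded, as section 3.8 reminds you.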
3.8 Checking barbican Status
You can check the status of barbican by running the barbican-status.yml Ansible playbook on the Cloud Lifecycle Manager node:
ansible-playbook -i hosts/verb_hosts barbican-status.yml
Make sure you remove ~/openstack/change_credentials/private_data_metadata_ccp.yml after successfully changing the password.
3.9 Updating Logging Configuration
All barbican logging is set to INFO by default. To change the level from the Cloud Lifecycle Manager, there are two options available:
- Edit the barbican configuration file barbican_deploy_config.yml in the directory ~/openstack/my_cloud/config/barbican/. To change the log level entry (barbican_loglevel) to DEBUG, edit the entry:
  barbican_loglevel = {{ openstack_loglevel | default('DEBUG') }}
  To change the log level back to INFO, edit the entry:
  barbican_loglevel = {{ openstack_loglevel | default('INFO') }}
- Edit the file ~/openstack/ardana/ansible/roles/KEYMGR-API/templates/api-logging.conf.j2 and update the log level accordingly.
Then commit the change to the local git repository:
cd ~/openstack/ardana/ansible
git add -A
git commit -m "My config"
Run the configuration-processor-run and ready-deployment playbooks, followed by the barbican-reconfigure playbook:
ansible-playbook -i hosts/localhost config-processor-run.yml
ansible-playbook -i hosts/localhost ready-deployment.yml
cd ~/scratch/ansible/next/ardana/ansible
ansible-playbook -i hosts/verb_hosts barbican-reconfigure.yml