Authentication
==============

Keystone Authentication
-----------------------

The client defers authentication to `Keystone Sessions`_, which provide several
authentication plugins in the `keystoneauth1.identity` namespace.  Below we give
examples of the most commonly used auth plugins.

.. _`Keystone Sessions`: https://docs.openstack.org/keystoneauth/latest/using-sessions.html

Keystone API Version 3 Authentication
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Authentication using Keystone API Version 3 can be achieved using the
`keystoneauth1.identity.V3Password` auth plugin.

Example:

  .. code-block:: python

    from barbicanclient import client
    from keystoneauth1 import identity
    from keystoneauth1 import session

    auth = identity.V3Password(auth_url='http://localhost:5000/v3',
                               username='admin_user',
                               user_domain_name='Default',
                               password='password',
                               project_name='demo',
                               project_domain_name='Default')
    sess = session.Session(auth=auth)
    barbican = client.Client(session=sess)

Keystone API Version 2 Authentication
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Authentication using Keystone API Version 2 can be achieved using the
`keystoneauth1.identity.V2Password` auth plugin.

Example:

  .. code-block:: python

    from barbicanclient import client
    from keystoneauth1 import identity
    from keystoneauth1 import session

    auth = identity.V2Password(auth_url='http://localhost:5000/v2.0',
                               username='admin_user',
                               password='password',
                               tenant_name='demo')
    sess = session.Session(auth=auth)
    barbican = client.Client(session=sess)

Unauthenticated Context
-----------------------

Sometimes it may be useful to work with the client in an unauthenticated
context, for example when using a development instance of Barbican that is
not yet configured to use Keystone for authentication.  In this case, the
Barbican Service endpoint must be provided, in addition to the Project ID that
will be used for context (i.e. the project that owns the secrets you'll be
working with).

Example:

  .. code-block:: python

    from barbicanclient import client

    barbican = client.Client(endpoint='http://localhost:9311',
                             project_id='123456')


CLI Authentication
==================

Keystone V3 Authentication
--------------------------

Barbican can be configured to use Keystone for authentication. The user's
credentials can be passed to Barbican via arguments.

.. code-block:: bash

    $ barbican --os-auth-url <keystone-v3-url> --os-project-domain-id \
    <domain id> --os-user-domain-id <user domain id> --os-username <username> \
    --os-password <password> --os-project-name <project-name> secret list

Typing these arguments for every command is tedious, so authentication via
Keystone can also be configured by setting environment variables. Barbican uses
the same environment variables as python-keystoneclient, so if you already have
the keystone client configured you can skip this section.

An example clientrc file is provided in the main python-barbicanclient
directory.

.. code-block:: bash

    export OS_PROJECT_NAME=<YourProjectName>

    # Either Project Domain ID or Project Domain Name is required
    export OS_PROJECT_DOMAIN_ID=<YourProjectDomainID>
    export OS_PROJECT_DOMAIN_NAME=<YourProjectDomainName>

    # Either User Domain ID or User Domain Name is required
    export OS_USER_DOMAIN_ID=<YourUserDomainID>
    export OS_USER_DOMAIN_NAME=<YourUserDomainName>

    # Either User ID or Username can be used
    export OS_USER_ID=<YourUserID>
    export OS_USERNAME=<YourUserName>

    export OS_PASSWORD=<YourPassword>

    # OS_AUTH_URL should be your location of Keystone
    # Barbican Client defaults to Keystone V3
    export OS_AUTH_URL="<YourAuthURL>:5000/v3/"
    export BARBICAN_ENDPOINT="<YourBarbicanEndpoint>:9311"


Make any appropriate changes to this file.

You will need to source it into your environment in each new shell session:

.. code-block:: bash

    source ~/clientrc

If you would like, you can configure your bash to load the variables on
each login:

.. code-block:: bash

    echo "source ~/clientrc" >> ~/.bashrc
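
The clientrc rules above (auth URL, password and project name, plus one of each ID/name pair) can be checked before a session is built, and because the file stores ``OS_PASSWORD`` in plain text its permissions are worth checking as well. This is an added example, not code from python-barbicanclient; the function names ``v3_password_kwargs``, ``clientrc_is_private`` and ``barbican_from_env`` are hypothetical.

```python
import os
import stat

# clientrc variable -> V3Password keyword. Each entry in EITHER is an ID/name
# pair for which the clientrc comments require at least one of the two.
REQUIRED = {"OS_AUTH_URL": "auth_url", "OS_PASSWORD": "password",
            "OS_PROJECT_NAME": "project_name"}
EITHER = [
    (("OS_PROJECT_DOMAIN_ID", "project_domain_id"),
     ("OS_PROJECT_DOMAIN_NAME", "project_domain_name")),
    (("OS_USER_DOMAIN_ID", "user_domain_id"),
     ("OS_USER_DOMAIN_NAME", "user_domain_name")),
    (("OS_USER_ID", "user_id"), ("OS_USERNAME", "username")),
]


def v3_password_kwargs(env):
    """Build V3Password kwargs from env; errors name variables, never values."""
    kwargs, missing = {}, []
    for var, kw in REQUIRED.items():
        if env.get(var):
            kwargs[kw] = env[var]
        else:
            missing.append(var)
    for pair in EITHER:
        chosen = next(((v, k) for v, k in pair if env.get(v)), None)
        if chosen:  # the ID form wins when both forms are set
            kwargs[chosen[1]] = env[chosen[0]]
        else:
            missing.append(" or ".join(v for v, _ in pair))
    if missing:
        raise ValueError("unset: " + "; ".join(missing))
    return kwargs


def clientrc_is_private(path):
    """True if the file holding OS_PASSWORD has no group/other permission bits."""
    return (stat.S_IMODE(os.stat(path).st_mode) & 0o077) == 0


def barbican_from_env(env=os.environ):
    # Imported here so the checks above run without the client libraries.
    from barbicanclient import client
    from keystoneauth1 import identity, session
    auth = identity.V3Password(**v3_password_kwargs(env))
    return client.Client(session=session.Session(auth=auth))
```
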

Keystone Token Authentication
-----------------------------

Barbican can be configured to use Keystone tokens for authentication. The
user's credentials can be passed to Barbican via arguments.

.. code-block:: bash

    $ barbican --os-auth-url <auth_endpoint> --os-auth-token <auth_token> \
    --os-project-id <project_id> secret list

As with password authentication, you can specify these values via
environment variables. Refer to `Keystone V3 authentication`_ for more
information.


No Auth Mode
------------

When working with a Barbican instance that does not use Keystone authentication
(e.g. during development) you can use the :code:`--no-auth` option. If you do
this, you'll have to specify the Barbican endpoint and the project ID
(:code:`--os-project-id`). This is because Barbican normally gets the endpoint
and tenant ID from Keystone.