From 2e4359069e8a50f83fe0dca1103d935212dd2703 Mon Sep 17 00:00:00 2001 From: Mark Goddard Date: Wed, 21 Jun 2017 11:53:14 +0100 Subject: [PATCH] Barbican simple_crypto plugin broken - invalid key When using the simple_crypto plugin, barbican expects the [simple_crypto_plugin] kek config value to be a base64-encoded 32 byte value. However, kolla-ansible is providing a standard autogenerated password. There are two relevant variables in kolla-ansible - barbican_crypto_password (a standard password) and barbican_crypto_key (a HMAC-SHA256 key). There is no use of barbican_crypto_key other than when it is generated. barbican_crypto_password is used to set the [simple_crypto_plugin] kek config value but causes an error when the simple_crypto plugin is used as the value is not in the expected format. Using barbican_crypto_key instead resolves the error. Clearly there is a naming issue here and we should be using barbican_crypto_key instead of barbican_crypto_password. This change removes the barbican_crypto_password variable and uses barbican_crypto_key instead. Change-Id: I63e2b381c260265e5901ee88ca0a649d96952bda Closes-Bug: #1699014 Related-Bug: #1683216 Co-Authored-By: Stig Telfer --- .../roles/barbican/templates/barbican.conf.j2 | 2 +- etc/kolla/passwords.yml | 1 - ...an-simple-crypto-key-f3cd3b8b210ab237.yaml | 21 +++++++++++++++++++ 3 files changed, 22 insertions(+), 2 deletions(-) create mode 100644 releasenotes/notes/barbican-simple-crypto-key-f3cd3b8b210ab237.yaml diff --git a/ansible/roles/barbican/templates/barbican.conf.j2 b/ansible/roles/barbican/templates/barbican.conf.j2 index b0211174d3..343cb6b4db 100644 --- a/ansible/roles/barbican/templates/barbican.conf.j2 +++ b/ansible/roles/barbican/templates/barbican.conf.j2 @@ -40,7 +40,7 @@ hmac_label = 'kolla_hmac' {% if barbican_crypto_plugin == 'simple_crypto' %} [simple_crypto_plugin] # the kek should be a 32-byte value which is base64 encoded -kek = '{{ barbican_crypto_password }}' +kek = '{{ barbican_crypto_key }}' {% endif %} diff --git a/etc/kolla/passwords.yml b/etc/kolla/passwords.yml index c5c45a383c..50b99c5351 100644 --- a/etc/kolla/passwords.yml +++ b/etc/kolla/passwords.yml @@ -31,7 +31,6 @@ barbican_database_password: barbican_keystone_password: barbican_p11_password: barbican_crypto_key: -barbican_crypto_password: keystone_admin_password: keystone_database_password: diff --git a/releasenotes/notes/barbican-simple-crypto-key-f3cd3b8b210ab237.yaml b/releasenotes/notes/barbican-simple-crypto-key-f3cd3b8b210ab237.yaml new file mode 100644 index 0000000000..212571fde3 --- /dev/null +++ b/releasenotes/notes/barbican-simple-crypto-key-f3cd3b8b210ab237.yaml @@ -0,0 +1,21 @@ +--- +upgrade: + - | + Fixes an issue with the barbican service when using the ``simple_crypto`` + plugin whereby an invalid value is generated and used as the plugin's + encryption key. + + The encryption key is configured via the ``[simple_crypto_plugin]: kek`` + configuration option in ``barbican.conf``. This option was previously + configured using the kolla-ansible variable ``barbican_crypto_password``, + but is now configured using ``barbican_crypto_key`` which uses the correct + format. + + Operators that have set ``barbican_crypto_password`` to a valid value + to work around this issue should ensure that ``barbican_crypto_key`` + is configured in ``passwords.yml`` with the same value that was used for + ``barbican_crypto_password``. This will ensure that existing barbican + secrets can be decrypted. + + The variable ``barbican_crypto_password`` may safely be removed from + ``passwords.yml``.