12 Commits

Author SHA1 Message Date
Ionut Balutoiu
e3fccdfa65 Fix Python3 compatibility for kolla-genpwd
The method `Fernet.generate_key()` generates a binary string in Python 3:
```
>>> Fernet.generate_key()
b'qSMZlOK23pZUw_Uyy-ZRPUfPskMXKGCGmhG6AHCFiV8='
```

Unless properly written as a string to the Kolla `passwords.yml` file,
the Fernet key will end up in the final Barbican config like this:
```
[simple_crypto_plugin]
kek = b'qSMZlOK23pZUw_Uyy-ZRPUfPskMXKGCGmhG6AHCFiV8='
```

Due to the fact that the key is incorrectly written to the barbican
config file (it should be written as a string), every barbican secret
store fails with:

```
barbican.api.controllers   File "/var/lib/kolla/venv/lib/python3.6/site-packages/barbican/plugin/store_crypto.py", line 83, in store_secret
barbican.api.controllers     encrypting_plugin, context.project_model)
barbican.api.controllers   File "/var/lib/kolla/venv/lib/python3.6/site-packages/barbican/plugin/store_crypto.py", line 290, in _find_or_create_kek_objects
barbican.api.controllers     kek_meta_dto = plugin_inst.bind_kek_metadata(kek_meta_dto)
barbican.api.controllers   File "/var/lib/kolla/venv/lib/python3.6/site-packages/barbican/plugin/crypto/simple_crypto.py", line 104, in bind_kek_metadata
barbican.api.controllers     encryptor = fernet.Fernet(self.master_kek)
barbican.api.controllers   File "/var/lib/kolla/venv/lib/python3.6/site-packages/cryptography/fernet.py", line 38, in __init__
barbican.api.controllers     "Fernet key must be 32 url-safe base64-encoded bytes."
barbican.api.controllers ValueError: Fernet key must be 32 url-safe base64-encoded bytes.
```

This commit fixes the issue described above by properly writing
the Fernet key as a string to the Kolla `passwords.yml` file.

Closes-Bug: #1848191
Change-Id: I27fc0159c889bc2e1576fdd69b7d02a320b620f8
2019-10-15 11:27:07 +00:00
Maciej Kucia
89e91b69bd cmd: Extract methods to allow import from external
When methods for passwords generation and merge are
extracted then external apps and scripts can use
those methods without resolving to subprocess execution
or injecting sys.argv.

Change-Id: I99aff7852180534129fa36859075306eea776ba9
Signed-off-by: Maciej Kucia <maciej@kucia.net>
2019-03-10 21:02:38 +01:00
Eduardo Gonzalez
b80a63f33f Use fernet for barbican crypto key
Sha password is not always valid for barbican cripto key.
Use a fernet key so it always gets valid.

Not need release note for upgrade, users with a working
barbican not regenerate passwords, only new passwords will
get new type.

Change-Id: Ic8c4ca63219295d697062cff9cbf30fadbe49bf3
2018-07-26 22:01:30 +02:00
Borne Mace
f1768ef7ab Updated genpwd to work with python35
Due to the changes in hmac.new and how binary strings
are dumped in yaml.safe_dump some changes were needed to
make sure that we dumped only strings, not binary strings.

Change-Id: Ic2fbcf2347023c1e9e666203dfe40dbeaf24ce5f
2018-05-22 16:33:40 -07:00
Christian Berendt
bc0f52cdc7 Add missing dot to help string in genpwd.py script
Change-Id: I87df49939f600cfa1041193808ce6bdcf4620ffc
2017-09-14 00:16:19 +02:00
Jenkins
1529d4e54e Merge "Use cryptography instead of pycrypto" 2017-06-19 10:44:53 +00:00
Eduardo Gonzalez
ab4b1ff785 Support OSprofile usage
OSprofile allows user/devs trace OpenStack requests.

Implements: blueprint enable-osprofiler
Co-Authored-By: Bertrand Lallau <bertrand.lallau@gmail.com>
Change-Id: I82ea85d726011ef6cbf99380f395452d6d7f8053
2017-06-02 22:41:33 +02:00
Rui Yuan Dou
43d42d07df Use cryptography instead of pycrypto
pycrypto is no longer maintained [1]. This patch rewrites functions
using pycrypto and replaces them with the cryptography equivalent

[1] http://lists.openstack.org/pipermail/openstack-dev/2017-March/113568.html

Change-Id: I375b5876ec2f4c4f32b9f6b3f41d209a59a0f615
2017-04-24 17:30:13 +08:00
zhuzeyu
a1e2901c30 Use yaml.safe_dump() instead of yaml.dump()
Remove Python specific types from YAML output
Produce only basic YAML tags

Change-Id: Ib6a4c18663897efb7243ed1ff84df1c9f2abf8bf
2017-03-30 16:54:05 +08:00
zhubingbing
6d0e31f232
Fix can't find /usr/lib/libCryptoki2_64.so in barbican
Link https://docs.openstack.org/project-install-guide/key-manager/newton/barbican-backend.html#simple-crypto-plugin

Change-Id: I351738c2a98090c56ac69e477fbe5ddec4cc5b26
Closes-Bug: #1672001
2017-03-22 20:43:14 +08:00
Jeffrey Zhang
d06efcecc5 Fix booting from volume failure
Booting from volume require cinder's ceph client secret now. Move cinder
before nova in site.yml, because nova depends on cinder ceph client key
now.

Change-Id: I01c9ed80843d98305b8963894c4917c21a35d3ac
Closes-Bug: #1670676
2017-03-08 21:16:06 +08:00
Jeffrey Zhang
177fbea79a Rename kolla namespace to kolla_ansible
* Rename kolla namespace to kolla_ansible
* remove oslo.config.opts entry points which is uesless
* delete useless tools/version-check.py script

Change-Id: I005dd7223ff23afbb2ce8cbfd0ebec0969102798
2017-02-15 16:34:51 +08:00