openstack-manuals/doc/cli-reference/source/barbican.rst
KATO Tomoyuki 06be0d440d Publish RST Command-Line Interface Reference
Change-Id: I40d746c330fdcc0dc4ccf81096e26ef4c287586f
Implements: blueprint cli-ref-rst
2016-01-15 00:03:26 +09:00


Key Manager service command-line client

The barbican client is the command-line interface (CLI) for the Key Manager service API and its extensions.

This chapter documents barbican version 3.3.0.

For help on a specific barbican command, enter:

$ barbican help COMMAND

barbican usage

usage: barbican [--version] [-v] [--log-file LOG_FILE] [-q] [-h] [--debug]
                [--no-auth] [--os-identity-api-version <identity-api-version>]
                [--os-auth-url <auth-url>] [--os-username <auth-user-name>]
                [--os-user-id <auth-user-id>] [--os-password <auth-password>]
                [--os-user-domain-id <auth-user-domain-id>]
                [--os-user-domain-name <auth-user-domain-name>]
                [--os-tenant-name <auth-tenant-name>]
                [--os-tenant-id <tenant-id>]
                [--os-project-id <auth-project-id>]
                [--os-project-name <auth-project-name>]
                [--os-project-domain-id <auth-project-domain-id>]
                [--os-project-domain-name <auth-project-domain-name>]
                [--os-auth-token <auth-token>] [--endpoint <barbican-url>]
                [--interface <barbican-interface>]
                [--service-type <barbican-service-type>]
                [--service-name <barbican-service-name>]
                [--region-name <barbican-region-name>]
                [--barbican-api-version <barbican-api-version>] [--insecure]
                [--os-cacert <ca-certificate>] [--os-cert <certificate>]
                [--os-key <key>] [--timeout <seconds>]

barbican optional arguments

--version

show program's version number and exit

-v, --verbose

Increase verbosity of output. Can be repeated.

--log-file LOG_FILE

Specify a file to log output. Disabled by default.

-q, --quiet

Suppress output except warnings and errors.

-h, --help

Show help message and exit.

--debug

Show tracebacks on errors.

--no-auth, -N

Do not use authentication.

--os-identity-api-version <identity-api-version>

Specify Identity API version to use. Defaults to env[OS_IDENTITY_API_VERSION] or 3.0.

--os-auth-url <auth-url>, -A <auth-url>

Defaults to env[OS_AUTH_URL].

--os-username <auth-user-name>, -U <auth-user-name>

Defaults to env[OS_USERNAME].

--os-user-id <auth-user-id>

Defaults to env[OS_USER_ID].

--os-password <auth-password>, -P <auth-password>

Defaults to env[OS_PASSWORD].

--os-user-domain-id <auth-user-domain-id>

Defaults to env[OS_USER_DOMAIN_ID].

--os-user-domain-name <auth-user-domain-name>

Defaults to env[OS_USER_DOMAIN_NAME].

--os-tenant-name <auth-tenant-name>, -T <auth-tenant-name>

Defaults to env[OS_TENANT_NAME].

--os-tenant-id <tenant-id>, -I <tenant-id>

Defaults to env[OS_TENANT_ID].

--os-project-id <auth-project-id>

Another way to specify tenant ID. This option is mutually exclusive with --os-tenant-id. Defaults to env[OS_PROJECT_ID].

--os-project-name <auth-project-name>

Another way to specify tenant name. This option is mutually exclusive with --os-tenant-name. Defaults to env[OS_PROJECT_NAME].

--os-project-domain-id <auth-project-domain-id>

Defaults to env[OS_PROJECT_DOMAIN_ID].

--os-project-domain-name <auth-project-domain-name>

Defaults to env[OS_PROJECT_DOMAIN_NAME].

--os-auth-token <auth-token>

Defaults to env[OS_AUTH_TOKEN].

--endpoint <barbican-url>, -E <barbican-url>

Defaults to env[BARBICAN_ENDPOINT].

--interface <barbican-interface>

Defaults to env[BARBICAN_INTERFACE].

--service-type <barbican-service-type>

Defaults to env[BARBICAN_SERVICE_TYPE].

--service-name <barbican-service-name>

Defaults to env[BARBICAN_SERVICE_NAME].

--region-name <barbican-region-name>

Defaults to env[BARBICAN_REGION_NAME].

--barbican-api-version <barbican-api-version>

Defaults to env[BARBICAN_API_VERSION].

--insecure

Explicitly allow client to perform "insecure" TLS (https) requests. The server's certificate will not be verified against any certificate authorities. This option should be used with caution.

--os-cacert <ca-certificate>

Specify a CA bundle file to use in verifying a TLS (https) server certificate. Defaults to env[OS_CACERT].

--os-cert <certificate>

Defaults to env[OS_CERT].

--os-key <key>

Defaults to env[OS_KEY].

--timeout <seconds>

Set request timeout (in seconds).

barbican ca get

usage: barbican ca get [-h] [-f {html,json,json,shell,table,value,yaml,yaml}]
                       [-c COLUMN] [--max-width <integer>] [--noindent]
                       [--prefix PREFIX]
                       URI

Retrieve a CA by providing its URI.

Positional arguments

URI

The URI reference for the CA.

Optional arguments

-h, --help

show this help message and exit

barbican ca list

usage: barbican ca list [-h] [-f {csv,html,json,json,table,value,yaml,yaml}]
                        [-c COLUMN] [--max-width <integer>] [--noindent]
                        [--quote {all,minimal,none,nonnumeric}]
                        [--limit LIMIT] [--offset OFFSET] [--name NAME]

List CAs.

Optional arguments

-h, --help

show this help message and exit

--limit LIMIT, -l LIMIT

specify the limit to the number of items to list per page (default: 10; maximum: 100)

--offset OFFSET, -o OFFSET

specify the page offset (default: 0)

--name NAME, -n NAME

specify the secret name (default: None)

barbican container create

usage: barbican container create [-h]
                                 [-f {html,json,json,shell,table,value,yaml,yaml}]
                                 [-c COLUMN] [--max-width <integer>]
                                 [--noindent] [--prefix PREFIX] [--name NAME]
                                 [--type TYPE] [--secret SECRET]

Store a container in Barbican.

Optional arguments

-h, --help

show this help message and exit

--name NAME, -n NAME

a human-friendly name.

--type TYPE

type of container to create (default: generic).

--secret SECRET, -s SECRET

one secret to store in a container (can be set multiple times). Example: --secret "private_key=https://url.test/v1/secrets/1-2-3-4"

barbican container delete

usage: barbican container delete [-h] URI

Delete a container by providing its href.

Positional arguments

URI

The URI reference for the container

Optional arguments

-h, --help

show this help message and exit

barbican container get

usage: barbican container get [-h]
                              [-f {html,json,json,shell,table,value,yaml,yaml}]
                              [-c COLUMN] [--max-width <integer>] [--noindent]
                              [--prefix PREFIX]
                              URI

Retrieve a container by providing its URI.

Positional arguments

URI

The URI reference for the container.

Optional arguments

-h, --help

show this help message and exit

barbican container list

usage: barbican container list [-h]
                               [-f {csv,html,json,json,table,value,yaml,yaml}]
                               [-c COLUMN] [--max-width <integer>]
                               [--noindent]
                               [--quote {all,minimal,none,nonnumeric}]
                               [--limit LIMIT] [--offset OFFSET] [--name NAME]
                               [--type TYPE]

List containers.

Optional arguments

-h, --help

show this help message and exit

--limit LIMIT, -l LIMIT

specify the limit to the number of items to list per page (default: 10; maximum: 100)

--offset OFFSET, -o OFFSET

specify the page offset (default: 0)

--name NAME, -n NAME

specify the container name (default: None)

--type TYPE, -t TYPE

specify the type filter for the list (default: None).

barbican order create

usage: barbican order create [-h]
                             [-f {html,json,json,shell,table,value,yaml,yaml}]
                             [-c COLUMN] [--max-width <integer>] [--noindent]
                             [--prefix PREFIX] [--name NAME] [--type TYPE]
                             [--algorithm ALGORITHM] [--bit-length BIT_LENGTH]
                             [--mode MODE]
                             [--payload-content-type PAYLOAD_CONTENT_TYPE]
                             [--expiration EXPIRATION]
                             [--request-type REQUEST_TYPE]
                             [--subject-dn SUBJECT_DN]
                             [--source-container-ref SOURCE_CONTAINER_REF]
                             [--ca-id CA_ID] [--profile PROFILE]
                             [--request-file REQUEST_FILE]

Create a new order.

Optional arguments

-h, --help

show this help message and exit

--name NAME, -n NAME

a human-friendly name.

--type TYPE, -p TYPE

the type of the order to create.

--algorithm ALGORITHM, -a ALGORITHM

the algorithm to be used with the requested key (default: aes).

--bit-length BIT_LENGTH, -b BIT_LENGTH

the bit length of the requested secret key (default: 256).

--mode MODE, -m MODE

the algorithm mode to be used with the requested key (default: cbc).

--payload-content-type PAYLOAD_CONTENT_TYPE, -t PAYLOAD_CONTENT_TYPE

the type/format of the secret to be generated (default: application/octet-stream).

--expiration EXPIRATION, -x EXPIRATION

the expiration time for the secret in ISO 8601 format.

--request-type REQUEST_TYPE

the type of the certificate request.

--subject-dn SUBJECT_DN

the subject of the certificate.

--source-container-ref SOURCE_CONTAINER_REF

the source of the certificate when using stored-key requests.

--ca-id CA_ID

the identifier of the CA to use for the certificate request.

--profile PROFILE

the profile of certificate to use.

--request-file REQUEST_FILE

the file containing the CSR.

barbican order delete

usage: barbican order delete [-h] URI

Delete an order by providing its href.

Positional arguments

URI

The URI reference for the order

Optional arguments

-h, --help

show this help message and exit

barbican order get

usage: barbican order get [-h]
                          [-f {html,json,json,shell,table,value,yaml,yaml}]
                          [-c COLUMN] [--max-width <integer>] [--noindent]
                          [--prefix PREFIX]
                          URI

Retrieve an order by providing its URI.

Positional arguments

URI

The URI reference for the order.

Optional arguments

-h, --help

show this help message and exit

barbican order list

usage: barbican order list [-h]
                           [-f {csv,html,json,json,table,value,yaml,yaml}]
                           [-c COLUMN] [--max-width <integer>] [--noindent]
                           [--quote {all,minimal,none,nonnumeric}]
                           [--limit LIMIT] [--offset OFFSET]

List orders.

Optional arguments

-h, --help

show this help message and exit

--limit LIMIT, -l LIMIT

specify the limit to the number of items to list per page (default: 10; maximum: 100)

--offset OFFSET, -o OFFSET

specify the page offset (default: 0)

barbican secret delete

usage: barbican secret delete [-h] URI

Delete a secret by providing its URI.

Positional arguments

URI

The URI reference for the secret

Optional arguments

-h, --help

show this help message and exit

barbican secret get

usage: barbican secret get [-h]
                           [-f {html,json,json,shell,table,value,yaml,yaml}]
                           [-c COLUMN] [--max-width <integer>] [--noindent]
                           [--prefix PREFIX] [--decrypt] [--payload]
                           [--payload_content_type PAYLOAD_CONTENT_TYPE]
                           URI

Retrieve a secret by providing its URI.

Positional arguments

URI

The URI reference for the secret.

Optional arguments

-h, --help

show this help message and exit

--decrypt, -d

if specified, retrieve the unencrypted secret data; the data type can be specified with --payload-content-type.

--payload, -p

if specified, retrieve the unencrypted secret data; the data type can be specified with --payload-content-type. To retrieve only the value of the payload, add "-f value" so that the output contains only the payload value.

--payload_content_type PAYLOAD_CONTENT_TYPE, -t PAYLOAD_CONTENT_TYPE

the content type of the decrypted secret (default: text/plain).

barbican secret list

usage: barbican secret list [-h]
                            [-f {csv,html,json,json,table,value,yaml,yaml}]
                            [-c COLUMN] [--max-width <integer>] [--noindent]
                            [--quote {all,minimal,none,nonnumeric}]
                            [--limit LIMIT] [--offset OFFSET] [--name NAME]
                            [--algorithm ALGORITHM] [--bit-length BIT_LENGTH]
                            [--mode MODE]

List secrets.

Optional arguments

-h, --help

show this help message and exit

--limit LIMIT, -l LIMIT

specify the limit to the number of items to list per page (default: 10; maximum: 100)

--offset OFFSET, -o OFFSET

specify the page offset (default: 0)

--name NAME, -n NAME

specify the secret name (default: None)

--algorithm ALGORITHM, -a ALGORITHM

the algorithm filter for the list (default: None).

--bit-length BIT_LENGTH, -b BIT_LENGTH

the bit length filter for the list (default: 0).

--mode MODE, -m MODE

the algorithm mode filter for the list (default: None).

barbican secret store

usage: barbican secret store [-h]
                             [-f {html,json,json,shell,table,value,yaml,yaml}]
                             [-c COLUMN] [--max-width <integer>] [--noindent]
                             [--prefix PREFIX] [--name NAME]
                             [--payload PAYLOAD] [--secret-type SECRET_TYPE]
                             [--payload-content-type PAYLOAD_CONTENT_TYPE]
                             [--payload-content-encoding PAYLOAD_CONTENT_ENCODING]
                             [--algorithm ALGORITHM] [--bit-length BIT_LENGTH]
                             [--mode MODE] [--expiration EXPIRATION]

Store a secret in Barbican.

Optional arguments

-h, --help

show this help message and exit

--name NAME, -n NAME

a human-friendly name.

--payload PAYLOAD, -p PAYLOAD

the unencrypted secret; if provided, you must also provide a payload_content_type

--secret-type SECRET_TYPE, -s SECRET_TYPE

the secret type; must be one of symmetric, public, private, certificate, passphrase, opaque (default)

--payload-content-type PAYLOAD_CONTENT_TYPE, -t PAYLOAD_CONTENT_TYPE

the type/format of the provided secret data; "text/plain" is assumed to be UTF-8; required when --payload is supplied.

--payload-content-encoding PAYLOAD_CONTENT_ENCODING, -e PAYLOAD_CONTENT_ENCODING

required if --payload-content-type is "application/octet-stream".

--algorithm ALGORITHM, -a ALGORITHM

the algorithm (default: aes).

--bit-length BIT_LENGTH, -b BIT_LENGTH

the bit length (default: 256).

--mode MODE, -m MODE

the algorithm mode; used only for reference (default: cbc)

--expiration EXPIRATION, -x EXPIRATION

the expiration time for the secret in ISO 8601 format.
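
The following audit script is an added example, not part of the barbican client or of the original reference. It checks barbican command lines (for instance from deployment scripts) against two passages above: the global options that switch off TLS verification or authentication or put a credential on the command line, and the "secret store" rules tying --payload to --payload-content-type and --payload-content-encoding. The function names, finding texts and sample invocations are assumptions constructed for illustration; only the option names come from this page.

```python
import shlex

# Global options from the reference above that switch a protection off.
RISKY = {
    "--insecure": "TLS server certificate is not verified",
    "--no-auth": "request is sent without authentication",
    "-N": "request is sent without authentication",
}
# Credential values given as arguments are visible in the process list.
CREDENTIALS = ("--os-auth-token", "--os-password", "-P")
OCTET = "application/octet-stream"
# Constructed sample invocations (not taken from the page).
SAMPLE = [
    "barbican --insecure -P s3cret secret list",
    "barbican secret store -n k1 --payload aGVsbG8= -t application/octet-stream",
    'barbican secret store -n k2 -p "my passphrase" -t text/plain -s passphrase',
]


def parse_options(argv):
    """Map each option to its value ('' for bare flags); accepts --opt=value."""
    opts = {}
    for i, tok in enumerate(argv):
        if tok.startswith("-"):
            name, sep, value = tok.partition("=")
            nxt = argv[i + 1] if i + 1 < len(argv) else ""
            opts[name] = value if sep else ("" if nxt.startswith("-") else nxt)
    return opts


def audit(line):
    """Return findings for one barbican command line (empty list if clean)."""
    argv = shlex.split(line, comments=True)
    if not argv or argv[0] != "barbican":
        return []
    opts = parse_options(argv[1:])
    found = [f"{o}: {why}" for o, why in RISKY.items() if o in opts]
    found += [f"{o}: credential passed as an argument" for o in CREDENTIALS if o in opts]
    if any(argv[i:i + 2] == ["secret", "store"] for i in range(len(argv))):
        ctype = opts.get("--payload-content-type", opts.get("-t"))
        if ("--payload" in opts or "-p" in opts) and ctype is None:
            found.append("--payload given without --payload-content-type")
        if ctype == OCTET and "--payload-content-encoding" not in opts and "-e" not in opts:
            found.append("octet-stream payload without --payload-content-encoding")
    return found


if __name__ == "__main__":
    for cmd in SAMPLE:
        print(cmd, "->", audit(cmd) or "ok")
```

Credentials supplied through the env[...] defaults listed above (OS_PASSWORD, OS_AUTH_TOKEN) do not trigger the credential finding, since nothing appears on the command line.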