From 626967c1a4e7d9d8e1a19a330fc31327ec5be265 Mon Sep 17 00:00:00 2001
From: liyingjun <yingjun.li@kylin-cloud.com>
Date: Sun, 9 Oct 2016 14:57:29 +0800
Subject: [PATCH] Enable keystone authentication for Barbican

By default, Barbican does not enable Keystone authentication:

[pipeline:barbican_api]
pipeline = cors unauthenticated-context apiapp

According to the Barbican install guide[1] this pipeline should be:

pipeline = cors authtoken context apiapp

[1]: http://docs.openstack.org/developer/barbican/setup/keystone.html

Change-Id: I941515a98772a72762b20507e100e7872f3b4ab8
Closes-bug: #1625337
---
 ansible/roles/barbican/tasks/config.yml       |  8 +++
 .../templates/barbican-api-paste.ini.j2       | 60 +++++++++++++++++++
 .../barbican/templates/barbican-api.json.j2   |  6 ++
 3 files changed, 74 insertions(+)
 create mode 100644 ansible/roles/barbican/templates/barbican-api-paste.ini.j2

diff --git a/ansible/roles/barbican/tasks/config.yml b/ansible/roles/barbican/tasks/config.yml
index 6385634730..38383d5448 100644
--- a/ansible/roles/barbican/tasks/config.yml
+++ b/ansible/roles/barbican/tasks/config.yml
@@ -26,6 +26,14 @@
       - "{{ node_custom_config }}/barbican-api/{{ inventory_hostname }}/barbican-api.ini"
     dest: "{{ node_config_directory }}/barbican-api/vassals/barbican-api.ini"
 
+- name: Copying over barbican-api-paste.ini
+  merge_configs:
+    sources:
+      - "{{ role_path }}/templates/barbican-api-paste.ini.j2"
+      - "{{ node_custom_config }}/barbican-api/barbican-api-paste.ini"
+      - "{{ node_custom_config }}/barbican-api/{{ inventory_hostname }}/barbican-api-paste.ini"
+    dest: "{{ node_config_directory }}/barbican-api/barbican-api-paste.ini"
+
 - name: Copying over barbican.conf
   merge_configs:
     vars:
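Review bot: The new `Copying over barbican-api-paste.ini` task has no comment saying that this file decides whether the API is authenticated, yet it merges operator overrides from `node_custom_config` on top of the role template. If merge_configs applies later sources over earlier ones per key, as the source ordering suggests, an override that sets `/v1` back to `barbican_api` in `[composite:main]` would turn Keystone authentication off with no visible change in the role. I would add a comment above the task such as `# Paste pipeline selection: overrides that remap /v1 in [composite:main] decide whether Keystone auth is enforced`. The hunk ends inside the following `Copying over barbican.conf` task, which is not reviewed here.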
diff --git a/ansible/roles/barbican/templates/barbican-api-paste.ini.j2 b/ansible/roles/barbican/templates/barbican-api-paste.ini.j2
new file mode 100644
index 0000000000..a1030a9f65
--- /dev/null
+++ b/ansible/roles/barbican/templates/barbican-api-paste.ini.j2
@@ -0,0 +1,60 @@
+[composite:main]
+use = egg:Paste#urlmap
+/: barbican_version
+/v1: barbican-api-keystone
+
+# Use this pipeline for Barbican API - versions no authentication
+[pipeline:barbican_version]
+pipeline = cors versionapp
+
+# Use this pipeline for Barbican API - DEFAULT no authentication
+[pipeline:barbican_api]
+pipeline = cors unauthenticated-context apiapp
+
+#Use this pipeline to activate a repoze.profile middleware and HTTP port,
+#  to provide profiling information for the REST API processing.
+[pipeline:barbican-profile]
+pipeline = cors unauthenticated-context egg:Paste#cgitb egg:Paste#httpexceptions profile apiapp
+
+#Use this pipeline for keystone auth
+[pipeline:barbican-api-keystone]
+pipeline = cors authtoken context apiapp
+
+#Use this pipeline for keystone auth with audit feature
+[pipeline:barbican-api-keystone-audit]
+pipeline = authtoken context audit apiapp
+
+[app:apiapp]
+paste.app_factory = barbican.api.app:create_main_app
+
+[app:versionapp]
+paste.app_factory = barbican.api.app:create_version_app
+
+[filter:simple]
+paste.filter_factory = barbican.api.middleware.simple:SimpleFilter.factory
+
+[filter:unauthenticated-context]
+paste.filter_factory = barbican.api.middleware.context:UnauthenticatedContextMiddleware.factory
+
+[filter:context]
+paste.filter_factory = barbican.api.middleware.context:ContextMiddleware.factory
+
+[filter:audit]
+paste.filter_factory = keystonemiddleware.audit:filter_factory
+audit_map_file = /etc/barbican/api_audit_map.conf
+
+[filter:authtoken]
+paste.filter_factory = keystonemiddleware.auth_token:filter_factory
+
+[filter:profile]
+use = egg:repoze.profile
+log_filename = myapp.profile
+cachegrind_filename = cachegrind.out.myapp
+discard_first_request = true
+path = /__profile__
+flush_at_shutdown = true
+unwind = false
+
+[filter:cors]
+paste.filter_factory = oslo_middleware.cors:filter_factory
+oslo_config_project = barbican
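Review bot: The template still ships the unauthenticated `[pipeline:barbican_api]` and `[pipeline:barbican-profile]` sections, and the comment above `barbican_api` still calls it `DEFAULT`, although `[composite:main]` now maps `/v1` to `barbican-api-keystone`. Neither pipeline is referenced by the urlmap, so they are dead configuration here, but they leave a one-key path back to an unauthenticated API, and the profile pipeline adds `egg:Paste#cgitb` and a `/__profile__` path that are debugging aids. I would drop both pipelines and `[filter:profile]` from the deployed template, or at least reword the comment to `# Unauthenticated pipeline - not mapped in [composite:main], development only`. `[filter:authtoken]` sets only the factory, so it presumably relies on a `[keystone_authtoken]` section in barbican.conf, which this patch does not show; it is worth confirming that section is rendered.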
diff --git a/ansible/roles/barbican/templates/barbican-api.json.j2 b/ansible/roles/barbican/templates/barbican-api.json.j2
index 843f46e65f..fe8ba1b30e 100644
--- a/ansible/roles/barbican/templates/barbican-api.json.j2
+++ b/ansible/roles/barbican/templates/barbican-api.json.j2
@@ -12,6 +12,12 @@
             "dest": "/etc/barbican/vassals/barbican-api.ini",
             "owner": "barbican",
             "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/barbican-api-paste.ini",
+            "dest": "/etc/barbican/barbican-api-paste.ini",
+            "owner": "barbican",
+            "perm": "0600"
         }
     ]
 }