Remove the project ID from Barbican resource URIs
https://blueprints.launchpad.net/barbican/+spec/api-remove-uri-tenant-id
OpenStack projects appear to be moving away from requiring a project ID in the URI, because that information is redundant when Keystone authentication is in use. Every Barbican resource URI currently carries the project ID as part of its path. This needs to be reviewed.
Problem description
All Barbican resources include a project ID in their URI. This helps associate a resource with the intended tenant, particularly when no external authentication mechanism is in use.
However, all Barbican deployments use Keystone to authenticate API requests. With Keystone, the project ID is already obtained when the X-Auth-Token header on the request is validated. That makes the project ID in the URI redundant.
A solution is needed to remove the project ID from the URI.
Proposed change
All Barbican resource URIs will have the project ID removed from their path. For example,
/v1/<project-id>/secrets becomes /v1/secrets, /v1/<project-id>/secrets/<secret-ref> becomes /v1/secrets/<secret-ref>, and so on. For every successfully authenticated client request, the project ID (also called the tenant ID) will be obtained by looking it up in the authentication context associated with the request. If it is not found (an unscoped token), the request will be rejected with HTTP 401.
If a Barbican deployment has no authentication mechanism configured, clients are expected to pass an "X-Project-Id" request header set to the desired project ID. If this header is not passed, the request will be rejected with HTTP 400. In other words, clients are expected to forge the data that keystone.middleware.auth_token would otherwise present to Barbican, and Barbican trusts that data.
Backwards compatibility note
Once the changes proposed in this spec are in effect, API callers must no longer specify the project ID in the URI. Otherwise the request will be rejected with HTTP 404.
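The following is an added illustration of the request handling the proposal describes; it is not Barbican's code. It models the two deployment modes: with authentication, a stand-in for keystone.middleware.auth_token validates X-Auth-Token against a constructed token table, discards any identity headers the client supplied itself, and presents X-Identity-Status / X-Project-Id to the service (an unscoped token yields no project, so the request gets 401); without authentication, the client-supplied X-Project-Id is trusted as-is and its absence yields 400. Legacy URIs that still carry a project segment no longer match any route and are answered with 404. The route table, token table, and header names other than X-Auth-Token and X-Project-Id are assumptions made for the example.

```python
import re
from typing import Dict, Optional, Tuple

# Route table after the change: no project-id segment anywhere.
# Constructed for this example; the resource names follow the spec.
ROUTES = [
    re.compile(r"^/v1/(secrets|orders|containers)$"),
    re.compile(r"^/v1/(secrets|orders|containers)/([0-9a-f-]{36})$"),
]

HTTP_OK, HTTP_BAD_REQUEST, HTTP_UNAUTHORIZED, HTTP_NOT_FOUND = 200, 400, 401, 404

# Constructed token table standing in for Keystone: token -> project id,
# where None models a valid but unscoped token.
TOKENS = {"tok-scoped": "proj-a", "tok-unscoped": None}

IDENTITY_HEADERS = ("X-Identity-Status", "X-Project-Id")


def auth_token_filter(headers: Dict[str, str]) -> Dict[str, str]:
    """Simplified stand-in for the auth_token middleware.

    Identity headers coming from the client are dropped so they cannot be
    forged, the token is validated, and the headers the service will trust
    are set from the validation result.
    """
    hdrs = {k: v for k, v in headers.items() if k not in IDENTITY_HEADERS}
    project = TOKENS.get(hdrs.get("X-Auth-Token"), "missing")
    if project == "missing":
        hdrs["X-Identity-Status"] = "Invalid"
        return hdrs
    hdrs["X-Identity-Status"] = "Confirmed"
    if project is not None:
        hdrs["X-Project-Id"] = project
    return hdrs


def project_from_context(headers: Dict[str, str], auth_enabled: bool) -> Tuple[Optional[str], int]:
    """Return (project_id, status); status is 200 when a project was resolved."""
    if auth_enabled:
        if headers.get("X-Identity-Status") != "Confirmed":
            return None, HTTP_UNAUTHORIZED
        project_id = headers.get("X-Project-Id")
        if not project_id:  # valid but unscoped token: no project to act in
            return None, HTTP_UNAUTHORIZED
        return project_id, HTTP_OK
    # No auth middleware: the caller must state which project it means and
    # the service takes that claim at face value (the trust noted in the spec).
    project_id = headers.get("X-Project-Id")
    if not project_id:
        return None, HTTP_BAD_REQUEST
    return project_id, HTTP_OK


def handle(path: str, headers: Dict[str, str], auth_enabled: bool) -> Tuple[int, Optional[str]]:
    """Match the URI, then resolve the project; returns (status, project_id)."""
    if auth_enabled:
        headers = auth_token_filter(headers)
    if not any(r.match(path) for r in ROUTES):
        # /v1/<project-id>/secrets falls through here after the change.
        return HTTP_NOT_FOUND, None
    project_id, status = project_from_context(headers, auth_enabled)
    if status != HTTP_OK:
        return status, None
    return HTTP_OK, project_id


if __name__ == "__main__":
    print(handle("/v1/secrets", {"X-Auth-Token": "tok-scoped"}, True))
    print(handle("/v1/secrets", {"X-Auth-Token": "tok-unscoped"}, True))
    print(handle("/v1/secrets", {"X-Project-Id": "proj-b"}, False))
    print(handle("/v1/proj-a/secrets", {"X-Auth-Token": "tok-scoped"}, True))
```

The point worth checking in a real deployment is the one the middleware stand-in makes explicit: with authentication enabled, a client-supplied X-Project-Id must never survive past the auth layer, otherwise the unauthenticated-mode trust described above leaks into the authenticated path.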
Alternatives
None.
Data model impact
None.
REST API impact
All Barbican REST resources are affected by this change. However, the change is limited to removing the project ID from the URI. All other request parameters, including limit and filter parameters, remain unchanged. If Barbican is configured for an unauthenticated request flow, callers must pass X-Project-Id.
API
Secrets
Create a secret: POST /v1/secrets
Example
Request:
Headers:
X-Auth-Token:<token>
Content-Type:application/json
POST /v1/secrets
{
"name": "AES key",
"expiration": "2014-02-28T19:14:44.180394",
"algorithm": "aes",
"bit_length": 256,
"mode": "cbc",
"payload": "gF6+lLoF3ohA9aPRpt+6bQ==",
"payload_content_type": "application/octet-stream",
"payload_content_encoding": "base64"
}
Response:
Status: 201 Created
{
"secret_ref": "https://:9311/v1/secrets/a8957047-16c6-4b05-ac57-8621edd0e9ee"
}
Two-step secret creation: PUT /v1/secrets/<secret-id>
Example
Request:
Headers:
X-Auth-Token:<token>
Content-Type:text/plain
PUT /v1/secrets/a8957047-16c6-4b05-ac57-8621edd0e9ee
'mysecret'
Response:
Status: 201 Created
{
"secret_ref": "https://:9311/v1/secrets/a8957047-16c6-4b05-ac57-8621edd0e9ee"
}
List secrets: GET /v1/secrets
Example
Request:
Headers:
X-Auth-Token:<token>
GET /v1/secrets
Response:
Status: 200 Ok
{
"secrets": [
{
"status": "ACTIVE",
"updated": "2013-06-28T15:23:30.668641",
"mode": "cbc",
"name": "Main Encryption Key",
"algorithm": "AES",
"created": "2013-06-28T15:23:30.668619",
"secret_ref": "https://:9311/v1/secrets/e171bb2d-f14f-433e-84f0-3dfcac7a7311",
"expiration": "2014-06-28T15:23:30.668619",
"bit_length": 256,
"content_types": {
"default": "application/octet-stream"
}
},
{
"status": "ACTIVE",
"updated": "2013-06-28T15:23:32.210474",
"mode": "cbc",
"name": "Backup Key",
"algorithm": "AES",
"created": "2013-06-28T15:23:32.210467",
"secret_ref": "https://:9311/v1/secrets/6dba7827-c232-4a2b-8f3d-f523ca3a3f99",
"expiration": null,
"bit_length": 256,
"content_types": {
"default": "application/octet-stream"
}
},
{
"status": "ACTIVE",
"updated": "2013-06-28T15:23:33.092660",
"mode": null,
"name": "PostgreSQL admin password",
"algorithm": null,
"created": "2013-06-28T15:23:33.092635",
"secret_ref": "https://:9311/v1/secrets/6dfa448d-c35a-4158-abaf-e4c249efb580",
"expiration": null,
"bit_length": null,
"content_types": {
"default": "text/plain"
}
}
],
"next": "https://:9311/v1/secrets?limit=3&offset=5",
"previous": "https://:9311/v1/secrets?limit=3&offset=0"
}
Get a single secret: GET /v1/secrets/<secret-id>
Example
Request:
Headers:
X-Auth-Token:<token>
GET /v1/secrets/e171bb2d-f14f-433e-84f0-3dfcac7a7311
Response:
Status: 200 Ok
{
"status": "ACTIVE",
"updated": "2013-06-28T15:23:30.668641",
"mode": "cbc",
"name": "Main Encryption Key",
"algorithm": "AES",
"secret_ref": "https://:9311/v1/secrets/e171bb2d-f14f-433e-84f0-3dfcac7a7311",
"expiration": "2014-06-28T15:23:30.668619",
"bit_length": 256,
"content_types": {
"default": "application/octet-stream"
}
}
Delete a single secret: DELETE /v1/secrets/<secret-id>
Example
Request:
Headers:
X-Auth-Token:<token>
DELETE /v1/secrets/e171bb2d-f14f-433e-84f0-3dfcac7a7311
Response:
Status: 204 No Content
Create a secret (no authentication): POST /v1/secrets
Example
Request:
Headers:
X-Project-Id:<project-id>
Content-Type:application/json
POST /v1/secrets
{
"name": "AES key",
"expiration": "2014-02-28T19:14:44.180394",
"algorithm": "aes",
"bit_length": 256,
"mode": "cbc",
"payload": "gF6+lLoF3ohA9aPRpt+6bQ==",
"payload_content_type": "application/octet-stream",
"payload_content_encoding": "base64"
}
Response:
Status: 201 Created
{
"secret_ref": "https://:9311/v1/secrets/a8957047-16c6-4b05-ac57-8621edd0e9ee"
}
Orders
Create an order: POST /v1/orders
Example
Request:
Headers:
X-Auth-Token:<token>
Content-Type:application/json
POST /v1/orders
{
"secret": {
"name": "secretname",
"algorithm": "AES",
"bit_length": 256,
"mode": "cbc",
"payload_content_type": "application/octet-stream"
}
}
Response:
Status: 201 Created
{
"order_ref": "https://:9311/v1/orders/a8957047-16c6-4b05-ac57-8621edd0e9ee"
}
Get a single order: GET /v1/orders/<order-id>
Example
Request:
Headers:
X-Auth-Token:<token>
GET /v1/orders/f9b633d8-fda5-4be8-b42c-5b2c9280289e
Response:
Status: 200 Ok
{
"secret": {
"name": "secretname",
"algorithm": "aes",
"bit_length": 256,
"mode": "cbc",
"payload_content_type": "application/octet-stream"
},
"order_ref": "https://:8080/v1/orders/f9b633d8-fda5-4be8-b42c-5b2c9280289e",
"secret_ref": "https://:8080/v1/secrets/888b29a4-c7cf-49d0-bfdf-bd9e6f26d718",
"status": "ERROR",
"error_status_code": "400 Bad Request",
"error_reason": "Secret creation issue seen - content-encoding of 'bogus' not supported."
}
List orders per tenant: GET /v1/orders
Example
Request:
Headers:
X-Auth-Token:<token>
GET /v1/orders
Response:
Status: 200 Ok
{
"orders": [
{
"status": "ACTIVE",
"secret_ref": "https://:9311/v1/secrets/bf2b33d5-5347-4afb-9009-b4597f415b7f",
"updated": "2013-06-28T18:29:37.058718",
"created": "2013-06-28T18:29:36.001750",
"secret": {
"name": "secretname",
"algorithm": "aes",
"bit_length": 256,
"mode": "cbc",
"payload_content_type": "application/octet-stream"
},
"order_ref": "https://:9311/v1/orders/3100078a-6ab1-4c3f-ab9f-295938c91733"
},
{
"status": "ACTIVE",
"secret_ref": "https://:9311/v1/secrets/fa71b143-f10e-4f7a-aa82-cc292dc33eb5",
"updated": "2013-06-28T18:29:37.058718",
"created": "2013-06-28T18:29:36.001750",
"secret": {
"name": "secretname",
"algorithm": "aes",
"bit_length": 256,
"mode": "cbc",
"payload_content_type": "application/octet-stream"
},
"order_ref": "https://:9311/v1/orders/30b3758a-7b8e-4f2c-b9f0-f590c6f8cc6d"
}
]
}
Delete a single order: DELETE /v1/orders/<order-id>
Example
Request:
Headers:
X-Auth-Token:<token>
DELETE /v1/orders/e171bb2d-f14f-433e-84f0-3dfcac7a7311
Response:
Status: 204 No Content
Containers
Create a container: POST /v1/containers
Example
Request:
Headers:
X-Auth-Token:<token>
Content-Type:application/json
POST /v1/containers
{
"name": "container name",
"type": "rsa",
"secret_refs": [
{
"name": "private_key",
"secret_ref":"https://:9311/v1/secrets/05a47308-d045-43d6-bfe3-1dbcd0c3a97b"
},
{
"name": "public_key",
"secret_ref":"https://:9311/v1/secrets/05a47308-d045-43d6-bfe3-1dbcd0c3a97b"
},
{
"name": "private_key_passphrase",
"secret_ref":"https://:9311/v1/secrets/05a47308-d045-43d6-bfe3-1dbcd0c3a97b"
}
]
}
Response:
Status: 201 Created
{
"container_ref": "https://:9311/v1/containers/a8957047-16c6-4b05-ac57-8621edd0e9ee"
}
Get a single container: GET /v1/containers/<container-id>
Example
Request:
Headers:
X-Auth-Token:<token>
GET /v1/containers/f9b633d8-fda5-4be8-b42c-5b2c9280289e
Response:
Status: 200 Ok
{
"name":"rsa container",
"secret_refs":[
{
"secret_ref":"https://:9311/v1/secrets/059805d5-b400-47da-abc5-cae7286d3ede",
"name":"private_key_passphrase"
},
{
"secret_ref":"https://:9311/v1/secrets/28704f0f-3273-40d4-bc40-4de2691135ea",
"name":"private_key"
},
{
"secret_ref":"https://:9311/v1/secrets/29d89344-10ad-4f92-8aa2-adebaf7556ee",
"name":"public_key"
}
],
"container_ref":"https://:9311/v1/containers/888b29a4-c7cf-49d0-bfdf-bd9e6f26d718",
"type":"rsa"
}
List containers per tenant: GET /v1/containers
Example
Request:
Headers:
X-Auth-Token:<token>
GET /v1/containers
Response:
Status: 200 Ok
{
"total":42,
"containers":[
{
"status":"ACTIVE",
"updated":"2014-02-11T18:05:58.909411",
"name":"generic container_updated",
"secret_refs":[
{
"secret_id":"123",
"name":"private_key"
},
{
"secret_id":"321",
"name":"public_key"
},
{
"secret_id":"456",
"name":"private_key_passphrase"
}
],
"created":"2014-02-11T18:05:58.909403",
"container_ref":"https://:9311/v1/containers/d4e06015-4f6e-4626-ac3d-4ece6621f96d",
"type":"rsa"
},
{
"status":"ACTIVE",
"updated":"2014-02-11T18:08:58.160557",
"name":"generic container_updated",
"secret_refs":[
{
"secret_id":"321",
"name":"public_key"
},
{
"secret_id":"456",
"name":"private_key_passphrase"
}
],
"created":"2014-02-11T18:08:58.160551",
"container_ref":"https://:9311/v1/containers/bb24fa61-0b5f-4d40-8990-846e95cd7b12",
"type":"rsa"
},
{
"status":"ACTIVE",
"updated":"2014-02-11T18:25:58.198072",
"name":"generic container_updated",
"secret_refs":[
{
"secret_id":"1df433d6-c2d4-480d-90fb-0bfd9c5da3dd",
"name":"private_key"
},
{
"secret_id":"321",
"name":"public_key"
},
{
"secret_id":"456",
"name":"private_key_passphrase"
}
],
"created":"2014-02-11T18:25:58.198063",
"container_ref":"https://:9311/v1/containers/38f58696-5013-4bd6-ab2b-fbea41dc957a",
"type":"rsa"
},
{
"status":"ACTIVE",
"updated":"2014-02-11T18:44:06.296957",
"name":"generic container_updated",
"secret_refs":[
{
"secret_id":"1df433d6-c2d4-480d-90fb-0bfd9c5da3dd",
"name":"private_key"
},
{
"secret_id":"321",
"name":"public_key"
},
{
"secret_id":"456",
"name":"private_key_passphrase"
}
],
"created":"2014-02-11T18:44:06.296947",
"container_ref":"https://:9311/v1/containers/a8d1adfd-0d36-4eb0-8762-99787eb4a7ff",
"type":"rsa"
}
],
"next":"https://:9311/v1/containers?limit=10&offset=10"
}
Delete a single container: DELETE /v1/containers/<container-id>
Example
Request:
Headers:
X-Auth-Token:<token>
DELETE /v1/containers/e171bb2d-f14f-433e-84f0-3dfcac7a7311
Response:
Status: 204 No Content
Security impact
This change requires every request to carry a valid Keystone token, which is used for authorization.
Requests without a token are treated as unauthenticated requests.
Notifications and audit impact
None.
Other end user impact
The Barbican Python client needs to be modified to accommodate the API change. That work can proceed in parallel with the server-side tasks.
Performance impact
None.
Other deployer impact
None.
Developer impact
None.
Implementation
Assignee
Venkat Sundaram (tsv)
Work items
Modify the Pecan API routing mechanism and remove the logic that parses the project ID out of the URI (tsv)
Enhance the controllers' enforce_rbac decorator so that, when the keystone_id is not passed, it is obtained from the authentication context (tsv)
Update the hostname_for_refs method in the barbican/common/util module to remove the project ID from the URI links returned in response bodies (tsv)
Modify the Barbican client and replace all tenant ID references in the URIs it calls (tsv)
Enhance tests (tsv)
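An added example, not Barbican's own hostname_for_refs or client code, showing the two sides of the work items above: the server builds resource refs with no project segment, and the client parses a ref back into (resource, id) and refuses refs that still follow the old /v1/<project-id>/<resource>/<id> layout, so a stale client or cached ref is caught before it produces a 404 round-trip. The host name and the function names are assumptions made for the example.

```python
from urllib.parse import urlsplit

API_VERSION = "v1"

# Constructed host for the example; a deployment would take this from
# configuration (the page itself elides the host in its sample refs).
HOST_HREF = "https://barbican.example:9311"

RESOURCES = ("secrets", "orders", "containers")


def hostname_for_refs(resource: str, host_href: str = HOST_HREF) -> str:
    """Base URI for a resource collection: <host>/v1/<resource>, no project id."""
    if resource not in RESOURCES:
        raise ValueError(f"unknown resource: {resource}")
    return f"{host_href.rstrip('/')}/{API_VERSION}/{resource}"


def convert_to_href(resource: str, entity_id: str, host_href: str = HOST_HREF) -> str:
    """Full ref for one entity, as returned in response bodies after the change."""
    return f"{hostname_for_refs(resource, host_href)}/{entity_id}"


def parse_ref(ref: str) -> tuple:
    """Client side: split a ref into (resource, entity_id).

    Refs that still carry a project segment have four path components
    instead of three and are rejected rather than silently re-used.
    """
    parts = urlsplit(ref).path.strip("/").split("/")
    if len(parts) != 3 or parts[0] != API_VERSION or parts[1] not in RESOURCES:
        raise ValueError(f"ref does not follow /v1/<resource>/<id>: {ref}")
    _, resource, entity_id = parts
    return resource, entity_id


def list_response(resource: str, entity_ids: list) -> dict:
    """Shape of a list body after the change: every ref is project-free."""
    key = resource  # "secrets", "orders" or "containers"
    ref_key = resource[:-1] + "_ref"  # secret_ref / order_ref / container_ref
    return {key: [{ref_key: convert_to_href(resource, eid)} for eid in entity_ids]}


if __name__ == "__main__":
    ref = convert_to_href("secrets", "a8957047-16c6-4b05-ac57-8621edd0e9ee")
    print(ref)
    print(parse_ref(ref))
    print(list_response("orders", ["3100078a-6ab1-4c3f-ab9f-295938c91733"]))
```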
Dependencies
None.
Testing
Update the unit tests to remove the project ID from the URIs.
Tempest tests need to be added for functional testing.
Documentation impact
Existing documentation needs to be updated to remove the project ID from the URIs.
Document how to specify the project ID when no authentication mechanism is in use.