[ceph.git] / ceph / doc / radosgw / barbican.rst

==============================
OpenStack Barbican Integration
==============================

OpenStack `Barbican`_ can be used as a secure key management service for
`Server-Side Encryption`_.

.. image:: ../images/rgw-encryption-barbican.png

#. `Configure Keystone`_
#. `Create a Keystone user`_
#. `Configure the Ceph Object Gateway`_
#. `Create a key in Barbican`_

Configure Keystone
==================

Barbican depends on Keystone for authorization and access control of its keys.

See `OpenStack Keystone Integration`_.

Create a Keystone user
======================

Create a new user that will be used by the Ceph Object Gateway to retrieve
keys.

For example::

   user = rgwcrypt-user
   pass = rgwcrypt-password
   tenant = rgwcrypt

See OpenStack documentation for `Manage projects, users, and roles`_.

Create a key in Barbican
========================

See Barbican documentation for `How to Create a Secret`_. Requests to
Barbican must include a valid Keystone token in the ``X-Auth-Token`` header.

Example request::

   POST /v1/secrets HTTP/1.1
   Host: barbican.example.com:9311
   Accept: */*
   Content-Type: application/json
   X-Auth-Token: 7f7d588dd29b44df983bc961a6b73a10
   Content-Length: 299
   
   {
       "name": "my-key",
       "expiration": "2016-12-28T19:14:44.180394",
       "algorithm": "aes",
       "bit_length": 256,
       "mode": "cbc",
       "payload": "6b+WOZ1T3cqZMxgThRcXAQBrS5mXKdDUphvpxptl9/4=",
       "payload_content_type": "application/octet-stream",
       "payload_content_encoding": "base64"
   }

Response::

   {"secret_ref": "http://barbican.example.com:9311/v1/secrets/d1e7ef3b-f841-4b7c-90b2-b7d90ca2d723"}

In the response, ``d1e7ef3b-f841-4b7c-90b2-b7d90ca2d723`` is the key id that
can be used in any `SSE-KMS`_ request.

This newly created key is not accessible by user ``rgwcrypt-user``. This
privilege must be added with an ACL.

Example request (assuming that the Keystone id of ``rgwcrypt-user`` is
``906aa90bd8a946c89cdff80d0869460f``)::

   PUT /v1/secrets/d1e7ef3b-f841-4b7c-90b2-b7d90ca2d723/acl HTTP/1.1
   Host: barbican.example.com:9311
   Accept: */*
   Content-Type: application/json
   X-Auth-Token: 7f7d588dd29b44df983bc961a6b73a10
   Content-Length: 101

   {
       "read":{
       "users":[ "906aa90bd8a946c89cdff80d0869460f" ],
       "project-access": true
       }
   }

Response::

   {"acl_ref": "http://barbican.example.com:9311/v1/secrets/d1e7ef3b-f841-4b7c-90b2-b7d90ca2d723/acl"}

Configure the Ceph Object Gateway
=================================

Edit the Ceph configuration file to add information about the Barbican server
and Keystone user::

   rgw barbican url = http://barbican.example.com:9311
   rgw keystone barbican user = rgwcrypt-user
   rgw keystone barbican password = rgwcrypt-password

When using Keystone API version 2::

   rgw keystone barbican tenant = rgwcrypt

When using API version 3::

   rgw keystone barbican project
   rgw keystone barbican domain


.. _Barbican: https://wiki.openstack.org/wiki/Barbican
.. _Server-Side Encryption: ../encryption
.. _OpenStack Keystone Integration: ../keystone
.. _Manage projects, users, and roles: https://docs.openstack.org/admin-guide/cli-manage-projects-users-and-roles.html#create-a-user
.. _How to Create a Secret: https://developer.openstack.org/api-guide/key-manager/secrets.html#how-to-create-a-secret
.. _SSE-KMS: http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingKMSEncryption.html
.. _How to Set/Replace ACL: https://developer.openstack.org/api-guide/key-manager/acls.html#how-to-set-replace-acl
Commit	Line	Data
7c673cae FG	1	==============================
	2	OpenStack Barbican Integration
	3	==============================
	4
	5	OpenStack `Barbican`_ can be used as a secure key management service for
	6	`Server-Side Encryption`_.
	7
	8	.. image:: ../images/rgw-encryption-barbican.png
	9
	10	#. `Configure Keystone`_
	11	#. `Create a Keystone user`_
	12	#. `Configure the Ceph Object Gateway`_
	13	#. `Create a key in Barbican`_
	14
	15	Configure Keystone
	16	==================
	17
	18	Barbican depends on Keystone for authorization and access control of its keys.
	19
	20	See `OpenStack Keystone Integration`_.
	21
	22	Create a Keystone user
	23	======================
	24
	25	Create a new user that will be used by the Ceph Object Gateway to retrieve
	26	keys.
	27
	28	For example::
	29
	30	user = rgwcrypt-user
	31	pass = rgwcrypt-password
	32	tenant = rgwcrypt
	33
	34	See OpenStack documentation for `Manage projects, users, and roles`_.
	35
	36	Create a key in Barbican
	37	========================
	38
	39	See Barbican documentation for `How to Create a Secret`_. Requests to
	40	Barbican must include a valid Keystone token in the ``X-Auth-Token`` header.
	41
	42	Example request::
	43
	44	POST /v1/secrets HTTP/1.1
	45	Host: barbican.example.com:9311
	46	Accept: /
	47	Content-Type: application/json
	48	X-Auth-Token: 7f7d588dd29b44df983bc961a6b73a10
	49	Content-Length: 299
	50
	51	{
	52	"name": "my-key",
	53	"expiration": "2016-12-28T19:14:44.180394",
	54	"algorithm": "aes",
	55	"bit_length": 256,
	56	"mode": "cbc",
	57	"payload": "6b+WOZ1T3cqZMxgThRcXAQBrS5mXKdDUphvpxptl9/4=",
	58	"payload_content_type": "application/octet-stream",
	59	"payload_content_encoding": "base64"
	60	}
	61
	62	Response::
	63
	64	{"secret_ref": "http://barbican.example.com:9311/v1/secrets/d1e7ef3b-f841-4b7c-90b2-b7d90ca2d723"}
65
66	In the response, ``d1e7ef3b-f841-4b7c-90b2-b7d90ca2d723`` is the key id that
67	can be used in any `SSE-KMS`_ request.
68
69	This newly created key is not accessible by user ``rgwcrypt-user``. This
70	privilege must be added with an ACL.
71
72	Example request (assuming that the Keystone id of ``rgwcrypt-user`` is
73	``906aa90bd8a946c89cdff80d0869460f``)::
74
75	PUT /v1/secrets/d1e7ef3b-f841-4b7c-90b2-b7d90ca2d723/acl HTTP/1.1
76	Host: barbican.example.com:9311
77	Accept: /
78	Content-Type: application/json
79	X-Auth-Token: 7f7d588dd29b44df983bc961a6b73a10
80	Content-Length: 101
81
82	{
83	"read":{
84	"users":[ "906aa90bd8a946c89cdff80d0869460f" ],
85	"project-access": true
86	}
87	}
88
89	Response::
90
91	{"acl_ref": "http://barbican.example.com:9311/v1/secrets/d1e7ef3b-f841-4b7c-90b2-b7d90ca2d723/acl"}
92
93	Configure the Ceph Object Gateway
94	=================================
95
96	Edit the Ceph configuration file to add information about the Barbican server
97	and Keystone user::
98
99	rgw barbican url = http://barbican.example.com:9311
100	rgw keystone barbican user = rgwcrypt-user
101	rgw keystone barbican password = rgwcrypt-password
102
103	When using Keystone API version 2::
104
105	rgw keystone barbican tenant = rgwcrypt
106
107	When using API version 3::
108
109	rgw keystone barbican project
110	rgw keystone barbican domain
111
112
113	.. _Barbican: https://wiki.openstack.org/wiki/Barbican
114	.. _Server-Side Encryption: ../encryption
115	.. _OpenStack Keystone Integration: ../keystone
116	.. _Manage projects, users, and roles: https://docs.openstack.org/admin-guide/cli-manage-projects-users-and-roles.html#create-a-user
117	.. _How to Create a Secret: https://developer.openstack.org/api-guide/key-manager/secrets.html#how-to-create-a-secret
118	.. _SSE-KMS: http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingKMSEncryption.html
119	.. _How to Set/Replace ACL: https://developer.openstack.org/api-guide/key-manager/acls.html#how-to-set-replace-acl