The client defers authentication to Keystone Sessions, which provide several authentication plugins in the keystoneclient.auth namespace. Below we give examples of the most commonly used auth plugins.
Authentication using Keystone API Version 3 can be achieved using the keystoneclient.auth.identity.v3.Password auth plugin.
Example:
from keystoneclient.auth import identity
from keystoneclient import session
from barbicanclient import client
auth = identity.v3.Password(auth_url='http://localhost:5000/v3',
username='admin_user',
user_domain_name='Default',
password='password',
project_name='demo'
project_domain_name='Default')
sess = session.Session(auth=auth)
barbican = client.Client(session=sess)
Authentication using Keystone API Version 2 can be achieved using the keystoneclient.auth.identity.v2.Password auth plugin.
Example:
from keystoneclient.auth import identity
from keystoneclient import session
from barbicanclient import client
auth = identity.v2.Password(auth_url='http://localhost:5000/v2.0',
username='admin_user',
password='password',
tenant_name='demo')
sess = session.Session(auth=auth)
barbican = client.Client(session=sess)
Sometimes it may be useful to work with the client in an unauthenticated context, for example when using a development instance of Barbican that is not yet configured to use Keystone for authentication. In this case, the Barbican Service endpoint must be provided, in addition to the Project ID that will be used for context (i.e. the project that owns the secrets you’ll be working with).
Example:
from barbicanclient import client
barbican = client.Client(endpoint='http://localhost:9311',
project_id='123456')
Barbican can be configured to use Keystone for authentication. The user’s credentials can be passed to Barbican via arguments.
$ barbican --os-auth-url <keystone-v3-url> --os-project-domain-id \
<domain id> --os-user-domain-id <user domain id> --os-username <username> \
--os-password <password> --os-project-name <project-name> secret list
This can become annoying and tedious, so authentication via Keystone can also be configured by setting environment variables. Barbican uses the same env variables as python-keystoneclient so if you already have keystone client configured you can skip this section.
An example clientrc file is provided in the main python-barbicanclient directory.
export OS_PROJECT_NAME=admin
# Either Project ID or Project Name is required
export OS_PROJECT_DOMAIN_ID=<YourProjectID>
export OS_PROJECT_DOMAIN_NAME=<YourProjectName>
# Either User ID or User Name is required
export OS_USER_DOMAIN_ID=<YourUserDomainID>
export OS_USER_DOMAIN_NAME=<YourUserDomainName>
export OS_USERNAME=admin
export OS_PASSWORD=password
# OS_AUTH_URL should be your location of Keystone
# Barbican Client defaults to Keystone V3
export OS_AUTH_URL="http://localhost:5000/v3/"
export BARBICAN_ENDPOINT="http://localhost:9311"
Make any appropriate changes to this file.
You will need to source it into your environment on each load:
source ~/clientrc
If you would like, you can configure your bash to load the variables on each login:
echo "source ~/clientrc" >> ~/.bashrc
Barbican can be configured to use Keystone tokens for authentication. The user’s credentials can be passed to Barbican via arguments.
$ barbican --os-auth-url <auth_endpoint> --os-auth-token <auth_token> \
--os-project-id <project_id> secret list
Much like normal password authentication you can specify these values via environmental variables. Refer to Keystone V3 authentication for more information.
When working with a Barbican instance that does not use Keystone authentication (e.g. during development) you can use the --no-auth option. If you do this, you’ll have to specify the Barbican endpoint and project ID --os-project-id. This is because Barbican normally gets the endpoint and tenant ID from Keystone.