jfwood edited this page Apr 5, 2013 · 12 revisions

This page documents the middleware approach for the barbican key management service.

Overview

Middleware components can perform processing in front of barbican API requests, enabling cross-cutting operations such as rate limiting, client authentication and authorization, translation, API validation, versioning and logging. These components can be implemented as required for a given deployment. For example, middleware components can leverage OpenStack's Keystone service.

As an alternative, the open source Repose service can be used to provide several of these cross-cutting processes by wrapping the barbican API service. Barbican middleware would then be reduced to specialized authorization processing (such as enforcing business rules for admin and non-admin tenants).

Configuration

Barbican will support adding middleware components using the 'paste' style, similar to OpenStack projects such as Glance. For example, the etc/barbican-api-paste.ini file might look like the following:

# Main pipeline for Barbican app.
[pipeline:barbican-api]
pipeline = authtoken barbican

[filter:authtoken]
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
auth_host = 127.0.0.1
auth_port = 35357
auth_protocol = https
admin_tenant_name = %SERVICE_TENANT_NAME%
admin_user = %SERVICE_USER%
admin_password = %SERVICE_PASSWORD%

[app:barbican]
paste.app_factory = barbican.api.app:create_app

In this example an OpenStack Keystone middleware component is configured to handle identity management for Tenants. This approach is further detailed on this page.
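The "specialized authorization processing" mentioned in the overview could take the form of a second paste filter placed behind authtoken. The following is an added example, not Barbican's own code: the class name, the `admin_role` option, the `/v1/<tenant_id>/...` URL layout and the rule itself are assumptions, while the header names are the ones Keystone's auth_token middleware sets on validated requests.

```python
# Added example: hypothetical tenant-authorization filter in the paste
# filter_factory style. The URL layout and role name are assumptions.

class TenantAuthzFilter(object):
    def __init__(self, app, admin_role="admin"):
        self.app = app
        self.admin_role = admin_role.lower()

    def __call__(self, environ, start_response):
        # Fail closed: only requests auth_token marked as validated proceed.
        if environ.get("HTTP_X_IDENTITY_STATUS") != "Confirmed":
            return self._deny(start_response, "401 Unauthorized")
        tenant = environ.get("HTTP_X_TENANT_ID", "")
        roles = [r.strip().lower()
                 for r in environ.get("HTTP_X_ROLES", "").split(",")]
        # Assumed URL layout: /v1/<tenant_id>/...
        parts = environ.get("PATH_INFO", "").strip("/").split("/")
        path_tenant = parts[1] if len(parts) > 1 else ""
        # Non-admin callers may only touch resources under their own tenant.
        if self.admin_role not in roles and (not tenant or tenant != path_tenant):
            return self._deny(start_response, "403 Forbidden")
        return self.app(environ, start_response)

    @staticmethod
    def _deny(start_response, status):
        body = status.encode("ascii")
        start_response(status, [("Content-Type", "text/plain"),
                                ("Content-Length", str(len(body)))])
        return [body]


def filter_factory(global_conf, **local_conf):
    """Paste Deploy entry point: returns a callable that wraps the next app."""
    admin_role = local_conf.get("admin_role", "admin")
    return lambda app: TenantAuthzFilter(app, admin_role)


def call(app, path, headers):
    """Drive a WSGI app with a constructed request; return (status, body)."""
    seen = {}
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    environ.update(headers)
    body = b"".join(app(environ, lambda s, h: seen.update(status=s)))
    return seen["status"], body
```

Such a filter would get its own `[filter:...]` section and be listed after `authtoken` in the pipeline, because it trusts headers that auth_token sets after discarding any client-supplied copies.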
