store passphrase kmip one entry only

Bug #2033620 reported by Przemysław Kuczyński
This bug affects 2 people
Affects: Barbican
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

After configuring Barbican:

[secretstore]
enabled_secretstore_plugins = kmip_plugin

[kmip_plugin]
ca_certs = /opt/stack/devstack-certs/barbican-ca.pem
certfile = /opt/stack/devstack-certs/barbican-cert.pem
keyfile = /opt/stack/devstack-certs/barbican-key.pem
username = openstack
password = xxx
#host = kmip.ciphertrustmanager.local
host = xxx
port = 5696

I can store one entry:
openstack secret store --name testSecret4 --payload 'TestPayload'

+---------------+--------------------------------------------------------------------------------+
| Field | Value |
+---------------+--------------------------------------------------------------------------------+
| Secret href | http://xxx/key-manager/v1/secrets/b7a1d25d-f035-4958-9810-5d78db5a60a8 |
| Name | testSecret4 |
| Created | None |
| Status | None |
| Content types | None |
| Algorithm | aes |
| Bit length | 256 |
| Secret type | opaque |
| Mode | cbc |
| Expiration | None |
+---------------+--------------------------------------------------------------------------------+

On the KMS side I see a key with name Opaque Object and type OPAQUE.
When I try to create another secret:

openstack secret store --name testSecret5 --payload 'TestPayload'
5xx Server error: Internal Server Error: Secret creation failure seen - please contact site administrator.
Internal Server Error: Secret creation failure seen - please contact site administrator

2023-08-31 10:12:22.282 DEBUG barbican.plugin.kmip_secret_store [req-c5184cb4-23f7-4bd5-a6a6-4b637cdb5ba0 demo admin] Opened connection to KMIP client from (pid=484511) store_secret /opt/stack/barbican/barbican/plugin/kmip_secret_store.py:373
2023-08-31 10:12:22.394 ERROR barbican.plugin.kmip_secret_store [req-c5184cb4-23f7-4bd5-a6a6-4b637cdb5ba0 demo admin] Error opening or writing to client: kmip.pie.exceptions.KmipOperationFailure: OPERATION_FAILED: INVALID_FIELD - [NCERRKeyAlreadyExists: could not create key as it already exists]:
2023-08-31 10:12:22.394 TRACE barbican.plugin.kmip_secret_store Traceback (most recent call last):
2023-08-31 10:12:22.394 TRACE barbican.plugin.kmip_secret_store File "/opt/stack/barbican/barbican/plugin/kmip_secret_store.py", line 374, in store_secret
2023-08-31 10:12:22.394 TRACE barbican.plugin.kmip_secret_store uuid = self.client.register(secret)
2023-08-31 10:12:22.394 TRACE barbican.plugin.kmip_secret_store File "/opt/stack/data/venv/lib/python3.8/site-packages/kmip/pie/client.py", line 41, in wrapper
2023-08-31 10:12:22.394 TRACE barbican.plugin.kmip_secret_store return function(self, *args, **kwargs)
2023-08-31 10:12:22.394 TRACE barbican.plugin.kmip_secret_store File "/opt/stack/data/venv/lib/python3.8/site-packages/kmip/pie/client.py", line 573, in register
2023-08-31 10:12:22.394 TRACE barbican.plugin.kmip_secret_store raise exceptions.KmipOperationFailure(status, reason, message)
2023-08-31 10:12:22.394 TRACE barbican.plugin.kmip_secret_store kmip.pie.exceptions.KmipOperationFailure: OPERATION_FAILED: INVALID_FIELD - [NCERRKeyAlreadyExists: could not create key as it already exists]:
2023-08-31 10:12:22.394 TRACE barbican.plugin.kmip_secret_store
2023-08-31 10:12:22.396 ERROR barbican.api.controllers [req-c5184cb4-23f7-4bd5-a6a6-4b637cdb5ba0 demo admin] Secret creation failure seen - please contact site administrator.: barbican.plugin.interface.secret_store.SecretGeneralException: Problem seen during crypto processing - Reason: OPERATION_FAILED: INVALID_FIELD - [NCERRKeyAlreadyExists: could not create key as it already exists]:
2023-08-31 10:12:22.396 TRACE barbican.api.controllers Traceback (most recent call last):
2023-08-31 10:12:22.396 TRACE barbican.api.controllers File "/opt/stack/barbican/barbican/plugin/kmip_secret_store.py", line 374, in store_secret
2023-08-31 10:12:22.396 TRACE barbican.api.controllers uuid = self.client.register(secret)
2023-08-31 10:12:22.396 TRACE barbican.api.controllers File "/opt/stack/data/venv/lib/python3.8/site-packages/kmip/pie/client.py", line 41, in wrapper
2023-08-31 10:12:22.396 TRACE barbican.api.controllers return function(self, *args, **kwargs)
2023-08-31 10:12:22.396 TRACE barbican.api.controllers File "/opt/stack/data/venv/lib/python3.8/site-packages/kmip/pie/client.py", line 573, in register
2023-08-31 10:12:22.396 TRACE barbican.api.controllers raise exceptions.KmipOperationFailure(status, reason, message)
2023-08-31 10:12:22.396 TRACE barbican.api.controllers kmip.pie.exceptions.KmipOperationFailure: OPERATION_FAILED: INVALID_FIELD - [NCERRKeyAlreadyExists: could not create key as it already exists]:
2023-08-31 10:12:22.396 TRACE barbican.api.controllers
2023-08-31 10:12:22.396 TRACE barbican.api.controllers During handling of the above exception, another exception occurred:
2023-08-31 10:12:22.396 TRACE barbican.api.controllers
2023-08-31 10:12:22.396 TRACE barbican.api.controllers Traceback (most recent call last):
2023-08-31 10:12:22.396 TRACE barbican.api.controllers File "/opt/stack/barbican/barbican/api/controllers/__init__.py", line 107, in handler
2023-08-31 10:12:22.396 TRACE barbican.api.controllers return fn(inst, *args, **kwargs)
2023-08-31 10:12:22.396 TRACE barbican.api.controllers File "/opt/stack/barbican/barbican/api/controllers/__init__.py", line 93, in enforcer
2023-08-31 10:12:22.396 TRACE barbican.api.controllers return fn(inst, *args, **kwargs)
2023-08-31 10:12:22.396 TRACE barbican.api.controllers File "/opt/stack/barbican/barbican/api/controllers/__init__.py", line 155, in content_types_enforcer
2023-08-31 10:12:22.396 TRACE barbican.api.controllers return fn(inst, *args, **kwargs)
2023-08-31 10:12:22.396 TRACE barbican.api.controllers File "/opt/stack/barbican/barbican/api/controllers/secrets.py", line 462, in on_post
2023-08-31 10:12:22.396 TRACE barbican.api.controllers new_secret, transport_key_model = plugin.store_secret(
2023-08-31 10:12:22.396 TRACE barbican.api.controllers File "/opt/stack/barbican/barbican/plugin/resources.py", line 108, in store_secret
2023-08-31 10:12:22.396 TRACE barbican.api.controllers secret_metadata = _store_secret_using_plugin(store_plugin, secret_dto,
2023-08-31 10:12:22.396 TRACE barbican.api.controllers File "/opt/stack/barbican/barbican/plugin/resources.py", line 281, in _store_secret_using_plugin
2023-08-31 10:12:22.396 TRACE barbican.api.controllers secret_metadata = store_plugin.store_secret(secret_dto)
2023-08-31 10:12:22.396 TRACE barbican.api.controllers File "/opt/stack/barbican/barbican/plugin/kmip_secret_store.py", line 379, in store_secret
2023-08-31 10:12:22.396 TRACE barbican.api.controllers raise ss.SecretGeneralException(e)
2023-08-31 10:12:22.396 TRACE barbican.api.controllers barbican.plugin.interface.secret_store.SecretGeneralException: Problem seen during crypto processing - Reason: OPERATION_FAILED: INVALID_FIELD - [NCERRKeyAlreadyExists: could not create key as it already exists]:
2023-08-31 10:12:22.396 TRACE barbican.api.controllers
2023-08-31 10:12:22.400 INFO barbican.api.middleware.context [req-c5184cb4-23f7-4bd5-a6a6-4b637cdb5ba0 demo admin] Processed request: 500 Internal Server Error - POST http://10.0.12.169/key-manager/v1/secrets/

Also, I could not delete the secret:

| http://10.0.12.169/key-manager/v1/secrets/b7a1d25d-f035-4958-9810-5d78db5a60a8 | testSecret4 | 2023-08-31T08:09:45+00:00 | ACTIVE | {'default': 'application/octet-stream'} | aes | 256 | opaque | cbc | None |

openstack secret delete http://10.0.12.169/key-manager/v1/secrets/b7a1d25d-f035-4958-9810-5d78db5a60a8
5xx Server error: Internal Server Error: Secret deletion failure seen - please contact site administrator.
Internal Server Error: Secret deletion failure seen - please contact site administrator.

2023-08-31 10:17:37.781 DEBUG barbican.plugin.kmip_secret_store [req-8a4ddf6d-0edb-4dc2-8c6d-88a18dd99bd9 demo admin] Opened connection to KMIP client from (pid=484510) delete_secret /opt/stack/barbican/barbican/plugin/kmip_secret_store.py:435
2023-08-31 10:17:37.955 ERROR barbican.plugin.kmip_secret_store [req-8a4ddf6d-0edb-4dc2-8c6d-88a18dd99bd9 demo admin] Error opening or writing to client: kmip.pie.exceptions.KmipOperationFailure: OPERATION_FAILED: PERMISSION_DENIED - Attempt to Destroy an 'Active' object
2023-08-31 10:17:37.955 TRACE barbican.plugin.kmip_secret_store Traceback (most recent call last):
2023-08-31 10:17:37.955 TRACE barbican.plugin.kmip_secret_store File "/opt/stack/barbican/barbican/plugin/kmip_secret_store.py", line 436, in delete_secret
2023-08-31 10:17:37.955 TRACE barbican.plugin.kmip_secret_store self.client.destroy(uuid)
2023-08-31 10:17:37.955 TRACE barbican.plugin.kmip_secret_store File "/opt/stack/data/venv/lib/python3.8/site-packages/kmip/pie/client.py", line 41, in wrapper
2023-08-31 10:17:37.955 TRACE barbican.plugin.kmip_secret_store return function(self, *args, **kwargs)
2023-08-31 10:17:37.955 TRACE barbican.plugin.kmip_secret_store File "/opt/stack/data/venv/lib/python3.8/site-packages/kmip/pie/client.py", line 1185, in destroy
2023-08-31 10:17:37.955 TRACE barbican.plugin.kmip_secret_store raise exceptions.KmipOperationFailure(status, reason, message)
2023-08-31 10:17:37.955 TRACE barbican.plugin.kmip_secret_store kmip.pie.exceptions.KmipOperationFailure: OPERATION_FAILED: PERMISSION_DENIED - Attempt to Destroy an 'Active' object
2023-08-31 10:17:37.955 TRACE barbican.plugin.kmip_secret_store
2023-08-31 10:17:37.958 ERROR barbican.api.controllers [req-8a4ddf6d-0edb-4dc2-8c6d-88a18dd99bd9 demo admin] Secret deletion failure seen - please contact site administrator.: barbican.plugin.interface.secret_store.SecretGeneralException: Problem seen during crypto processing - Reason: OPERATION_FAILED: PERMISSION_DENIED - Attempt to Destroy an 'Active' object
2023-08-31 10:17:37.958 TRACE barbican.api.controllers Traceback (most recent call last):
2023-08-31 10:17:37.958 TRACE barbican.api.controllers File "/opt/stack/barbican/barbican/plugin/kmip_secret_store.py", line 436, in delete_secret
2023-08-31 10:17:37.958 TRACE barbican.api.controllers self.client.destroy(uuid)
2023-08-31 10:17:37.958 TRACE barbican.api.controllers File "/opt/stack/data/venv/lib/python3.8/site-packages/kmip/pie/client.py", line 41, in wrapper
2023-08-31 10:17:37.958 TRACE barbican.api.controllers return function(self, *args, **kwargs)
2023-08-31 10:17:37.958 TRACE barbican.api.controllers File "/opt/stack/data/venv/lib/python3.8/site-packages/kmip/pie/client.py", line 1185, in destroy
2023-08-31 10:17:37.958 TRACE barbican.api.controllers raise exceptions.KmipOperationFailure(status, reason, message)
2023-08-31 10:17:37.958 TRACE barbican.api.controllers kmip.pie.exceptions.KmipOperationFailure: OPERATION_FAILED: PERMISSION_DENIED - Attempt to Destroy an 'Active' object
2023-08-31 10:17:37.958 TRACE barbican.api.controllers
2023-08-31 10:17:37.958 TRACE barbican.api.controllers During handling of the above exception, another exception occurred:
2023-08-31 10:17:37.958 TRACE barbican.api.controllers
2023-08-31 10:17:37.958 TRACE barbican.api.controllers Traceback (most recent call last):
2023-08-31 10:17:37.958 TRACE barbican.api.controllers File "/opt/stack/barbican/barbican/api/controllers/__init__.py", line 107, in handler
2023-08-31 10:17:37.958 TRACE barbican.api.controllers return fn(inst, *args, **kwargs)
2023-08-31 10:17:37.958 TRACE barbican.api.controllers File "/opt/stack/barbican/barbican/api/controllers/__init__.py", line 93, in enforcer
2023-08-31 10:17:37.958 TRACE barbican.api.controllers return fn(inst, *args, **kwargs)
2023-08-31 10:17:37.958 TRACE barbican.api.controllers File "/opt/stack/barbican/barbican/api/controllers/secrets.py", line 268, in on_delete
2023-08-31 10:17:37.958 TRACE barbican.api.controllers plugin.delete_secret(self.secret, external_project_id)
2023-08-31 10:17:37.958 TRACE barbican.api.controllers File "/opt/stack/barbican/barbican/plugin/resources.py", line 265, in delete_secret
2023-08-31 10:17:37.958 TRACE barbican.api.controllers delete_plugin.delete_secret(secret_metadata)
2023-08-31 10:17:37.958 TRACE barbican.api.controllers File "/opt/stack/barbican/barbican/plugin/kmip_secret_store.py", line 439, in delete_secret
2023-08-31 10:17:37.958 TRACE barbican.api.controllers raise ss.SecretGeneralException(e)
2023-08-31 10:17:37.958 TRACE barbican.api.controllers barbican.plugin.interface.secret_store.SecretGeneralException: Problem seen during crypto processing - Reason: OPERATION_FAILED: PERMISSION_DENIED - Attempt to Destroy an 'Active' object
2023-08-31 10:17:37.958 TRACE barbican.api.controllers

Delete for other types works.
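
Added example, not part of the original report and not Barbican code: a small triage script that reduces logs in the format shown above to one record per failed request, giving the plugin method, the KMIP result status and reason, and the HTTP outcome where one was logged. The sample log is constructed by abridging lines from this report; the function and field names are assumptions made for the example.

```python
import re

# Constructed sample: a few lines abridged from the logs quoted in this report.
SAMPLE_LOG = """\
2023-08-31 10:12:22.282 DEBUG barbican.plugin.kmip_secret_store [req-c5184cb4-23f7-4bd5-a6a6-4b637cdb5ba0 demo admin] Opened connection to KMIP client from (pid=484511) store_secret /opt/stack/barbican/barbican/plugin/kmip_secret_store.py:373
2023-08-31 10:12:22.394 ERROR barbican.plugin.kmip_secret_store [req-c5184cb4-23f7-4bd5-a6a6-4b637cdb5ba0 demo admin] Error opening or writing to client: kmip.pie.exceptions.KmipOperationFailure: OPERATION_FAILED: INVALID_FIELD - [NCERRKeyAlreadyExists: could not create key as it already exists]:
2023-08-31 10:12:22.394 TRACE barbican.plugin.kmip_secret_store uuid = self.client.register(secret)
2023-08-31 10:12:22.400 INFO barbican.api.middleware.context [req-c5184cb4-23f7-4bd5-a6a6-4b637cdb5ba0 demo admin] Processed request: 500 Internal Server Error - POST http://10.0.12.169/key-manager/v1/secrets/
2023-08-31 10:17:37.781 DEBUG barbican.plugin.kmip_secret_store [req-8a4ddf6d-0edb-4dc2-8c6d-88a18dd99bd9 demo admin] Opened connection to KMIP client from (pid=484510) delete_secret /opt/stack/barbican/barbican/plugin/kmip_secret_store.py:435
2023-08-31 10:17:37.955 ERROR barbican.plugin.kmip_secret_store [req-8a4ddf6d-0edb-4dc2-8c6d-88a18dd99bd9 demo admin] Error opening or writing to client: kmip.pie.exceptions.KmipOperationFailure: OPERATION_FAILED: PERMISSION_DENIED - Attempt to Destroy an 'Active' object
"""

# Lines that carry a request id: "<date> <time> LEVEL logger [req-... user project] message"
LINE_RE = re.compile(r"^\S+ \S+ \w+ \S+ \[(?P<req>req-[0-9a-f-]+) [^\]]*\] (?P<msg>.*)$")
# Plugin DEBUG line; the word before the source path is the plugin method name.
OPEN_RE = re.compile(r"Opened connection to KMIP client .* (?P<method>\w+) \S+:\d+$")
# PyKMIP failure text as logged: "<status>: <reason> - <server message>"
FAIL_RE = re.compile(r"KmipOperationFailure: (?P<status>\w+): (?P<reason>\w+) - (?P<detail>.*)$")
HTTP_RE = re.compile(r"Processed request: (?P<code>\d{3}) .* - (?P<verb>[A-Z]+) \S+$")


def summarize(log_text):
    """Return {request_id: record} for every request whose KMIP call failed."""
    requests = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # TRACE lines have no request id; the ERROR line holds the reason
        entry = requests.setdefault(m["req"], {})
        msg = m["msg"]
        if (o := OPEN_RE.search(msg)):
            entry["plugin_method"] = o["method"]
        elif (f := FAIL_RE.search(msg)) and "kmip_reason" not in entry:
            entry.update(kmip_status=f["status"], kmip_reason=f["reason"],
                         kmip_detail=f["detail"].rstrip(":"))
        elif (h := HTTP_RE.search(msg)):
            entry["http"] = f'{h["verb"]} {h["code"]}'
    return {req: e for req, e in requests.items() if "kmip_reason" in e}


if __name__ == "__main__":
    for req, record in summarize(SAMPLE_LOG).items():
        print(req, record)
```
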

Przemysław Kuczyński (przemekkuczynski) wrote :

UP
