Reference

Client

class barbicanclient.client.Client(session=None, *args, **kwargs)

Barbican client object used to interact with barbican service.

Parameters:
  • session – An instance of keystoneclient.session.Session that can be either authenticated, or not authenticated. When using a non-authenticated Session, you must provide some additional parameters. When no session is provided it will default to a non-authenticated Session.
  • endpoint – Barbican endpoint url. Required when a session is not given, or when using a non-authenticated session. When using an authenticated session, the client will attempt to get an endpoint from the session.
  • project_id – The project ID used for context in Barbican. Required when a session is not given, or when using a non-authenticated session. When using an authenticated session, the project ID will be provided by the authentication mechanism.
  • verify – When a session is not given, the client will create a non-authenticated session. This parameter is passed to the session that is created. If set to False, it allows barbicanclient to perform “insecure” TLS (https) requests. The server’s certificate will not be verified against any certificate authorities. WARNING: This option should be used with caution.
  • service_type – Used as an endpoint filter when using an authenticated keystone session. Defaults to ‘key-management’.
  • service_name – Used as an endpoint filter when using an authenticated keystone session.
  • interface – Used as an endpoint filter when using an authenticated keystone session. Defaults to ‘public’.
  • region_name – Used as an endpoint filter when using an authenticated keystone session.

Secrets

class barbicanclient.secrets.SecretManager(api)

Entity Manager for Secret entities

create(name=None, payload=None, payload_content_type=None, payload_content_encoding=None, algorithm=None, bit_length=None, secret_type=None, mode=None, expiration=None)

Factory method for creating new Secret objects

Secrets returned by this method have not yet been stored in the Barbican service.

Parameters:
  • name – A friendly name for the Secret
  • payload – The unencrypted secret data
  • payload_content_type – DEPRECATED: The format/type of the secret data. Setting this can lead to unexpected results. See Launchpad Bug #1419166.
  • payload_content_encoding – DEPRECATED: The encoding of the secret data. Setting this can lead to unexpected results. See Launchpad Bug #1419166.
  • algorithm – The algorithm associated with this secret key
  • bit_length – The bit length of this secret key
  • mode – The algorithm mode used with this secret key
  • secret_type – The secret type for this secret key
  • expiration – The expiration time of the secret in ISO 8601 format
Returns:

A new Secret object
Return type:

barbicanclient.secrets.Secret
Raises:
delete(secret_ref)

Delete a Secret from Barbican

Parameters:

secret_ref – The href for the secret to be deleted
Raises:
get(secret_ref, payload_content_type=None)

Retrieve an existing Secret from Barbican

Parameters:
  • secret_ref (str) – Full HATEOAS reference to a Secret
  • payload_content_type (str) – DEPRECATED: Content type to use for payload decryption. Setting this can lead to unexpected results. See Launchpad Bug #1419166.
Returns:

Secret object retrieved from Barbican
Return type:

barbicanclient.secrets.Secret
Raises:
list(limit=10, offset=0, name=None, algorithm=None, mode=None, bits=0)

List Secrets for the project

This method uses the limit and offset parameters for paging, and also supports filtering.

Parameters:
  • limit – Max number of secrets returned
  • offset – Offset secrets to begin list
  • name – Name filter for the list
  • algorithm – Algorithm filter for the list
  • mode – Mode filter for the list
  • bits – Bits filter for the list
Returns:

list of Secret objects that satisfy the provided filter criteria.
Return type:

list
Raises:
class barbicanclient.secrets.Secret(api, name=None, expiration=None, algorithm=None, bit_length=None, mode=None, payload=None, payload_content_type=None, payload_content_encoding=None, secret_ref=None, created=None, updated=None, content_types=None, status=None, secret_type=None, creator_id=None)

Secrets represent keys, credentials, and other sensitive data that is stored by the Barbican service.

Secret objects should not be instantiated directly. You should use the create or get methods of the barbicanclient.secrets.SecretManager instead.

delete()

Deletes the Secret from Barbican

payload

Lazy-loaded property that holds the unencrypted data

store(*args)

Stores the Secret in Barbican. New Secret objects are not persisted in Barbican until this method is called.

Raises:PayloadException

Orders

class barbicanclient.orders.OrderManager(api)

Entity Manager for Order entitites

create_asymmetric(name=None, algorithm=None, bit_length=None, pass_phrase=None, payload_content_type=None, expiration=None)

Factory method for AsymmetricOrder objects

AsymmetricOrder objects returned by this method have not yet been submitted to the Barbican service.

Parameters:
  • name – A friendly name for the container to be created
  • algorithm – The algorithm associated with this secret key
  • bit_length – The bit length of this secret key
  • pass_phrase – Optional passphrase
  • payload_content_type – The format/type of the secret data
  • expiration – The expiration time of the secret in ISO 8601 format
Returns:

AsymmetricOrder
Return type:

barbicanclient.orders.AsymmetricOrder
Raises:
create_certificate(name=None, request_type=None, subject_dn=None, source_container_ref=None, ca_id=None, profile=None, request_data=None)

Factory method for CertificateOrder objects

CertificateOrder objects returned by this method have not yet been submitted to the Barbican service.

Parameters:
  • name – A friendly name for the container to be created
  • request_type – The type of the certificate request
  • subject_dn – A subject for the certificate
  • source_container_ref – A container with a public/private key pair to use as source for stored-key requests
  • ca_id – The identifier of the CA to use
  • profile – The profile of certificate to use
  • request_data – The CSR content
Returns:

CertificateOrder
Return type:

barbicanclient.orders.CertificateOrder
create_key(name=None, algorithm=None, bit_length=None, mode=None, payload_content_type=None, expiration=None)

Factory method for KeyOrder objects

KeyOrder objects returned by this method have not yet been submitted to the Barbican service.

Parameters:
  • name – A friendly name for the secret to be created
  • algorithm – The algorithm associated with this secret key
  • bit_length – The bit length of this secret key
  • mode – The algorithm mode used with this secret key
  • payload_content_type – The format/type of the secret data
  • expiration – The expiration time of the secret in ISO 8601 format
Returns:

KeyOrder
Return type:

barbicanclient.orders.KeyOrder
Raises:
delete(order_ref)

Delete an Order from Barbican

Parameters:order_ref – The href for the order
get(order_ref)

Retrieve an existing Order from Barbican

Parameters:

order_ref – Full HATEOAS reference to an Order
Returns:

An instance of the appropriate subtype of Order
Raises:
list(limit=10, offset=0)

List Orders for the project

This method uses the limit and offset parameters for paging.

Parameters:
  • limit – Max number of orders returned
  • offset – Offset orders to begin list
Returns:

list of Order objects
Raises:
class barbicanclient.orders.Order(api, type, status=None, created=None, updated=None, meta=None, order_ref=None, error_status_code=None, error_reason=None, sub_status=None, sub_status_message=None, creator_id=None)

Base order object to hold common functionality

This should be considered an abstract class that should not be instantiated directly.

delete()

Deletes the Order from Barbican

submit(*args)

Submit the Order to Barbican. New Order objects are not persisted in Barbican until this method is called.

class barbicanclient.orders.KeyOrder(api, name=None, algorithm=None, bit_length=None, mode=None, expiration=None, payload_content_type=None, status=None, created=None, updated=None, order_ref=None, secret_ref=None, error_status_code=None, error_reason=None, sub_status=None, sub_status_message=None, creator_id=None)

KeyOrders can be used to request random key material from Barbican

mode

Encryption mode being used with this key

The mode could be set to “CBC” for example, when requesting a key that will be used for AES encryption in CBC mode.

class barbicanclient.orders.AsymmetricOrder(api, name=None, algorithm=None, bit_length=None, mode=None, pass_phrase=None, expiration=None, payload_content_type=None, status=None, created=None, updated=None, order_ref=None, container_ref=None, error_status_code=None, error_reason=None, sub_status=None, sub_status_message=None, creator_id=None)
pass_phrase

Passphrase to be used for passphrase protected asymmetric keys

Containers

class barbicanclient.containers.ContainerManager(api)

EntityManager for Container entities

You should use the ContainerManager exposed by the Client and should not need to instantiate your own.

create(name=None, secrets=None)

Factory method for Container objects

Container objects returned by this method have not yet been stored in Barbican.

Parameters:
  • name – A friendly name for the Container
  • secrets – Secrets to populate when creating a Container
Returns:

Container
Return type:

barbicanclient.containers.Container
Raises:
create_certificate(name=None, certificate=None, intermediates=None, private_key=None, private_key_passphrase=None)

Factory method for CertificateContainer objects

CertificateContainer objects returned by this method have not yet been stored in Barbican.

Parameters:
  • name – A friendly name for the CertificateContainer
  • certificate – Secret object containing a Certificate
  • intermediates – Secret object containing Intermediate Certs
  • private_key – Secret object containing a Private Key
  • private_key_passphrase – Secret object containing a passphrase
Returns:

CertificateContainer
Return type:

barbicanclient.containers.CertificateContainer
Raises:
create_rsa(name=None, public_key=None, private_key=None, private_key_passphrase=None)

Factory method for RSAContainer objects

RSAContainer objects returned by this method have not yet been stored in Barbican.

Parameters:
  • name – A friendly name for the RSAContainer
  • public_key – Secret object containing a Public Key
  • private_key – Secret object containing a Private Key
  • private_key_passphrase – Secret object containing a passphrase
Returns:

RSAContainer
Return type:

barbicanclient.containers.RSAContainer
Raises:
delete(container_ref)

Delete a Container from Barbican

Parameters:

container_ref – Full HATEOAS reference to a Container
Raises:
get(container_ref)

Retrieve an existing Container from Barbican

Parameters:container_ref (str) – Full HATEOAS reference to a Container
Returns:Container object or a subclass of the appropriate type
list(limit=10, offset=0, name=None, type=None)

List containers for the project. This method uses the limit and offset parameters for paging.

Parameters:
  • limit – Max number of containers returned
  • offset – Offset containers to begin list
  • name – Name filter for the list
  • type – Type filter for the list
Returns:

list of Container metadata objects
Raises:
register_consumer(container_ref, name, url)

Add a consumer to the container

Parameters:
  • container_ref – Full HATEOAS reference to a Container
  • name – Name of the consuming service
  • url – URL of the consuming resource
Returns:

A container object per the get() method
Raises:
remove_consumer(container_ref, name, url)

Remove a consumer from the container

Parameters:
  • container_ref – Full HATEOAS reference to a Container
  • name – Name of the previously consuming service
  • url – URL of the previously consuming resource
Raises:
class barbicanclient.containers.Container(api, name=None, secrets=None, consumers=None, container_ref=None, created=None, updated=None, status=None, secret_refs=None)

Container is a generic grouping of Secrets

delete()

Delete container from Barbican

secrets

List of Secrets in Containers

store(*args)

Store Container in Barbican

class barbicanclient.containers.RSAContainer(api, name=None, public_key=None, private_key=None, private_key_passphrase=None, consumers=, []container_ref=None, created=None, updated=None, status=None, public_key_ref=None, private_key_ref=None, private_key_passphrase_ref=None)
private_key

Secret containing the Private Key

private_key_passphrase

Secret containing the Passphrase

public_key

Secret containing the Public Key

class barbicanclient.containers.CertificateContainer(api, name=None, certificate=None, intermediates=None, private_key=None, private_key_passphrase=None, consumers=, []container_ref=None, created=None, updated=None, status=None, certificate_ref=None, intermediates_ref=None, private_key_ref=None, private_key_passphrase_ref=None)
certificate

Secret containing the certificate

intermediates

Secret containing intermediate certificates

private_key

Secret containing the private key

private_key_passphrase

Secret containing the passphrase

Certificate Authorities

class barbicanclient.cas.CAManager(api)

Entity Manager for Secret entities

get(ca_ref)

Retrieve an existing CA from Barbican

Parameters:

ca_ref (str) – Full HATEOAS reference to a CA
Returns:

CA object retrieved from Barbican
Return type:

barbicanclient.cas.CA
Raises:
list(limit=10, offset=0, name=None)

List CAs for the project

This method uses the limit and offset parameters for paging, and also supports filtering.

Parameters:
  • limit – Max number of CAs returned
  • offset – Offset secrets to begin list
  • name – Name filter for the list
Returns:

list of CA objects that satisfy the provided filter criteria.
Return type:

list
Raises:
class barbicanclient.cas.CA(api, meta=None, expiration=None, plugin_name=None, plugin_ca_id=None, ca_ref=None, created=None, updated=None, status=None, creator_id=None)

CAs represent certificate authorities or subCAs with which the Barbican service is configured to interact.

CA objects should not be instantiated directly. You should use the create or get methods of the barbicanclient.cas.CAManager instead.

Exceptions

exception barbicanclient.exceptions.HTTPAuthError(message, status_code=401)

Raised for 401 Unauthorized responses from the server.

exception barbicanclient.exceptions.HTTPClientError(message, status_code=0)

Raised for 4xx responses from the server.

exception barbicanclient.exceptions.HTTPError(message, status_code=0)

Base exception for HTTP errors.

exception barbicanclient.exceptions.HTTPServerError(message, status_code=0)

Raised for 5xx responses from the server.

Table Of Contents

Previous topic

CLI Usage

Next topic

Contributing

This Page

Navigation

© Copyright 2014, OpenStack Foundation. Created using Sphinx 1.2.2.