Reference
Client
- barbicanclient.client.Client(version=None, session=None, *args, **kwargs)
Barbican client used to interact with barbican service.
- Parameters:
version – The API version to use.
session – An instance of keystoneauth1.session.Session that can be either authenticated, or not authenticated. When using a non-authenticated Session, you must provide some additional parameters. When no session is provided it will default to a non-authenticated Session.
endpoint – Barbican endpoint url. Required when a session is not given, or when using a non-authenticated session. When using an authenticated session, the client will attempt to get an endpoint from the session.
project_id – The project ID used for context in Barbican. Required when a session is not given, or when using a non-authenticated session. When using an authenticated session, the project ID will be provided by the authentication mechanism.
verify – When a session is not given, the client will create a non-authenticated session. This parameter is passed to the session that is created. If set to False, it allows barbicanclient to perform “insecure” TLS (https) requests. The server’s certificate will not be verified against any certificate authorities. WARNING: This option should be used with caution.
service_type – Used as an endpoint filter when using an authenticated keystone session. Defaults to ‘key-manager’.
service_name – Used as an endpoint filter when using an authenticated keystone session.
interface – Used as an endpoint filter when using an authenticated keystone session. Defaults to ‘public’.
region_name – Used as an endpoint filter when using an authenticated keystone session.
Secrets
- class barbicanclient.v1.secrets.SecretManager(api)
Entity Manager for Secret entities
- create(name=None, payload=None, payload_content_type=None, payload_content_encoding=None, algorithm=None, bit_length=None, secret_type=None, mode=None, expiration=None)
Factory method for creating new Secret objects
Secrets returned by this method have not yet been stored in the Barbican service.
- Parameters:
name – A friendly name for the Secret
payload – The unencrypted secret data
payload_content_type – DEPRECATED: The format/type of the secret data. Setting this can lead to unexpected results. See Launchpad Bug #1419166.
payload_content_encoding – DEPRECATED: The encoding of the secret data. Setting this can lead to unexpected results. See Launchpad Bug #1419166.
algorithm – The algorithm associated with this secret key
bit_length – The bit length of this secret key
mode – The algorithm mode used with this secret key
secret_type – The secret type for this secret key
expiration – The expiration time of the secret in ISO 8601 format
- Returns:
A new Secret object
- Return type:
- Raises:
barbicanclient.exceptions.HTTPAuthError – 401 Responses
barbicanclient.exceptions.HTTPClientError – 4xx Responses
barbicanclient.exceptions.HTTPServerError – 5xx Responses
- delete(secret_ref)
Delete a Secret from Barbican
- Parameters:
secret_ref – Full HATEOAS reference to a Secret, or a UUID
- Raises:
barbicanclient.exceptions.HTTPAuthError – 401 Responses
barbicanclient.exceptions.HTTPClientError – 4xx Responses
barbicanclient.exceptions.HTTPServerError – 5xx Responses
- get(secret_ref, payload_content_type=None)
Retrieve an existing Secret from Barbican
- Parameters:
secret_ref (str) – Full HATEOAS reference to a Secret, or a UUID
payload_content_type (str) – DEPRECATED: Content type to use for payload decryption. Setting this can lead to unexpected results. See Launchpad Bug #1419166.
- Returns:
Secret object retrieved from Barbican
- Return type:
- Raises:
barbicanclient.exceptions.HTTPAuthError – 401 Responses
barbicanclient.exceptions.HTTPClientError – 4xx Responses
barbicanclient.exceptions.HTTPServerError – 5xx Responses
- list(limit=10, offset=0, name=None, algorithm=None, mode=None, bits=0, secret_type=None, created=None, updated=None, expiration=None, sort=None)
List Secrets for the project
This method uses the limit and offset parameters for paging, and also supports filtering.
The time filters (created, updated, and expiration) are expected to be an ISO 8601 formatted string, which can be prefixed with comparison operators: ‘gt:’ (greater-than), ‘gte:’ (greater-than-or-equal), ‘lt:’ (less-than), or ‘lte:’ (less-than-or-equal).
- Parameters:
limit – Max number of secrets returned
offset – Offset secrets to begin list
name – Name filter for the list
algorithm – Algorithm filter for the list
mode – Mode filter for the list
bits – Bits filter for the list
secret_type – Secret type filter for the list
created – Created time filter for the list, an ISO 8601 format string, optionally prefixed with ‘gt:’, ‘gte:’, ‘lt:’, or ‘lte:’
updated – Updated time filter for the list, an ISO 8601 format string, optionally prefixed with ‘gt:’, ‘gte:’, ‘lt:’, or ‘lte:’
expiration – Expiration time filter for the list, an ISO 8601 format string, optionally prefixed with ‘gt:’, ‘gte:’, ‘lt:’, or ‘lte:’
sort – Determines the sorted order of the returned list, a string of comma-separated sort keys (‘created’, ‘expiration’, ‘mode’, ‘name’, ‘secret_type’, ‘status’, or ‘updated’) with a direction appended (‘:asc’ or ‘:desc’) to each key
- Returns:
list of Secret objects that satisfy the provided filter criteria.
- Return type:
list
- Raises:
barbicanclient.exceptions.HTTPAuthError – 401 Responses
barbicanclient.exceptions.HTTPClientError – 4xx Responses
barbicanclient.exceptions.HTTPServerError – 5xx Responses
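An added example (not part of barbicanclient or this reference) of driving list() for an expiry audit: it builds the operator-prefixed expiration filter and the sort string described above, then walks the limit/offset pages. fake_list and its 25 secrets are constructed stand-ins for client.secrets.list, and the UTC trailing-Z timestamp layout is an assumption.

```python
from collections import namedtuple
from datetime import datetime, timezone

# Operators and sort keys as listed in the list() documentation above.
TIME_OPERATORS = ("gt", "gte", "lt", "lte")
SORT_KEYS = ("created", "expiration", "mode", "name",
             "secret_type", "status", "updated")


def time_filter(op, when):
    """Format a created/updated/expiration filter, e.g. 'lt:2030-01-16T00:00:00Z'."""
    if op not in TIME_OPERATORS:
        raise ValueError("unsupported comparison operator: %r" % (op,))
    if when.tzinfo is None:
        raise ValueError("pass a timezone-aware datetime")
    # Assumption: UTC with a trailing 'Z' is an ISO 8601 layout the server accepts.
    stamp = when.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return "%s:%s" % (op, stamp)


def sort_spec(*pairs):
    """Join (key, direction) pairs into the comma-separated sort string."""
    parts = []
    for key, direction in pairs:
        if key not in SORT_KEYS or direction not in ("asc", "desc"):
            raise ValueError("bad sort term: %s:%s" % (key, direction))
        parts.append("%s:%s" % (key, direction))
    return ",".join(parts)


def iter_all(list_fn, page_size=10, **filters):
    """Walk limit/offset pages until a short page signals the end."""
    offset = 0
    while True:
        page = list_fn(limit=page_size, offset=offset, **filters)
        yield from page
        if len(page) < page_size:
            return
        offset += page_size


def expiring_before(list_fn, deadline, page_size=10):
    """Return every secret that expires before deadline, soonest first."""
    return list(iter_all(list_fn, page_size,
                         expiration=time_filter("lt", deadline),
                         sort=sort_spec(("expiration", "asc"))))


# --- Constructed stand-in for client.secrets.list so the example runs offline ---
FakeSecret = namedtuple("FakeSecret", "name expiration")
CALLS = []  # records (limit, offset) of every page request


def fake_list(limit=10, offset=0, expiration=None, sort=None):
    CALLS.append((limit, offset))
    # 25 constructed secrets expiring 2030-01-01 .. 2030-01-25, stored newest first.
    rows = [FakeSecret("svc-%02d" % d, "2030-01-%02dT00:00:00Z" % d)
            for d in range(25, 0, -1)]
    op, stamp = expiration.split(":", 1)
    assert op == "lt" and sort == "expiration:asc"  # the only case this stub models
    # Fixed-width UTC timestamps compare correctly as plain strings.
    rows = sorted((r for r in rows if r.expiration < stamp),
                  key=lambda r: r.expiration)
    return rows[offset:offset + limit]


def demo():
    CALLS.clear()
    deadline = datetime(2030, 1, 16, tzinfo=timezone.utc)
    found = expiring_before(fake_list, deadline, page_size=10)
    return [s.name for s in found], list(CALLS)


if __name__ == "__main__":
    names, calls = demo()
    print(len(names), "secrets expire before the deadline; page requests:", calls)
```

With a real client, pass client.secrets.list as list_fn.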
- update(secret_ref, payload=None)
Update an existing Secret in Barbican
- Parameters:
secret_ref (str) – Full HATEOAS reference to a Secret, or a UUID
payload (str) – New payload to add to secret
- Raises:
barbicanclient.exceptions.HTTPAuthError – 401 Responses
barbicanclient.exceptions.HTTPClientError – 4xx Responses
barbicanclient.exceptions.HTTPServerError – 5xx Responses
- class barbicanclient.v1.secrets.Secret(api, name=None, expiration=None, algorithm=None, bit_length=None, mode=None, payload=None, payload_content_type=None, payload_content_encoding=None, secret_ref=None, created=None, updated=None, content_types=None, status=None, secret_type=None, creator_id=None)
Secrets managed by Barbican
Secrets represent keys, credentials, and other sensitive data that is stored by the Barbican service.
Secret objects should not be instantiated directly. You should use the create or get methods of the barbicanclient.secrets.SecretManager instead.
- property acls
Get ACL settings for this secret.
- delete()
Deletes the Secret from Barbican
- property payload
Lazy-loaded property that holds the unencrypted data
- store()
Stores the Secret in Barbican.
New Secret objects are not persisted in Barbican until this method is called.
- Raises:
PayloadException
- update()
Updates the secret in Barbican.
Orders
- class barbicanclient.v1.orders.OrderManager(api)
Entity Manager for Order entities
- create_asymmetric(name=None, algorithm=None, bit_length=None, pass_phrase=None, payload_content_type=None, expiration=None)
Factory method for AsymmetricOrder objects
AsymmetricOrder objects returned by this method have not yet been submitted to the Barbican service.
- Parameters:
name – A friendly name for the container to be created
algorithm – The algorithm associated with this secret key
bit_length – The bit length of this secret key
pass_phrase – Optional passphrase
payload_content_type – The format/type of the secret data
expiration – The expiration time of the secret in ISO 8601 format
- Returns:
AsymmetricOrder
- Return type:
- Raises:
barbicanclient.exceptions.HTTPAuthError – 401 Responses
barbicanclient.exceptions.HTTPClientError – 4xx Responses
barbicanclient.exceptions.HTTPServerError – 5xx Responses
- create_certificate(name=None, request_type=None, subject_dn=None, source_container_ref=None, ca_id=None, profile=None, request_data=None)
Factory method for CertificateOrder objects
CertificateOrder objects returned by this method have not yet been submitted to the Barbican service.
- Parameters:
name – A friendly name for the container to be created
request_type – The type of the certificate request
subject_dn – A subject for the certificate
source_container_ref – A container with a public/private key pair to use as source for stored-key requests
ca_id – The identifier of the CA to use
profile – The profile of certificate to use
request_data – The CSR content
- Returns:
CertificateOrder
- Return type:
barbicanclient.v1.orders.CertificateOrder
- create_key(name=None, algorithm=None, bit_length=None, mode=None, payload_content_type=None, expiration=None)
Factory method for KeyOrder objects
KeyOrder objects returned by this method have not yet been submitted to the Barbican service.
- Parameters:
name – A friendly name for the secret to be created
algorithm – The algorithm associated with this secret key
bit_length – The bit length of this secret key
mode – The algorithm mode used with this secret key
payload_content_type – The format/type of the secret data
expiration – The expiration time of the secret in ISO 8601 format
- Returns:
KeyOrder
- Return type:
- Raises:
barbicanclient.exceptions.HTTPAuthError – 401 Responses
barbicanclient.exceptions.HTTPClientError – 4xx Responses
barbicanclient.exceptions.HTTPServerError – 5xx Responses
- delete(order_ref)
Delete an Order from Barbican
- Parameters:
order_ref – Full HATEOAS reference to an Order, or a UUID
- get(order_ref)
Retrieve an existing Order from Barbican
- Parameters:
order_ref – Full HATEOAS reference to an Order, or a UUID
- Returns:
An instance of the appropriate subtype of Order
- Raises:
barbicanclient.exceptions.HTTPAuthError – 401 Responses
barbicanclient.exceptions.HTTPClientError – 4xx Responses
barbicanclient.exceptions.HTTPServerError – 5xx Responses
- list(limit=10, offset=0)
List Orders for the project
This method uses the limit and offset parameters for paging.
- Parameters:
limit – Max number of orders returned
offset – Offset orders to begin list
- Returns:
list of Order objects
- Raises:
barbicanclient.exceptions.HTTPAuthError – 401 Responses
barbicanclient.exceptions.HTTPClientError – 4xx Responses
barbicanclient.exceptions.HTTPServerError – 5xx Responses
- class barbicanclient.v1.orders.Order(api, type, status=None, created=None, updated=None, meta=None, order_ref=None, error_status_code=None, error_reason=None, sub_status=None, sub_status_message=None, creator_id=None)
Base order object to hold common functionality
This should be considered an abstract class that should not be instantiated directly.
- delete()
Deletes the Order from Barbican
- submit()
Submit the Order to Barbican.
New Order objects are not persisted in Barbican until this method is called.
- class barbicanclient.v1.orders.KeyOrder(api, name=None, algorithm=None, bit_length=None, mode=None, expiration=None, payload_content_type=None, status=None, created=None, updated=None, order_ref=None, secret_ref=None, error_status_code=None, error_reason=None, sub_status=None, sub_status_message=None, creator_id=None)
KeyOrders can be used to request random key material from Barbican
- property mode
Encryption mode being used with this key
The mode could be set to “CBC” for example, when requesting a key that will be used for AES encryption in CBC mode.
- class barbicanclient.v1.orders.AsymmetricOrder(api, name=None, algorithm=None, bit_length=None, mode=None, passphrase=None, pass_phrase=None, expiration=None, payload_content_type=None, status=None, created=None, updated=None, order_ref=None, container_ref=None, error_status_code=None, error_reason=None, sub_status=None, sub_status_message=None, creator_id=None)
- property pass_phrase
Passphrase to be used for passphrase protected asymmetric keys
Containers
- class barbicanclient.v1.containers.ContainerManager(api)
EntityManager for Container entities
You should use the ContainerManager exposed by the Client and should not need to instantiate your own.
- create(name=None, secrets=None)
Factory method for Container objects
Container objects returned by this method have not yet been stored in Barbican.
- Parameters:
name – A friendly name for the Container
secrets – Secrets to populate when creating a Container
- Returns:
Container
- Return type:
- Raises:
barbicanclient.exceptions.HTTPAuthError – 401 Responses
barbicanclient.exceptions.HTTPClientError – 4xx Responses
barbicanclient.exceptions.HTTPServerError – 5xx Responses
- create_certificate(name=None, certificate=None, intermediates=None, private_key=None, private_key_passphrase=None)
Factory method for CertificateContainer objects
CertificateContainer objects returned by this method have not yet been stored in Barbican.
- Parameters:
name – A friendly name for the CertificateContainer
certificate – Secret object containing a Certificate
intermediates – Secret object containing Intermediate Certs
private_key – Secret object containing a Private Key
private_key_passphrase – Secret object containing a passphrase
- Returns:
CertificateContainer
- Return type:
- Raises:
barbicanclient.exceptions.HTTPAuthError – 401 Responses
barbicanclient.exceptions.HTTPClientError – 4xx Responses
barbicanclient.exceptions.HTTPServerError – 5xx Responses
- create_rsa(name=None, public_key=None, private_key=None, private_key_passphrase=None)
Factory method for RSAContainer objects
RSAContainer objects returned by this method have not yet been stored in Barbican.
- Parameters:
name – A friendly name for the RSAContainer
public_key – Secret object containing a Public Key
private_key – Secret object containing a Private Key
private_key_passphrase – Secret object containing a passphrase
- Returns:
RSAContainer
- Return type:
- Raises:
barbicanclient.exceptions.HTTPAuthError – 401 Responses
barbicanclient.exceptions.HTTPClientError – 4xx Responses
barbicanclient.exceptions.HTTPServerError – 5xx Responses
- delete(container_ref)
Delete a Container from Barbican
- Parameters:
container_ref – Full HATEOAS reference to a Container, or a UUID
- Raises:
barbicanclient.exceptions.HTTPAuthError – 401 Responses
barbicanclient.exceptions.HTTPClientError – 4xx Responses
barbicanclient.exceptions.HTTPServerError – 5xx Responses
- get(container_ref)
Retrieve an existing Container from Barbican
- Parameters:
container_ref – Full HATEOAS reference to a Container, or a UUID
- Returns:
Container object or a subclass of the appropriate type
- list(limit=10, offset=0, name=None, type=None)
List containers for the project.
This method uses the limit and offset parameters for paging.
- Parameters:
limit – Max number of containers returned
offset – Offset containers to begin list
name – Name filter for the list
type – Type filter for the list
- Returns:
list of Container metadata objects
- Raises:
barbicanclient.exceptions.HTTPAuthError – 401 Responses
barbicanclient.exceptions.HTTPClientError – 4xx Responses
barbicanclient.exceptions.HTTPServerError – 5xx Responses
- register_consumer(container_ref, name, url)
Add a consumer to the container
- Parameters:
container_ref – Full HATEOAS reference to a Container, or a UUID
name – Name of the consuming service
url – URL of the consuming resource
- Returns:
A container object per the get() method
- Raises:
barbicanclient.exceptions.HTTPAuthError – 401 Responses
barbicanclient.exceptions.HTTPClientError – 4xx Responses
barbicanclient.exceptions.HTTPServerError – 5xx Responses
- remove_consumer(container_ref, name, url)
Remove a consumer from the container
- Parameters:
container_ref – Full HATEOAS reference to a Container, or a UUID
name – Name of the previously consuming service
url – URL of the previously consuming resource
- Raises:
barbicanclient.exceptions.HTTPAuthError – 401 Responses
barbicanclient.exceptions.HTTPClientError – 4xx Responses
barbicanclient.exceptions.HTTPServerError – 5xx Responses
- class barbicanclient.v1.containers.Container(api, name=None, secrets=None, consumers=None, container_ref=None, created=None, updated=None, status=None, secret_refs=None)
Container is a generic grouping of Secrets
- property acls
Get ACL settings for this container.
- delete()
Delete container from Barbican
- property secrets
List of Secrets in Containers
- store()
Store Container in Barbican
- class barbicanclient.v1.containers.RSAContainer(api, name=None, public_key=None, private_key=None, private_key_passphrase=None, consumers=[], container_ref=None, created=None, updated=None, status=None, public_key_ref=None, private_key_ref=None, private_key_passphrase_ref=None)
- property private_key
Secret containing the Private Key
- property private_key_passphrase
Secret containing the Passphrase
- property public_key
Secret containing the Public Key
- class barbicanclient.v1.containers.CertificateContainer(api, name=None, certificate=None, intermediates=None, private_key=None, private_key_passphrase=None, consumers=[], container_ref=None, created=None, updated=None, status=None, certificate_ref=None, intermediates_ref=None, private_key_ref=None, private_key_passphrase_ref=None)
- property certificate
Secret containing the certificate
- property intermediates
Secret containing intermediate certificates
- property private_key
Secret containing the private key
- property private_key_passphrase
Secret containing the passphrase
ACLs
- class barbicanclient.v1.acls.ACLManager(api)
Entity Manager for Secret or Container ACL entities
- create(entity_ref=None, users=None, project_access=None, operation_type='read')
Factory method for creating ACL entity.
ACL objects returned by this method have not yet been stored in Barbican.
Input entity_ref is used to determine whether the ACL object type needs to be barbicanclient.acls.SecretACL or barbicanclient.acls.ContainerACL.
- Parameters:
entity_ref (str) – Full HATEOAS reference to a secret or container
users (List or None) – List of Keystone userid(s) to be used in ACL.
project_access (bool) – Flag indicating project access behavior
operation_type (str) – Type indicating which class of Barbican operations this ACL is defined for e.g. ‘read’ operations
- Returns:
ACL object instance
- Return type:
barbicanclient.v1.acls.SecretACL or barbicanclient.v1.acls.ContainerACL
- get(entity_ref)
Retrieve existing ACLs for a secret or container found in Barbican
- Parameters:
entity_ref (str) – Full HATEOAS reference to a secret or container.
- Returns:
ACL entity object instance
- Return type:
barbicanclient.v1.acls.SecretACL or barbicanclient.v1.acls.ContainerACL
- Raises:
barbicanclient.exceptions.HTTPAuthError – 401 Responses
barbicanclient.exceptions.HTTPClientError – 4xx Responses
- class barbicanclient.v1.acls.SecretACL(api, entity_ref, users=None, project_access=None, operation_type='read', created=None, updated=None)
ACL entity for a secret
Base ACL entity instance for secret or container.
Provide ACL data arguments to set ACL setting for given operation_type.
To add ACL setting for other operation types, use add_operation_acl method.
- Parameters:
api – client instance reference
entity_ref (str) – Full HATEOAS reference to a secret or container
users (str List or None) – List of Keystone userid(s) to be used for ACL.
project_access (bool) – Flag indicating project access behavior
operation_type (str) – Type indicating which class of Barbican operations this ACL is defined for e.g. ‘read’ operations
created (str) – Time string indicating ACL create timestamp. This is populated only when populating data from api response. Not needed in client input.
updated (str) – Time string indicating ACL last update timestamp. This is populated only when populating data from api response. Not needed in client input.
- add_operation_acl(users=None, project_access=None, operation_type=None, created=None, updated=None)
Add ACL settings to entity for specific operation type.
If an ACL for the matching operation_type already exists, it is replaced with a new PerOperationACL object built from the provided inputs. Otherwise a new PerOperationACL object is appended to the existing per-operation ACL list.
This only changes the local entity; the changes have not yet been applied to the server.
- Parameters:
users (List or None) – List of Keystone userid(s) to be used in ACL.
project_access (bool) – Flag indicating project access behavior
operation_type (str) – Type indicating which class of Barbican operations this ACL is defined for e.g. ‘read’ operations
created (str) – Time string indicating ACL create timestamp. This is populated only when populating data from api response. Not needed in client input.
updated (str) – Time string indicating ACL last update timestamp. This is populated only when populating data from api response. Not needed in client input.
- property entity_ref
Entity URI reference.
- property entity_uuid
Entity UUID
- get(operation_type)
Get operation specific ACL instance.
- Parameters:
operation_type (str) – Type indicating which operation’s ACL setting is needed.
- load_acls_data()
Loads ACL entity from Barbican server using its acl_ref
Clears the existing list of per-operation ACL settings, if any, and populates the current ACL entity with the ACL settings received from the Barbican server.
- Raises:
barbicanclient.exceptions.HTTPAuthError – 401 Responses
barbicanclient.exceptions.HTTPClientError – 4xx Responses
barbicanclient.exceptions.HTTPServerError – 5xx Responses
- property operation_acls
List of operation specific ACL settings.
- remove()
Remove Barbican ACLs setting defined for a secret or container
- Raises:
barbicanclient.exceptions.HTTPAuthError – 401 Responses
barbicanclient.exceptions.HTTPClientError – 4xx Responses
- submit()
Submits ACLs for a secret or a container defined in server
If an ACL already exists, this overwrites the existing ACL settings with the provided inputs. If the input users are None or an empty list, any existing ACL users are removed. If the input project_access flag is None, the default project access behavior is enabled.
- Returns:
str acl_ref: Full HATEOAS reference to a secret or container ACL.
- Raises:
barbicanclient.exceptions.HTTPAuthError – 401 Responses
barbicanclient.exceptions.HTTPClientError – 4xx Responses
barbicanclient.exceptions.HTTPServerError – 5xx Responses
- class barbicanclient.v1.acls.ContainerACL(api, entity_ref, users=None, project_access=None, operation_type='read', created=None, updated=None)
ACL entity for a container
Base ACL entity instance for secret or container.
Provide ACL data arguments to set ACL setting for given operation_type.
To add ACL setting for other operation types, use add_operation_acl method.
- Parameters:
api – client instance reference
entity_ref (str) – Full HATEOAS reference to a secret or container
users (str List or None) – List of Keystone userid(s) to be used for ACL.
project_access (bool) – Flag indicating project access behavior
operation_type (str) – Type indicating which class of Barbican operations this ACL is defined for e.g. ‘read’ operations
created (str) – Time string indicating ACL create timestamp. This is populated only when populating data from api response. Not needed in client input.
updated (str) – Time string indicating ACL last update timestamp. This is populated only when populating data from api response. Not needed in client input.
- add_operation_acl(users=None, project_access=None, operation_type=None, created=None, updated=None)
Add ACL settings to entity for specific operation type.
If an ACL for the matching operation_type already exists, it is replaced with a new PerOperationACL object built from the provided inputs. Otherwise a new PerOperationACL object is appended to the existing per-operation ACL list.
This only changes the local entity; the changes have not yet been applied to the server.
- Parameters:
users (List or None) – List of Keystone userid(s) to be used in ACL.
project_access (bool) – Flag indicating project access behavior
operation_type (str) – Type indicating which class of Barbican operations this ACL is defined for e.g. ‘read’ operations
created (str) – Time string indicating ACL create timestamp. This is populated only when populating data from api response. Not needed in client input.
updated (str) – Time string indicating ACL last update timestamp. This is populated only when populating data from api response. Not needed in client input.
- property entity_ref
Entity URI reference.
- property entity_uuid
Entity UUID
- get(operation_type)
Get operation specific ACL instance.
- Parameters:
operation_type (str) – Type indicating which operation’s ACL setting is needed.
- load_acls_data()
Loads ACL entity from Barbican server using its acl_ref
Clears the existing list of per-operation ACL settings, if any, and populates the current ACL entity with the ACL settings received from the Barbican server.
- Raises:
barbicanclient.exceptions.HTTPAuthError – 401 Responses
barbicanclient.exceptions.HTTPClientError – 4xx Responses
barbicanclient.exceptions.HTTPServerError – 5xx Responses
- property operation_acls
List of operation specific ACL settings.
- remove()
Remove Barbican ACLs setting defined for a secret or container
- Raises:
barbicanclient.exceptions.HTTPAuthError – 401 Responses
barbicanclient.exceptions.HTTPClientError – 4xx Responses
- submit()
Submits ACLs for a secret or a container defined in server
If an ACL already exists, this overwrites the existing ACL settings with the provided inputs. If the input users are None or an empty list, any existing ACL users are removed. If the input project_access flag is None, the default project access behavior is enabled.
- Returns:
str acl_ref: Full HATEOAS reference to a secret or container ACL.
- Raises:
barbicanclient.exceptions.HTTPAuthError – 401 Responses
barbicanclient.exceptions.HTTPClientError – 4xx Responses
barbicanclient.exceptions.HTTPServerError – 5xx Responses
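An added example, not barbicanclient code, of why the overwrite semantics of submit() matter when granting one more user read access: submitting a freshly built ACL drops the existing users and falls back to default project access, while loading, merging and resubmitting keeps both. FakeACL and FakeACLManager are constructed in-memory stand-ins for client.acls that model only the behaviour documented above; the .users and .project_access attributes on the per-operation object, and "default" meaning project-wide access, are assumptions.

```python
from types import SimpleNamespace


# --- Constructed stand-ins for client.acls; the Fake* names are not barbicanclient's ---
class FakeACL:
    def __init__(self, server, entity_ref, users=None, project_access=None,
                 operation_type="read"):
        self._server, self.entity_ref, self._ops = server, entity_ref, {}
        self.add_operation_acl(users, project_access, operation_type)

    def add_operation_acl(self, users=None, project_access=None, operation_type=None):
        # Replaces any local entry for the same operation type.
        self._ops[operation_type] = SimpleNamespace(
            users=list(users or []), project_access=project_access)

    def get(self, operation_type):
        return self._ops.get(operation_type)

    def submit(self):
        # Overwrites the stored ACL. Stub assumption: project_access=None
        # falls back to the default, modelled here as project-wide access (True).
        self._server[self.entity_ref] = {
            op: {"users": list(s.users),
                 "project_access": True if s.project_access is None else s.project_access}
            for op, s in self._ops.items()}


class FakeACLManager:
    def __init__(self):
        self.server = {}  # entity_ref -> stored ACL settings

    def create(self, entity_ref=None, users=None, project_access=None,
               operation_type="read"):
        return FakeACL(self.server, entity_ref, users, project_access, operation_type)

    def get(self, entity_ref):
        stored = self.server.get(entity_ref, {}).get("read", {})
        return FakeACL(self.server, entity_ref, stored.get("users"),
                       stored.get("project_access"))


def grant_read_naive(acls, entity_ref, user_id):
    """Weak pattern: a fresh ACL replaces whatever the server already held."""
    acls.create(entity_ref=entity_ref, users=[user_id]).submit()


def grant_read(acls, entity_ref, user_id):
    """Load the current ACL, merge the new user in, keep project_access unchanged."""
    acl = acls.get(entity_ref)
    current = acl.get("read")
    # Assumption: the per-operation object exposes .users and .project_access.
    users = list(current.users) if current is not None else []
    if user_id not in users:
        users.append(user_id)
    keep_access = current.project_access if current is not None else None
    acl.add_operation_acl(users=users, project_access=keep_access,
                          operation_type="read")
    acl.submit()


def demo(grant):
    acls = FakeACLManager()
    # Constructed reference; not a real endpoint or secret.
    ref = "https://barbican.example/v1/secrets/00000000-0000-0000-0000-000000000000"
    # Starting state: a private secret readable only by "alice".
    acls.create(entity_ref=ref, users=["alice"], project_access=False).submit()
    grant(acls, ref, "bob")
    return acls.server[ref]["read"]


if __name__ == "__main__":
    print("naive :", demo(grant_read_naive))
    print("merged:", demo(grant_read))
```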
Exceptions
- exception barbicanclient.exceptions.BarbicanException
- exception barbicanclient.exceptions.HTTPAuthError(message, status_code=401)
Raised for 401 Unauthorized responses from the server.
- exception barbicanclient.exceptions.HTTPClientError(message, status_code=0)
Raised for 4xx responses from the server.
- exception barbicanclient.exceptions.HTTPError(message, status_code=0)
Base exception for HTTP errors.
- exception barbicanclient.exceptions.HTTPServerError(message, status_code=0)
Raised for 5xx responses from the server.
- exception barbicanclient.exceptions.PayloadException
- exception barbicanclient.exceptions.UnsupportedVersion
User is trying to use an unsupported version of the API.