Stein Series Release Notes
Add a new parameter, verify_ssl_path, that can be used to configure the path to CA certs when verifying requests to Barbican.
Fixed VaultKeyManager.create_key() to treat the length param as bits instead of bytes for the key length. This was causing a discrepancy between keys generated by the HashiCorp Vault backend and the OpenStack Barbican backend. Considering km as an instance of a key manager, the code km.create_key(ctx, "AES", 256) was generating a 256-bit AES key when Barbican was configured as the backend, but a 2048-bit AES key when Vault was configured as the backend.
Added support for AppRole-based authentication to the Vault key manager, configured using the new approle_role_id and optional approle_secret_id options. (https://www.vaultproject.io/docs/auth/approle.html)
Added a configuration option to the Vault key manager to allow the KV store mountpoint in Vault to be specified; the existing default of ‘secret’ is maintained.
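The create_key() length fix above, modelled as an added example (this is not Castellan's code; create_key_bits, create_key_bytes, audit_key and usable_as_aes are hypothetical names). It shows the bits/bytes discrepancy and a check that flags stored keys whose size matches the pre-fix behaviour.

```python
import os

AES_KEY_BITS = (128, 192, 256)  # the only valid AES key sizes


def create_key_bits(length_bits):
    """Fixed behaviour: 'length' is a bit count, as with the Barbican backend."""
    if length_bits % 8:
        raise ValueError("length must be a multiple of 8 bits")
    return os.urandom(length_bits // 8)


def create_key_bytes(length):
    """Pre-fix behaviour described in the note: 'length' read as a byte count."""
    return os.urandom(length)


def audit_key(requested_bits, encoded):
    """Classify a stored key against the length that was requested for it."""
    if len(encoded) * 8 == requested_bits:
        return "ok"
    if len(encoded) == requested_bits:
        return "length-read-as-bytes"  # key is 8x longer than requested
    return "mismatch"


def usable_as_aes(encoded):
    """True only if the raw key material is a valid AES key size."""
    return len(encoded) * 8 in AES_KEY_BITS


if __name__ == "__main__":
    # Constructed sample: the same request, length=256, against both behaviours.
    for name, make in (("bits", create_key_bits), ("bytes", create_key_bytes)):
        key = make(256)
        print(name, len(key) * 8, audit_key(256, key), usable_as_aes(key))
```

A key flagged length-read-as-bytes is not a valid AES key as stored, so any consumer that accepted it should be checked for how it derived or truncated the working key.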