コード例 #1
0
    def test_is_encrypted(self):
        volume_type = volume_types.create(self.ctxt, "type1")
        volume_type_id = volume_type.get("id")
        self.assertFalse(volume_types.is_encrypted(self.ctxt, volume_type_id))

        encryption = {"control_location": "front-end", "provider": "fake_provider"}
        db_api.volume_type_encryption_create(self.ctxt, volume_type_id, encryption)
        self.assertTrue(volume_types.is_encrypted(self.ctxt, volume_type_id))
コード例 #2
0
    def test_is_encrypted(self):
        volume_type = volume_types.create(self.ctxt, "type1")
        volume_type_id = volume_type.get('id')
        self.assertFalse(volume_types.is_encrypted(self.ctxt, volume_type_id))

        encryption = {
            'control_location': 'front-end',
            'provider': 'fake_provider',
        }
        db_api.volume_type_encryption_create(self.ctxt, volume_type_id,
                                             encryption)
        self.assertTrue(volume_types.is_encrypted(self.ctxt, volume_type_id))
コード例 #3
0
    def test_is_encrypted(self):
        volume_type = volume_types.create(self.ctxt, "type1")
        volume_type_id = volume_type.get('id')
        self.assertFalse(volume_types.is_encrypted(self.ctxt, volume_type_id))

        encryption = {
            'control_location': 'front-end',
            'provider': 'fake_provider',
        }
        db_api.volume_type_encryption_create(self.ctxt, volume_type_id,
                                             encryption)
        self.assertTrue(volume_types.is_encrypted(self.ctxt, volume_type_id))
コード例 #4
0
    def _get_encryption_key_id(self, key_manager, context, volume_type_id,
                               snapshot, source_volume, image_metadata):
        encryption_key_id = None
        if volume_types.is_encrypted(context, volume_type_id):
            if snapshot is not None:  # creating from snapshot
                encryption_key_id = snapshot['encryption_key_id']
            elif source_volume is not None:  # cloning volume
                encryption_key_id = source_volume['encryption_key_id']
            elif image_metadata is not None:
                # creating from image
                encryption_key_id = image_metadata.get(
                    'cinder_encryption_key_id')

            # NOTE(joel-coffman): References to the encryption key should *not*
            # be copied because the key is deleted when the volume is deleted.
            # Clone the existing key and associate a separate -- but
            # identical -- key with each volume.
            if encryption_key_id is not None:
                encryption_key_id = volume_utils.clone_encryption_key(
                    context, key_manager, encryption_key_id)
            else:
                encryption_key_id = volume_utils.create_encryption_key(
                    context, key_manager, volume_type_id)

        return encryption_key_id
コード例 #5
0
ファイル: create_volume.py プロジェクト: mahak/cinder
    def _get_encryption_key_id(self, key_manager, context, volume_type_id,
                               snapshot, source_volume,
                               image_metadata):
        encryption_key_id = None
        if volume_types.is_encrypted(context, volume_type_id):
            if snapshot is not None:  # creating from snapshot
                encryption_key_id = snapshot['encryption_key_id']
            elif source_volume is not None:  # cloning volume
                encryption_key_id = source_volume['encryption_key_id']
            elif image_metadata is not None:
                # creating from image
                encryption_key_id = image_metadata.get(
                    'cinder_encryption_key_id')

            # NOTE(joel-coffman): References to the encryption key should *not*
            # be copied because the key is deleted when the volume is deleted.
            # Clone the existing key and associate a separate -- but
            # identical -- key with each volume.
            if encryption_key_id is not None:
                encryption_key_id = vol_utils.clone_encryption_key(
                    context,
                    key_manager,
                    encryption_key_id)
            else:
                encryption_key_id = vol_utils.create_encryption_key(
                    context,
                    key_manager,
                    volume_type_id)

        return encryption_key_id
コード例 #6
0
ファイル: create_volume.py プロジェクト: yenai2009/cinder
    def _get_encryption_key_id(self, key_manager, context, volume_type_id,
                               snapshot, source_volume):
        encryption_key_id = None
        if volume_types.is_encrypted(context, volume_type_id):
            if snapshot is not None:  # creating from snapshot
                encryption_key_id = snapshot['encryption_key_id']
            elif source_volume is not None:  # cloning volume
                encryption_key_id = source_volume['encryption_key_id']

            # NOTE(joel-coffman): References to the encryption key should *not*
            # be copied because the key is deleted when the volume is deleted.
            # Clone the existing key and associate a separate -- but
            # identical -- key with each volume.
            if encryption_key_id is not None:
                encryption_key_id = key_manager.store(
                    context, key_manager.get(context, encryption_key_id))
            else:
                volume_type_encryption = (
                    volume_types.get_volume_type_encryption(
                        context, volume_type_id))
                cipher = volume_type_encryption.cipher
                length = volume_type_encryption.key_size

                # NOTE(kaitlin-farr): dm-crypt expects the cipher in a
                # hyphenated format (aes-xts-plain64). The algorithm needs
                # to be parsed out to pass to the key manager (aes).
                algorithm = cipher.split('-')[0] if cipher else None
                encryption_key_id = key_manager.create_key(context,
                                                           algorithm=algorithm,
                                                           length=length)

        return encryption_key_id
コード例 #7
0
ファイル: create_volume.py プロジェクト: openstack/cinder
    def _get_encryption_key_id(
            self, key_manager, context: context.RequestContext,
            volume_type_id: str, snapshot: Optional[objects.Snapshot],
            source_volume: Optional[objects.Volume],
            image_metadata: Optional[dict[str, Any]]) -> Optional[str]:
        if volume_types.is_encrypted(context, volume_type_id):
            encryption_key_id = None

            if snapshot is not None:  # creating from snapshot
                encryption_key_id = snapshot['encryption_key_id']
            elif source_volume is not None:  # cloning volume
                encryption_key_id = source_volume['encryption_key_id']
            elif image_metadata is not None:
                # creating from image
                encryption_key_id = image_metadata.get(
                    'cinder_encryption_key_id')

            # NOTE(joel-coffman): References to the encryption key should *not*
            # be copied because the key is deleted when the volume is deleted.
            # Clone the existing key and associate a separate -- but
            # identical -- key with each volume.
            new_encryption_key_id: Optional[str]
            if encryption_key_id is not None:
                new_encryption_key_id = volume_utils.clone_encryption_key(
                    context, key_manager, encryption_key_id)
            else:
                new_encryption_key_id = volume_utils.create_encryption_key(
                    context, key_manager, volume_type_id)

            return new_encryption_key_id
        else:
            return None
コード例 #8
0
ファイル: create_volume.py プロジェクト: NetApp/cinder
    def _get_encryption_key_id(self, key_manager, context, volume_type_id,
                               snapshot, source_volume):
        encryption_key_id = None
        if volume_types.is_encrypted(context, volume_type_id):
            if snapshot is not None:  # creating from snapshot
                encryption_key_id = snapshot['encryption_key_id']
            elif source_volume is not None:  # cloning volume
                encryption_key_id = source_volume['encryption_key_id']

            # NOTE(joel-coffman): References to the encryption key should *not*
            # be copied because the key is deleted when the volume is deleted.
            # Clone the existing key and associate a separate -- but
            # identical -- key with each volume.
            if encryption_key_id is not None:
                encryption_key_id = key_manager.store(
                    context, key_manager.get(context, encryption_key_id))
            else:
                volume_type_encryption = (
                    volume_types.get_volume_type_encryption(context,
                                                            volume_type_id))
                cipher = volume_type_encryption.cipher
                length = volume_type_encryption.key_size

                # NOTE(kaitlin-farr): dm-crypt expects the cipher in a
                # hyphenated format (aes-xts-plain64). The algorithm needs
                # to be parsed out to pass to the key manager (aes).
                algorithm = cipher.split('-')[0] if cipher else None
                encryption_key_id = key_manager.create_key(context,
                                                           algorithm=algorithm,
                                                           length=length)

        return encryption_key_id
コード例 #9
0
def create_encryption_key(context, key_manager, volume_type_id):
    encryption_key_id = None
    if volume_types.is_encrypted(context, volume_type_id):
        volume_type_encryption = (volume_types.get_volume_type_encryption(
            context, volume_type_id))
        cipher = volume_type_encryption.cipher
        length = volume_type_encryption.key_size
        algorithm = cipher.split('-')[0] if cipher else None
        encryption_key_id = key_manager.create_key(context,
                                                   algorithm=algorithm,
                                                   length=length)
    return encryption_key_id
コード例 #10
0
ファイル: utils.py プロジェクト: Nexenta/cinder
def create_encryption_key(context, key_manager, volume_type_id):
    encryption_key_id = None
    if volume_types.is_encrypted(context, volume_type_id):
        volume_type_encryption = (
            volume_types.get_volume_type_encryption(context,
                                                    volume_type_id))
        cipher = volume_type_encryption.cipher
        length = volume_type_encryption.key_size
        algorithm = cipher.split('-')[0] if cipher else None
        encryption_key_id = key_manager.create_key(
            context,
            algorithm=algorithm,
            length=length)
    return encryption_key_id
コード例 #11
0
    def _get_encryption_key_id(self, key_manager, context, volume_type_id,
                               snapshot, source_volume,
                               image_metadata):
        encryption_key_id = None
        if volume_types.is_encrypted(context, volume_type_id):
            if snapshot is not None:  # creating from snapshot
                encryption_key_id = snapshot['encryption_key_id']
            elif source_volume is not None:  # cloning volume
                encryption_key_id = source_volume['encryption_key_id']
            elif image_metadata is not None:
                # creating from image
                encryption_key_id = image_metadata.get(
                    'cinder_encryption_key_id')

            # NOTE(joel-coffman): References to the encryption key should *not*
            # be copied because the key is deleted when the volume is deleted.
            # Clone the existing key and associate a separate -- but
            # identical -- key with each volume.
            if encryption_key_id is not None:
                encryption_key_id = key_manager.store(
                    context, key_manager.get(context, encryption_key_id))
            else:
                volume_type_encryption = (
                    volume_types.get_volume_type_encryption(context,
                                                            volume_type_id))
                cipher = volume_type_encryption.cipher
                length = volume_type_encryption.key_size

                # NOTE(kaitlin-farr): dm-crypt expects the cipher in a
                # hyphenated format (aes-xts-plain64). The algorithm needs
                # to be parsed out to pass to the key manager (aes).
                algorithm = cipher.split('-')[0] if cipher else None
                try:
                    encryption_key_id = key_manager.create_key(
                        context,
                        algorithm=algorithm,
                        length=length)
                except castellan_exc.KeyManagerError:
                    # The messaging back to the client here is
                    # purposefully terse, so we don't leak any sensitive
                    # details.
                    LOG.exception("Key manager error")
                    raise exception.Invalid(message="Key manager error")

        return encryption_key_id
コード例 #12
0
ファイル: create_volume.py プロジェクト: Ericyuanhui/cinder
    def _get_encryption_key_id(self, key_manager, context, volume_type_id, snapshot, source_volume):
        encryption_key_id = None
        if volume_types.is_encrypted(context, volume_type_id):
            if snapshot is not None:  # creating from snapshot
                encryption_key_id = snapshot["encryption_key_id"]
            elif source_volume is not None:  # cloning volume
                encryption_key_id = source_volume["encryption_key_id"]

            # NOTE(joel-coffman): References to the encryption key should *not*
            # be copied because the key is deleted when the volume is deleted.
            # Clone the existing key and associate a separate -- but
            # identical -- key with each volume.
            if encryption_key_id is not None:
                encryption_key_id = key_manager.copy_key(context, encryption_key_id)
            else:
                encryption_key_id = key_manager.create_key(context)

        return encryption_key_id
コード例 #13
0
ファイル: utils.py プロジェクト: knitmesh/cinder
def create_encryption_key(context, key_manager, volume_type_id):
    encryption_key_id = None
    if volume_types.is_encrypted(context, volume_type_id):
        volume_type_encryption = (volume_types.get_volume_type_encryption(
            context, volume_type_id))
        cipher = volume_type_encryption.cipher
        length = volume_type_encryption.key_size
        algorithm = cipher.split('-')[0] if cipher else None
        try:
            encryption_key_id = key_manager.create_key(context,
                                                       algorithm=algorithm,
                                                       length=length)
        except castellan_exception.KeyManagerError:
            # The messaging back to the client here is
            # purposefully terse, so we don't leak any sensitive
            # details.
            LOG.exception("Key manager error")
            raise exception.Invalid(message="Key manager error")

    return encryption_key_id
コード例 #14
0
    def _get_encryption_key_id(self, key_manager, context, volume_type_id,
                               snapshot, source_volume, backup_source_volume):
        encryption_key_id = None
        if volume_types.is_encrypted(context, volume_type_id):
            if snapshot is not None:  # creating from snapshot
                encryption_key_id = snapshot['encryption_key_id']
            elif source_volume is not None:  # cloning volume
                encryption_key_id = source_volume['encryption_key_id']
            elif backup_source_volume is not None:  # creating from backup
                encryption_key_id = backup_source_volume['encryption_key_id']

            # NOTE(joel-coffman): References to the encryption key should *not*
            # be copied because the key is deleted when the volume is deleted.
            # Clone the existing key and associate a separate -- but
            # identical -- key with each volume.
            if encryption_key_id is not None:
                encryption_key_id = key_manager.copy_key(
                    context, encryption_key_id)
            else:
                encryption_key_id = key_manager.create_key(context)

        return encryption_key_id
コード例 #15
0
ファイル: utils.py プロジェクト: j-griffith/cinder
def create_encryption_key(context, key_manager, volume_type_id):
    encryption_key_id = None
    if volume_types.is_encrypted(context, volume_type_id):
        volume_type_encryption = (
            volume_types.get_volume_type_encryption(context,
                                                    volume_type_id))
        cipher = volume_type_encryption.cipher
        length = volume_type_encryption.key_size
        algorithm = cipher.split('-')[0] if cipher else None
        try:
            encryption_key_id = key_manager.create_key(
                context,
                algorithm=algorithm,
                length=length)
        except castellan_exception.KeyManagerError:
            # The messaging back to the client here is
            # purposefully terse, so we don't leak any sensitive
            # details.
            LOG.exception("Key manager error")
            raise exception.Invalid(message="Key manager error")

    return encryption_key_id
コード例 #16
0
 def _is_volume_type_encrypted(self, context, volume_id):
     volume_ref = db.volume_get(context, volume_id)
     volume_type_id = volume_ref["volume_type_id"]
     return volume_types.is_encrypted(context, volume_type_id)
コード例 #17
0
ファイル: create_volume.py プロジェクト: suman-d/cinder
    def execute(self, context, size, snapshot, image_id, source_volume,
                availability_zone, volume_type, metadata, key_manager,
                source_replica, consistencygroup, cgsnapshot):

        utils.check_exclusive_options(snapshot=snapshot,
                                      imageRef=image_id,
                                      source_volume=source_volume)
        policy.enforce_action(context, ACTION)

        # TODO(harlowja): what guarantee is there that the snapshot or source
        # volume will remain available after we do this initial verification??
        snapshot_id = self._extract_snapshot(snapshot)
        source_volid = self._extract_source_volume(source_volume)
        source_replicaid = self._extract_source_replica(source_replica)
        size = self._extract_size(size, source_volume, snapshot)
        consistencygroup_id = self._extract_consistencygroup(consistencygroup)
        cgsnapshot_id = self._extract_cgsnapshot(cgsnapshot)

        self._check_image_metadata(context, image_id, size)

        availability_zone = self._extract_availability_zone(availability_zone,
                                                            snapshot,
                                                            source_volume)

        # TODO(joel-coffman): This special handling of snapshots to ensure that
        # their volume type matches the source volume is too convoluted. We
        # should copy encryption metadata from the encrypted volume type to the
        # volume upon creation and propagate that information to each snapshot.
        # This strategy avoids any dependency upon the encrypted volume type.
        def_vol_type = volume_types.get_default_volume_type()
        if not volume_type and not source_volume and not snapshot:
            image_volume_type = self._get_image_volume_type(context, image_id)
            volume_type = (image_volume_type if image_volume_type else
                           def_vol_type)

        # When creating a clone of a replica (replication test), we can't
        # use the volume type of the replica, therefore, we use the default.
        # NOTE(ronenkat): this assumes the default type is not replicated.
        if source_replicaid:
            volume_type = def_vol_type

        volume_type_id = self._get_volume_type_id(volume_type,
                                                  source_volume, snapshot)

        if image_id and volume_types.is_encrypted(context, volume_type_id):
            msg = _('Create encrypted volumes with type %(type)s '
                    'from image %(image)s is not supported.')
            msg = msg % {'type': volume_type_id,
                         'image': image_id, }
            raise exception.InvalidInput(reason=msg)

        encryption_key_id = self._get_encryption_key_id(key_manager,
                                                        context,
                                                        volume_type_id,
                                                        snapshot,
                                                        source_volume)

        specs = {}
        if volume_type_id:
            qos_specs = volume_types.get_volume_type_qos_specs(volume_type_id)
            if qos_specs['qos_specs']:
                specs = qos_specs['qos_specs'].get('specs', {})
        if not specs:
            # to make sure we don't pass empty dict
            specs = None

        utils.check_metadata_properties(metadata)

        return {
            'size': size,
            'snapshot_id': snapshot_id,
            'source_volid': source_volid,
            'availability_zone': availability_zone,
            'volume_type': volume_type,
            'volume_type_id': volume_type_id,
            'encryption_key_id': encryption_key_id,
            'qos_specs': specs,
            'source_replicaid': source_replicaid,
            'consistencygroup_id': consistencygroup_id,
            'cgsnapshot_id': cgsnapshot_id,
        }
コード例 #18
0
 def _is_volume_type_encrypted(self, context, volume_id):
     volume_ref = db.volume_get(context, volume_id)
     volume_type_id = volume_ref['volume_type_id']
     return volume_types.is_encrypted(context, volume_type_id)