def test_is_encrypted(self): volume_type = volume_types.create(self.ctxt, "type1") volume_type_id = volume_type.get("id") self.assertFalse(volume_types.is_encrypted(self.ctxt, volume_type_id)) encryption = {"control_location": "front-end", "provider": "fake_provider"} db_api.volume_type_encryption_create(self.ctxt, volume_type_id, encryption) self.assertTrue(volume_types.is_encrypted(self.ctxt, volume_type_id))
def test_is_encrypted(self): volume_type = volume_types.create(self.ctxt, "type1") volume_type_id = volume_type.get('id') self.assertFalse(volume_types.is_encrypted(self.ctxt, volume_type_id)) encryption = { 'control_location': 'front-end', 'provider': 'fake_provider', } db_api.volume_type_encryption_create(self.ctxt, volume_type_id, encryption) self.assertTrue(volume_types.is_encrypted(self.ctxt, volume_type_id))
def _get_encryption_key_id(self, key_manager, context, volume_type_id, snapshot, source_volume, image_metadata): encryption_key_id = None if volume_types.is_encrypted(context, volume_type_id): if snapshot is not None: # creating from snapshot encryption_key_id = snapshot['encryption_key_id'] elif source_volume is not None: # cloning volume encryption_key_id = source_volume['encryption_key_id'] elif image_metadata is not None: # creating from image encryption_key_id = image_metadata.get( 'cinder_encryption_key_id') # NOTE(joel-coffman): References to the encryption key should *not* # be copied because the key is deleted when the volume is deleted. # Clone the existing key and associate a separate -- but # identical -- key with each volume. if encryption_key_id is not None: encryption_key_id = volume_utils.clone_encryption_key( context, key_manager, encryption_key_id) else: encryption_key_id = volume_utils.create_encryption_key( context, key_manager, volume_type_id) return encryption_key_id
def _get_encryption_key_id(self, key_manager, context, volume_type_id, snapshot, source_volume, image_metadata): encryption_key_id = None if volume_types.is_encrypted(context, volume_type_id): if snapshot is not None: # creating from snapshot encryption_key_id = snapshot['encryption_key_id'] elif source_volume is not None: # cloning volume encryption_key_id = source_volume['encryption_key_id'] elif image_metadata is not None: # creating from image encryption_key_id = image_metadata.get( 'cinder_encryption_key_id') # NOTE(joel-coffman): References to the encryption key should *not* # be copied because the key is deleted when the volume is deleted. # Clone the existing key and associate a separate -- but # identical -- key with each volume. if encryption_key_id is not None: encryption_key_id = vol_utils.clone_encryption_key( context, key_manager, encryption_key_id) else: encryption_key_id = vol_utils.create_encryption_key( context, key_manager, volume_type_id) return encryption_key_id
def _get_encryption_key_id(self, key_manager, context, volume_type_id, snapshot, source_volume): encryption_key_id = None if volume_types.is_encrypted(context, volume_type_id): if snapshot is not None: # creating from snapshot encryption_key_id = snapshot['encryption_key_id'] elif source_volume is not None: # cloning volume encryption_key_id = source_volume['encryption_key_id'] # NOTE(joel-coffman): References to the encryption key should *not* # be copied because the key is deleted when the volume is deleted. # Clone the existing key and associate a separate -- but # identical -- key with each volume. if encryption_key_id is not None: encryption_key_id = key_manager.store( context, key_manager.get(context, encryption_key_id)) else: volume_type_encryption = ( volume_types.get_volume_type_encryption( context, volume_type_id)) cipher = volume_type_encryption.cipher length = volume_type_encryption.key_size # NOTE(kaitlin-farr): dm-crypt expects the cipher in a # hyphenated format (aes-xts-plain64). The algorithm needs # to be parsed out to pass to the key manager (aes). algorithm = cipher.split('-')[0] if cipher else None encryption_key_id = key_manager.create_key(context, algorithm=algorithm, length=length) return encryption_key_id
def _get_encryption_key_id( self, key_manager, context: context.RequestContext, volume_type_id: str, snapshot: Optional[objects.Snapshot], source_volume: Optional[objects.Volume], image_metadata: Optional[dict[str, Any]]) -> Optional[str]: if volume_types.is_encrypted(context, volume_type_id): encryption_key_id = None if snapshot is not None: # creating from snapshot encryption_key_id = snapshot['encryption_key_id'] elif source_volume is not None: # cloning volume encryption_key_id = source_volume['encryption_key_id'] elif image_metadata is not None: # creating from image encryption_key_id = image_metadata.get( 'cinder_encryption_key_id') # NOTE(joel-coffman): References to the encryption key should *not* # be copied because the key is deleted when the volume is deleted. # Clone the existing key and associate a separate -- but # identical -- key with each volume. new_encryption_key_id: Optional[str] if encryption_key_id is not None: new_encryption_key_id = volume_utils.clone_encryption_key( context, key_manager, encryption_key_id) else: new_encryption_key_id = volume_utils.create_encryption_key( context, key_manager, volume_type_id) return new_encryption_key_id else: return None
def _get_encryption_key_id(self, key_manager, context, volume_type_id, snapshot, source_volume): encryption_key_id = None if volume_types.is_encrypted(context, volume_type_id): if snapshot is not None: # creating from snapshot encryption_key_id = snapshot['encryption_key_id'] elif source_volume is not None: # cloning volume encryption_key_id = source_volume['encryption_key_id'] # NOTE(joel-coffman): References to the encryption key should *not* # be copied because the key is deleted when the volume is deleted. # Clone the existing key and associate a separate -- but # identical -- key with each volume. if encryption_key_id is not None: encryption_key_id = key_manager.store( context, key_manager.get(context, encryption_key_id)) else: volume_type_encryption = ( volume_types.get_volume_type_encryption(context, volume_type_id)) cipher = volume_type_encryption.cipher length = volume_type_encryption.key_size # NOTE(kaitlin-farr): dm-crypt expects the cipher in a # hyphenated format (aes-xts-plain64). The algorithm needs # to be parsed out to pass to the key manager (aes). algorithm = cipher.split('-')[0] if cipher else None encryption_key_id = key_manager.create_key(context, algorithm=algorithm, length=length) return encryption_key_id
def create_encryption_key(context, key_manager, volume_type_id): encryption_key_id = None if volume_types.is_encrypted(context, volume_type_id): volume_type_encryption = (volume_types.get_volume_type_encryption( context, volume_type_id)) cipher = volume_type_encryption.cipher length = volume_type_encryption.key_size algorithm = cipher.split('-')[0] if cipher else None encryption_key_id = key_manager.create_key(context, algorithm=algorithm, length=length) return encryption_key_id
def create_encryption_key(context, key_manager, volume_type_id): encryption_key_id = None if volume_types.is_encrypted(context, volume_type_id): volume_type_encryption = ( volume_types.get_volume_type_encryption(context, volume_type_id)) cipher = volume_type_encryption.cipher length = volume_type_encryption.key_size algorithm = cipher.split('-')[0] if cipher else None encryption_key_id = key_manager.create_key( context, algorithm=algorithm, length=length) return encryption_key_id
def _get_encryption_key_id(self, key_manager, context, volume_type_id, snapshot, source_volume, image_metadata): encryption_key_id = None if volume_types.is_encrypted(context, volume_type_id): if snapshot is not None: # creating from snapshot encryption_key_id = snapshot['encryption_key_id'] elif source_volume is not None: # cloning volume encryption_key_id = source_volume['encryption_key_id'] elif image_metadata is not None: # creating from image encryption_key_id = image_metadata.get( 'cinder_encryption_key_id') # NOTE(joel-coffman): References to the encryption key should *not* # be copied because the key is deleted when the volume is deleted. # Clone the existing key and associate a separate -- but # identical -- key with each volume. if encryption_key_id is not None: encryption_key_id = key_manager.store( context, key_manager.get(context, encryption_key_id)) else: volume_type_encryption = ( volume_types.get_volume_type_encryption(context, volume_type_id)) cipher = volume_type_encryption.cipher length = volume_type_encryption.key_size # NOTE(kaitlin-farr): dm-crypt expects the cipher in a # hyphenated format (aes-xts-plain64). The algorithm needs # to be parsed out to pass to the key manager (aes). algorithm = cipher.split('-')[0] if cipher else None try: encryption_key_id = key_manager.create_key( context, algorithm=algorithm, length=length) except castellan_exc.KeyManagerError: # The messaging back to the client here is # purposefully terse, so we don't leak any sensitive # details. LOG.exception("Key manager error") raise exception.Invalid(message="Key manager error") return encryption_key_id
def _get_encryption_key_id(self, key_manager, context, volume_type_id, snapshot, source_volume): encryption_key_id = None if volume_types.is_encrypted(context, volume_type_id): if snapshot is not None: # creating from snapshot encryption_key_id = snapshot["encryption_key_id"] elif source_volume is not None: # cloning volume encryption_key_id = source_volume["encryption_key_id"] # NOTE(joel-coffman): References to the encryption key should *not* # be copied because the key is deleted when the volume is deleted. # Clone the existing key and associate a separate -- but # identical -- key with each volume. if encryption_key_id is not None: encryption_key_id = key_manager.copy_key(context, encryption_key_id) else: encryption_key_id = key_manager.create_key(context) return encryption_key_id
def create_encryption_key(context, key_manager, volume_type_id): encryption_key_id = None if volume_types.is_encrypted(context, volume_type_id): volume_type_encryption = (volume_types.get_volume_type_encryption( context, volume_type_id)) cipher = volume_type_encryption.cipher length = volume_type_encryption.key_size algorithm = cipher.split('-')[0] if cipher else None try: encryption_key_id = key_manager.create_key(context, algorithm=algorithm, length=length) except castellan_exception.KeyManagerError: # The messaging back to the client here is # purposefully terse, so we don't leak any sensitive # details. LOG.exception("Key manager error") raise exception.Invalid(message="Key manager error") return encryption_key_id
def _get_encryption_key_id(self, key_manager, context, volume_type_id, snapshot, source_volume, backup_source_volume): encryption_key_id = None if volume_types.is_encrypted(context, volume_type_id): if snapshot is not None: # creating from snapshot encryption_key_id = snapshot['encryption_key_id'] elif source_volume is not None: # cloning volume encryption_key_id = source_volume['encryption_key_id'] elif backup_source_volume is not None: # creating from backup encryption_key_id = backup_source_volume['encryption_key_id'] # NOTE(joel-coffman): References to the encryption key should *not* # be copied because the key is deleted when the volume is deleted. # Clone the existing key and associate a separate -- but # identical -- key with each volume. if encryption_key_id is not None: encryption_key_id = key_manager.copy_key( context, encryption_key_id) else: encryption_key_id = key_manager.create_key(context) return encryption_key_id
def create_encryption_key(context, key_manager, volume_type_id): encryption_key_id = None if volume_types.is_encrypted(context, volume_type_id): volume_type_encryption = ( volume_types.get_volume_type_encryption(context, volume_type_id)) cipher = volume_type_encryption.cipher length = volume_type_encryption.key_size algorithm = cipher.split('-')[0] if cipher else None try: encryption_key_id = key_manager.create_key( context, algorithm=algorithm, length=length) except castellan_exception.KeyManagerError: # The messaging back to the client here is # purposefully terse, so we don't leak any sensitive # details. LOG.exception("Key manager error") raise exception.Invalid(message="Key manager error") return encryption_key_id
def _is_volume_type_encrypted(self, context, volume_id): volume_ref = db.volume_get(context, volume_id) volume_type_id = volume_ref["volume_type_id"] return volume_types.is_encrypted(context, volume_type_id)
def execute(self, context, size, snapshot, image_id, source_volume, availability_zone, volume_type, metadata, key_manager, source_replica, consistencygroup, cgsnapshot): utils.check_exclusive_options(snapshot=snapshot, imageRef=image_id, source_volume=source_volume) policy.enforce_action(context, ACTION) # TODO(harlowja): what guarantee is there that the snapshot or source # volume will remain available after we do this initial verification?? snapshot_id = self._extract_snapshot(snapshot) source_volid = self._extract_source_volume(source_volume) source_replicaid = self._extract_source_replica(source_replica) size = self._extract_size(size, source_volume, snapshot) consistencygroup_id = self._extract_consistencygroup(consistencygroup) cgsnapshot_id = self._extract_cgsnapshot(cgsnapshot) self._check_image_metadata(context, image_id, size) availability_zone = self._extract_availability_zone(availability_zone, snapshot, source_volume) # TODO(joel-coffman): This special handling of snapshots to ensure that # their volume type matches the source volume is too convoluted. We # should copy encryption metadata from the encrypted volume type to the # volume upon creation and propagate that information to each snapshot. # This strategy avoids any dependency upon the encrypted volume type. def_vol_type = volume_types.get_default_volume_type() if not volume_type and not source_volume and not snapshot: image_volume_type = self._get_image_volume_type(context, image_id) volume_type = (image_volume_type if image_volume_type else def_vol_type) # When creating a clone of a replica (replication test), we can't # use the volume type of the replica, therefore, we use the default. # NOTE(ronenkat): this assumes the default type is not replicated. if source_replicaid: volume_type = def_vol_type volume_type_id = self._get_volume_type_id(volume_type, source_volume, snapshot) if image_id and volume_types.is_encrypted(context, volume_type_id): msg = _('Create encrypted volumes with type %(type)s ' 'from image %(image)s is not supported.') msg = msg % {'type': volume_type_id, 'image': image_id, } raise exception.InvalidInput(reason=msg) encryption_key_id = self._get_encryption_key_id(key_manager, context, volume_type_id, snapshot, source_volume) specs = {} if volume_type_id: qos_specs = volume_types.get_volume_type_qos_specs(volume_type_id) if qos_specs['qos_specs']: specs = qos_specs['qos_specs'].get('specs', {}) if not specs: # to make sure we don't pass empty dict specs = None utils.check_metadata_properties(metadata) return { 'size': size, 'snapshot_id': snapshot_id, 'source_volid': source_volid, 'availability_zone': availability_zone, 'volume_type': volume_type, 'volume_type_id': volume_type_id, 'encryption_key_id': encryption_key_id, 'qos_specs': specs, 'source_replicaid': source_replicaid, 'consistencygroup_id': consistencygroup_id, 'cgsnapshot_id': cgsnapshot_id, }
def _is_volume_type_encrypted(self, context, volume_id): volume_ref = db.volume_get(context, volume_id) volume_type_id = volume_ref['volume_type_id'] return volume_types.is_encrypted(context, volume_type_id)