Bug 1412823

| Field | Value |
|---|---|
| Summary | [RFE][cinder] Barbican for volume encryption |
| Product | Red Hat OpenStack |
| Component | openstack-cinder |
| Version | 11.0 (Ocata) |
| Target Release | 13.0 (Queens) |
| Target Milestone | Upstream M3 |
| Status | CLOSED ERRATA |
| Priority | high |
| Severity | unspecified |
| Keywords | FutureFeature, Triaged |
| Reporter | Eric Harney <eharney> |
| Assignee | Eric Harney <eharney> |
| QA Contact | Avi Avraham <aavraham> |
| CC | abishop, achernet, cschwede, eharney, jschluet, lyarwood, pgrist, scohen, srevivo, tshefi |
| Hardware | Unspecified |
| OS | Unspecified |
| URL | https://docs.openstack.org/cinder/pike/configuration/block-storage/volume-encryption.html |
| Fixed In Version | openstack-cinder-12.0.1-0.20180418194613.c476898.el7ost |
| Doc Type | Technology Preview |
| Type | Bug |
| Last Closed | 2018-06-27 13:29:16 UTC |
| Bug Depends On | 1333141, 1481814, 1489514, 1558058 |
| Bug Blocks | 1191431, 1433715, 1525013 |
| Attachments | |

Description
Eric Harney
2017-01-12 21:48:36 UTC
This bugzilla has been removed from the release and needs to be reviewed and Triaged for another Target Release.

Added Volume encryption supported by Barbican key manager doc url
Sean

*** Bug 1525013 has been marked as a duplicate of this bug. ***

Created attachment 1416249 [details]
Barbican logs

After installation we failed to create an encrypted volume with the following error:

Key manager error (HTTP 400) (Request-ID: req-78df2c6e-ad91-483f-9c0b-99d568b0cdac)

In the barbican logs we see that the service fails to create the needed keys; a log file is attached to the bug.

You need to use 256 bit keys in your Cinder encrypted types, not 512.

2018-04-02 12:02:32.229 1 ERROR barbican.tasks.resources CryptoPluginUnsupportedOperation: Could not find an enabled crypto plugin backend that supports the requested operation: store or generate a secret of type SYMMETRIC_KEY_GENERATION with algorithm aes, bit length 512, and mode None

(In reply to Eric Harney from comment #11)
> You need to use 256 bit keys in your Cinder encrypted types, not 512.
> 
> 2018-04-02 12:02:32.229 1 ERROR barbican.tasks.resources
> CryptoPluginUnsupportedOperation: Could not find an enabled crypto plugin
> backend that supports the requested operation: store or generate a secret of
> type SYMMETRIC_KEY_GENERATION with algorithm aes, bit length 512, and mode
> None

Can you please provide the command syntax, since these are the parameters I got until this version.

Under admin user/project created LUKS type.
Testing LUKS volume is created fine.

However I then create a demo user/project.
When I try to create a LUKS volume under demo/demo we fail

cinder --debug create 1 --volume-type LUKS --name DemoEncVol
..
    return self.request(url, method, **kwargs)
  File "/usr/lib/python2.7/site-packages/cinderclient/client.py", line 177, in request
    raise exceptions.from_response(resp, body)
BadRequest: Key manager error (HTTP 400) (Request-ID: req-a5dd1daf-88a2-4896-8359-2ceae5e511bd)
ERROR: Key manager error (HTTP 400) (Request-ID: req-a5dd1daf-88a2-4896-8359-2ceae5e511bd)

Paste bin has full error -> http://pastebin.test.redhat.com/582657

Unsure if this problem is related/will be resolved by Eric's latest fix #14.

(In reply to Tzach Shefi from comment #16)
> Under admin user/project created LUKS type.
> Testing LUKS volume is created fine.
> 
> However I then create a demo user/project.
> When I try to create a LUKS volume under demo/demo we fail
> 
> cinder --debug create 1 --volume-type LUKS --name DemoEncVol
> ..
> return self.request(url, method, **kwargs)
> File "/usr/lib/python2.7/site-packages/cinderclient/client.py", line 177,
> in request
> raise exceptions.from_response(resp, body)
> BadRequest: Key manager error (HTTP 400) (Request-ID:
> req-a5dd1daf-88a2-4896-8359-2ceae5e511bd)
> ERROR: Key manager error (HTTP 400) (Request-ID:
> req-a5dd1daf-88a2-4896-8359-2ceae5e511bd)
> 
> Paste bin has full error ->
> http://pastebin.test.redhat.com/582657

Seems to just be related to permissions -- probably the user doesn't have the "creator" role?

cinder-api.log.1:2018-04-26 11:19:29.330 19 ERROR barbicanclient.client [req-a5dd1daf-88a2-4896-8359-2ceae5e511bd 92e64bb1cd3d48c1bb1c643dc00d7642 cff9bdfc6c8e4b4a8496db81ca49ed25 - default default] 4xx Client error: Forbidden: Order creation attempt not allowed - please review your user/project privileges

Linking a related bz - provide creator role by default for users
Which might explain #16's error
https://bugzilla.redhat.com/show_bug.cgi?id=1566724

Thanks Eric for real time assistance!
You're correct, issue was resolved after running these two:

From admin user/project:
#openstack role create creator
#openstack role add --user demo creator --project demo

Where demo is username and project name in my case.

Successfully created a LUKS volume under Demo user/project.

Verified on:
openstack-cinder-12.0.1-0.20180418194613.c476898.el7ost.noarch

Most of the test cases passed, one problem found (probably not a bug) where an encrypted volume was uploaded to Glance, then from that image a new encrypted volume was created; this new volume failed to attach to an instance.
I'm guessing by doing so I probably encrypted the volume twice, meaning I won't ever get to the original data anyway, so not a valid case to begin with.
Opened bug about it here:
https://bugzilla.redhat.com/show_bug.cgi?id=1573870

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:2086
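As an added example, not code from the bug, from cinder or from barbican, the following POSIX shell script puts the two fixes from this thread into repeatable form: a LUKS volume type whose key Barbican's default simple_crypto backend can actually generate (comment #11, where a 512-bit request fails with CryptoPluginUnsupportedOperation), and the Barbican `creator` role grant that cleared comment #16's "Order creation attempt not allowed" HTTP 400. It assumes the openstack CLI with admin OS_* credentials; the `luks` provider shorthand follows the linked Pike documentation, and the `LUKS`, `demo` and `DemoEncVol` names are the placeholders used in the comments. The pre-check mirrors what cinder sends to the key manager (algorithm taken from the first token of the cipher spec, length from the type's key_size, no mode) and accepts the AES lengths simple_crypto generates, 128, 192 and 256; with aes-xts-plain64 the 256-bit key is split into two AES-128 keys.

```shell
#!/bin/sh
# Added example for this bug, not code from the bug, cinder or barbican.
# Creates a LUKS volume type whose key Barbican's default simple_crypto
# backend can generate (comment #11) and grants a non-admin user the
# Barbican "creator" role that comment #16 was missing. Assumes the
# openstack CLI with admin OS_* credentials; LUKS/demo are placeholders.

# Mirror the request cinder makes: algorithm is the first token of the
# cipher spec, length is the volume type's key_size, no mode. Barbican's
# simple_crypto backend generates AES keys of 128, 192 or 256 bits only,
# so the 512 used in older cinder examples fails as in the attached log.
barbican_accepts() {
    cipher=$1
    key_size=$2
    alg=${cipher%%-*}
    [ "$alg" = "aes" ] || return 1
    case "$key_size" in
        128|192|256) return 0 ;;
        *) return 1 ;;
    esac
}

create_luks_type() {
    type_name=$1
    cipher=${2:-aes-xts-plain64}   # XTS splits the 256-bit key into two AES-128 keys
    key_size=${3:-256}
    if ! barbican_accepts "$cipher" "$key_size"; then
        echo "Barbican cannot generate $cipher/$key_size; use aes with 128, 192 or 256" >&2
        return 1
    fi
    openstack volume type create "$type_name" \
        --encryption-provider luks \
        --encryption-cipher "$cipher" \
        --encryption-key-size "$key_size" \
        --encryption-control-location front-end
    openstack volume type show --encryption-type "$type_name"
}

# Comment #16's HTTP 400 was Barbican answering "Order creation attempt not
# allowed": the project user lacked the creator role that key orders need.
grant_creator() {
    user=$1
    project=$2
    openstack role show creator >/dev/null 2>&1 || openstack role create creator
    openstack role add --user "$user" --project "$project" creator
}

# Only touch the cloud when run as "sh script.sh setup"; the functions can be
# sourced and checked without credentials otherwise.
if [ "${1:-}" = "setup" ]; then
    create_luks_type LUKS
    grant_creator demo demo
    openstack volume create --type LUKS --size 1 DemoEncVol
fi
```

Run it as `sh script.sh setup` from an admin shell; without the argument it only defines the functions, so `barbican_accepts` can be used to vet an existing volume type's cipher and key_size before anyone hits the 400 at volume-create time.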