Bug 1412823

Summary: [RFE][cinder] Barbican for volume encryption
Product: Red Hat OpenStack Reporter: Eric Harney <eharney>
Component: openstack-cinder Assignee: Eric Harney <eharney>
Status: CLOSED ERRATA QA Contact: Avi Avraham <aavraham>
Severity: unspecified Docs Contact:
Priority: high    
Version: 11.0 (Ocata) CC: abishop, achernet, cschwede, eharney, jschluet, lyarwood, pgrist, scohen, srevivo, tshefi
Target Milestone: Upstream M3 Keywords: FutureFeature, Triaged
Target Release: 13.0 (Queens)   
Hardware: Unspecified   
OS: Unspecified   
URL: https://docs.openstack.org/cinder/pike/configuration/block-storage/volume-encryption.html
Whiteboard:
Fixed In Version: openstack-cinder-12.0.1-0.20180418194613.c476898.el7ost Doc Type: Technology Preview
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-06-27 13:29:16 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1333141, 1481814, 1489514, 1558058    
Bug Blocks: 1191431, 1433715, 1525013    
Attachments:
Description Flags
Barbican logs none

Description Eric Harney 2017-01-12 21:48:36 UTC
Add support for using barbican for volume encryption.

Comment 1 Red Hat Bugzilla Rules Engine 2017-03-09 17:19:58 UTC
This bugzilla has been removed from the release and needs to be reviewed and Triaged for another Target Release.

Comment 6 Sean Cohen 2017-11-13 02:48:55 UTC
Added Volume encryption supported by Barbican key manager doc url
Sean

Comment 7 Sean Cohen 2018-01-17 14:50:37 UTC
*** Bug 1525013 has been marked as a duplicate of this bug. ***

Comment 9 Avi Avraham 2018-04-02 12:50:17 UTC
Created attachment 1416249 [details]
Barbican logs

Comment 10 Avi Avraham 2018-04-02 12:55:28 UTC
After installation we failed to create an encrypted volume with the following error: Key manager error (HTTP 400) (Request-ID: req-78df2c6e-ad91-483f-9c0b-99d568b0cdac)
In the Barbican logs we see that the service fails to create the needed keys.
A log file is attached to the bug.

Comment 11 Eric Harney 2018-04-02 13:00:09 UTC
You need to use 256 bit keys in your Cinder encrypted types, not 512.

2018-04-02 12:02:32.229 1 ERROR barbican.tasks.resources CryptoPluginUnsupportedOperation: Could not find an enabled crypto plugin backend that supports the requested operation: store or generate a secret of type SYMMETRIC_KEY_GENERATION with algorithm aes, bit length 512, and mode None

Comment 12 Avi Avraham 2018-04-02 13:09:11 UTC
(In reply to Eric Harney from comment #11)
> You need to use 256 bit keys in your Cinder encrypted types, not 512.
> 
> 2018-04-02 12:02:32.229 1 ERROR barbican.tasks.resources
> CryptoPluginUnsupportedOperation: Could not find an enabled crypto plugin
> backend that supports the requested operation: store or generate a secret of
> type SYMMETRIC_KEY_GENERATION with algorithm aes, bit length 512, and mode
> None
Can you please provide the command syntax, since these are the parameters I got until this version.

Comment 16 Tzach Shefi 2018-04-26 11:31:26 UTC
Under admin user/project created LUKS type. 
Testing LUKS volume is created fine. 

However I then create a demo user/project. 
When I try to create a LUKS volume under demo/demo we fail

cinder --debug create 1 --volume-type LUKS --name DemoEncVol
..
    return self.request(url, method, **kwargs)
  File "/usr/lib/python2.7/site-packages/cinderclient/client.py", line 177, in request
    raise exceptions.from_response(resp, body)
BadRequest: Key manager error (HTTP 400) (Request-ID: req-a5dd1daf-88a2-4896-8359-2ceae5e511bd)
ERROR: Key manager error (HTTP 400) (Request-ID: req-a5dd1daf-88a2-4896-8359-2ceae5e511bd)

Paste bin has full error ->
http://pastebin.test.redhat.com/582657

Unsure if this problem is related/will be resolved by Eric's latest fix #14.

Comment 17 Eric Harney 2018-04-26 12:08:48 UTC
(In reply to Tzach Shefi from comment #16)
> Under admin user/project created LUKS type. 
> Testing LUKS volume is created fine. 
> 
> However I then create a demo user/project. 
> When I try to create a LUKS volume under demo/demo we fail
> 
> cinder --debug create 1 --volume-type LUKS --name DemoEncVol
> ..
>     return self.request(url, method, **kwargs)
>   File "/usr/lib/python2.7/site-packages/cinderclient/client.py", line 177,
> in request
>     raise exceptions.from_response(resp, body)
> BadRequest: Key manager error (HTTP 400) (Request-ID:
> req-a5dd1daf-88a2-4896-8359-2ceae5e511bd)
> ERROR: Key manager error (HTTP 400) (Request-ID:
> req-a5dd1daf-88a2-4896-8359-2ceae5e511bd)
> 
> Paste bin has full error ->
> http://pastebin.test.redhat.com/582657
> 

Seems to just be related to permissions -- probably the user doesn't have the "creator" role?

cinder-api.log.1:2018-04-26 11:19:29.330 19 ERROR barbicanclient.client [req-a5dd1daf-88a2-4896-8359-2ceae5e511bd 92e64bb1cd3d48c1bb1c643dc00d7642 cff9bdfc6c8e4b4a8496db81ca49ed25 - default default] 4xx Client error: Forbidden: Order creation attempt not allowed - please review your user/project privileges

Comment 18 Tzach Shefi 2018-04-26 12:27:18 UTC
Linking a related bz - provide creator role by default for users
Which might explain #16's error 
https://bugzilla.redhat.com/show_bug.cgi?id=1566724   

Thanks Eric for real time assistance! 
You're correct, the issue was resolved after running these two:
From admin user/project:
#openstack role create creator
#openstack role add --user demo creator  --project demo 

Where demo is the username and project name in my case.

Successfully created a LUKS volume under Demo user/project.
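The two fixes in this thread (comment 11: the encryption type must use a 256-bit key, not 512; comment 18: the non-admin user needs Barbican's "creator" role) are easy to get wrong because both surface as the same opaque "Key manager error (HTTP 400)" from Cinder. The script below is an added example, not part of this bug report or of the Cinder/Barbican code: it creates the LUKS volume type with the key size checked up front, grants the creator role, and creates a test volume. It assumes admin OS_* credentials in the environment and the openstack and cinder CLIs on PATH; the default list of accepted key sizes contains only 256, the one value this bug confirms works.

```shell
# luks-type-setup.sh: added example, not from the bug report or from the
# Cinder/Barbican code. Reproduces the working path from comments 11 and
# 18: an encrypted volume type with a 256-bit AES key, the "creator" role
# for a non-admin user, and a test volume. Assumes admin OS_* credentials
# in the environment and the openstack and cinder CLIs on PATH.

# Key sizes the Barbican backend is known to accept. The bug confirms only
# 256 (512 is rejected with CryptoPluginUnsupportedOperation); extend the
# list only after checking your own barbican crypto plugin configuration.
SUPPORTED_KEY_SIZES="${SUPPORTED_KEY_SIZES:-256}"

# run CMD...: print the command, then execute it unless DRY_RUN=1.
run() {
    printf '+ %s\n' "$*"
    [ "${DRY_RUN:-0}" = "1" ] || "$@"
}

# check_key_size SIZE: 0 if SIZE is in SUPPORTED_KEY_SIZES, 1 otherwise.
# Catches the comment 10/11 mistake before Barbican returns HTTP 400.
check_key_size() {
    for ok in $SUPPORTED_KEY_SIZES; do
        [ "$1" = "$ok" ] && return 0
    done
    echo "key size $1 not supported by the Barbican backend; use one of: $SUPPORTED_KEY_SIZES" >&2
    return 1
}

# create_luks_type NAME SIZE: admin step. The fully qualified provider
# name is the form documented for Pike (the URL in this bug); Queens also
# accepts the short alias "luks".
create_luks_type() {
    check_key_size "$2" || return 1
    run openstack volume type create \
        --encryption-provider nova.volume.encryptors.luks.LuksEncryptor \
        --encryption-cipher aes-xts-plain64 \
        --encryption-key-size "$2" \
        --encryption-control-location front-end \
        "$1"
}

# grant_creator USER PROJECT: admin step from comment 18. Without the
# "creator" role Barbican refuses the order ("Order creation attempt not
# allowed"), which Cinder reports as the same "Key manager error (HTTP 400)".
grant_creator() {
    # role create fails if the role already exists; that is harmless here.
    run openstack role create creator || true
    run openstack role add --user "$1" --project "$2" creator
}

# create_volume TYPE NAME: the step that failed in comment 16. For a real
# check of the role fix, source the non-admin user's RC file before this.
create_volume() {
    run cinder create 1 --volume-type "$1" --name "$2"
}

# main [TYPE] [KEY_SIZE] [USER] [PROJECT]: admin steps, then a test volume.
main() {
    create_luks_type "${1:-LUKS}" "${2:-256}" || return 1
    grant_creator "${3:-demo}" "${4:-demo}"
    create_volume "${1:-LUKS}" "DemoEncVol"
}

# Only act when explicitly asked, so sourcing the file or running it with
# no arguments changes nothing:  sh luks-type-setup.sh --apply LUKS 256 demo demo
if [ "${1:-}" = "--apply" ]; then
    shift
    main "$@"
fi
```

Run it first with DRY_RUN=1 to review the exact commands; a 512-bit request is refused locally by check_key_size instead of reaching Barbican, and the role grant is done before the first volume create so the demo user never hits the Forbidden path from comment 17.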

Comment 21 Tzach Shefi 2018-05-02 12:34:22 UTC
Verified on:
openstack-cinder-12.0.1-0.20180418194613.c476898.el7ost.noarch

Most of the test cases passed; one problem was found (probably not a bug): an encrypted volume was uploaded to Glance, then a new encrypted volume was created from that image, and this new volume failed to attach to an instance. I'm guessing that by doing so I probably encrypted the volume twice, meaning I won't ever get to the original data anyway, so it is not a valid case to begin with.

Opened bug about it here:
https://bugzilla.redhat.com/show_bug.cgi?id=1573870

Comment 23 errata-xmlrpc 2018-06-27 13:29:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:2086