Bug 2121370
| Summary: | Not able to use KMS volume encryption ft. using APIkey created from service ID (HPCS KMS) | | |
|---|---|---|---|
| Product: | [Red Hat Storage] Red Hat OpenShift Data Foundation | Reporter: | Gayathri Menath <gmenath> |
| Component: | rook | Assignee: | Rakshith <rar> |
| Status: | CLOSED NOTABUG | QA Contact: | Neha Berry <nberry> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 4.10 | CC: | madam, mrajanna, muagarwa, nigoyal, ocs-bugs, odf-bz-bot, rar, skatiyar, sostapov |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | All | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2022-11-02 10:35:42 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Attachments: | | | |
Created attachment 1907516 [details]
ocs mustgather

Description of problem (please be detailed as possible and provide log snippets):
I tried to use the APIKey created from a service ID which is restricted to KMS, ODF operator is not able to create the -encrypted class. It is showing not able to create because some prerequisites are not met. Also I am able to see error message - IBMKeyProtect as KMS provider or Vault authentication via Service Account is unsupported configuration for RGW KMS, hence skipping
cephblockpool is in progressing state, cephcluster is ready.
I am able to use the same KMS instance if I use the user APIkey which is having no restriction. It looks like a bug as using the user APIkey is not safe.

Version of all relevant components (if applicable):
ODF 4.10

Does this issue impact your ability to continue to work with the product (please explain in detail what is the user impact)?
Yes, KMS encryption is not usable.

Is there any workaround available to the best of your knowledge?
Yes, but providing the user API key is not recommended as it doesn't have any restriction. So KMS cannot be used by the customer in prod.

Rate from 1 - 5 the complexity of the scenario you performed that caused this bug (1 - very simple, 5 - very complex)?
2

Is this issue reproducible?
Yes

Can this issue be reproduced from the UI?
Yes

If this is a regression, please provide more details to justify this:

Steps to Reproduce:
1. Enable KMS volume encryption
2. Use the KMS API key created from a service ID

Actual results:
Encrypted class is not created, cephblockpool is in progressing state.

Expected results:
Encrypted class should be ready for use.

Additional info:

---

`Also I am able to see error message - IBMKeyProtect as KMS provider or Vault authentication via Service Account is unsupported configuration for RGW KMS, hence skipping` --> this is not an error, it is an info log.

`cephblockpool is in progressing state, cephcluster is ready` --> rbd storageclasses won't get created unless CephBlockPool is Ready.

`I tried to use the APIKey created from a service ID which is restricted to KMS. I am able to use the same KMS instance if I use the user APIkey which is having no restriction.` --> this is unrelated to UI or ocs operator; it's better if it is confirmed by someone from the ceph-csi/rook or noobaa side as it could/could not be internal implementation.

Also, try to check why CephBlockPool is not getting Ready. The must-gather attached above is broken; there is nothing inside the folder.

---

Just to reference, this BZ is regarding IBM HPCS KMS.

---

Is there any update on this? When can we expect this feature?

---

Moving it to rook; if you think this should be moved to CSI please do so.

---

The attached must-gather doesn't contain anything, please attach the must-gather.

---

Rakshith PTAL

---

(In reply to Travis Nielsen from comment #10)
> Rakshith PTAL

Okay. This BZ is still waiting for a must-gather.

---

I am closing this issue, as I am not able to reproduce this and the old clusters are removed, so I am not able to collect any details.