Bug 2130505
| Summary: | [KMIP] The keys created in CipherTrust by ODF have Global usage enabled which is not recommended | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Red Hat Storage] Red Hat OpenShift Data Foundation | Reporter: | Rachael <rgeorge> | ||||
| Component: | rook | Assignee: | Rakshith <rar> | ||||
| Status: | CLOSED NOTABUG | QA Contact: | Rachael <rgeorge> | ||||
| Severity: | high | Docs Contact: | |||||
| Priority: | unspecified | ||||||
| Version: | 4.12 | CC: | hchiramm, madam, muagarwa, ocs-bugs, odf-bz-bot, rar, tnielsen | ||||
| Target Milestone: | --- | ||||||
| Target Release: | --- | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2022-10-07 08:14:29 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
Created attachment 1914843 [details] Key for OSD in CipherTrust Manager Description of problem (please be detailed as possible and provide log snippets): When Thales CipherTrust Manager is used as KMS for clusterwide encryption in ODF, the keys created have global usage enabled. The following warning is displayed for the keys in the CipherTrust console: "Global keys are accessible without authentication via the NAE and KMIP interface and their use is not recommended." It would be better to have keys that can be used without having to enable global usage. Version of all relevant components (if applicable): --------------------------------------------------- OCP: 4.12.0-0.nightly-2022-09-26-111919 ODF: odf-operator.v4.12.0 full_version=4.12.0-66 Does this issue impact your ability to continue to work with the product (please explain in detail what is the user impact)? No Is there any workaround available to the best of your knowledge? No Rate from 1 - 5 the complexity of the scenario you performed that caused this bug (1 - very simple, 5 - very complex)? 2 Can this issue reproducible? Yes Can this issue reproduce from the UI? Yes If this is a regression, please provide more details to justify this: No Steps to Reproduce: ------------------- 1. Deploy ODF with clusterwide encryption enabled using Thales CipherTrust Manager (using KMIP) 2. Check the CipherTrust Manager console for the keys created for OSDs and NooBaa(MCG) Actual results: --------------- The keys created have global usage enabled, which is not recommended Expected results: ----------------- It would be better to have keys that can be used without having to enable global usage. Additional info: ---------------- For PV encryption, the creation of PVC fails if the global usage for the key is not enabled.