Bug 1412823 - [RFE][cinder] Barbican for volume encryption
Summary: [RFE][cinder] Barbican for volume encryption
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-cinder
Version: 11.0 (Ocata)
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: unspecified
Target Milestone: Upstream M3
Target Release: 13.0 (Queens)
Assignee: Eric Harney
QA Contact: Avi Avraham
URL: https://docs.openstack.org/cinder/pik...
Whiteboard:
Duplicates: 1525013 (view as bug list)
Depends On: 1333141 1481814 1489514 1558058
Blocks: 1191431 1433715 1525013
Reported: 2017-01-12 21:48 UTC by Eric Harney
Modified: 2018-06-27 13:31 UTC (History)
CC List: 10 users

Fixed In Version: openstack-cinder-12.0.1-0.20180418194613.c476898.el7ost
Doc Type: Technology Preview
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-06-27 13:29:16 UTC
Target Upstream Version:


Attachments
Barbican logs (12.29 KB, application/x-gzip), 2018-04-02 12:50 UTC, Avi Avraham


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Bugzilla | 1525013 | 0 | high | CLOSED | Validate encrypted volume backup with Barbican | 2021-02-22 00:41:40 UTC
Red Hat Product Errata | RHEA-2018:2086 | 0 | None | None | None | 2018-06-27 13:31:13 UTC

Internal Links: 1525013

Description Eric Harney 2017-01-12 21:48:36 UTC
Add support for using barbican for volume encryption.

Comment 1 Red Hat Bugzilla Rules Engine 2017-03-09 17:19:58 UTC
This bugzilla has been removed from the release and needs to be reviewed and Triaged for another Target Release.

Comment 6 Sean Cohen 2017-11-13 02:48:55 UTC
Added Volume encryption supported by Barbican key manager doc url
Sean

Comment 7 Sean Cohen 2018-01-17 14:50:37 UTC
*** Bug 1525013 has been marked as a duplicate of this bug. ***

Comment 9 Avi Avraham 2018-04-02 12:50:17 UTC
Created attachment 1416249 [details]
Barbican logs

Comment 10 Avi Avraham 2018-04-02 12:55:28 UTC
After installation we failed to create an encrypted volume with the following error: Key manager error (HTTP 400) (Request-ID: req-78df2c6e-ad91-483f-9c0b-99d568b0cdac)
In the barbican logs we see that the service fails to create the needed keys.
A log file is attached to the bug.

Comment 11 Eric Harney 2018-04-02 13:00:09 UTC
You need to use 256 bit keys in your Cinder encrypted types, not 512.

2018-04-02 12:02:32.229 1 ERROR barbican.tasks.resources CryptoPluginUnsupportedOperation: Could not find an enabled crypto plugin backend that supports the requested operation: store or generate a secret of type SYMMETRIC_KEY_GENERATION with algorithm aes, bit length 512, and mode None

Comment 12 Avi Avraham 2018-04-02 13:09:11 UTC
(In reply to Eric Harney from comment #11)
> You need to use 256 bit keys in your Cinder encrypted types, not 512.
> 
> 2018-04-02 12:02:32.229 1 ERROR barbican.tasks.resources
> CryptoPluginUnsupportedOperation: Could not find an enabled crypto plugin
> backend that supports the requested operation: store or generate a secret of
> type SYMMETRIC_KEY_GENERATION with algorithm aes, bit length 512, and mode
> None
Can you please provide the command syntax, since these are the parameters I got until this version.

Comment 15 Tzach Shefi 2018-04-26 11:31:02 UTC
Under admin user/project created LUKS type. 
Testing LUKS volume is created fine. 

However I then create a demo user/project. 
When I try to create a LUKS volume under demo/demo we fail

cinder --debug create 1 --volume-type LUKS --name DemoEncVol
..
    return self.request(url, method, **kwargs)
  File "/usr/lib/python2.7/site-packages/cinderclient/client.py", line 177, in request
    raise exceptions.from_response(resp, body)
BadRequest: Key manager error (HTTP 400) (Request-ID: req-a5dd1daf-88a2-4896-8359-2ceae5e511bd)
ERROR: Key manager error (HTTP 400) (Request-ID: req-a5dd1daf-88a2-4896-8359-2ceae5e511bd)

Paste bin has full error ->
http://pastebin.test.redhat.com/582657

Unsure if this problem is related/will be resolved by Eric's latest fix #14.

Comment 16 Tzach Shefi 2018-04-26 11:31:26 UTC
Under admin user/project created LUKS type. 
Testing LUKS volume is created fine. 

However I then create a demo user/project. 
When I try to create a LUKS volume under demo/demo we fail

cinder --debug create 1 --volume-type LUKS --name DemoEncVol
..
    return self.request(url, method, **kwargs)
  File "/usr/lib/python2.7/site-packages/cinderclient/client.py", line 177, in request
    raise exceptions.from_response(resp, body)
BadRequest: Key manager error (HTTP 400) (Request-ID: req-a5dd1daf-88a2-4896-8359-2ceae5e511bd)
ERROR: Key manager error (HTTP 400) (Request-ID: req-a5dd1daf-88a2-4896-8359-2ceae5e511bd)

Paste bin has full error ->
http://pastebin.test.redhat.com/582657

Unsure if this problem is related/will be resolved by Eric's latest fix #14.

Comment 17 Eric Harney 2018-04-26 12:08:48 UTC
(In reply to Tzach Shefi from comment #16)
> Under admin user/project created LUKS type. 
> Testing LUKS volume is created fine. 
> 
> However I then create a demo user/project. 
> When I try to create a LUKS volume under demo/demo we fail
> 
> cinder --debug create 1 --volume-type LUKS --name DemoEncVol
> ..
>     return self.request(url, method, **kwargs)
>   File "/usr/lib/python2.7/site-packages/cinderclient/client.py", line 177,
> in request
>     raise exceptions.from_response(resp, body)
> BadRequest: Key manager error (HTTP 400) (Request-ID:
> req-a5dd1daf-88a2-4896-8359-2ceae5e511bd)
> ERROR: Key manager error (HTTP 400) (Request-ID:
> req-a5dd1daf-88a2-4896-8359-2ceae5e511bd)
> 
> Paste bin has full error ->
> http://pastebin.test.redhat.com/582657
> 

Seems to just be related to permissions -- probably the user doesn't have the "creator" role?

cinder-api.log.1:2018-04-26 11:19:29.330 19 ERROR barbicanclient.client [req-a5dd1daf-88a2-4896-8359-2ceae5e511bd 92e64bb1cd3d48c1bb1c643dc00d7642 cff9bdfc6c8e4b4a8496db81ca49ed25 - default default] 4xx Client error: Forbidden: Order creation attempt not allowed - please review your user/project privileges

Comment 18 Tzach Shefi 2018-04-26 12:27:18 UTC
Linking a related bz - provide creator role by default for users
Which might explain #16's error 
https://bugzilla.redhat.com/show_bug.cgi?id=1566724   

Thanks Eric for real time assistance! 
You're correct, the issue was resolved after running these two:
From admin user/project:
#openstack role create creator
#openstack role add --user demo creator  --project demo 

Where demo is the username and project name in my case. 

Successfully created a LUKS volume under Demo user/project.
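The two root causes diagnosed in this thread (comment 11: Barbican rejecting a 512-bit AES key request; comments 17 and 18: a user without the "creator" role being refused order creation) both surface to the Cinder user as the same opaque "Key manager error (HTTP 400)". The following triage helper is an added example, not code from this bug, from Cinder or from Barbican. It runs over constructed log lines modelled on the messages quoted in comments 11 and 17, classifies each failure, and offers a pre-flight check of a Cinder encryption type spec. The set of accepted AES key sizes (128, 192, 256) is an assumption about Barbican's default simple_crypto plugin; the page itself only shows that 512 is rejected and 256 works. Function and regex names are hypothetical.

```python
import re

# Assumption: AES key lengths accepted by Barbican's default simple_crypto plugin.
# The bug only demonstrates that 512 is rejected and 256 succeeds.
SUPPORTED_AES_BITS = {128, 192, 256}

# Constructed sample log lines, modelled on the text quoted in comments 11 and 17.
SAMPLE_BARBICAN_LOG = (
    "2018-04-02 12:02:32.229 1 ERROR barbican.tasks.resources "
    "CryptoPluginUnsupportedOperation: Could not find an enabled crypto plugin "
    "backend that supports the requested operation: store or generate a secret of "
    "type SYMMETRIC_KEY_GENERATION with algorithm aes, bit length 512, and mode None"
)
SAMPLE_CINDER_API_LOG = (
    "2018-04-26 11:19:29.330 19 ERROR barbicanclient.client "
    "[req-a5dd1daf-88a2-4896-8359-2ceae5e511bd 92e64bb1cd3d48c1bb1c643dc00d7642 "
    "cff9bdfc6c8e4b4a8496db81ca49ed25 - default default] 4xx Client error: "
    "Forbidden: Order creation attempt not allowed - please review your user/project privileges"
)
SAMPLE_UNRELATED_LOG = "2018-04-26 11:19:30.001 19 INFO cinder.api.openstack.wsgi GET /volumes"

# Barbican's plugin-selection failure carries the algorithm and bit length it could not serve.
UNSUPPORTED_RE = re.compile(
    r"CryptoPluginUnsupportedOperation:.*?algorithm (?P<alg>\w+), bit length (?P<bits>\d+)"
)
# barbicanclient logs the request context as [req-id user-id project-id ...] before the message.
FORBIDDEN_RE = re.compile(
    r"\[(?P<req>req-[0-9a-f-]+) (?P<user>[0-9a-f]+) (?P<project>[0-9a-f]+) .*?\] "
    r"4xx Client error: Forbidden: Order creation attempt not allowed"
)


def classify_key_manager_errors(lines):
    """Map each recognised log line to a root cause and the remediation the thread applied."""
    findings = []
    for line in lines:
        m = UNSUPPORTED_RE.search(line)
        if m:
            findings.append({
                "cause": "unsupported_key_length",
                "algorithm": m["alg"],
                "bits": int(m["bits"]),
                "fix": "recreate the Cinder encryption type with key_size in %s"
                       % sorted(SUPPORTED_AES_BITS),
            })
            continue
        m = FORBIDDEN_RE.search(line)
        if m:
            findings.append({
                "cause": "missing_creator_role",
                "request_id": m["req"],
                "user_id": m["user"],
                "project_id": m["project"],
                "fix": "openstack role add --user <user> --project <project> creator",
            })
    return findings


def check_encryption_type_spec(spec):
    """Pre-flight check of a Cinder encryption type spec before Barbican is asked for a key.

    Returns a list of problems; an empty list means the spec should not trip the
    key-length failure seen in comment 11.
    """
    problems = []
    cipher = spec.get("cipher", "")
    algorithm = cipher.split("-", 1)[0].lower()
    if algorithm != "aes":
        problems.append("cipher %r does not use AES; Barbican key generation is only checked for AES here" % cipher)
    key_size = spec.get("key_size")
    if key_size not in SUPPORTED_AES_BITS:
        problems.append("key_size %r is not an accepted AES key length %s"
                        % (key_size, sorted(SUPPORTED_AES_BITS)))
    return problems


if __name__ == "__main__":
    for finding in classify_key_manager_errors(
            [SAMPLE_BARBICAN_LOG, SAMPLE_CINDER_API_LOG, SAMPLE_UNRELATED_LOG]):
        print(finding)
    print(check_encryption_type_spec({"cipher": "aes-xts-plain64", "key_size": 512}))
    print(check_encryption_type_spec({"cipher": "aes-xts-plain64", "key_size": 256}))
```

The value of separating the two causes is that they are fixed in different places: the key length lives in the Cinder encryption type (and a type already in use cannot simply be edited to a new key size without affecting existing volumes), while the Forbidden response is a Keystone role assignment, as comment 18 resolved it.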

Comment 21 Tzach Shefi 2018-05-02 12:34:22 UTC
Verified on:
openstack-cinder-12.0.1-0.20180418194613.c476898.el7ost.noarch

Most of the test cases passed; one problem was found (probably not a bug): an encrypted volume was uploaded to Glance, then from that image a new encrypted volume was created, and this new volume failed to attach to an instance. I'm guessing that by doing so I probably encrypted the volume twice, meaning I won't ever get to the original data anyway, so it is not a valid case to begin with. 

Opened bug about it here:
https://bugzilla.redhat.com/show_bug.cgi?id=1573870

Comment 23 errata-xmlrpc 2018-06-27 13:29:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:2086

