Bug 2051599 - Use AAD while unwrapping the KEY from HPCS/Key Protect KMS
Summary: Use AAD while unwrapping the KEY from HPCS/Key Protect KMS
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenShift Data Foundation
Classification: Red Hat Storage
Component: csi-driver
Version: 4.10
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
: ODF 4.10.0
Assignee: Humble Chirammal
QA Contact: Joy John Pinto
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2022-02-07 15:22 UTC by Humble Chirammal
Modified: 2023-12-08 04:27 UTC (History)
6 users (show)

Fixed In Version: 4.10.0-148
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-04-13 18:52:48 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github ceph ceph-csi pull 2865 0 None open rbd: add AAD(additionalauthdata) while unwrapping the DEK 2022-02-07 15:38:23 UTC
Github red-hat-storage ceph-csi pull 75 0 None open Bug 2051599: [release-4.10] rbd: add AAD(additionalAuthData) while unwrapping the DEK 2022-02-08 05:22:27 UTC
Red Hat Product Errata RHSA-2022:1372 0 None None None 2022-04-13 18:52:58 UTC

Description Humble Chirammal 2022-02-07 15:22:04 UTC 
Description of problem (please be detailed as possible and provide log
snippests):

Recently we have added an enhancement to the wrap function while we use HPCS/Key protect KMS service to have AAD ( additional auth data). Eventhough it has been added and PVC claim works, while unwrapping we were not sending the AAD to the KMS and it caused the unwrapping to fail. 




Version of all relevant components (if applicable):

ODF 4.10

Does this issue impact your ability to continue to work with the product
(please explain in detail what is the user impact)?


Is there any workaround available to the best of your knowledge?


Rate from 1 - 5 the complexity of the scenario you performed that caused this
bug (1 - very simple, 5 - very complex)?


Can this issue reproducible?


Can this issue reproduce from the UI?


If this is a regression, please provide more details to justify this:


Steps to Reproduce:
1.
2.
3.


Actual results:


Expected results:


Additional info:
Comment 7 Joy John Pinto 2022-02-24 11:22:43 UTC 
Hi Humble, 

Can you please share verification steps and tests that need to be covered to close this bug

Thanks,
Joy
Comment 8 Joy John Pinto 2022-03-18 06:03:21 UTC 
Verified by running tier1 test suite on KMS enabled cluster and no failures were seen except namespace creation tests (which is due to community edition of vault instance)

OCS version: 4.10.0-0.nightly-2022-03-16-041611
OCP version: 4.10.0-0.nightly-2022-03-16-165813

Jenkins job link: https://ocs4-jenkins-csb-odf-qe.apps.ocp-c1.prod.psi.redhat.com/job/qe-deploy-ocs-cluster/10878/
Logs for job id 10878 are located at-http://magna002.ceph.redhat.com/ocsci-jenkins/openshift-clusters/jopinto-bugkms/jopinto-bugkms_20220316T130317/
Rerun jenkins job link : https://ocs4-jenkins-csb-odf-qe.apps.ocp-c1.prod.psi.redhat.com/job/qe-deploy-ocs-cluster/10888/testReport/
Logs for job id 10888 are located at- http://magna002.ceph.redhat.com/ocsci-jenkins/openshift-clusters/jopinto-bugkmsrerun/jopinto-bugkmsrerun_20220317T022450/

Hence closing the bug.
Comment 10 errata-xmlrpc 2022-04-13 18:52:48 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: Red Hat OpenShift Data Foundation 4.10.0 enhancement, security & bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:1372
Comment 11 Red Hat Bugzilla 2023-12-08 04:27:42 UTC 
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days
Note You need to log in before you can comment on or make changes to this bug.