Commit Graph

33 Commits

Author SHA1 Message Date
Stephen Finucane 14972080fd Implement add_consumer, remove_consumer KeyManager APIs
These were introduced in Bobcat but later reverted [1]. Add them now in
preparation for a future major version bump of Castellan.

[1] https://review.opendev.org/c/openstack/castellan/+/895502/

Change-Id: I7565523d052d48109c7e70490c2c31b9944d2fc1
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
2023-09-21 14:30:03 +01:00
Kaitlin Farr f65d436c11 Remove deprecated keymgr code
Now that enough time has passed, the keymgr code that was
deprecated for removal can be removed.

Barbican is the default option for Castellan, but Barbican is not
part of default DevStack yet. Until Barbican is used by default in
the dsvm gates, ConfKeyManager (the fixed_key key manager) should
be set in DevStack, which was added with
I733279864ee1a4aaffc9c8eed81b5e12f8d8821b.

Change-Id: I82ee74f3d2629281dc8116af55f6a7b5398fc473
2017-09-11 15:48:30 -04:00
Jenkins 09ed3b5626 Merge "Remove translation of log messages" 2017-08-15 21:10:02 +00:00
Matt Riedemann 47528cd5c2 Remove key_manager.api_class hack
We can remove the hack associated with this TODO since devstack
is setting the config option value in change
I733279864ee1a4aaffc9c8eed81b5e12f8d8821b.

Depends-On: I733279864ee1a4aaffc9c8eed81b5e12f8d8821b

Change-Id: I89972b96ce2e1d06e24992d66026554b9a56d4dc
Closes-Bug: #1704875
2017-07-17 17:49:08 -04:00
Ngo Quoc Cuong 5a769f2a01 Remove translation of log messages
The i18n team has decided not to translate the logs because it
seems like it is not very useful; operators prefer to have them in
English so that they can search for those strings on the internet.

Partial fix for nova/keymgr, nova/network, nova/notifications,
nova/objects and nova/pci; other paths will be fixed in subsequent commits.

Change-Id: Ie3a83fef0dc689b9d37ac43e047ce5d48f567adc
2017-06-21 13:01:19 +07:00
Sarafraj Singh 899a140f32 Deprecate barbican options
1. Deprecating barbican options as these are moved to
Castellan library.
2. Added new formatting

Blueprint centralize-config-options-newton

Change-Id: Ic8bd86e2652b7702c039ea1d2e15a7bf5a2a9586
2016-07-29 15:36:28 -05:00
Kaitlin Farr f006ff4de7 Replace key manager with Castellan
Because key manager code is duplicated across several projects, a key
manager interface was moved into its own library. This patch goes back
to replace the old code with the new library.

Change-Id: Ib563b0ea4b8b4bc1833bf52bf49a68546c384996
Implements: blueprint use-castellan-key-manager
2016-04-27 14:37:06 -04:00
Roman Podoliaka acbf057d25 Fix generation of Guru Meditation Report
Generation of a guru meditation report fails with TypeError when
trying to serialize config group options. This is due to the fact
that I018c3a408a8903be8d006760994de6947fb91168 registers the `barbican`
options group incorrectly: an OptGroup instance is passed where a
string name is expected (keystoneauth1 wraps the passed value
into OptGroup unconditionally).

A follow-up change to oslo.config will make sure we fail early in
case an incorrect value has been passed to register_group().

Change-Id: I4c57127c7bc0098000ad18ba7bab12fbc66d8ac0
Closes-Bug: #1568208
2016-04-13 17:00:32 +03:00
Jenkins d38410ea6f Merge "Fixes hex decoding related unit tests" 2016-04-11 00:35:03 +00:00
Kevin_Zheng 8b0b54bd46 config options: centralize section: "keymgr"
The config options of the "nova.conf" sections "keymgr" and
"barbican" got moved to the new central location "nova/conf/keymgr.py"

Change-Id: I018c3a408a8903be8d006760994de6947fb91168
Implements: blueprint centralize-config-options-newton
2016-03-29 23:47:50 +08:00
Claudiu Belu c514065c70 Fixes hex decoding related unit tests
Uses codecs module in order to decode hex.
Enables keymgr unit tests for gate-nova-python34.
Enables volume.encryptors unit tests for gate-nova-python34.

Partially Implements: blueprint nova-python3-newton

Change-Id: I43504da03c42c6b684da0ca1c3640c31a9843a45
2016-03-21 14:38:15 +02:00
Monty Taylor f19ddc4c50 Migrate from keystoneclient to keystoneauth
keystoneauth was split out last cycle as a library specifically to deal
with doing auth functions so that people who do not need to do keystone
CRUD operations can just consume only the auth session parts. As part
of modernizing keystone interactions, use keystoneauth instead of
keystoneclient.

A change to tests was made to stop checking how often the keystone auth
session is called. This could be broken in the future depending on how
the keystoneauth1 loader works. It is incorrect to mock out and check
how often Session is called when nova has no direct control over this.
The number of times barbican client is called is correctly in the
control of Nova and will continue to be tested.

bp: keystoneclient-to-keystoneauth

Co-Authored-By: Morgan Fainberg <morgan.fainberg@gmail.com>
Depends-On: I1f754a9a949ef92f4e427a91bbd1b1e73e86c8c4
Change-Id: I09a5da761bdc02c83b087f3cec40b7fa022a7a63
2016-01-28 10:55:29 -06:00
Dave McCowan 676a53ce44 Check context before returning cached value
The key manager caches the value of barbican client to be reused,
saving an extra call to keystone.  The cached value is only
applicable to the current context, so the context must be checked
before returning the cached value.

Closes-Bug: #1523646

Change-Id: I7cd7f1ba8a749b230c611e4fb20ccf4127354c35
2015-12-14 17:45:33 -05:00
Davanum Srinivas a412e038dd Switch to uuidutils from oslo_utils library
Get rid of our copy of uuidutils.py from oslo-incubator

Change-Id: Idca3581475bcd4a04ce8d3420a1b7763db15b390
2015-02-25 20:05:49 -05:00
Davanum Srinivas 97d63d8745 Use oslo.log
Convert the use of the incubated version of the log module
to the new oslo.log library.

Sync oslo-incubator modules to update their imports as well.

Co-Authored-By: Doug Hellmann <doug@doughellmann.com>
Change-Id: Ic4932e3f58191869c30bd07a010a6e9fdcb2a12c
2015-02-22 07:56:40 -05:00
Davanum Srinivas af2d6c9576 Switch to using oslo_* instead of oslo.*
The oslo team is recommending everyone to switch to the
non-namespaced versions of libraries. Updating the hacking
rule to include a check to prevent oslo.* import from
creeping back in.

This commit includes:
- using oslo_utils instead of oslo.utils
- using oslo_serialization instead of oslo.serialization
- using oslo_db instead of oslo.db
- using oslo_i18n instead of oslo.i18n
- using oslo_middleware instead of oslo.middleware
- using oslo_config instead of oslo.config
- using oslo_messaging instead of "from oslo import messaging"
- using oslo_vmware instead of oslo.vmware

Change-Id: I3e2eb147b321ce3e928817b62abcb7d023c5f13f
2015-02-06 06:03:10 -05:00
Brianna Poulos fbf0806273 Adds barbican keymgr wrapper
Adds a barbican keymgr wrapper to the key manager interface in
nova.  This allows barbican to be configured as the key manager
for encryption keys in nova.  The wrapper translates calls from
the existing key manager interface to python-barbicanclient.

Change-Id: I110c7ceada48de28cee1169b643b12407f21b36c
Implements: blueprint encryption-with-barbican
DocImpact
2015-02-02 13:10:16 -05:00
Mike Durnosvistov e8c0b822f0 Replacement `_` on `_LW` in all LOG.warning part 1
oslo.i18n uses different marker functions to separate the
translatable messages into different catalogs, which the translation
teams can prioritize translating. For details, please refer to:
http://docs.openstack.org/developer/oslo.i18n/guidelines.html#guidelines-for-use-in-openstack

There were no marker functions in some places in the network directory.
This commit makes changes:
* Add missing marker functions
* Use ',' instead of '%' while adding variables to log messages

Added a hacking rule for the warning about checking
translation for it and checking logging level `warning` instead
of the alias `warn`.

Change-Id: I2bced49dc5a0408a94d5d20d85b20c682886edbe
2014-11-20 11:19:16 +02:00
Gary Kotton 2353719b6f Key manager: ensure exception reason is translated
Add missing translations to exceptions.

Change-Id: Id3ec185ab96693ce0b4f5c21e5a66e665959ad34
2014-11-16 01:53:03 -08:00
Davanum Srinivas 323fa6fef7 Use oslo.utils
oslo.utils library now provides the functionality previously in
oslo-incubator's excutils, importutils, network_utils, strutils,
timeutils, units etc. Some modules already moved to oslo.utils
will still be around since other code in nova/openstack/common/
is using them and will be removed in a subsequent commit.

Change-Id: Idc716342535fdfa680963e0e073ddb46f5f1eb34
2014-10-06 21:41:17 -04:00
Davanum Srinivas 11aaf21d9e docs - Fix errors,warnings from document generation
SEVERE: Unexpected section title.
ERROR: Unexpected indentation.
WARNING: Block quote ends without a blank line; unexpected unindent.
WARNING: Definition list ends without a blank line; unexpected unindent.
WARNING: Field list ends without a blank line; unexpected unindent.
WARNING: Inline emphasis start-string without end-string.
WARNING: Inline interpreted text or phrase reference start-string without end-string.
WARNING: Inline strong start-string without end-string.

Partial-Bug: #1351350

Change-Id: I661e0e32519f8e4de3325efd10242824015ed03d
2014-08-08 22:07:31 +00:00
Davanum Srinivas 826aed0ec7 Use oslo.i18n
oslo.i18n provides the i18n functions that were provided by
oslo-incubator's gettextutils module. Some tests that were
using internal details of the library were removed.

Change-Id: I44cfd5552e0dd86af21073419d31622f5fdb28e0
2014-07-18 14:28:09 -04:00
Matt Riedemann c75a15a489 Rename NotAuthorized exception to Forbidden
The NotAuthorized NovaException has an internal code of 403 which is
actually Forbidden, so rename it appropriately.

This patch doesn't change the external behavior, the status code in
responses will still be 403 but the exception is just named properly.

This is also necessary to create an actual Unauthorized NovaException
with code 401 for use in some Neutron API bug fixes for more granular
error handling from python-neutronclient.

Related-Bug: #1298075

Change-Id: I691fac2e2c797f47c04da7965d7b1c8685c74edb
2014-04-25 12:37:07 -07:00
Alexander Bochkarev dd4032e9fb Enable flake8 H404 checking
This check indicates comments in which a multi-line docstring should
start without a leading new line. This change fixes all violators of
said check.

Change-Id: Ic7357b8c7420767dba611f6fcee07b7700f3aea8
2014-02-27 11:15:55 +04:00
liu-sheng 74f953a1d7 Remove vi modelines
We don't need to have the vi modelines in each source file,
it can be set in a user's vimrc if required.

Also a check is added to hacking to detect if they are re-added.

Change-Id: I347307a5145b2760c69085b6ca850d6a9137ffc6
Closes-Bug: #1229324
2014-02-03 14:19:44 +00:00
Matthew Gilliard 7370ca5344 Remove duplicated method in mock_key_mgr
The method _generate_key_id was duplicated in
nova/keymgr/mock_key_mgr.py

This patchset removes one of the duplicates.

Change-Id: Idb30fca9d392fe5f5b4063ba1b22a967329987f6
2014-01-29 22:04:01 +00:00
fujioka yuuichi 30dead1425 Apply six for metaclass
__metaclass__ cannot be used in Python 3.
six is used in general for Python 3 compatibility.

Change-Id: I6d344b738cea7b9cda07cdc0e7e13fa73afa93b1
Closes-Bug: #1236648
2013-10-23 15:00:42 +09:00
Dan Prince 2f43ba83b6 Wire in ConfKeyManager._generate_hex_key!
Rename _get_hex_key to _generate_hex_key so that this
key manager works with the super class it extends.

In making this change we also need to initialize the hex key
in the constructor before initializing the super class. Not
doing so causes test failures.

Fixes bug: 1224602

Change-Id: I9a6bd9bf96bf74a08e607af811ebbe9622b994f3
2013-09-13 07:08:51 -04:00
Dan Prince b869796847 Drop unused logger from keymgr/__init__.py
Change-Id: I930be566f68c206d94f0e42432fe93b4135bcd42
2013-09-13 07:08:51 -04:00
Dan Prince a0d785868c Move required keymgr classes out of nova/tests
Currently the Nova default keymgr implementation tries to
import classes from nova/tests. This could be a very bad
thing for production deployments which may not include
code from nova/tests.

This change moves two required modules (single_key_mgr and
mock_key_mgr) into the nova/keymgr tree.

Fixes bug: #1224526

Change-Id: I683b0245ab6b6acf8a4ba26f96d8c505f7c7cac8
2013-09-13 07:08:16 -04:00
Joel Coffman cf5645fdee Add key manager implementation with static key
Per feedback received on other patch sets, an example key manager
driver is required to support ephemeral storage encryption and
Cinder volume encryption. The ConfKeyManager class reads its key
from the project's configuration file and provides this key for
*all* requests. As such, this key manager is insecure but allows
the aforementioned encryption features to be used without further
integration effort.

To clarify the above statements, the configuration-based key
manager uses a single, fixed key. When used to encrypt data (e.g.,
by the Cinder volume encryption feature), the encryption provides
limited protection for the confidentiality of data. For example,
data cannot be read from a lost or stolen disk, and a volume's
contents cannot be reconstructed if an attacker intercepts the iSCSI
traffic between the compute and storage host. If the key is ever
compromised, then any data encrypted with the key can be decrypted.

Implements blueprint encrypt-cinder-volumes
SecurityImpact

Change-Id: Ia6f4c69e699e68065c0f767e769cd0a6f5cc623b
2013-09-11 06:43:13 -04:00
Joel Coffman 9469565689 Synchronize the key manager interface with Cinder
This change synchronizes the key manager interface with code that
has been accepted by Cinder. The default key manager (i.e.,
NotImplementedKeyManager) raises NotImplementedError for all
operations. A copy_key method has also been added to the key
manager interface so that keys may be deleted when the objects
that they encrypt (e.g., a volume) are deleted.

Implements blueprint encrypt-cinder-volumes

Change-Id: Ie9ab9578402e87338b6a4bd413bb9f875d3b3eb6
2013-09-05 09:12:26 -04:00
Joel Coffman fc8cb355db Create key manager interface
This interface provides a thin wrapper around an underlying key management
implementation such as Barbican or a KMIP server. The key manager interface is
used by the volume encryption code to retrieve keys for volumes.

Implements: blueprint encrypt-cinder-volumes
Change-Id: I9b0dcb7d648ee6809185c71ba457c8a8a6c90d50
SecurityImpact
2013-07-17 16:44:42 -04:00