These were introduced in Bobcat but later reverted [1]. Add them now in
preparation for a future major version bump of Castellan.
[1] https://review.opendev.org/c/openstack/castellan/+/895502/
Change-Id: I7565523d052d48109c7e70490c2c31b9944d2fc1
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
Now that enough time has passed, the keymgr code that was
deprecated for removal can be removed.
Barbican is the default option for Castellan, but Barbican is not
part of default DevStack yet. Until Barbican is used by default in
the dsvm gates, ConfKeyManager (the fixed_key key manager) should
be set in DevStack, which was added with
I733279864ee1a4aaffc9c8eed81b5e12f8d8821b.
Change-Id: I82ee74f3d2629281dc8116af55f6a7b5398fc473
We can remove the hack associated with this TODO since devstack
is setting the config option value in change
I733279864ee1a4aaffc9c8eed81b5e12f8d8821b.
Depends-On: I733279864ee1a4aaffc9c8eed81b5e12f8d8821b
Change-Id: I89972b96ce2e1d06e24992d66026554b9a56d4dc
Closes-Bug: #1704875
The i18n team has decided not to translate the logs because it
seems like it is not very useful; operators prefer to have them in
English so that they can search for those strings on the internet.
Partially fix on nova/keymgr, nova/network, nova/notifications,
nova/objects and nova/pci other paths will be fixed on next commits
Change-Id: Ie3a83fef0dc689b9d37ac43e047ce5d48f567adc
1. Deprecating barbican options as these are moved to
Castellan library.
2. Added new formatting
Blueprint centralize-config-options-newton
Change-Id: Ic8bd86e2652b7702c039ea1d2e15a7bf5a2a9586
Because key manager code is duplicated across several projects, a key
manager interface was moved into its own library. This patch goes back
to replace the old code with the new library.
Change-Id: Ib563b0ea4b8b4bc1833bf52bf49a68546c384996
Implements: blueprint use-castellan-key-manager
Generation of a guru meditation report fails with TypeError when
trying to serialize config group options. This is due to the fact,
that I018c3a408a8903be8d006760994de6947fb91168 registers `barbican`
options group incorrectly: an OptGroup instance is passed where a
string name is expected (keystoneauth1 wraps the passed value
into OptGroup unconditionally).
A follow up change to oslo.config will make sure we fail early in
case an incorrect value has been passed to register_group().
Change-Id: I4c57127c7bc0098000ad18ba7bab12fbc66d8ac0
Closes-Bug: #1568208
The config options of the "nova.conf" section "keymgr" and
"barbican" got moved to the new central location "nova/conf/keymgr.py"
Change-Id: I018c3a408a8903be8d006760994de6947fb91168
Implements: blueprint centralize-config-options-newton
Uses codecs module in order to decode hex.
Enables keymgr unit tests for gate-nova-python34.
Enables volume.encryptors unit tests for gate-nova-python34.
Partially Implements: blueprint nova-python3-newton
Change-Id: I43504da03c42c6b684da0ca1c3640c31a9843a45
keystoneauth was split out last cycle as a library specifically to deal
with doing auth functions so that people who do not need to do keystone
CRUD operations can just consume only the auth session parts. As part
of modernizing keystone interactions, use keystoneauth instead of
keystoneclient.
A change to tests was made to stop checking how often the keystone auth
session is called. This could be broken in the future depending on how
the keystoneauth1 loader works. It is incorrect to mock out and check
how often Session is called when nova has no direct control over this.
The number of times barbican client is called is correctly in the
control of Nova and will continue to be tested.
bp: keystoneclient-to-keystoneauth
Co-Authored-By: Morgan Fainberg <morgan.fainberg@gmail.com>
Depends-On: I1f754a9a949ef92f4e427a91bbd1b1e73e86c8c4
Change-Id: I09a5da761bdc02c83b087f3cec40b7fa022a7a63
The key manager caches the value of barbican client to be reused,
saving an extra call to keystone. The cached value is only
applicable to the current context, so the context must be checked
before returning the cached value.
Closes-Bug: #1523646
Change-Id: I7cd7f1ba8a749b230c611e4fb20ccf4127354c35
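The context check described in the commit above, as an added illustration that is not nova's own code: a key manager caches the backend client it built, but must hand it back only when the caller presents the same credentials it was built for. The `Context` fields, the `FakeBackendClient` stand-in for a real barbican client, and the comparison on project id plus auth token are assumptions made for the example.

```python
"""Per-context caching of a key-manager backend client.

Added illustration, not nova or Castellan code. Context, the fake client
and the credential comparison are assumptions for the demo.
"""


class Context:
    """Minimal request context; the real one carries far more."""

    def __init__(self, user_id, project_id, auth_token):
        self.user_id = user_id
        self.project_id = project_id
        self.auth_token = auth_token


class FakeBackendClient:
    """Stands in for a real barbican client bound to one set of credentials."""

    def __init__(self, context):
        self.project_id = context.project_id
        self.auth_token = context.auth_token


class CachedClientKeyManager:
    """Caches the backend client to save a keystone round trip, but only
    reuses it for the credentials it was built with."""

    def __init__(self):
        self._cached_client = None
        self._cached_context = None
        self.client_builds = 0  # how many times a client was constructed

    def _build_client(self, context):
        self.client_builds += 1
        return FakeBackendClient(context)

    def _same_credentials(self, context):
        cached = self._cached_context
        return (cached is not None
                and cached.project_id == context.project_id
                and cached.auth_token == context.auth_token)

    def get_client(self, context):
        # Returning the cached client for a different context would issue
        # the request with another tenant's credentials, so check first.
        if self._cached_client is not None and self._same_credentials(context):
            return self._cached_client
        self._cached_client = self._build_client(context)
        self._cached_context = context
        return self._cached_client


def serve_two_tenants():
    """Constructed scenario: tenant A twice, then tenant B.

    Returns (builds, project of client handed to B)."""
    km = CachedClientKeyManager()
    ctx_a = Context("user-a", "project-a", "token-a")
    ctx_b = Context("user-b", "project-b", "token-b")
    km.get_client(ctx_a)
    km.get_client(ctx_a)          # cache hit: same credentials
    client_b = km.get_client(ctx_b)  # cache miss: must not reuse A's client
    return km.client_builds, client_b.project_id


if __name__ == "__main__":
    print(serve_two_tenants())
```

Without the `_same_credentials` check the second tenant would be handed the first tenant's client, which is the bug the commit closes.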
Convert the use of the incubated version of the log module
to the new oslo.log library.
Sync oslo-incubator modules to update their imports as well.
Co-Authored-By: Doug Hellmann <doug@doughellmann.com>
Change-Id: Ic4932e3f58191869c30bd07a010a6e9fdcb2a12c
The oslo team is recommending everyone to switch to the
non-namespaced versions of libraries. Updating the hacking
rule to include a check to prevent oslo.* import from
creeping back in.
This commit includes:
- using oslo_utils instead of oslo.utils
- using oslo_serialization instead of oslo.serialization
- using oslo_db instead of oslo.db
- using oslo_i18n instead of oslo.i18n
- using oslo_middleware instead of oslo.middleware
- using oslo_config instead of oslo.config
- using oslo_messaging instead of "from oslo import messaging"
- using oslo_vmware instead of oslo.vmware
Change-Id: I3e2eb147b321ce3e928817b62abcb7d023c5f13f
Adds a barbican keymgr wrapper to the key manager interface in
nova. This allows barbican to be configured as the key manager
for encryption keys in nova. The wrapper translates calls from
the existing key manager interface to python-barbicanclient.
Change-Id: I110c7ceada48de28cee1169b643b12407f21b36c
Implements: blueprint encryption-with-barbican
DocImpact
oslo.i18n uses different marker functions to separate the
translatable messages into different catalogs, which the translation
teams can prioritize translating. For details, please refer to:
http://docs.openstack.org/developer/oslo.i18n/guidelines.html#guidelines-for-use-in-openstack
There were no marker functions in some places in the network directory.
This commit makes changes:
* Add missing marker functions
* Use ',' instead of '%' while adding variables to log messages
Added a hacking rule for the warning about checking
translation for it and checking the logging level `warning` instead
of the alias `warn`.
Change-Id: I2bced49dc5a0408a94d5d20d85b20c682886edbe
oslo.utils library now provides the functionality previously in
oslo-incubator's excutils, importutils, network_utils, strutils
timeutils, units etc. Some modules already moved to oslo.utils
will still be around since other code in nova/openstack/common/
are using it and will be removed in a subsequent commit.
Change-Id: Idc716342535fdfa680963e0e073ddb46f5f1eb34
SEVERE: Unexpected section title.
ERROR: Unexpected indentation.
WARNING: Block quote ends without a blank line; unexpected unindent.
WARNING: Definition list ends without a blank line; unexpected unindent.
WARNING: Field list ends without a blank line; unexpected unindent.
WARNING: Inline emphasis start-string without end-string.
WARNING: Inline interpreted text or phrase reference start-string without end-string.
WARNING: Inline strong start-string without end-string.
Partial-Bug: #1351350
Change-Id: I661e0e32519f8e4de3325efd10242824015ed03d
oslo.i18n provides the i18n functions that were provided by
oslo-incubator's gettextutils module. Some tests that were
using internal details of the library were removed.
Change-Id: I44cfd5552e0dd86af21073419d31622f5fdb28e0
The NotAuthorized NovaException has an internal code of 403 which is
actually Forbidden, so rename it appropriately.
This patch doesn't change the external behavior, the status code in
responses will still be 403 but the exception is just named properly.
This is also necessary to create an actual Unauthorized NovaException
with code 401 for use in some Neutron API bug fixes for more granular
error handling from python-neutronclient.
Related-Bug: #1298075
Change-Id: I691fac2e2c797f47c04da7965d7b1c8685c74edb
This check flags multi-line docstrings that start with a leading
new line. This change fixed all violators of said check.
Change-Id: Ic7357b8c7420767dba611f6fcee07b7700f3aea8
We don't need to have the vi modelines in each source file,
it can be set in a user's vimrc if required.
Also a check is added to hacking to detect if they are re-added.
Change-Id: I347307a5145b2760c69085b6ca850d6a9137ffc6
Closes-Bug: #1229324
The method _generate_key_id was duplicated in
nova/keymgr/mock_key_mgr.py
This patchset removes one of the duplicates.
Change-Id: Idb30fca9d392fe5f5b4063ba1b22a967329987f6
__metaclass__ cannot be used in python3.
six should be used in general for python 3 compatibility.
Change-Id: I6d344b738cea7b9cda07cdc0e7e13fa73afa93b1
Closes-Bug: #1236648
Rename _get_hex_key to _generate_hex_key so that this
key manager works with the super class it extends.
In making this change we also need to initialize the hex key
in the constructor before initializing the super class. Not
doing so causes test failures.
Fixes bug: 1224602
Change-Id: I9a6bd9bf96bf74a08e607af811ebbe9622b994f3
Currently the Nova default keymgr implementation tries to
import classes from nova/tests. This could be a very bad
thing for production deployments which may not include
code from nova/tests.
This change moves two required modules (single_key_mgr and
mock_key_mgr) into the nova/keymgr tree.
Fixes bug: #1224526
Change-Id: I683b0245ab6b6acf8a4ba26f96d8c505f7c7cac8
Per feedback received on other patch sets, an example key manager
driver is required to support ephemeral storage encryption and
Cinder volume encryption. The ConfKeyManager class reads its key
from the project's configuration file and provides this key for
*all* requests. As such, this key manager is insecure but allows
the aforementioned encryption features to be used without further
integration effort.
To clarify the above statements, the configuration-based key
manager uses a single, fixed key. When used to encrypt data (e.g.,
by the Cinder volume encryption feature), the encryption provides
limited protection for the confidentiality of data. For example,
data cannot be read from a lost or stolen disk, and a volume's
contents cannot be reconstructed if an attacker intercepts the iSCSI
traffic between the compute and storage host. If the key is ever
compromised, then any data encrypted with the key can be decrypted.
Implements blueprint encrypt-cinder-volumes
SecurityImpact
Change-Id: Ia6f4c69e699e68065c0f767e769cd0a6f5cc623b
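What "a single, fixed key for *all* requests" means in practice, as an added example that is not nova's or Castellan's code: a fixed-key manager in the style the commit describes beside a per-object key manager, with a check showing that under the fixed-key manager two separately created volume keys are the same bytes. The method names, the hex config format, the sentinel key id and the demo key value are assumptions for the example.

```python
"""Fixed-key key manager beside a per-object one.

Added illustration, not nova or Castellan code. The interface names, the
hex config format and the sentinel key id are assumptions for the demo.
"""
import binascii
import os
import uuid


class FixedKeyManager:
    """Every key id resolves to the one key read from configuration."""

    # Hypothetical: there is only one key, so create_key returns a constant.
    SENTINEL_KEY_ID = "00000000-0000-0000-0000-000000000000"

    def __init__(self, fixed_key_hex):
        if not fixed_key_hex:
            raise ValueError("fixed_key must be configured")
        try:
            key = binascii.unhexlify(fixed_key_hex)
        except (binascii.Error, ValueError) as exc:
            raise ValueError("fixed_key is not valid hex") from exc
        if len(key) not in (16, 24, 32):
            raise ValueError("fixed_key must be 128, 192 or 256 bits")
        self._key = key

    def create_key(self, context):
        return self.SENTINEL_KEY_ID

    def get_key(self, context, key_id):
        # The id is ignored: the same key is returned for every request.
        return self._key

    def delete_key(self, context, key_id):
        # Nothing to delete; the key lives in the configuration file.
        return None


class PerObjectKeyManager:
    """In-memory per-object keys, the shape a real backend offers
    (without persistence or access control, which a real one needs)."""

    def __init__(self):
        self._keys = {}

    def create_key(self, context, length=256):
        key_id = str(uuid.uuid4())
        self._keys[key_id] = os.urandom(length // 8)
        return key_id

    def get_key(self, context, key_id):
        return self._keys[key_id]

    def delete_key(self, context, key_id):
        del self._keys[key_id]


def keys_shared_between_volumes(manager, context=None):
    """Create keys for two 'volumes' and report whether they are the same
    bytes. True means compromise of one volume's key exposes both."""
    vol_a = manager.create_key(context)
    vol_b = manager.create_key(context)
    return manager.get_key(context, vol_a) == manager.get_key(context, vol_b)


# Constructed demo config value: 64 hex chars, i.e. 256 bits. NOT a real key.
DEMO_FIXED_KEY = "0123456789abcdef" * 4

if __name__ == "__main__":
    print("fixed key shared:", keys_shared_between_volumes(FixedKeyManager(DEMO_FIXED_KEY)))
    print("per-object shared:", keys_shared_between_volumes(PerObjectKeyManager()))
```

The `FixedKeyManager` still validates its configuration (present, valid hex, a usable AES key length) because a silently wrong fixed key would leave volumes unreadable; what it cannot do is limit the blast radius of that key, which is the point of the SecurityImpact note above.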
This change synchronizes the key manager interface with code that
has been accepted by Cinder. The default key manager (i.e.,
NotImplementedKeyManager) raises NotImplementedError for all
operations. A copy_key method has also been added to the key
manager interface so that keys may be deleted when the objects
that they encrypt (e.g., a volume) are deleted.
Implements blueprint encrypt-cinder-volumes
Change-Id: Ie9ab9578402e87338b6a4bd413bb9f875d3b3eb6
This interface provides a thin wrapper around an underlying key management
implementation such as Barbican or a KMIP server. The key manager interface is
used by the volume encryption code to retrieve keys for volumes.
Implements: blueprint encrypt-cinder-volumes
Change-Id: I9b0dcb7d648ee6809185c71ba457c8a8a6c90d50
SecurityImpact