Generic Key Manager interface for OpenStack
Alan Bishop fc0fc79eb6 Support handling legacy all-zeros key ID
This patch addresses a specific use case, where a user has encrypted
volumes based on the fixed_key used by Cinder's and Nova's
ConfKeyManager. The user wishes to switch to Barbican, but existing
volumes must continue to function during the migration period.

The code conditionally adds a shim around the backend KeyManager when
both of these conditions are met:

1) The configuration contains a fixed_key value. This essentially
   signals the ConfKeyManager has been in use at one time
2) The current backend is *not* the ConfKeyManager

When the shim is active, a MigrationKeyManager class is dynamically
created that extends the backend's KeyManager class. The
MigrationKeyManager exists solely to override two functions:

o The KeyManager.get() function detects requests for the secret
  associated with the fixed_key, which is identified by an all-zeros
  key ID.

  - Requests for the all-zeros key ID are handled by mimicking the
    ConfKeyManager's response, which is a secret derived from the
    fixed_key.
  - Requests for any other key ID are passed on to the real backend.

o The KeyManager.delete() function is similar:

  - Requests to delete the all-zeros key ID are essentially ignored,
    just as is done by the ConfKeyManager.
  - Requests to delete any other key ID are passed on to the real
    backend.

All other KeyManager functions are not overridden, and will therefore be
handled directly by the real backend.

SecurityImpact
Change-Id: Ia5316490201c33e23a4206838d5a4fb3dd00f527
2017-11-21 09:23:09 -05:00
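
A minimal sketch of the shim the commit message describes, added here as an illustration and not taken from the castellan source. FakeBackend, LegacyConfBackend, wrap_if_migrating, the all-zeros UUID string and the hex-decoding of fixed_key are assumptions made for the example.

```python
import binascii

# Assumption: the legacy fixed_key secret is addressed by the all-zeros UUID.
ALL_ZEROS_ID = "00000000-0000-0000-0000-000000000000"


class FakeBackend:
    """Constructed stand-in for a real backend KeyManager."""

    def __init__(self):
        self.secrets = {"key-1": b"backend-secret"}  # constructed sample data

    def get(self, context, managed_object_id):
        return self.secrets[managed_object_id]

    def delete(self, context, managed_object_id):
        del self.secrets[managed_object_id]

    def list(self, context):
        return sorted(self.secrets)


class LegacyConfBackend(FakeBackend):
    """Constructed stand-in for the fixed_key-based ConfKeyManager."""


def wrap_if_migrating(backend_cls, fixed_key_hex, legacy_cls):
    """Return a MigrationKeyManager subclass only when both conditions hold."""
    if not fixed_key_hex or issubclass(backend_cls, legacy_cls):
        return backend_cls
    # Assumed derivation: hex-decode fixed_key. A malformed value raises here,
    # at construction time, rather than on the first request for the key.
    legacy_secret = binascii.unhexlify(fixed_key_hex)

    def get(self, context, managed_object_id):
        if managed_object_id == ALL_ZEROS_ID:
            return legacy_secret  # served locally, never sent to the backend
        return backend_cls.get(self, context, managed_object_id)

    def delete(self, context, managed_object_id):
        if managed_object_id == ALL_ZEROS_ID:
            return None  # ignored, as the commit message describes
        return backend_cls.delete(self, context, managed_object_id)

    # Every other method (list, and so on) is inherited from the backend as is.
    return type("MigrationKeyManager", (backend_cls,),
                {"get": get, "delete": delete})
```

Because the all-zeros branch returns one shared key to every caller, the fixed_key stays sensitive for as long as it remains in the configuration.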
castellan Support handling legacy all-zeros key ID 2017-11-21 09:23:09 -05:00
doc/source allow redirects in .htaccess files on the static web servers 2017-08-03 15:39:17 +05:30
etc/castellan refactoring castellan configuration 2015-08-12 12:03:36 -04:00
releasenotes Support handling legacy all-zeros key ID 2017-11-21 09:23:09 -05:00
tools Support upper-constraints in tox.ini 2016-10-10 03:19:27 +00:00
.coveragerc remove obsolete oslo incubator code 2016-11-01 14:16:50 +00:00
.gitignore Add releasenotes for castellan 2017-09-05 13:40:42 +08:00
.gitreview Initial Cookiecutter Commit. 2014-11-20 15:39:45 -06:00
.mailmap Initial Cookiecutter Commit. 2014-11-20 15:39:45 -06:00
.testr.conf Move unit tests to unit test folder 2015-07-22 14:29:06 -04:00
CONTRIBUTING.rst Optimize the link address 2017-06-12 07:57:59 +00:00
HACKING.rst Update the doc URL in the documents 2017-07-11 13:38:04 +00:00
LICENSE Initial Cookiecutter Commit. 2014-11-20 15:39:45 -06:00
README.rst Update the doc URL in the documents 2017-07-11 13:38:04 +00:00
babel.cfg Initial Cookiecutter Commit. 2014-11-20 15:39:45 -06:00
requirements.txt Updated from global requirements 2017-09-11 21:34:53 +00:00
setup.cfg Use Stevedore for better extensions 2017-08-01 09:01:35 -04:00
setup.py Updated from global requirements 2017-03-02 11:43:02 +00:00
test-requirements.txt Updated from global requirements 2017-09-13 12:48:44 +00:00
tox.ini Add releasenotes for castellan 2017-09-05 13:40:42 +08:00

README.rst

Castellan

Generic Key Manager interface for OpenStack.

Team and repository tags
