Friday, 2025-05-02

opendevreview	kiran pawar proposed openstack/manila-specs master: Update spec for share encryption https://review.opendev.org/c/openstack/manila-specs/+/940437	10:33
opendevreview	kiran pawar proposed openstack/manila-specs master: Update spec for share encryption https://review.opendev.org/c/openstack/manila-specs/+/940437	10:51
opendevreview	Honorine Ndom Ndzah proposed openstack/manila master: added security_service for schema https://review.opendev.org/c/openstack/manila/+/948706	15:26
kpdev	Hi @gouthamr,	15:35
kpdev	w.r.t. share encryption	15:35
gouthamr	kpdev: o/ during yesterday’s irc meeting, I proposed we could do a meeting regarding the encryption spec	15:35
gouthamr	would you prefer an IRC conversation?	15:35
kpdev	we can have meeting as it will involve other stakeholders too	15:36
kpdev	after PTG we (I and Maurice) had meeting with netapp	15:36
kpdev	and agreed on basic approach	15:36
kpdev	1. provide single option --encryption-key-ref to share create API	15:36
kpdev	2. it can be either share key or share server key, the share manager will decide it by talking with driver	15:37
kpdev	3. we will not be doing any work w.r.t. share key	15:37
kpdev	4. if its share server key, we validate quota limit and also increase/decrease quota during share server create/delete	15:38
kpdev	5. quota is 'server_encryption_keys' and it will be project level quota.	15:38
kpdev	we will not do any changes in share_type or its extra-spec	15:38
kpdev	if encyption key is provided in share create request, it will be validated by manila-api by talking with barbican	15:39
kpdev	if valid forwarded in request_spec to manila scheduler	15:39
kpdev	sxheduler will have new filter called "EncryptionFilter", it will check host state or property "encryption_support" and accordingly filter hosts	15:40
kpdev	Once landed in manila share manager, if backend support share server encryption support , this means key is server encryption key and all quota validation will be done. In case limit crossed, share will go in error state and message will be created	15:41
kpdev	If all good, we create application credentails and pass share server alongwith key and application credentails to backedn driver	15:41
kpdev	Above is implemnted in PR as of today.. The backedn driver implemetation is ongoing work by netapp team	15:42
kpdev	the netapp exrta-spec will be used by netapp to determine if it wants to do encryption or not	15:42
kpdev	e.g. if extra-spec is missing and encryption key is provided, netapp driver will created encrypted share server, but share is unencrypted	15:44
kpdev	if extra-spec is there and encryption-key is not provided (this is current behaviour), netapp driver will created encrupted share with share server default key	15:45
kpdev	https://etherpad.opendev.org/p/share-encryption-with-barbican-secret-ref from line 95	15:47
kpdev	let me know if you have questions wr.t. above, and we can schedule meeting next week Wed/Thurs	15:47
gouthamr	sorry, am in meetings and can’t respond in-sync.. allow me to get back to this in a bit	16:12
gouthamr	regarding the meeting, how about 15.30 UTC on Thursday?	16:12
gouthamr	i.e halfway through our weekly IRC meeting, we can hop onto a meetpad	16:13
kpdev	ok, let me know your thoughts on spec PR and along-side we will have meeting on Thursday	16:14
carthaca	+1 to the meeting time	18:27
gouthamr	thanks i shared a note to the openstack-discuss ML: https://lists.openstack.org/archives/list/openstack-discuss@lists.openstack.org/thread/NBAOJELJAOH7B4H4LXWH33TXMPXXUEAI/	22:10
opendevreview	Honorine Ndom Ndzah proposed openstack/manila master: updated security_service.py https://review.opendev.org/c/openstack/manila/+/948734	22:14
opendevreview	Logan Haskins proposed openstack/manila-ui master: Added UI page to manage and unmanage share servers https://review.opendev.org/c/openstack/manila-ui/+/948736	23:50

Generated by irclog2html.py 4.0.0 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!