opendevreview | kiran pawar proposed openstack/manila-specs master: Update spec for share encryption https://review.opendev.org/c/openstack/manila-specs/+/940437 | 10:33 |
---|---|---|
opendevreview | kiran pawar proposed openstack/manila-specs master: Update spec for share encryption https://review.opendev.org/c/openstack/manila-specs/+/940437 | 10:51 |
opendevreview | Honorine Ndom Ndzah proposed openstack/manila master: added security_service for schema https://review.opendev.org/c/openstack/manila/+/948706 | 15:26 |
kpdev | Hi @gouthamr, | 15:35 |
kpdev | w.r.t. share encryption | 15:35 |
gouthamr | kpdev: o/ during yesterday’s irc meeting, I proposed we could do a meeting regarding the encryption spec | 15:35 |
gouthamr | would you prefer an IRC conversation? | 15:35 |
kpdev | we can have meeting as it will involve other stakeholders too | 15:36 |
kpdev | after PTG we (I and Maurice) had meeting with netapp | 15:36 |
kpdev | and agreed on basic approach | 15:36 |
kpdev | 1. provide single option --encryption-key-ref to share create API | 15:36 |
kpdev | 2. it can be either share key or share server key, the share manager will decide it by talking with driver | 15:37 |
kpdev | 3. we will not be doing any work w.r.t. share key | 15:37 |
kpdev | 4. if it's share server key, we validate quota limit and also increase/decrease quota during share server create/delete | 15:38 |
kpdev | 5. quota is 'server_encryption_keys' and it will be project level quota. | 15:38 |
kpdev | we will not do any changes in share_type or its extra-spec | 15:38 |
kpdev | if encryption key is provided in share create request, it will be validated by manila-api by talking with barbican | 15:39 |
kpdev | if valid forwarded in request_spec to manila scheduler | 15:39 |
kpdev | scheduler will have new filter called "EncryptionFilter", it will check host state or property "encryption_support" and accordingly filter hosts | 15:40 |
kpdev | Once landed in manila share manager, if backend supports share server encryption support, this means key is server encryption key and all quota validation will be done. In case limit crossed, share will go in error state and message will be created | 15:41 |
kpdev | If all good, we create application credentials and pass share server along with key and application credentials to backend driver | 15:41 |
kpdev | Above is implemented in PR as of today. The backend driver implementation is ongoing work by netapp team | 15:42 |
kpdev | the netapp extra-spec will be used by netapp to determine if it wants to do encryption or not | 15:42 |
kpdev | e.g. if extra-spec is missing and encryption key is provided, netapp driver will create encrypted share server, but share is unencrypted | 15:44 |
kpdev | if extra-spec is there and encryption-key is not provided (this is current behaviour), netapp driver will create encrypted share with share server default key | 15:45 |
kpdev | https://etherpad.opendev.org/p/share-encryption-with-barbican-secret-ref from line 95 | 15:47 |
kpdev | let me know if you have questions w.r.t. above, and we can schedule meeting next week Wed/Thurs | 15:47 |
gouthamr | sorry, am in meetings and can’t respond in-sync.. allow me to get back to this in a bit | 16:12 |
gouthamr | regarding the meeting, how about 15.30 UTC on Thursday? | 16:12 |
gouthamr | i.e halfway through our weekly IRC meeting, we can hop onto a meetpad | 16:13 |
kpdev | ok, let me know your thoughts on spec PR and along-side we will have meeting on Thursday | 16:14 |
carthaca | +1 to the meeting time | 18:27 |
gouthamr | thanks i shared a note to the openstack-discuss ML: https://lists.openstack.org/archives/list/openstack-discuss@lists.openstack.org/thread/NBAOJELJAOH7B4H4LXWH33TXMPXXUEAI/ | 22:10 |
opendevreview | Honorine Ndom Ndzah proposed openstack/manila master: updated security_service.py https://review.opendev.org/c/openstack/manila/+/948734 | 22:14 |
opendevreview | Logan Haskins proposed openstack/manila-ui master: Added UI page to manage and unmanage share servers https://review.opendev.org/c/openstack/manila-ui/+/948736 | 23:50 |