Friday, 2025-05-02

opendevreviewkiran pawar proposed openstack/manila-specs master: Update spec for share encryption  https://review.opendev.org/c/openstack/manila-specs/+/94043710:33
opendevreviewkiran pawar proposed openstack/manila-specs master: Update spec for share encryption  https://review.opendev.org/c/openstack/manila-specs/+/94043710:51
opendevreviewHonorine Ndom Ndzah proposed openstack/manila master: added security_service for schema  https://review.opendev.org/c/openstack/manila/+/94870615:26
kpdevHi @gouthamr, 15:35
kpdevw.r.t. share encryption15:35
gouthamrkpdev: o/ during yesterday’s irc meeting, I proposed we could do a meeting regarding the encryption spec15:35
gouthamrwould you prefer an IRC conversation?15:35
kpdevwe can have meeting as it will involve other stakeholders too15:36
kpdevafter PTG we (I and Maurice) had meeting with netapp15:36
kpdevand agreed on basic approach 15:36
kpdev1. provide single option --encryption-key-ref to share create API15:36
kpdev2. it can be either share key or share server key, the share manager will decide it by talking with driver15:37
kpdev3. we will not be doing any work w.r.t. share key15:37
kpdev4. if its share server key, we validate quota limit and also increase/decrease quota during share server create/delete15:38
kpdev5. quota is 'server_encryption_keys' and it will be project level quota.15:38
kpdevwe will not do any changes in share_type or its extra-spec15:38
kpdevif encyption key is provided in share create request, it will be validated by manila-api by talking with barbican15:39
kpdevif valid forwarded in request_spec to manila scheduler15:39
kpdevsxheduler will have new filter called "EncryptionFilter", it will check host state or property "encryption_support" and accordingly filter hosts15:40
kpdevOnce landed in manila share manager, if backend support share server encryption support , this means key is server encryption key and all quota validation will be done. In case limit crossed, share will go in error state and message will be created15:41
kpdevIf all good, we create application credentails and pass share server alongwith key and application credentails to backedn driver15:41
kpdevAbove is implemnted in PR as of today..  The backedn driver implemetation is ongoing work by netapp team 15:42
kpdevthe netapp exrta-spec will be used by netapp to determine if it wants to do encryption or not15:42
kpdeve.g. if extra-spec is missing and encryption key is provided, netapp driver will created encrypted share server, but share is unencrypted15:44
kpdevif extra-spec is there and encryption-key is not provided (this is current behaviour), netapp driver will created encrupted share with share server default key15:45
kpdevhttps://etherpad.opendev.org/p/share-encryption-with-barbican-secret-ref from line 9515:47
kpdevlet me know if you have questions wr.t. above, and we can schedule meeting next week Wed/Thurs15:47
gouthamrsorry, am in meetings and can’t respond in-sync.. allow me to get back to this in a bit16:12
gouthamrregarding the meeting, how about 15.30 UTC on Thursday?16:12
gouthamri.e halfway through our weekly IRC meeting, we can hop onto a meetpad16:13
kpdevok, let me know your thoughts on spec PR and along-side we will have meeting on Thursday16:14
carthaca+1 to the meeting time18:27
gouthamrthanks i shared a note to the openstack-discuss ML: https://lists.openstack.org/archives/list/openstack-discuss@lists.openstack.org/thread/NBAOJELJAOH7B4H4LXWH33TXMPXXUEAI/22:10
opendevreviewHonorine Ndom Ndzah proposed openstack/manila master: updated security_service.py  https://review.opendev.org/c/openstack/manila/+/94873422:14
opendevreviewLogan Haskins proposed openstack/manila-ui master: Added UI page to manage and unmanage share servers  https://review.opendev.org/c/openstack/manila-ui/+/94873623:50

Generated by irclog2html.py 4.0.0 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!