keys created with vault plugin aren't "normalized" and make payload retrieval fails in barbican
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
castellan | Invalid | Undecided | Unassigned |
Bug Description
Castellan version: castellan-3.7.0
Openstack distro: devstack
devstack local.conf:
[[local|localrc]]
disable_
enable_plugin barbican https:/
enable_service rabbit mysql key
# Modify passwords as needed
DATABASE_
RABBIT_
ADMIN_PASSWORD=
SERVICE_
SERVICE_
Behaviour with default keymanager:
[stack@infraa-007 devstack]$ openstack secret order create --name swift_root_secret \
> --payload-
> --bit-length 256 --mode ctr key
+------
| Field | Value |
+------
| Order href | http://
| Type | Key |
| Container href | N/A |
| Secret href | None |
| Created | None |
| Status | None |
| Error code | None |
| Error message | None |
+------
[stack@infraa-007 devstack]$ openstack secret order get http://
+------
| Field | Value |
+------
| Order href | http://
| Type | Key |
| Container href | N/A |
| Secret href | http://
| Created | 2021-02-
| Status | ACTIVE |
| Error code | None |
| Error message | None |
+------
[stack@infraa-007 devstack]$ openstack secret get http://
+------
| Field | Value |
+------
| Payload | b'&G\xb6T\
+------
Behaviour with vault configured (repeat secret order create and secret order get):
[stack@infraa-007 ~]# openstack secret get http://
5xx Server error: Internal Server Error: Secret payload retrieval failure seen - please contact site administrator.
Internal Server Error: Secret payload retrieval failure seen - please contact site administrator.
The problem is that the vault plugin manager stores the created key as bytes without going through the normalize process from the barbican translator. When retrieving the key, barbican tries to decode the bytes, expecting base64, and fails with:
2021-02-24 15:17:01.360 TRACE barbican.
I can work around this for the swift root key using a plain/text secret, but cinder/nova aren't playing nicely since they use the order method.
Wrapping the key_value using base64 from oslo_serialization in vault_key_
key_value = base64.
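As an added illustration of the mismatch reported above (example code written for this page, not Castellan's or Barbican's own): a store path that writes raw key bytes next to a store path that base64-encodes them first, and a retrieval path that insists on base64. The `store_key_*`/`retrieve_payload` functions are stand-ins for the plugin and translator, the 32-byte key is constructed, and the standard-library `base64` module is used in place of `oslo_serialization`'s helpers. The second sample key shows the quieter failure mode: raw bytes that happen to be valid base64 decode without error into the wrong key, so a retrieval check should compare the decoded value, not just catch exceptions.

```python
import base64
import binascii

# Constructed sample: a 32-byte AES-256 key containing bytes outside the
# base64 alphabet (the page's payload also starts with b'&G\xb6T').
SAMPLE_KEY = b"&G\xb6T" + bytes(range(28))

# Constructed sample: 32 raw bytes that are all valid base64 characters and a
# multiple of 4 long, so a strict decoder accepts them and returns 24 other bytes.
ACCIDENTALLY_VALID_KEY = b"A" * 32


def store_key_unnormalized(key_bytes: bytes) -> bytes:
    """Stand-in for the reported behaviour: raw key bytes are stored as-is."""
    return key_bytes


def store_key_normalized(key_bytes: bytes) -> bytes:
    """Stand-in for the normalized path: base64-encode before storing."""
    return base64.b64encode(key_bytes)


def retrieve_payload(stored: bytes) -> bytes:
    """Stand-in for the retrieval path: the stored value must be base64.

    validate=True rejects any byte outside the base64 alphabet instead of
    silently discarding it, which is the strictness a retrieval path wants.
    """
    return base64.b64decode(stored, validate=True)


def roundtrip(key_bytes: bytes, normalize: bool):
    """Store then retrieve a key; return (payload_matches, error_message)."""
    stored = store_key_normalized(key_bytes) if normalize else store_key_unnormalized(key_bytes)
    try:
        payload = retrieve_payload(stored)
    except (binascii.Error, ValueError) as exc:
        # Matches the report: decoding raw bytes as base64 raises, and the API
        # surfaces it as "Secret payload retrieval failure".
        return False, str(exc)
    return payload == key_bytes, None


if __name__ == "__main__":
    print("normalized:", roundtrip(SAMPLE_KEY, normalize=True))
    print("raw bytes:", roundtrip(SAMPLE_KEY, normalize=False))
    print("raw bytes that look like base64:", roundtrip(ACCIDENTALLY_VALID_KEY, normalize=False))
```

Running it shows the normalized path round-tripping cleanly, the raw-bytes path failing with a decode error, and the third case returning a payload that does not equal the stored key although no exception was raised.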
description: updated
tags: added: vault
Changed in castellan: status: New → Confirmed
Changed in castellan: status: Confirmed → In Progress; assignee: nobody → Yoshi Kadokawa (yoshikadokawa)
This also affects creating an encrypted volume (following the steps described in the URL below) with Vault as a backend for Barbican.
https://docs.openstack.org/cinder/latest/configuration/block-storage/volume-encryption.html