Input validation for command encryption-type-create

Bug #1505113 reported by Lisa Li
This bug affects 1 person
Affects: Cinder
Status: Confirmed
Importance: Wishlist
Assigned to: Unassigned

Bug Description

Currently, when creating an encryption type, it uses the following command:
cinder encryption-type-create --cipher aes-xts-plain64 --key_size 512 \
  --control_location front-end LUKS nova.volume.encryptors.luks.LuksEncryptor

The problem is that cinder doesn't check the validity of the provider. Given an invalid provider, the encryption type can be created successfully, and a volume can be created with the volume type. Only when attaching the volume to a VM does it fail.

This bug is raised to add a validation check of the input.

Tags: encryption
Lisa Li (lisali)
tags: added: encryption
Joel Coffman (joel-coffman) wrote :

Validating the encryption provider is tricky because Cinder cannot verify that a module does or does not exist in Nova (e.g., nova.volume.encryptors.luks.LuksEncryptor).

Perhaps it would be better to move the encryptors to oslo so they can be shared more easily. In addition, assuming that Nova and Cinder both require some minimum version of the resulting oslo library (e.g., oslo.encryptors), then Cinder could validate the input immediately as suggested in this bug report.

wanghao (wanghao749) wrote :

Agree with Joel. If cinder also needs to encrypt/decrypt a volume which is attached to a host, like what nova did, we should share the code in an oslo library.

Lisa Li (lisali) wrote :

Thanks, I am considering and talking to oslo people.

Duncan Thomas (duncan-thomas) wrote :

After discussion, we're leaning towards brick rather than OSLO.

Lisa Li (lisali)
Changed in cinder:
importance: Undecided → Medium
importance: Medium → Wishlist
status: New → Confirmed
Sean McGinnis (sean-mcginnis) wrote :

Lisa, is this still an issue?

Lisa Li (lisali) wrote :

I think this is still a problem, but it doesn't have a high severity.

The problem is that:

1. Create an encryption type with invalid encryptor "nova.volume.encryptors.luks.TestEncryptor", and it succeeds.

cinder encryption-type-create --cipher aes-xts-plain64 --key_size 512 --control_location front-end test nova.volume.encryptors.luks.TestEncryptor

2. Create a volume with the type, which also succeeds.

3. When attaching the volume to an instance, it fails with the error:

2016-10-08 09:17:31.040 ERROR nova.volume.encryptors [req-cd9220df-5a71-4751-b06b-c1aefbd0d3ce admin admin] Error instantiating nova.volume.encryptors.luks.TestEncryptor: Class TestEncryptor cannot be found (['Traceback (most recent call last):\n', ' File "/usr/local/lib/python2.7/dist-packages/oslo_utils/importutils.py", line 32, in import_class\n return getattr(sys.modules[mod_str], class_str)\n', "AttributeError: 'module' object has no attribute 'TestEncryptor'\n"])

I think we can prohibit the case in step 1.
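
Added example, not part of the original thread and not Cinder's code: a sketch of rejecting an invalid provider at step 1, assuming the encryptors have been moved into a library that Cinder can import, as suggested earlier in the discussion. The module name `shared_encryptors`, the base class `VolumeEncryptor` and the functions `validate_provider` / `is_valid_provider` are hypothetical, and the module is a constructed stand-in so the block runs offline.

```python
import importlib
import sys
import types

class InvalidProvider(ValueError):
    """Raised when an encryption provider string fails validation."""

class VolumeEncryptor:
    """Hypothetical common base class for all encryptors."""

class LuksEncryptor(VolumeEncryptor):
    """Stand-in for the real LUKS encryptor."""

# Constructed stand-in for a shared encryptor library (hypothetical name).
shared = types.ModuleType("shared_encryptors")
shared.VolumeEncryptor = VolumeEncryptor
shared.LuksEncryptor = LuksEncryptor
shared.helper = lambda: None  # non-class attribute, must be rejected
sys.modules["shared_encryptors"] = shared

# Importing a module executes its code, so only allowlisted namespaces
# may ever reach import_module().
ALLOWED_PREFIXES = ("shared_encryptors.",)

def validate_provider(provider):
    """Return the encryptor class named by `provider` or raise InvalidProvider."""
    if not isinstance(provider, str) or not provider.startswith(ALLOWED_PREFIXES):
        raise InvalidProvider("provider not in an allowed namespace: %r" % (provider,))
    mod_str, _, class_str = provider.rpartition(".")
    if not class_str.isidentifier():
        raise InvalidProvider("malformed class name in %r" % (provider,))
    try:
        module = importlib.import_module(mod_str)
    except ImportError as exc:
        raise InvalidProvider("cannot import %s" % mod_str) from exc
    cls = getattr(module, class_str, None)
    if not isinstance(cls, type) or not issubclass(cls, VolumeEncryptor) \
            or cls is VolumeEncryptor:
        raise InvalidProvider("%s is not an encryptor class" % provider)
    return cls

def is_valid_provider(provider):
    """Boolean wrapper an API handler could call before storing the type."""
    try:
        validate_provider(provider)
        return True
    except InvalidProvider:
        return False
```

The namespace check runs before any import, so a provider string supplied through the API cannot cause an arbitrary module to be loaded during validation.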

Sean McGinnis (sean-mcginnis) wrote : Bug Assignee Expired

Unassigning due to no activity for > 6 months.

Changed in cinder:
assignee: Lisa Li (lisali) → nobody
M Shruthi (mshruthi98)
Changed in cinder:
assignee: nobody → M Shruthi (mshruthi98)
Sushma Gunda (sushma05)
Changed in cinder:
status: Confirmed → In Progress
M Shruthi (mshruthi98)
Changed in cinder:
assignee: M Shruthi (mshruthi98) → nobody
status: In Progress → Confirmed