Cinder

Disallow unmanage for encrypted volumes

Bug #1731518 reported by Eric Harney on 2017-11-10

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Cinder	Fix Released	High	Eric Harney

Bug Description

Unmanaging an encrypted volume is currently a hazardous operation: Cinder unmanages the volume, but deletes the encryption key for the volume from Barbican, rendering it useless. This would result in data loss for a user expecting unmanage to be a "safe" operation, as it is with unencrypted volumes.

This scheme may have made sense when only using the conf key manager, but doesn't in a deployment with Barbican.

We should block unmanage operations for encrypted volumes, and only allow regular deletions.

https://git.openstack.org/cgit/openstack/cinder/tree/cinder/volume/api.py?h=12.0.0.0b1#n504

(I have not tested this behavior, just noticed while auditing the code.)

Tags:

Eric Harney (eharney) on 2017-11-10

Changed in cinder:
assignee:	nobody → Eric Harney (eharney)
importance:	Undecided → High

Omar Muhtaseb (omarm) on 2017-11-23

Changed in cinder:
status:	New → Confirmed

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-11-28: Fix proposed to cinder (master)

Fix proposed to branch: master
Review: https://review.openstack.org/523522

Changed in cinder:
status:	Confirmed → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-12-07: Fix merged to cinder (master)

Reviewed: https://review.openstack.org/523522
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=de584713d993e3fb3f68cf2ee8ce37186a9276d5
Submitter: Zuul
Branch: master

commit de584713d993e3fb3f68cf2ee8ce37186a9276d5
Author: Eric Harney <email address hidden>
Date: Tue Nov 28 14:13:21 2017 -0500

Disallow unmanaging encrypted volumes

    Unmanaging encrypted volumes is problematic because
    unmanage assumes that you will be able to manage the
    volume again for later use, but, we have no mechanism
    currently to keep track of the encryption key which
    would be required for using an encrypted volume again.

    While this may work out ok when using the conf_key
    manager, this patch does not distinguish between conf_key
    and barbican deployments.

Closes-Bug: #1731518
Change-Id: I7506fa36962404c80f1cc9c6370693728e5393a7

Changed in cinder:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-12-13: Fix proposed to cinder (stable/pike)

Fix proposed to branch: stable/pike
Review: https://review.openstack.org/527715

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-12-18: Fix merged to cinder (stable/pike)

Reviewed: https://review.openstack.org/527715
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=30ca90ffcc5be2cf2854a97cf55d54f98046cda5
Submitter: Zuul
Branch: stable/pike

commit 30ca90ffcc5be2cf2854a97cf55d54f98046cda5
Author: Eric Harney <email address hidden>
Date: Tue Nov 28 14:13:21 2017 -0500

Disallow unmanaging encrypted volumes

    While this may work out ok when using the conf_key
    manager, this patch does not distinguish between conf_key
    and barbican deployments.

    Closes-Bug: #1731518
    Change-Id: I7506fa36962404c80f1cc9c6370693728e5393a7
    (cherry picked from commit de584713d993e3fb3f68cf2ee8ce37186a9276d5)
    Conflicts:
     cinder/volume/api.py

tags:

added: in-stable-pike

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-12-18: Fix proposed to cinder (stable/ocata)

Fix proposed to branch: stable/ocata
Review: https://review.openstack.org/528758

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-12-21: Fix included in openstack/cinder 11.0.2

This issue was fixed in the openstack/cinder 11.0.2 release.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-12-29: Fix merged to cinder (stable/ocata)

Reviewed: https://review.openstack.org/528758
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=dd727943d060e9e32ad7a4390337560b8ced1529
Submitter: Zuul
Branch: stable/ocata

commit dd727943d060e9e32ad7a4390337560b8ced1529
Author: Eric Harney <email address hidden>
Date: Tue Nov 28 14:13:21 2017 -0500

Disallow unmanaging encrypted volumes

    While this may work out ok when using the conf_key
    manager, this patch does not distinguish between conf_key
    and barbican deployments.

    * The Ocata backport skips the async error message for
      this event due to refactoring of the messages system,
      to minimize risk.

    Closes-Bug: #1731518
    Change-Id: I7506fa36962404c80f1cc9c6370693728e5393a7
    (cherry picked from commit de584713d993e3fb3f68cf2ee8ce37186a9276d5)
    Conflicts:
     cinder/volume/api.py
    (cherry picked from commit 30ca90ffcc5be2cf2854a97cf55d54f98046cda5)
    Conflicts:
     cinder/message/message_field.py
            cinder/tests/unit/api/contrib/test_volume_unmanage.py
     cinder/tests/unit/volume/test_volume.py