barbican encryption keys not handled during volume transfer
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Cinder | Fix Released | Wishlist | Unassigned |
Bug Description
Cinder does not handle transferring ownership/ACLs for Barbican encryption keys when performing a volume transfer. This means that after a volume transfer, the volume is owned by the new user, but the Barbican key associated with the volume is not.
The easiest place to see this fail is during volume deletion, but it may have other impacts as well.
$ source ~/devstack/openrc user1
$ cinder create 1
$ cinder transfer-create 406a5beb-
$ source ~/devstack/openrc demo
$ cinder transfer-accept 13143e07-
$ cinder delete 406a5beb-
Delete for volume 406a5beb-
ERROR: Unable to delete any of the specified volumes.
tags: added: encryption
Changed in cinder:
importance: Undecided → Wishlist
status: New → Confirmed
Note: on the machine I tried this on, I modified the Barbican policy to allow any user to access "creator":
"creator": "",
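
The ownership mismatch from the bug description, modelled as an added example that is not part of the original report and is not Cinder or Barbican code. The `Secret` and `Volume` classes, the access rule in `can_use_key`, and the `vol-N`/`key-N` IDs are assumptions made for illustration; the audit function shows the check an operator could run to find volumes whose owner no longer matches the key's owner.

```python
from dataclasses import dataclass, field

@dataclass
class Secret:              # hypothetical stand-in for a Barbican key record
    creator: str
    acl_users: set = field(default_factory=set)

@dataclass
class Volume:              # hypothetical stand-in for an encrypted volume
    owner: str
    key_id: str

def can_use_key(secret, user):
    # Assumed policy: the key's creator, or a user listed on its ACL.
    return user == secret.creator or user in secret.acl_users

def transfer_volume(volumes, vol_id, new_owner):
    # Behaviour reported in the bug: only the volume changes hands.
    volumes[vol_id].owner = new_owner

def delete_volume(volumes, secrets, vol_id, user):
    """Delete the volume and its key; refuse if user cannot use the key."""
    vol = volumes[vol_id]
    if user != vol.owner or not can_use_key(secrets[vol.key_id], user):
        return False
    del secrets[vol.key_id]
    del volumes[vol_id]
    return True

def audit_key_ownership(volumes, secrets):
    """Return IDs of volumes whose current owner cannot use the volume's key."""
    return sorted(
        vol_id for vol_id, vol in volumes.items()
        if vol.key_id not in secrets
        or not can_use_key(secrets[vol.key_id], vol.owner)
    )

def build_sample():
    # Constructed sample data: three volumes created by user1, two transferred.
    secrets = {"key-1": Secret("user1"), "key-2": Secret("user1"),
               "key-3": Secret("user1", {"demo"})}  # key-3 was shared with demo
    volumes = {f"vol-{n}": Volume("user1", f"key-{n}") for n in (1, 2, 3)}
    transfer_volume(volumes, "vol-2", "demo")
    transfer_volume(volumes, "vol-3", "demo")
    return volumes, secrets

if __name__ == "__main__":
    vols, secs = build_sample()
    print("owner/key mismatch:", audit_key_ownership(vols, secs))
    print("demo deletes vol-2:", delete_volume(vols, secs, "vol-2", "demo"))
```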