barbican encryption keys not handled during volume transfer

Bug #1735285 reported by Eric Harney
Affects: Cinder
Status: Fix Released
Importance: Wishlist
Assigned to: Unassigned

Bug Description

Cinder does not handle transferring ownership/ACLs for Barbican encryption keys when performing a volume transfer. This means that after a volume transfer, the volume is owned by the new user, but the Barbican key associated with the volume is not.

The easiest place to see this fail is during volume deletion, but it may have other impacts as well.

$ source ~/devstack/openrc user1
$ cinder create 1
$ cinder transfer-create 406a5beb-1f00-45cb-9f4d-68b30ae10ed8
$ source ~/devstack/openrc demo
$ cinder transfer-accept 13143e07-489f-4dbf-b4e7-f90bd71a7654 f1932001b66ac9fe

$ cinder delete 406a5beb-1f00-45cb-9f4d-68b30ae10ed8
Delete for volume 406a5beb-1f00-45cb-9f4d-68b30ae10ed8 failed: Invalid volume: Unable to delete encryption key for volume. (HTTP 400) (Request-ID: req-2adb4b86-e127-4422-afd0-d5af85499e95)
ERROR: Unable to delete any of the specified volumes.

Tags: encryption
Eric Harney (eharney) wrote :

Note: on the machine I tried this on, I modified the Barbican policy to allow any user to access "creator":

    "creator": "",

Eric Harney (eharney)
tags: added: encryption
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to cinder (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/531200

OpenStack Infra (hudson-openstack) wrote : Related fix merged to cinder (master)

Reviewed: https://review.openstack.org/531200
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=04d7e2d80d4cfe0d3a2cae477d9e09b6dc1071a2
Submitter: Zuul
Branch: master

commit 04d7e2d80d4cfe0d3a2cae477d9e09b6dc1071a2
Author: Alan Bishop <email address hidden>
Date: Thu Jan 4 16:26:25 2018 +0000

    Block attempts to transfer encrypted volumes

    Block attempts to transfer encrypted volumes until [1] gets resolved.

    [1] documents the fact that encryption keys are not properly transferred
    to the new volume owner. Resolving this will be tricky because Key
    Managers such as Barbican currently provide no API for transferring
    ownership, and Key Manager ACLs are insufficient because they don't
    allow the new volume owner to delete the key.

    [1] https://bugs.launchpad.net/cinder/+bug/1735285

    Related-Bug: #1735285
    Change-Id: I5dbeb46adc9da1fce6359a96b981aa8d673d50c4
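
The failure mode reported in this bug and the guard described in the merged commit, as an added example that is not part of the original thread and is not Cinder or Barbican code. It is a toy in-memory model built on the commit message's statement that key manager ACLs do not let the new volume owner delete the key; the names `ToyKeyManager`, `accept_transfer`, `delete_volume`, `run_scenario`, the `encryption_key_id` field and the sample identifiers are assumptions made for illustration.

```python
class Forbidden(Exception):
    """Toy key manager refused the operation (not Cinder/Barbican code)."""

class ToyKeyManager:
    """Assumption from the commit message: an ACL grants read, never delete."""

    def __init__(self):
        self.secrets = {}  # key_id -> {"owner": str, "readers": set of users}

    def create(self, owner, key_id):
        self.secrets[key_id] = {"owner": owner, "readers": {owner}}

    def grant_read(self, caller, key_id, grantee):
        if caller != self.secrets[key_id]["owner"]:
            raise Forbidden("only the key owner may edit the ACL")
        self.secrets[key_id]["readers"].add(grantee)

    def can_read(self, caller, key_id):
        return caller in self.secrets[key_id]["readers"]

    def delete(self, caller, key_id):
        if caller != self.secrets[key_id]["owner"]:
            raise Forbidden("only the key owner may delete the key")
        del self.secrets[key_id]

def accept_transfer(volume, new_owner, block_encrypted=True):
    """Hand the volume over; with the guard on, refuse encrypted volumes."""
    if block_encrypted and volume["encryption_key_id"] is not None:
        raise ValueError("transferring encrypted volumes is not supported")
    volume["owner"] = new_owner  # the key's owner is NOT updated: the bug

def delete_volume(keys, volume):
    """Deleting an encrypted volume deletes its key as the volume owner."""
    if volume["encryption_key_id"] is not None:
        keys.delete(volume["owner"], volume["encryption_key_id"])
    volume["status"] = "deleted"

def run_scenario(block_encrypted):
    """user1 creates an encrypted volume; 'demo' accepts it, then deletes it."""
    keys = ToyKeyManager()
    keys.create("user1", "key-1")  # constructed sample identifiers
    vol = {"owner": "user1", "encryption_key_id": "key-1", "status": "available"}
    keys.grant_read("user1", "key-1", "demo")  # ACL workaround: read only
    try:
        accept_transfer(vol, "demo", block_encrypted)
        delete_volume(keys, vol)
    except (Forbidden, ValueError) as exc:
        return vol["owner"], keys.can_read("demo", "key-1"), type(exc).__name__
    return vol["owner"], keys.can_read("demo", "key-1"), "deleted"
```

With the guard off, the volume ends up owned by `demo`, who can read the key but cannot delete the volume; with the guard on, the transfer is refused and ownership stays with `user1`.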

Matt Riedemann (mriedem)
Changed in cinder:
importance: Undecided → Wishlist
status: New → Confirmed
Brian Rosmaita (brian-rosmaita) wrote :

This is being addressed in the Zed development cycle by https://blueprints.launchpad.net/cinder/+spec/transfer-encrypted-volume

Brian Rosmaita (brian-rosmaita) wrote :

In the meantime, we've decided that the related-bug mentioned in comment #3 actually closes this bug. It was merged into Queens.

Changed in cinder:
status: Confirmed → Fix Released