Key migration to Barbican needs to update Backup table

Bug #1757235 reported by Alan Bishop
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Cinder
High
Alan Bishop

Bug Description

Code was recently added to migrate encryption keys to Baribican [1]. However, a subsequent change now stores encryption key IDs in the Backup table [2].

[1] https://review.openstack.org/524720
[2] https://review.openstack.org/537462

Any all-zeros key ID stored in the Backup table also need to be migrated to Barbican. In other words, the key migration code needs to be updated to also handle the Backup table.

Changed in cinder:
assignee: nobody → Alan Bishop (alan-bishop)
Eric Harney (eharney)
Changed in cinder:
importance: Undecided → High
tags: added: encryption
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to cinder (master)

Fix proposed to branch: master
Review: https://review.openstack.org/555379

Changed in cinder:
status: New → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to cinder (master)

Reviewed: https://review.openstack.org/555379
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=341dd44ba796e933920da6718a2891e35ed88506
Submitter: Zuul
Branch: master

commit 341dd44ba796e933920da6718a2891e35ed88506
Author: Alan Bishop <email address hidden>
Date: Tue Mar 20 15:10:28 2018 -0400

    Handle migrating encryption key IDs in Backup table

    Enhance the code that migrates the ConfKeyManager's fixed_key to
    Barbican to also consider the Backup table. When the original key
    migration feature was added, the encryption key ID was not stored in
    the Backup table. But now the Backup table contains that field, so
    the migration code needs to handle that table as well.

    Whereas the cinder-volume service is responsible for migrating keys
    in the Volume and Snapshot tables, the cinder-backup service handles
    migrating keys in the Backup table. Each instance of the service
    migrates its own entries by matching the "host" field in the
    corresponding tables.

    The Backup OVO now inherits from base.CinderComparableObject. This does
    not affect the object's hash signature, and so the version number does
    need to be incremented.

    Closes-Bug: #1757235
    Change-Id: Id4581eec80f82925c20c424847bff1baceda2349

Changed in cinder:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to cinder (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.openstack.org/558906

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to cinder (stable/queens)

Reviewed: https://review.openstack.org/558906
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=bc76abef28b34723abdbd29881553a1af94b024b
Submitter: Zuul
Branch: stable/queens

commit bc76abef28b34723abdbd29881553a1af94b024b
Author: Alan Bishop <email address hidden>
Date: Tue Mar 20 15:10:28 2018 -0400

    Handle migrating encryption key IDs in Backup table

    Enhance the code that migrates the ConfKeyManager's fixed_key to
    Barbican to also consider the Backup table. When the original key
    migration feature was added, the encryption key ID was not stored in
    the Backup table. But now the Backup table contains that field, so
    the migration code needs to handle that table as well.

    Whereas the cinder-volume service is responsible for migrating keys
    in the Volume and Snapshot tables, the cinder-backup service handles
    migrating keys in the Backup table. Each instance of the service
    migrates its own entries by matching the "host" field in the
    corresponding tables.

    The Backup OVO now inherits from base.CinderComparableObject. This does
    not affect the object's hash signature, and so the version number does
    need to be incremented.

    Closes-Bug: #1757235
    Change-Id: Id4581eec80f82925c20c424847bff1baceda2349
    (cherry picked from commit 341dd44ba796e933920da6718a2891e35ed88506)

tags: added: in-stable-queens
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/cinder 13.0.0.0b1

This issue was fixed in the openstack/cinder 13.0.0.0b1 development milestone.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/cinder 12.0.1

This issue was fixed in the openstack/cinder 12.0.1 release.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers