Cinder encrypted vol connection info include full nova internal class name
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Cinder | New | Undecided | Unassigned | |
| os-brick | Confirmed | Undecided | Unassigned | |
| tempest | Invalid | Undecided | Unassigned | |
Bug Description
When making an API call to Cinder to get the volume encryption metadata:
2016-10-25 05:30:47.048 6699 DEBUG cinderclient.
The reply from cinder includes a fully qualified name of a nova private class:
2016-10-25 05:30:47.100 6699 DEBUG cinderclient.
RESP BODY: {"cipher": "aes-xts-plain64", "encryption_
_http_log_response /usr/lib/
This is very bad for a number of reasons:
- If nova renames its classes, existing encryption breaks because the class names no longer match what cinder is sending.
- It allows out-of-tree extensions to nova for different encryption implementations, which consume Nova private data structures in method calls. This is against Nova policy: all such other extension points have been deprecated, then removed.
- If nova wants to implement encryption in a different way (e.g. by delegating to QEMU), then the concept of an encryptor class does not even apply.
This is actually even worse than Cinder merely passing class names across. Cinder in fact exposes this in its public REST API to tenant users, letting tenants specify an arbitrary encryptor class name for nova to use:
http://
$ cinder encryption-
--control_
The idea of having the tenant user specify arbitrary nova private class names needs to be removed entirely. Instead we should have an enum of encryption *formats*. Any given format may be implemented by Nova in a variety of ways. Nova will look at the format and decide which encryptor class to use (if any), or decide how to configure QEMU natively to use that format.
For backward compatibility we can't drop use of class names immediately, so we'll need a deprecation period.
In Ocata:
- Cinder and Nova should allow an encryption format enum to be used in the 'provider' field instead of a class name. The format would be one of:
  - 'plain' - corresponds to CryptsetupEncryptor
  - 'luks' - corresponds to LuksEncryptor
  This would be the preferred approach going forward.
- Nova should issue a warning if it receives a 'provider' class name that does not correspond to an existing in-tree encryptor class.
- Cinder should re-write class names to the format enum for the built-in classes; out-of-tree class names should be left alone.
In Pike:
- Cinder should continue re-writing class names to enums for in-tree classes, but reject out-of-tree class names with a fatal error.
- The Cinder v3 API should have a microversion added to indicate the point at which 'provider' will be strictly validated against the enum.
- Nova should raise an error if it receives a 'provider' class name that does not correspond to an existing in-tree encryptor class.
In Qxxx:
- Nova will stop accepting class names from Cinder entirely; Cinder should exclusively report the format enum to Nova, rewriting legacy data if needed.
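The deprecation plan above boils down to one translation step on the 'provider' field: accept the format enum, rewrite known in-tree class names to it, and either warn about (Ocata) or reject (Pike) anything else. The following is an added example of that step, written for this page and not code from Cinder, Nova or os-brick. It assumes the format enum and short class names given in the bug; the dotted module paths in the legacy map, the `strict` flag, and the sample metadata (only the `cipher` value is taken from the quoted response body) are assumptions of the example.

```python
import logging

LOG = logging.getLogger(__name__)

# The format enum proposed in the bug: names describe the on-disk encryption
# format, not a nova implementation class.
ENCRYPTION_FORMATS = frozenset({"plain", "luks"})

# Legacy in-tree nova encryptor class names mapped to the format enum.
# The short class names come from the bug; the dotted module paths are the
# in-tree locations this example assumes (not quoted from the page).
LEGACY_PROVIDER_MAP = {
    "nova.volume.encryptors.cryptsetup.CryptsetupEncryptor": "plain",
    "nova.volume.encryptors.luks.LuksEncryptor": "luks",
    "CryptsetupEncryptor": "plain",
    "LuksEncryptor": "luks",
}


class UnsupportedEncryptionProvider(ValueError):
    """'provider' is neither a format enum nor a recognised in-tree class."""


def normalize_provider(provider, strict=False):
    """Return the format enum for a 'provider' value.

    strict=False models the Ocata stage: in-tree class names are rewritten to
    the enum with a warning, and anything else passes through with a warning.
    strict=True models the Pike stage: unknown (out-of-tree) class names are
    rejected with an error instead of being passed on to nova.
    """
    if not isinstance(provider, str) or not provider.strip():
        raise UnsupportedEncryptionProvider(
            "encryption metadata has no usable 'provider'")
    value = provider.strip()
    if value in ENCRYPTION_FORMATS:
        return value
    if value in LEGACY_PROVIDER_MAP:
        fmt = LEGACY_PROVIDER_MAP[value]
        LOG.warning("rewriting legacy encryptor class name %r to format %r",
                    value, fmt)
        return fmt
    if strict:
        raise UnsupportedEncryptionProvider(
            "provider %r is not a known encryption format or in-tree "
            "encryptor class" % value)
    LOG.warning("provider %r is not an in-tree encryptor class; passing it "
                "through unchanged", value)
    return value


def normalize_encryption_metadata(metadata, strict=False):
    """Return a copy of the volume encryption metadata with 'provider'
    normalized; cipher, key size and key id are left untouched."""
    normalized = dict(metadata)
    normalized["provider"] = normalize_provider(metadata.get("provider"),
                                                strict=strict)
    return normalized


# Constructed sample metadata modelled on the truncated RESP BODY in the bug:
# the cipher value is the one quoted there, the other values are made up.
SAMPLE_METADATA = {
    "cipher": "aes-xts-plain64",
    "encryption_key_id": "00000000-0000-0000-0000-000000000000",
    "key_size": 512,
    "provider": "nova.volume.encryptors.luks.LuksEncryptor",
    "control_location": "front-end",
}


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    # Ocata behaviour: legacy class name rewritten to 'luks' with a warning.
    print(normalize_encryption_metadata(SAMPLE_METADATA))
    # Pike behaviour: same input still accepted, since the class is in-tree.
    print(normalize_encryption_metadata(SAMPLE_METADATA, strict=True))
```

The rewrite is done on a copy so the original response body stays available for logging, and the `strict` switch is the only thing that changes between the two stages of the plan, which keeps the microversion bump a one-line policy change rather than a second code path.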
Changed in nova: assignee: nobody → Lee Yarwood (lyarwood)
Changed in nova: importance: Undecided → High
Changed in os-brick: assignee: nobody → Lee Yarwood (lyarwood)
no longer affects: nova
Changed in tempest: assignee: nobody → Lee Yarwood (lyarwood)
Changed in os-brick: status: New → Confirmed
Changed in tempest: status: New → Confirmed
Fix proposed to branch: master (review.openstack.org/393901)
Review: https:/