)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"1b1157bc503ce90ed613c36477be769751ff3d26","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"70b244ae_9db651d0","updated":"2024-04-12 12:40:37.000000000","message":"@Tobias, I just noticed that you seem to be using a Pull Request kind of strategy with your patches.  With Gerrit, what you do to revise a patch is to make the changes and then do a \u0027git commit --amend\u0027, because we want your patch to ultimately be a single commit.  Gerrit will track the different patch sets for you, and can display the differences between them in the UI.","commit_id":"acbd671fcd3471637898c6b9f4a256cc2c9727b5"},{"author":{"_account_id":27665,"name":"Markus Hentsch","email":"markus.hentsch@cloudandheat.com","username":"mhen"},"change_message_id":"af72f4a4251670cc7f6f7ee3c38132f5c740f8d5","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"c30d4ea6_4ed60c30","updated":"2024-04-11 17:32:30.000000000","message":"Good starting point! 
I added a few remarks on the spec that I think we still need to address.","commit_id":"acbd671fcd3471637898c6b9f4a256cc2c9727b5"},{"author":{"_account_id":28271,"name":"Josephine Seifert","email":"josephine.seifert@cloudandheat.com","username":"josei"},"change_message_id":"bda8bdb08e74d2fccf2d7881b6e95a83516d5491","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"d7d224b1_872f7f30","updated":"2024-04-15 08:21:05.000000000","message":"I agree with Brian\u0027s and Markus\u0027 comments.","commit_id":"acbd671fcd3471637898c6b9f4a256cc2c9727b5"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"9a8e3074a57e4441953ba0306c22a7a13c7c3995","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"0cf08187_29fdd590","updated":"2024-04-12 12:35:51.000000000","message":"My primary concern is that the way cinder handles keys and secrets may not address some of the use cases you describe, so it would be good to have more clarity on that.  
See comments inline.","commit_id":"acbd671fcd3471637898c6b9f4a256cc2c9727b5"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"be93e8f503411102f80ce58be1c41de930d69d6f","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"a32e8959_0d137ac8","updated":"2024-04-11 14:11:50.000000000","message":"some comments inline from a quick look","commit_id":"acbd671fcd3471637898c6b9f4a256cc2c9727b5"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"5430cc745aa6e444b71935a51695ae4aa2e32f20","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"6110956a_081d2014","updated":"2024-06-08 17:45:00.000000000","message":"I may have missed it, but you should look over Josephine\u0027s spec, and her discussion of the Barbican \u0027symmetric\u0027 and \u0027passphrase\u0027 secret types.  It may help you address the issues mentioned in my previous comment.\n\nhttps://review.opendev.org/c/openstack/cinder-specs/+/919499","commit_id":"8c0e2c3ca523f2e8e4e19e388e0813636c252e9c"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"560b93c07928b8bd60640b9f3a3dc959ebc97504","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"bbee0f93_dd940583","updated":"2024-06-08 17:39:06.000000000","message":"I think there are still 2 open issues:\n\n1. Markus: if cinder wants/expects a 512 bit length secret, and the user gives cinder the ID of a 128 bit length secret, what should we do?  See\nhttps://review.opendev.org/c/openstack/cinder-specs/+/914513/comment/d1eb44fc_09423c37/\n\n2. Me: cinder is constantly creating/storing new barbican secrets when you snapshot or clone an encrypted volume.  
So you may create a volume with secret-id K, but when you clone it, the clone will have a new secret-id that it uses ... is that OK for your use cases?  See\nhttps://review.opendev.org/c/openstack/cinder-specs/+/914513/comment/a4f3aa7e_b4fda64c/","commit_id":"8c0e2c3ca523f2e8e4e19e388e0813636c252e9c"},{"author":{"_account_id":36790,"name":"NotTheEvilOne","display_name":"Tobias \"NotTheEvilOne\" Wolf","email":"ubuntu-NTEO@vplace.de","username":"NotTheEvilOne"},"change_message_id":"46110e387408b153d58ad2f31d4a7aff869feaf2","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":4,"id":"a20f6291_0423fbe2","updated":"2024-07-04 06:59:27.000000000","message":"Thanks for the valuable feedback. Most changes are integrated into the spec. Some questions need further discussion I guess.","commit_id":"4ae7e6798258e9aef709862eabaa7f3a370dcd39"}],"specs/2024.2/byok-for-cinder.rst":[{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"9a8e3074a57e4441953ba0306c22a7a13c7c3995","unresolved":true,"context_lines":[{"line_number":15,"context_line":"Problem description"},{"line_number":16,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"Encryption keys are currently generated completely transparent for end-users. Most features are already implemented and tested therefore. What\u0027s missing is the possibility to use a user defined key, known as \"bring your own keys\", for encryption. 
This may be useful for certain legal requirements or specifications to be fulfilled."},{"line_number":19,"context_line":""},{"line_number":20,"context_line":"Use Cases"},{"line_number":21,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":1,"id":"710a0bf6_c929c836","line":18,"range":{"start_line":18,"start_character":247,"end_line":18,"end_character":331},"updated":"2024-04-12 12:35:51.000000000","message":"It would be helpful if you could point to some legal requirements or security specifications that require this so that we can understand exactly what is needed, because this may entail a complete redesign of the way cinder does key handling.  (See my comment below in the \"Proposed change\" section.)","commit_id":"acbd671fcd3471637898c6b9f4a256cc2c9727b5"},{"author":{"_account_id":36790,"name":"NotTheEvilOne","display_name":"Tobias \"NotTheEvilOne\" Wolf","email":"ubuntu-NTEO@vplace.de","username":"NotTheEvilOne"},"change_message_id":"46110e387408b153d58ad2f31d4a7aff869feaf2","unresolved":false,"context_lines":[{"line_number":15,"context_line":"Problem description"},{"line_number":16,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"Encryption keys are currently generated completely transparent for end-users. Most features are already implemented and tested therefore. What\u0027s missing is the possibility to use a user defined key, known as \"bring your own keys\", for encryption. 
This may be useful for certain legal requirements or specifications to be fulfilled."},{"line_number":19,"context_line":""},{"line_number":20,"context_line":"Use Cases"},{"line_number":21,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":1,"id":"b0e8a486_1be3a9d4","line":18,"range":{"start_line":18,"start_character":247,"end_line":18,"end_character":331},"in_reply_to":"710a0bf6_c929c836","updated":"2024-07-04 06:59:27.000000000","message":"Done","commit_id":"acbd671fcd3471637898c6b9f4a256cc2c9727b5"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"9a8e3074a57e4441953ba0306c22a7a13c7c3995","unresolved":true,"context_lines":[{"line_number":28,"context_line":"Proposed change"},{"line_number":29,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":30,"context_line":""},{"line_number":31,"context_line":"Most pieces are already in place and do not to be changed for that feature to be implemented. The KeyManager implementation holds the key provided by the end user."},{"line_number":32,"context_line":""},{"line_number":33,"context_line":"- The most visible change is to be able to provide an encryption key ID to create volume."},{"line_number":34,"context_line":"- ``cinder.volume.volume_utils.clone_encryption_key()`` must be used to ensure keys can be deleted when the volume is deleted"}],"source_content_type":"text/x-rst","patch_set":1,"id":"a4f3aa7e_b4fda64c","line":31,"range":{"start_line":31,"start_character":0,"end_line":31,"end_character":57},"updated":"2024-04-12 12:35:51.000000000","message":"Actually, we have a Big Problem here, namely, that cinder assumes that there is a 1-1 correspondence between a Secret in the Key Manager and a cinder resource (e.g., a volume, but also a volume uploaded to Glance as an image).  
The reason for this is so that cinder (or glance) can delete the Secret when the resource is deleted (otherwise, the Key Manager gets filled up with Secrets that aren\u0027t being used for anything).\n\nSo we need to distinguish between a Secret and the Key (that is, a Secret is a thing in Barbican that has a uuid, and the *value* of the Secret is the Key).  When you Bring Your Own Key to create a volume, we can use the Key value that is in Barbican, but we will create a *different* Secret that is specific to this volume (but which has the value you specified).  So it will have the same Key, just identified by a different Secret uuid.\n\nWhat this means for your proposal is that an end user is not going to be able to tell from the encryption_key_id that\u0027s returned by the mv 3.64+ volume-show call what Key is being used.  So you need to review the Use Cases you identified above and see which ones are not possible given the current way cinder does key handling, and whether it\u0027s acceptable to address fewer use cases, or whether we need to re-design the way cinder does key handling.\n\nI am especially interested in whether any legal requirements or security specifications that require Bring Your Own Key would find the current scheme acceptable.","commit_id":"acbd671fcd3471637898c6b9f4a256cc2c9727b5"},{"author":{"_account_id":36790,"name":"NotTheEvilOne","display_name":"Tobias \"NotTheEvilOne\" Wolf","email":"ubuntu-NTEO@vplace.de","username":"NotTheEvilOne"},"change_message_id":"46110e387408b153d58ad2f31d4a7aff869feaf2","unresolved":false,"context_lines":[{"line_number":28,"context_line":"Proposed change"},{"line_number":29,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":30,"context_line":""},{"line_number":31,"context_line":"Most pieces are already in place and do not to be changed for that feature to be implemented. 
The KeyManager implementation holds the key provided by the end user."},{"line_number":32,"context_line":""},{"line_number":33,"context_line":"- The most visible change is to be able to provide an encryption key ID to create volume."},{"line_number":34,"context_line":"- ``cinder.volume.volume_utils.clone_encryption_key()`` must be used to ensure keys can be deleted when the volume is deleted"}],"source_content_type":"text/x-rst","patch_set":1,"id":"4f814044_67e2a780","line":31,"range":{"start_line":31,"start_character":0,"end_line":31,"end_character":57},"in_reply_to":"50ed4fd9_8d118aea","updated":"2024-07-04 06:59:27.000000000","message":"Acknowledged","commit_id":"acbd671fcd3471637898c6b9f4a256cc2c9727b5"},{"author":{"_account_id":28271,"name":"Josephine Seifert","email":"josephine.seifert@cloudandheat.com","username":"josei"},"change_message_id":"bda8bdb08e74d2fccf2d7881b6e95a83516d5491","unresolved":true,"context_lines":[{"line_number":28,"context_line":"Proposed change"},{"line_number":29,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":30,"context_line":""},{"line_number":31,"context_line":"Most pieces are already in place and do not to be changed for that feature to be implemented. 
The KeyManager implementation holds the key provided by the end user."},{"line_number":32,"context_line":""},{"line_number":33,"context_line":"- The most visible change is to be able to provide an encryption key ID to create volume."},{"line_number":34,"context_line":"- ``cinder.volume.volume_utils.clone_encryption_key()`` must be used to ensure keys can be deleted when the volume is deleted"}],"source_content_type":"text/x-rst","patch_set":1,"id":"50ed4fd9_8d118aea","line":31,"range":{"start_line":31,"start_character":0,"end_line":31,"end_character":57},"in_reply_to":"a4f3aa7e_b4fda64c","updated":"2024-04-15 08:21:05.000000000","message":"Maybe a Life-Cycle description of the Key / Secret would be good to have in here. So it is clear, where and when keys or secrets are used and how they should be deleted.\n\nWhat also might be of interest for you Tobias is the work on Secret Consumers in Barbican.","commit_id":"acbd671fcd3471637898c6b9f4a256cc2c9727b5"},{"author":{"_account_id":27665,"name":"Markus Hentsch","email":"markus.hentsch@cloudandheat.com","username":"mhen"},"change_message_id":"af72f4a4251670cc7f6f7ee3c38132f5c740f8d5","unresolved":true,"context_lines":[{"line_number":32,"context_line":""},{"line_number":33,"context_line":"- The most visible change is to be able to provide an encryption key ID to create volume."},{"line_number":34,"context_line":"- ``cinder.volume.volume_utils.clone_encryption_key()`` must be used to ensure keys can be deleted when the volume is deleted"},{"line_number":35,"context_line":""},{"line_number":36,"context_line":"Alternatives"},{"line_number":37,"context_line":"------------"},{"line_number":38,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"fa847f46_03ee4aba","line":35,"updated":"2024-04-11 17:32:30.000000000","message":"Things that I think need to be addressed as well:\n\nWhen receiving the API request with BYOK, cinder-api should verify the Barbican secret:\n1. 
Does the secret referenced by ID exist and is it retrievable using the requesting user\u0027s auth token? Usually secrets are project-bound and cannot be retrieved by users of another project.\n2. Does the secret\u0027s metadata specify a secret type that can be processed by Cinder with the specified volume type? Currently it expects secret_type to be \"symmetric\". Also the other secret attributes (cipher, mode, bit length) may need to be put in relation to the target volume type\u0027s encryption specification.\n\nIn my opinion we should avoid this failing later in cinder-volume as the feedback loop to the user is lengthy and less obvious (volume will enter error state etc.). We should fail early in cinder-api wherever possible.","commit_id":"acbd671fcd3471637898c6b9f4a256cc2c9727b5"},{"author":{"_account_id":36790,"name":"NotTheEvilOne","display_name":"Tobias \"NotTheEvilOne\" Wolf","email":"ubuntu-NTEO@vplace.de","username":"NotTheEvilOne"},"change_message_id":"46110e387408b153d58ad2f31d4a7aff869feaf2","unresolved":false,"context_lines":[{"line_number":32,"context_line":""},{"line_number":33,"context_line":"- The most visible change is to be able to provide an encryption key ID to create volume."},{"line_number":34,"context_line":"- ``cinder.volume.volume_utils.clone_encryption_key()`` must be used to ensure keys can be deleted when the volume is deleted"},{"line_number":35,"context_line":""},{"line_number":36,"context_line":"Alternatives"},{"line_number":37,"context_line":"------------"},{"line_number":38,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"48a4b5fa_321504d2","line":35,"in_reply_to":"fa847f46_03ee4aba","updated":"2024-07-04 06:59:27.000000000","message":"Acknowledged","commit_id":"acbd671fcd3471637898c6b9f4a256cc2c9727b5"},{"author":{"_account_id":27615,"name":"Rajat 
Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"be93e8f503411102f80ce58be1c41de930d69d6f","unresolved":true,"context_lines":[{"line_number":46,"context_line":"REST API impact"},{"line_number":47,"context_line":"---------------"},{"line_number":48,"context_line":""},{"line_number":49,"context_line":"- ``/v3/{project_id}/volumes``"},{"line_number":50,"context_line":""},{"line_number":51,"context_line":"  * Create a volume: POST"},{"line_number":52,"context_line":"  * Normal http response code(s): 202"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3f91112a_9ddc1328","line":49,"updated":"2024-04-11 14:11:50.000000000","message":"maybe prefix a POST ?","commit_id":"acbd671fcd3471637898c6b9f4a256cc2c9727b5"},{"author":{"_account_id":36790,"name":"NotTheEvilOne","display_name":"Tobias \"NotTheEvilOne\" Wolf","email":"ubuntu-NTEO@vplace.de","username":"NotTheEvilOne"},"change_message_id":"46110e387408b153d58ad2f31d4a7aff869feaf2","unresolved":false,"context_lines":[{"line_number":46,"context_line":"REST API impact"},{"line_number":47,"context_line":"---------------"},{"line_number":48,"context_line":""},{"line_number":49,"context_line":"- ``/v3/{project_id}/volumes``"},{"line_number":50,"context_line":""},{"line_number":51,"context_line":"  * Create a volume: POST"},{"line_number":52,"context_line":"  * Normal http response code(s): 202"}],"source_content_type":"text/x-rst","patch_set":1,"id":"330f0ac0_ee2c4c9f","line":49,"in_reply_to":"3f91112a_9ddc1328","updated":"2024-07-04 06:59:27.000000000","message":"Done","commit_id":"acbd671fcd3471637898c6b9f4a256cc2c9727b5"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"be93e8f503411102f80ce58be1c41de930d69d6f","unresolved":true,"context_lines":[{"line_number":47,"context_line":"---------------"},{"line_number":48,"context_line":""},{"line_number":49,"context_line":"- 
``/v3/{project_id}/volumes``"},{"line_number":50,"context_line":""},{"line_number":51,"context_line":"  * Create a volume: POST"},{"line_number":52,"context_line":"  * Normal http response code(s): 202"},{"line_number":53,"context_line":"  * New optional ``parameter encryption_key_id`` indicates which encryption key ID from the KeyManager implementation should be used"}],"source_content_type":"text/x-rst","patch_set":1,"id":"8ac56267_b1a4fb86","line":50,"updated":"2024-04-11 14:11:50.000000000","message":"can we also mention how the new parameter looks in the request body?","commit_id":"acbd671fcd3471637898c6b9f4a256cc2c9727b5"},{"author":{"_account_id":36790,"name":"NotTheEvilOne","display_name":"Tobias \"NotTheEvilOne\" Wolf","email":"ubuntu-NTEO@vplace.de","username":"NotTheEvilOne"},"change_message_id":"46110e387408b153d58ad2f31d4a7aff869feaf2","unresolved":false,"context_lines":[{"line_number":47,"context_line":"---------------"},{"line_number":48,"context_line":""},{"line_number":49,"context_line":"- ``/v3/{project_id}/volumes``"},{"line_number":50,"context_line":""},{"line_number":51,"context_line":"  * Create a volume: POST"},{"line_number":52,"context_line":"  * Normal http response code(s): 202"},{"line_number":53,"context_line":"  * New optional ``parameter encryption_key_id`` indicates which encryption key ID from the KeyManager implementation should be used"}],"source_content_type":"text/x-rst","patch_set":1,"id":"552bb998_af0e9c3a","line":50,"in_reply_to":"8ac56267_b1a4fb86","updated":"2024-07-04 06:59:27.000000000","message":"Done","commit_id":"acbd671fcd3471637898c6b9f4a256cc2c9727b5"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"9a8e3074a57e4441953ba0306c22a7a13c7c3995","unresolved":true,"context_lines":[{"line_number":51,"context_line":"  * Create a volume: POST"},{"line_number":52,"context_line":"  * Normal http response code(s): 
202"},{"line_number":53,"context_line":"  * New optional ``parameter encryption_key_id`` indicates which encryption key ID from the KeyManager implementation should be used"},{"line_number":54,"context_line":"  * Maybe a new use of response code 409 may be needed if e.g. a encrypted snapshot volume should be copied with a different key"},{"line_number":55,"context_line":"  * 409 may be used to indicate if the volume type chosen does not support encryption at all as well, alternatively 400 is suitable in that case"},{"line_number":56,"context_line":""},{"line_number":57,"context_line":"Security impact"}],"source_content_type":"text/x-rst","patch_set":1,"id":"b2a17fce_bae9f895","line":54,"range":{"start_line":54,"start_character":4,"end_line":54,"end_character":128},"updated":"2024-04-12 12:35:51.000000000","message":"This is a good point and we need to think it through some more.  Check with Eric Harney about this, he was working on re-keying encrypted volumes under specific circumstances.  I\u0027m not sure if the current code would support creating a volume and giving the source_volid of an existing encrypted volume and being able to change the key value of the new volume.","commit_id":"acbd671fcd3471637898c6b9f4a256cc2c9727b5"},{"author":{"_account_id":27665,"name":"Markus Hentsch","email":"markus.hentsch@cloudandheat.com","username":"mhen"},"change_message_id":"af72f4a4251670cc7f6f7ee3c38132f5c740f8d5","unresolved":true,"context_lines":[{"line_number":52,"context_line":"  * Normal http response code(s): 202"},{"line_number":53,"context_line":"  * New optional ``parameter encryption_key_id`` indicates which encryption key ID from the KeyManager implementation should be used"},{"line_number":54,"context_line":"  * Maybe a new use of response code 409 may be needed if e.g. 
a encrypted snapshot volume should be copied with a different key"},{"line_number":55,"context_line":"  * 409 may be used to indicate if the volume type chosen does not support encryption at all as well, alternatively 400 is suitable in that case"},{"line_number":56,"context_line":""},{"line_number":57,"context_line":"Security impact"},{"line_number":58,"context_line":"---------------"}],"source_content_type":"text/x-rst","patch_set":1,"id":"159ede71_bfa4da2b","line":55,"updated":"2024-04-11 17:32:30.000000000","message":"We should also take into account that the Key Manager API (Barbican) can either be unreachable, failing or does not even exist in the infrastructure at the time of the API request and return an appropriate error response code and message in such case.","commit_id":"acbd671fcd3471637898c6b9f4a256cc2c9727b5"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"9a8e3074a57e4441953ba0306c22a7a13c7c3995","unresolved":true,"context_lines":[{"line_number":52,"context_line":"  * Normal http response code(s): 202"},{"line_number":53,"context_line":"  * New optional ``parameter encryption_key_id`` indicates which encryption key ID from the KeyManager implementation should be used"},{"line_number":54,"context_line":"  * Maybe a new use of response code 409 may be needed if e.g. 
a encrypted snapshot volume should be copied with a different key"},{"line_number":55,"context_line":"  * 409 may be used to indicate if the volume type chosen does not support encryption at all as well, alternatively 400 is suitable in that case"},{"line_number":56,"context_line":""},{"line_number":57,"context_line":"Security impact"},{"line_number":58,"context_line":"---------------"}],"source_content_type":"text/x-rst","patch_set":1,"id":"326d8f9e_c7199981","line":55,"in_reply_to":"159ede71_bfa4da2b","updated":"2024-04-12 12:35:51.000000000","message":"I agree with Markus, maybe a failure to contact Barbican should return a 503 (Service Unavailable) with a message like \"Key Manager Service is Unavailable\".\n\nFor the case where the specified volume type doesn\u0027t support encryption, I think a 400 (not 409) is correct, because the user needs to make a different request (not retry later when the resource is in a different state).","commit_id":"acbd671fcd3471637898c6b9f4a256cc2c9727b5"},{"author":{"_account_id":36790,"name":"NotTheEvilOne","display_name":"Tobias \"NotTheEvilOne\" Wolf","email":"ubuntu-NTEO@vplace.de","username":"NotTheEvilOne"},"change_message_id":"46110e387408b153d58ad2f31d4a7aff869feaf2","unresolved":false,"context_lines":[{"line_number":52,"context_line":"  * Normal http response code(s): 202"},{"line_number":53,"context_line":"  * New optional ``parameter encryption_key_id`` indicates which encryption key ID from the KeyManager implementation should be used"},{"line_number":54,"context_line":"  * Maybe a new use of response code 409 may be needed if e.g. 
a encrypted snapshot volume should be copied with a different key"},{"line_number":55,"context_line":"  * 409 may be used to indicate if the volume type chosen does not support encryption at all as well, alternatively 400 is suitable in that case"},{"line_number":56,"context_line":""},{"line_number":57,"context_line":"Security impact"},{"line_number":58,"context_line":"---------------"}],"source_content_type":"text/x-rst","patch_set":1,"id":"669e780e_9d1a468e","line":55,"in_reply_to":"326d8f9e_c7199981","updated":"2024-07-04 06:59:27.000000000","message":"Done","commit_id":"acbd671fcd3471637898c6b9f4a256cc2c9727b5"},{"author":{"_account_id":27665,"name":"Markus Hentsch","email":"markus.hentsch@cloudandheat.com","username":"mhen"},"change_message_id":"af72f4a4251670cc7f6f7ee3c38132f5c740f8d5","unresolved":true,"context_lines":[{"line_number":57,"context_line":"Security impact"},{"line_number":58,"context_line":"---------------"},{"line_number":59,"context_line":""},{"line_number":60,"context_line":"No direct security impact changes are connected with the proposed change. For the alternative solution sensitive encryption keys are handled by ``.Create()``."},{"line_number":61,"context_line":""},{"line_number":62,"context_line":"Active/Active HA impact"},{"line_number":63,"context_line":"-----------------------"}],"source_content_type":"text/x-rst","patch_set":1,"id":"d1eb44fc_09423c37","line":60,"updated":"2024-04-11 17:32:30.000000000","message":"I don\u0027t agree that there is no impact at all. Currently, Cinder instructs Barbican to create a key for encrypted volumes (via secret order API) with a specified bit length. Barbican might use an HSM or something similar as a backend. So there are some assumptions/guarantees around entropy and strength of the key generated there.\n\nIf users are able to specify *any* passphrase with BYOK, they are also free to use very weak ones when creating volumes. 
Images, snapshots or clones created from such volumes will then inherit the LUKS encryption and key, thus the weak passphrase would be passed on further.\n\nI think we could consider educating users (documentation) and/or checking the lengths of the BYOK secrets at some point.","commit_id":"acbd671fcd3471637898c6b9f4a256cc2c9727b5"},{"author":{"_account_id":36790,"name":"NotTheEvilOne","display_name":"Tobias \"NotTheEvilOne\" Wolf","email":"ubuntu-NTEO@vplace.de","username":"NotTheEvilOne"},"change_message_id":"46110e387408b153d58ad2f31d4a7aff869feaf2","unresolved":false,"context_lines":[{"line_number":57,"context_line":"Security impact"},{"line_number":58,"context_line":"---------------"},{"line_number":59,"context_line":""},{"line_number":60,"context_line":"No direct security impact changes are connected with the proposed change. For the alternative solution sensitive encryption keys are handled by ``.Create()``."},{"line_number":61,"context_line":""},{"line_number":62,"context_line":"Active/Active HA impact"},{"line_number":63,"context_line":"-----------------------"}],"source_content_type":"text/x-rst","patch_set":1,"id":"26dd7cd8_42f60890","line":60,"in_reply_to":"d1eb44fc_09423c37","updated":"2024-07-04 06:59:27.000000000","message":"Done","commit_id":"acbd671fcd3471637898c6b9f4a256cc2c9727b5"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"be93e8f503411102f80ce58be1c41de930d69d6f","unresolved":true,"context_lines":[{"line_number":58,"context_line":"---------------"},{"line_number":59,"context_line":""},{"line_number":60,"context_line":"No direct security impact changes are connected with the proposed change. 
For the alternative solution sensitive encryption keys are handled by ``.Create()``."},{"line_number":61,"context_line":""},{"line_number":62,"context_line":"Active/Active HA impact"},{"line_number":63,"context_line":"-----------------------"},{"line_number":64,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"4328eef8_13fc0c4b","line":61,"updated":"2024-04-11 14:11:50.000000000","message":"maybe mention here or somewhere that the passphrase used by user in barbican will not be able to decrypt the volume since cinder hexifies the barbican passphrase to encrypt the volume.","commit_id":"acbd671fcd3471637898c6b9f4a256cc2c9727b5"},{"author":{"_account_id":36790,"name":"NotTheEvilOne","display_name":"Tobias \"NotTheEvilOne\" Wolf","email":"ubuntu-NTEO@vplace.de","username":"NotTheEvilOne"},"change_message_id":"46110e387408b153d58ad2f31d4a7aff869feaf2","unresolved":false,"context_lines":[{"line_number":58,"context_line":"---------------"},{"line_number":59,"context_line":""},{"line_number":60,"context_line":"No direct security impact changes are connected with the proposed change. 
For the alternative solution sensitive encryption keys are handled by ``.Create()``."},{"line_number":61,"context_line":""},{"line_number":62,"context_line":"Active/Active HA impact"},{"line_number":63,"context_line":"-----------------------"},{"line_number":64,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"0cabf92a_21d51623","line":61,"in_reply_to":"4328eef8_13fc0c4b","updated":"2024-07-04 06:59:27.000000000","message":"Acknowledged","commit_id":"acbd671fcd3471637898c6b9f4a256cc2c9727b5"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"be93e8f503411102f80ce58be1c41de930d69d6f","unresolved":true,"context_lines":[{"line_number":73,"context_line":"---------------------"},{"line_number":74,"context_line":""},{"line_number":75,"context_line":"For ``python-cinderclient`` a new optional attribute may be added."},{"line_number":76,"context_line":""},{"line_number":77,"context_line":"Performance Impact"},{"line_number":78,"context_line":"------------------"},{"line_number":79,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"7632bc51_f371890b","line":76,"updated":"2024-04-11 14:11:50.000000000","message":"need client support in OSC as well","commit_id":"acbd671fcd3471637898c6b9f4a256cc2c9727b5"},{"author":{"_account_id":36790,"name":"NotTheEvilOne","display_name":"Tobias \"NotTheEvilOne\" Wolf","email":"ubuntu-NTEO@vplace.de","username":"NotTheEvilOne"},"change_message_id":"46110e387408b153d58ad2f31d4a7aff869feaf2","unresolved":false,"context_lines":[{"line_number":73,"context_line":"---------------------"},{"line_number":74,"context_line":""},{"line_number":75,"context_line":"For ``python-cinderclient`` a new optional attribute may be added."},{"line_number":76,"context_line":""},{"line_number":77,"context_line":"Performance 
Impact"},{"line_number":78,"context_line":"------------------"},{"line_number":79,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"40a38e2e_10f26675","line":76,"in_reply_to":"7632bc51_f371890b","updated":"2024-07-04 06:59:27.000000000","message":"Done","commit_id":"acbd671fcd3471637898c6b9f4a256cc2c9727b5"}]}
