)]}'
{"specs/train/approved/glance/barbican-secret-deletion-support.rst":[{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"2f880c982d02c2bede158d6ce861fde4f454a4bf","unresolved":false,"context_lines":[{"line_number":44,"context_line":"         \"description\": \"Identifier in the OpenStack Key Management Service for the encryption key for the Block Storage Service to use when mounting a volume created from this image\","},{"line_number":45,"context_line":"         \"type\": \"string\""},{"line_number":46,"context_line":"      },"},{"line_number":47,"context_line":"      \"cinder_encrpytion_key_deletion_policy\": {"},{"line_number":48,"context_line":"          \"description\": \"States the condition under which the Image Service will delete the object associated with the \u0027cinder_encryption_key_id\u0027 image property.  If this property is missing, the Image Service will take no action\","},{"line_number":49,"context_line":"          \"type\": \"string\","},{"line_number":50,"context_line":"          \"enum\": ["}],"source_content_type":"text/x-rst","patch_set":2,"id":"9fb8cfa7_7e036c10","line":47,"range":{"start_line":47,"start_character":7,"end_line":47,"end_character":44},"updated":"2019-06-07 09:07:11.000000000","message":"s/cinder_encrpytion_key_deletion_policy/cinder_encryption_key_deletion_policy","commit_id":"9bdbdfb0ec87adf2a203cc8d3ea45fe7f48937b4"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"e5cf940e76dd49259597ec5c4484a8afd4f6d084","unresolved":false,"context_lines":[{"line_number":211,"context_line":"   to make the current property Cinder uses, ``cinder_encryption_key_id``,"},{"line_number":212,"context_line":"   an official common image property."},{"line_number":213,"context_line":""},{"line_number":214,"context_line":"2. 
Implement the code to delete the secret in Barbican upon image deletion."},{"line_number":215,"context_line":""},{"line_number":216,"context_line":"Dependencies"},{"line_number":217,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":2,"id":"9fb8cfa7_3e0974dc","line":214,"range":{"start_line":214,"start_character":3,"end_line":214,"end_character":75},"updated":"2019-06-07 08:25:00.000000000","message":"glance internally uses cursive library to deal with Barbican. Cursive library doesn\u0027t have a public/private method to delete the secret_id [1], so we first need to add below public method to signature_utils module of cursive library.::\n\ndef delete_certificate(context, signature_certificate_uuid):\n    \"\"\"Delete the certificate object from the given certificate uuid.\n\n    :param context: the user context for authentication\n    :param signature_certificate_uuid: the uuid to use to delete the\n                                       certificate\n    \"\"\"\n    keymgr_api \u003d key_manager.API()\n\n    try:\n        # Delete the certificate\n        keymgr_api.delete(context, signature_certificate_uuid)\n    except ManagedObjectNotFoundError as e:\n        msg \u003d (_LE(\u0027Certificate not found with ID %(id)s: %(e)s\u0027)\n               % {\u0027id\u0027: signature_certificate_uuid,\n                  \u0027e\u0027: encodeutils.exception_to_unicode(e)})\n        LOG.error(msg)\n    except KeyManagerError as e:\n        # The problem encountered may be backend-specific, since castellan\n        # can use different backends.  
Rather than importing all possible\n        # backends here, the generic \"Exception\" is used.\n        msg \u003d (_LE(\"Unable to retrieve certificate with ID %(id)s: %(e)s\")\n               % {\u0027id\u0027: signature_certificate_uuid,\n                  \u0027e\u0027: encodeutils.exception_to_unicode(e)})\n        LOG.error(msg)\n\n[1] https://github.com/openstack/cursive/blob/master/cursive/signature_utils.py","commit_id":"9bdbdfb0ec87adf2a203cc8d3ea45fe7f48937b4"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"e5cf940e76dd49259597ec5c4484a8afd4f6d084","unresolved":false,"context_lines":[{"line_number":212,"context_line":"   an official common image property."},{"line_number":213,"context_line":""},{"line_number":214,"context_line":"2. Implement the code to delete the secret in Barbican upon image deletion."},{"line_number":215,"context_line":""},{"line_number":216,"context_line":"Dependencies"},{"line_number":217,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":218,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"9fb8cfa7_1ed4b01f","line":215,"updated":"2019-06-07 08:25:00.000000000","message":"Or we can use castellan library to create barbican key manager API and use delete method directly in glance, but it will be against the standards of using common libraries IMO.\n\nFor example::\nfrom castellan.common.exception import KeyManagerError\nfrom castellan.common.exception import ManagedObjectNotFoundError\nfrom castellan import key_manager \n\nkey_manager \u003d key_manager.API()\n\nand then call key_manager.delete()\n\nIn short move delete_certificate method from above comment to glance/common/utils.py instead of adding it to cursive library.","commit_id":"9bdbdfb0ec87adf2a203cc8d3ea45fe7f48937b4"},{"author":{"_account_id":5314,"name":"Brian 
Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"5a2cf04050698ba0eecbd8a5c68e90866909209a","unresolved":false,"context_lines":[{"line_number":212,"context_line":"   an official common image property."},{"line_number":213,"context_line":""},{"line_number":214,"context_line":"2. Implement the code to delete the secret in Barbican upon image deletion."},{"line_number":215,"context_line":""},{"line_number":216,"context_line":"Dependencies"},{"line_number":217,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":218,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"9fb8cfa7_68daa84c","line":215,"in_reply_to":"9fb8cfa7_1ed4b01f","updated":"2019-06-10 21:49:18.000000000","message":"Cinder is currently using the second pattern:\nhttps://opendev.org/openstack/cinder/src/commit/ad9eda63ace9a2dbd39bb6e5d277db6b46cfd066/cinder/volume/utils.py#L941-L962\n\nI think Glance should, too.  Currently, the cursive library doesn\u0027t deal with certificate creation or deletion; it\u0027s focused on \"OpenStack-specific validation of digital signatures\".  Adding a delete_certificate method will change that focus (and will be asymmetric unless you also add a create_certificate method).  I think it makes sense to use the castellan key_manager interface to handle key deletion.","commit_id":"9bdbdfb0ec87adf2a203cc8d3ea45fe7f48937b4"}]}
