)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"8e15f94276c73e47157fce357de64a24b0371f08","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"18aebdcf_8b834797","updated":"2023-11-16 14:15:15.000000000","message":"Adding NetApp folks for review/suggestions.","commit_id":"f1ba397a9f817c00c1cf6f1ed65b606760a5c24d"},{"author":{"_account_id":30407,"name":"haixin","email":"haixin_haixin@qq.com","username":"haixin"},"change_message_id":"5ce474c498eb22f44336c2a4646c22efdecfb4f0","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":4,"id":"fb8099e7_6fdfd705","updated":"2023-12-04 07:41:11.000000000","message":"hi, Kiran Pawar.\nthanks for your idea about share encryption.\nhere are some comments about this.","commit_id":"7e375d234c48fb3e6c33584ea12452ec0e29ee60"},{"author":{"_account_id":29632,"name":"Carlos Eduardo","email":"ces.eduardo98@gmail.com","username":"silvacarlos"},"change_message_id":"cf0f723e26a2554b4c8fd8e4e76db9253cc2b033","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"473e08ab_df7090c2","updated":"2024-01-09 13:38:24.000000000","message":"Thank you for working on the spec, Kiran and sorry for making you wait for reviews. Please take a look at the suggestions and questions inline.\n\nAlso, it is getting somehow confusing to read through the spec with some unresolved comments. 
Could you please mark the resolved comments as resolved so they don\u0027t show up?","commit_id":"7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc"},{"author":{"_account_id":18816,"name":"Maurice Escher","display_name":"carthaca","email":"maurice.escher@sap.com","username":"mapocace"},"change_message_id":"e98d005ee75ca348729f7d46ddd50b538bd96cbd","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"20368812_36ba28e5","updated":"2024-01-17 12:46:51.000000000","message":"Thanks for the work and the feedback, see my comments inline","commit_id":"7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"ce20c78e714389377989ae85331fa97b39517469","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"eeafb32f_a082e67d","updated":"2024-01-18 01:01:42.000000000","message":"Thanks for your work on this Kiran; please take a look at my comments inline","commit_id":"7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"98202b8ba82f526be262b75ce604289cfab7f930","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":6,"id":"4503683f_67068ce0","updated":"2024-02-05 23:38:14.000000000","message":"Thanks Kiran, \n\nthis looks better. I have a comment regarding capability, and several nit pick comments that you can choose to address.","commit_id":"02fc22953ffcf3e31a89bc5fe9bd1697a70830c5"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"1e32701c2b7ac51c6ae6c709a7f75f527c97a0b4","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":7,"id":"e706b973_7c38cba3","updated":"2024-02-08 04:37:45.000000000","message":"LGTM; thanks. 
This is cutting it close to the Caracal release feature freeze. Are you still targeting this for Caracal?","commit_id":"78fe49cc3d0342bf8d54166a55db80297c5aaa0d"},{"author":{"_account_id":18816,"name":"Maurice Escher","display_name":"carthaca","email":"maurice.escher@sap.com","username":"mapocace"},"change_message_id":"5f4902b049086fa41501aa886a5a09ee3479389b","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":7,"id":"ba9d4199_7b60f659","updated":"2024-02-08 12:29:40.000000000","message":"just some nits 😊","commit_id":"78fe49cc3d0342bf8d54166a55db80297c5aaa0d"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"c6764bd8c653e827ca0bb19ebbb38e24c3ccce61","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":7,"id":"0b7d204a_5c348c27","in_reply_to":"e706b973_7c38cba3","updated":"2024-02-08 11:12:41.000000000","message":"We can most likely consider this as approved in Caracal and implemented in the D release. But getting the spec merged would be better, as it concludes the agreement on the API interfaces.","commit_id":"78fe49cc3d0342bf8d54166a55db80297c5aaa0d"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"771167b160640b21c47a62db79c9b79192227898","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":9,"id":"a61ef486_3a97b0a1","updated":"2024-02-08 23:12:40.000000000","message":"Please re-target to D if that\u0027s the conclusion here. I\u0027m good with the content.. 
Thanks Kiran!","commit_id":"66543e2c10a49c88458fd62f11bc07ef0abfdeab"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"5163f37a3c71cd4c4bb67282f3136e5d335a0328","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":9,"id":"9d61d850_ca800b9a","in_reply_to":"a61ef486_3a97b0a1","updated":"2024-02-13 09:49:59.000000000","message":"moved to D","commit_id":"66543e2c10a49c88458fd62f11bc07ef0abfdeab"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"5cad2a4910b6f325002a2d14853fe49204960159","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":10,"id":"eefa633c_3acc5d21","updated":"2024-02-13 17:25:06.000000000","message":"Thanks for moving the spec; i see a couple of doc build improvements that can be made before merging this","commit_id":"bcfdc98cbc88fc7f82b5ee395e75aa221d20fd68"},{"author":{"_account_id":30407,"name":"haixin","email":"haixin_haixin@qq.com","username":"haixin"},"change_message_id":"238273bd10313a7dcd1a07c806be029ef71fd780","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":16,"id":"446b3c79_060d0fae","updated":"2024-03-06 07:58:37.000000000","message":"I read the spec again and it looks good to me, thanks.","commit_id":"dcfd3ad11f24298e826b59878f1d880beb8f6473"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"57bd2119324d43783821477e9efd3970e83addcf","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":16,"id":"cd328ca3_e5a04288","updated":"2024-03-05 11:33:49.000000000","message":"instead of adding encryption_key_id to shares and share_snapshots table, changed to add in share_instances and share_snapshot_instances since share_instance is what we pass to backend driver to create 
share. So we will pass encryption_key_id as part of share_instance object itself.","commit_id":"dcfd3ad11f24298e826b59878f1d880beb8f6473"},{"author":{"_account_id":29632,"name":"Carlos Eduardo","email":"ces.eduardo98@gmail.com","username":"silvacarlos"},"change_message_id":"0ce2b8a69612304e35b2cbdb10f4f99eb17e61a7","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":17,"id":"97eff75e_abf0ccc9","updated":"2024-03-14 13:16:07.000000000","message":"LGTM, thank you! :)","commit_id":"969ea2db9bc34cc24763efd47f6c4bb1492d8079"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"e7c3160255877cb9b8d18412b26bf3e3f952e3bd","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":17,"id":"444cec11_cc0aae35","updated":"2024-03-14 15:03:31.000000000","message":"Thanks for the updates!","commit_id":"969ea2db9bc34cc24763efd47f6c4bb1492d8079"}],"specs/caracal/share_encryption.rst":[{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"2b9218d44af55b9312f606fa02a619b2223fb157","unresolved":true,"context_lines":[{"line_number":66,"context_line":"  When creating a share type, user can specify encryption information such as"},{"line_number":67,"context_line":"  cipher, key_size, provider, control location."},{"line_number":68,"context_line":""},{"line_number":69,"context_line":"* Changes in backend driver"},{"line_number":70,"context_line":""},{"line_number":71,"context_line":"  A backend driver will fetch information related to share encryption and"},{"line_number":72,"context_line":"  perform the encryption."},{"line_number":73,"context_line":"  1. 
In case encryption based share type is used to create share, backend"},{"line_number":74,"context_line":"  driver will get encryption key id from manila-api and it will then"},{"line_number":75,"context_line":"  fetch encryption key data from key store."},{"line_number":76,"context_line":"  2. In case encyption ref is provided, backend driver will fetch encryption"},{"line_number":77,"context_line":"  key data from key store using that ref."},{"line_number":78,"context_line":""},{"line_number":79,"context_line":"  The fetched key data then will be used to encrypt share. In this case, the"},{"line_number":80,"context_line":"  backend driver will configured at the manila share service node, and provide"},{"line_number":81,"context_line":"  the basic abilities to talk with Key store e.g. Barbican using KMIP."},{"line_number":82,"context_line":""},{"line_number":83,"context_line":""},{"line_number":84,"context_line":"Alternatives"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3690f89f_fbe74dcb","line":81,"range":{"start_line":69,"start_character":27,"end_line":81,"end_character":70},"updated":"2023-10-25 00:03:02.000000000","message":"this is a bit unclear; what is the \"backend driver\" here? \n\nwe use that terminology for share backend drivers such as the CephFS driver, or the NetApp ONTAP driver.. 
\n\ndo you mean the share manager will have a barbican client layer?","commit_id":"e64af4d2075bc78bbe7801856ca1bfbcafadbf5d"},{"author":{"_account_id":18816,"name":"Maurice Escher","display_name":"carthaca","email":"maurice.escher@sap.com","username":"mapocace"},"change_message_id":"fec16decbdbb75914bf883a2026626fb8f82d0a1","unresolved":true,"context_lines":[{"line_number":66,"context_line":"  When creating a share type, user can specify encryption information such as"},{"line_number":67,"context_line":"  cipher, key_size, provider, control location."},{"line_number":68,"context_line":""},{"line_number":69,"context_line":"* Changes in backend driver"},{"line_number":70,"context_line":""},{"line_number":71,"context_line":"  A backend driver will fetch information related to share encryption and"},{"line_number":72,"context_line":"  perform the encryption."},{"line_number":73,"context_line":"  1. In case encryption based share type is used to create share, backend"},{"line_number":74,"context_line":"  driver will get encryption key id from manila-api and it will then"},{"line_number":75,"context_line":"  fetch encryption key data from key store."},{"line_number":76,"context_line":"  2. In case encyption ref is provided, backend driver will fetch encryption"},{"line_number":77,"context_line":"  key data from key store using that ref."},{"line_number":78,"context_line":""},{"line_number":79,"context_line":"  The fetched key data then will be used to encrypt share. In this case, the"},{"line_number":80,"context_line":"  backend driver will configured at the manila share service node, and provide"},{"line_number":81,"context_line":"  the basic abilities to talk with Key store e.g. 
Barbican using KMIP."},{"line_number":82,"context_line":""},{"line_number":83,"context_line":""},{"line_number":84,"context_line":"Alternatives"}],"source_content_type":"text/x-rst","patch_set":2,"id":"a1c9d241_d64ec2fd","line":81,"range":{"start_line":69,"start_character":27,"end_line":81,"end_character":70},"in_reply_to":"3690f89f_fbe74dcb","updated":"2023-10-27 08:23:33.000000000","message":"Something like https://review.opendev.org/c/openstack/cinder/+/39292, I think","commit_id":"e64af4d2075bc78bbe7801856ca1bfbcafadbf5d"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"9c6beba3aae488334596c7f7eb293db38764a7c4","unresolved":false,"context_lines":[{"line_number":66,"context_line":"  When creating a share type, user can specify encryption information such as"},{"line_number":67,"context_line":"  cipher, key_size, provider, control location."},{"line_number":68,"context_line":""},{"line_number":69,"context_line":"* Changes in backend driver"},{"line_number":70,"context_line":""},{"line_number":71,"context_line":"  A backend driver will fetch information related to share encryption and"},{"line_number":72,"context_line":"  perform the encryption."},{"line_number":73,"context_line":"  1. In case encryption based share type is used to create share, backend"},{"line_number":74,"context_line":"  driver will get encryption key id from manila-api and it will then"},{"line_number":75,"context_line":"  fetch encryption key data from key store."},{"line_number":76,"context_line":"  2. In case encyption ref is provided, backend driver will fetch encryption"},{"line_number":77,"context_line":"  key data from key store using that ref."},{"line_number":78,"context_line":""},{"line_number":79,"context_line":"  The fetched key data then will be used to encrypt share. 
In this case, the"},{"line_number":80,"context_line":"  backend driver will configured at the manila share service node, and provide"},{"line_number":81,"context_line":"  the basic abilities to talk with Key store e.g. Barbican using KMIP."},{"line_number":82,"context_line":""},{"line_number":83,"context_line":""},{"line_number":84,"context_line":"Alternatives"}],"source_content_type":"text/x-rst","patch_set":2,"id":"39b7cef5_36bb72e5","line":81,"range":{"start_line":69,"start_character":27,"end_line":81,"end_character":70},"in_reply_to":"a1c9d241_d64ec2fd","updated":"2023-10-27 12:07:11.000000000","message":"Added reference of key manager.\n\n1. manila API (talks with key manager to get encryption key)\n2. manila API gets encryption key ref from user\n\nin both case, it will be passed to backend as it is. The backend then using either key or key ref talks with key store and does encryption.","commit_id":"e64af4d2075bc78bbe7801856ca1bfbcafadbf5d"},{"author":{"_account_id":29632,"name":"Carlos Eduardo","email":"ces.eduardo98@gmail.com","username":"silvacarlos"},"change_message_id":"c8d0fa4179f2dbe878fa02f6661020b72afba2d5","unresolved":true,"context_lines":[{"line_number":108,"context_line":"  | deleted               | tinyint(1)   | YES  |     | NULL    |       |"},{"line_number":109,"context_line":"  +-----------------------+--------------+------+-----+---------+-------+"},{"line_number":110,"context_line":"  | id                    | varchar(36)  | NO   | PRI | NULL    |       |"},{"line_number":111,"context_line":"  +-----------------------+--------------+------+-----+---------+-------+"},{"line_number":112,"context_line":"  | share_type_id         | varchar(255) | NO   |     | NULL    |       |"},{"line_number":113,"context_line":"  +-----------------------+--------------+------+-----+---------+-------+"},{"line_number":114,"context_line":"  | key_size              | int(11)      | YES  |     | NULL    |       |"},{"line_number":115,"context_line":"  
+-----------------------+--------------+------+-----+---------+-------+"},{"line_number":116,"context_line":"  | cipher                | varchar(255) | YES  |     | NULL    |       |"}],"source_content_type":"text/x-rst","patch_set":2,"id":"ba78e1c9_4b5fb2a4","line":113,"range":{"start_line":111,"start_character":0,"end_line":113,"end_character":73},"updated":"2023-10-25 20:44:12.000000000","message":"should we have a status of some sort? I\u0027m unsure how long it would take to encrypt a share, and if that fails, what would happen?","commit_id":"e64af4d2075bc78bbe7801856ca1bfbcafadbf5d"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"9c6beba3aae488334596c7f7eb293db38764a7c4","unresolved":false,"context_lines":[{"line_number":108,"context_line":"  | deleted               | tinyint(1)   | YES  |     | NULL    |       |"},{"line_number":109,"context_line":"  +-----------------------+--------------+------+-----+---------+-------+"},{"line_number":110,"context_line":"  | id                    | varchar(36)  | NO   | PRI | NULL    |       |"},{"line_number":111,"context_line":"  +-----------------------+--------------+------+-----+---------+-------+"},{"line_number":112,"context_line":"  | share_type_id         | varchar(255) | NO   |     | NULL    |       |"},{"line_number":113,"context_line":"  +-----------------------+--------------+------+-----+---------+-------+"},{"line_number":114,"context_line":"  | key_size              | int(11)      | YES  |     | NULL    |       |"},{"line_number":115,"context_line":"  +-----------------------+--------------+------+-----+---------+-------+"},{"line_number":116,"context_line":"  | cipher                | varchar(255) | YES  |     | NULL    |       
|"}],"source_content_type":"text/x-rst","patch_set":2,"id":"f6a40da1_46d2390e","line":113,"range":{"start_line":111,"start_character":0,"end_line":113,"end_character":73},"in_reply_to":"ba78e1c9_4b5fb2a4","updated":"2023-10-27 12:07:11.000000000","message":"the encryption happens on backend today as well and its not reflected in either status. So we wont need status with this addition as well.","commit_id":"e64af4d2075bc78bbe7801856ca1bfbcafadbf5d"},{"author":{"_account_id":30407,"name":"haixin","email":"haixin_haixin@qq.com","username":"haixin"},"change_message_id":"86b694260d10968b76723aa61603d61d9f539b3c","unresolved":false,"context_lines":[{"line_number":108,"context_line":"  | deleted               | tinyint(1)   | YES  |     | NULL    |       |"},{"line_number":109,"context_line":"  +-----------------------+--------------+------+-----+---------+-------+"},{"line_number":110,"context_line":"  | id                    | varchar(36)  | NO   | PRI | NULL    |       |"},{"line_number":111,"context_line":"  +-----------------------+--------------+------+-----+---------+-------+"},{"line_number":112,"context_line":"  | share_type_id         | varchar(255) | NO   |     | NULL    |       |"},{"line_number":113,"context_line":"  +-----------------------+--------------+------+-----+---------+-------+"},{"line_number":114,"context_line":"  | key_size              | int(11)      | YES  |     | NULL    |       |"},{"line_number":115,"context_line":"  +-----------------------+--------------+------+-----+---------+-------+"},{"line_number":116,"context_line":"  | cipher                | varchar(255) | YES  |     | NULL    |       |"}],"source_content_type":"text/x-rst","patch_set":2,"id":"f9f1a3eb_f6294ac3","line":113,"range":{"start_line":111,"start_character":0,"end_line":113,"end_character":73},"in_reply_to":"f6a40da1_46d2390e","updated":"2023-12-04 07:49:20.000000000","message":"yes, i agree with Kiran Pawar, Encryption is a back-end storage feature, and manila tells the 
storage that the share is encrypted and what the encryption key is when it creates a share through the drive.\n\nThen, after the share is mounted, the data will be encrypted only when the data IO is generated.","commit_id":"e64af4d2075bc78bbe7801856ca1bfbcafadbf5d"},{"author":{"_account_id":29632,"name":"Carlos Eduardo","email":"ces.eduardo98@gmail.com","username":"silvacarlos"},"change_message_id":"c8d0fa4179f2dbe878fa02f6661020b72afba2d5","unresolved":true,"context_lines":[{"line_number":151,"context_line":""},{"line_number":152,"context_line":"CLI API impact"},{"line_number":153,"context_line":"--------------"},{"line_number":154,"context_line":""},{"line_number":155,"context_line":"Add new parameters to commands in openstackclient(OSC):"},{"line_number":156,"context_line":""},{"line_number":157,"context_line":"openstack share type create [--encryption-provider \u003cprovider\u003e]"}],"source_content_type":"text/x-rst","patch_set":2,"id":"545bcc96_ba190fe9","line":154,"updated":"2023-10-25 20:44:12.000000000","message":"are you planning to implement new commands also be provided to the new encryption API?","commit_id":"e64af4d2075bc78bbe7801856ca1bfbcafadbf5d"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"9c6beba3aae488334596c7f7eb293db38764a7c4","unresolved":false,"context_lines":[{"line_number":151,"context_line":""},{"line_number":152,"context_line":"CLI API impact"},{"line_number":153,"context_line":"--------------"},{"line_number":154,"context_line":""},{"line_number":155,"context_line":"Add new parameters to commands in openstackclient(OSC):"},{"line_number":156,"context_line":""},{"line_number":157,"context_line":"openstack share type create [--encryption-provider \u003cprovider\u003e]"}],"source_content_type":"text/x-rst","patch_set":2,"id":"954c7f34_1146420b","line":154,"in_reply_to":"545bcc96_ba190fe9","updated":"2023-10-27 
12:07:11.000000000","message":"the encryption with share type will be API interfaces. For manilaclient there won\u0027t be new commands, but there will be new params to existing share type commands.","commit_id":"e64af4d2075bc78bbe7801856ca1bfbcafadbf5d"},{"author":{"_account_id":30407,"name":"haixin","email":"haixin_haixin@qq.com","username":"haixin"},"change_message_id":"86b694260d10968b76723aa61603d61d9f539b3c","unresolved":false,"context_lines":[{"line_number":151,"context_line":""},{"line_number":152,"context_line":"CLI API impact"},{"line_number":153,"context_line":"--------------"},{"line_number":154,"context_line":""},{"line_number":155,"context_line":"Add new parameters to commands in openstackclient(OSC):"},{"line_number":156,"context_line":""},{"line_number":157,"context_line":"openstack share type create [--encryption-provider \u003cprovider\u003e]"}],"source_content_type":"text/x-rst","patch_set":2,"id":"f678418e_94f4f4c3","line":154,"in_reply_to":"954c7f34_1146420b","updated":"2023-12-04 07:49:20.000000000","message":"i agree with Carlos Eduardo. 
please see my comments.","commit_id":"e64af4d2075bc78bbe7801856ca1bfbcafadbf5d"},{"author":{"_account_id":29632,"name":"Carlos Eduardo","email":"ces.eduardo98@gmail.com","username":"silvacarlos"},"change_message_id":"c8d0fa4179f2dbe878fa02f6661020b72afba2d5","unresolved":true,"context_lines":[{"line_number":182,"context_line":"                         [--encryption-control-location \u003ccontrol-location\u003e]"},{"line_number":183,"context_line":"                         \u003cshare-type\u003e"},{"line_number":184,"context_line":""},{"line_number":185,"context_line":"* encryption-provider: Set the class that provides encryption support for this"},{"line_number":186,"context_line":"                       share type (e.g “LuksEncryptor”)"},{"line_number":187,"context_line":"* encryption-cipher: Set the encryption algorithm or mode for this share type"},{"line_number":188,"context_line":"* encryption-key-size: Set the size of the encryption key of this share type"},{"line_number":189,"context_line":"* encryption-control-location: Set the notional service where the encryption is"},{"line_number":190,"context_line":"                               performed (“front-end” or “back-end”)."},{"line_number":191,"context_line":"* share-type: Share type to display (name or ID)"},{"line_number":192,"context_line":""},{"line_number":193,"context_line":""},{"line_number":194,"context_line":"openstack share type unset [--encryption-type]"}],"source_content_type":"text/x-rst","patch_set":2,"id":"4f1b2951_e90a33fb","line":191,"range":{"start_line":185,"start_character":0,"end_line":191,"end_character":48},"updated":"2023-10-25 20:44:12.000000000","message":"I believe this is kind of a duplicate of what\u0027s described between lines 163 and 167 right?","commit_id":"e64af4d2075bc78bbe7801856ca1bfbcafadbf5d"},{"author":{"_account_id":29632,"name":"Carlos 
Eduardo","email":"ces.eduardo98@gmail.com","username":"silvacarlos"},"change_message_id":"cf0f723e26a2554b4c8fd8e4e76db9253cc2b033","unresolved":true,"context_lines":[{"line_number":182,"context_line":"                         [--encryption-control-location \u003ccontrol-location\u003e]"},{"line_number":183,"context_line":"                         \u003cshare-type\u003e"},{"line_number":184,"context_line":""},{"line_number":185,"context_line":"* encryption-provider: Set the class that provides encryption support for this"},{"line_number":186,"context_line":"                       share type (e.g “LuksEncryptor”)"},{"line_number":187,"context_line":"* encryption-cipher: Set the encryption algorithm or mode for this share type"},{"line_number":188,"context_line":"* encryption-key-size: Set the size of the encryption key of this share type"},{"line_number":189,"context_line":"* encryption-control-location: Set the notional service where the encryption is"},{"line_number":190,"context_line":"                               performed (“front-end” or “back-end”)."},{"line_number":191,"context_line":"* share-type: Share type to display (name or ID)"},{"line_number":192,"context_line":""},{"line_number":193,"context_line":""},{"line_number":194,"context_line":"openstack share type unset [--encryption-type]"}],"source_content_type":"text/x-rst","patch_set":2,"id":"8da6cf7e_23130726","line":191,"range":{"start_line":185,"start_character":0,"end_line":191,"end_character":48},"in_reply_to":"2678e42e_7849f29d","updated":"2024-01-09 13:38:24.000000000","message":"I\u0027m okay if you want to leave it :)","commit_id":"e64af4d2075bc78bbe7801856ca1bfbcafadbf5d"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"9c6beba3aae488334596c7f7eb293db38764a7c4","unresolved":true,"context_lines":[{"line_number":182,"context_line":"                         [--encryption-control-location 
\u003ccontrol-location\u003e]"},{"line_number":183,"context_line":"                         \u003cshare-type\u003e"},{"line_number":184,"context_line":""},{"line_number":185,"context_line":"* encryption-provider: Set the class that provides encryption support for this"},{"line_number":186,"context_line":"                       share type (e.g “LuksEncryptor”)"},{"line_number":187,"context_line":"* encryption-cipher: Set the encryption algorithm or mode for this share type"},{"line_number":188,"context_line":"* encryption-key-size: Set the size of the encryption key of this share type"},{"line_number":189,"context_line":"* encryption-control-location: Set the notional service where the encryption is"},{"line_number":190,"context_line":"                               performed (“front-end” or “back-end”)."},{"line_number":191,"context_line":"* share-type: Share type to display (name or ID)"},{"line_number":192,"context_line":""},{"line_number":193,"context_line":""},{"line_number":194,"context_line":"openstack share type unset [--encryption-type]"}],"source_content_type":"text/x-rst","patch_set":2,"id":"2678e42e_7849f29d","line":191,"range":{"start_line":185,"start_character":0,"end_line":191,"end_character":48},"in_reply_to":"4f1b2951_e90a33fb","updated":"2023-10-27 12:07:11.000000000","message":"yes, just added the information of that particular command. 
Should I remove it ?","commit_id":"e64af4d2075bc78bbe7801856ca1bfbcafadbf5d"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"a617aa9538edb1e806b34417a61330bff33fbdc0","unresolved":false,"context_lines":[{"line_number":182,"context_line":"                         [--encryption-control-location \u003ccontrol-location\u003e]"},{"line_number":183,"context_line":"                         \u003cshare-type\u003e"},{"line_number":184,"context_line":""},{"line_number":185,"context_line":"* encryption-provider: Set the class that provides encryption support for this"},{"line_number":186,"context_line":"                       share type (e.g “LuksEncryptor”)"},{"line_number":187,"context_line":"* encryption-cipher: Set the encryption algorithm or mode for this share type"},{"line_number":188,"context_line":"* encryption-key-size: Set the size of the encryption key of this share type"},{"line_number":189,"context_line":"* encryption-control-location: Set the notional service where the encryption is"},{"line_number":190,"context_line":"                               performed (“front-end” or “back-end”)."},{"line_number":191,"context_line":"* share-type: Share type to display (name or ID)"},{"line_number":192,"context_line":""},{"line_number":193,"context_line":""},{"line_number":194,"context_line":"openstack share type unset [--encryption-type]"}],"source_content_type":"text/x-rst","patch_set":2,"id":"8392caa9_b474fbb9","line":191,"range":{"start_line":185,"start_character":0,"end_line":191,"end_character":48},"in_reply_to":"8da6cf7e_23130726","updated":"2024-02-05 11:02:59.000000000","message":"Done","commit_id":"e64af4d2075bc78bbe7801856ca1bfbcafadbf5d"},{"author":{"_account_id":18816,"name":"Maurice 
Escher","display_name":"carthaca","email":"maurice.escher@sap.com","username":"mapocace"},"change_message_id":"fec16decbdbb75914bf883a2026626fb8f82d0a1","unresolved":true,"context_lines":[{"line_number":384,"context_line":"References"},{"line_number":385,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":386,"context_line":""},{"line_number":387,"context_line":"_`[1]`: https://specs.openstack.org/openstack/cinder-specs/specs/kilo/nfs-backup.html"}],"source_content_type":"text/x-rst","patch_set":2,"id":"ad9dce3b_e1d514c7","line":387,"range":{"start_line":387,"start_character":8,"end_line":387,"end_character":85},"updated":"2023-10-27 08:23:33.000000000","message":"Copy\u0026Paste error from backup spec?\n\nI did not find a cinder spec/blueprint - but there are some reviews at https://review.opendev.org/q/topic:bp%252Fencrypt-cinder-volumes","commit_id":"e64af4d2075bc78bbe7801856ca1bfbcafadbf5d"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"9c6beba3aae488334596c7f7eb293db38764a7c4","unresolved":false,"context_lines":[{"line_number":384,"context_line":"References"},{"line_number":385,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":386,"context_line":""},{"line_number":387,"context_line":"_`[1]`: https://specs.openstack.org/openstack/cinder-specs/specs/kilo/nfs-backup.html"}],"source_content_type":"text/x-rst","patch_set":2,"id":"72f5d9d9_4187e31d","line":387,"range":{"start_line":387,"start_character":8,"end_line":387,"end_character":85},"in_reply_to":"ad9dce3b_e1d514c7","updated":"2023-10-27 12:07:11.000000000","message":"Done","commit_id":"e64af4d2075bc78bbe7801856ca1bfbcafadbf5d"},{"author":{"_account_id":36178,"name":"Saravanan 
Manickam","display_name":"msaravan","email":"manicsaran@gmail.com","username":"msaravan"},"change_message_id":"9848d399180c17af49d57c46f1195eddeeb50c1d","unresolved":true,"context_lines":[{"line_number":50,"context_line":"The backend then talks with key store using KMIP(Key Management"},{"line_number":51,"context_line":"Interoperability Protocol) and then retrieve the key data. The key data is"},{"line_number":52,"context_line":"then used to encrypt the share by backend. Manila does not control the actual"},{"line_number":53,"context_line":"encryption of data as it is being done by backend driver and its proprietary"},{"line_number":54,"context_line":"methods."},{"line_number":55,"context_line":""},{"line_number":56,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"6f3cec58_13b8c17c","line":53,"updated":"2023-12-07 14:50:36.000000000","message":"What call would be made if the share created on a storage server has already a mechanism of encrypting it. Do you provide one more option to overwrite the settings whatever already configured at the backend.","commit_id":"7e375d234c48fb3e6c33584ea12452ec0e29ee60"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"ce20c78e714389377989ae85331fa97b39517469","unresolved":false,"context_lines":[{"line_number":50,"context_line":"The backend then talks with key store using KMIP(Key Management"},{"line_number":51,"context_line":"Interoperability Protocol) and then retrieve the key data. The key data is"},{"line_number":52,"context_line":"then used to encrypt the share by backend. 
Manila does not control the actual"},{"line_number":53,"context_line":"encryption of data as it is being done by backend driver and its proprietary"},{"line_number":54,"context_line":"methods."},{"line_number":55,"context_line":""},{"line_number":56,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"97586e3d_5c9c3304","line":53,"in_reply_to":"25dbe89b_465c2231","updated":"2024-01-18 01:01:42.000000000","message":"please \"resolve\" comments when you address them...","commit_id":"7e375d234c48fb3e6c33584ea12452ec0e29ee60"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"228864d4cb62c80d8505184ac2fab04cacc019bd","unresolved":true,"context_lines":[{"line_number":50,"context_line":"The backend then talks with key store using KMIP(Key Management"},{"line_number":51,"context_line":"Interoperability Protocol) and then retrieve the key data. The key data is"},{"line_number":52,"context_line":"then used to encrypt the share by backend. 
Manila does not control the actual"},{"line_number":53,"context_line":"encryption of data as it is being done by backend driver and its proprietary"},{"line_number":54,"context_line":"methods."},{"line_number":55,"context_line":""},{"line_number":56,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"25dbe89b_465c2231","line":53,"in_reply_to":"6f3cec58_13b8c17c","updated":"2024-01-03 13:15:31.000000000","message":"added","commit_id":"7e375d234c48fb3e6c33584ea12452ec0e29ee60"},{"author":{"_account_id":36178,"name":"Saravanan Manickam","display_name":"msaravan","email":"manicsaran@gmail.com","username":"msaravan"},"change_message_id":"9848d399180c17af49d57c46f1195eddeeb50c1d","unresolved":true,"context_lines":[{"line_number":79,"context_line":"  to backend hardware to perform the encryption."},{"line_number":80,"context_line":""},{"line_number":81,"context_line":"  The fetched key data or key ref will then used by underlying backend e.g."},{"line_number":82,"context_line":"  NetApp ONTAP to encrypt the share."},{"line_number":83,"context_line":""},{"line_number":84,"context_line":"Alternatives"},{"line_number":85,"context_line":"------------"}],"source_content_type":"text/x-rst","patch_set":4,"id":"60369c15_c25f3d4c","line":82,"updated":"2023-12-07 14:50:36.000000000","message":"Different vendors handle encryption differently. For instance, NetApp can handle encryption at aggregate level (pools in Manila), volume level (shares in manila). If user has enabled encryption already at storage server (vserver in NetApp) level, how would that be impacted if user tries to modify that via openstack level. 
Do we assume that, if the share is already encrypted by the vendor in his own way, we\u0027ll not overwrite that with the settings we have in Barbican ?","commit_id":"7e375d234c48fb3e6c33584ea12452ec0e29ee60"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"228864d4cb62c80d8505184ac2fab04cacc019bd","unresolved":true,"context_lines":[{"line_number":79,"context_line":"  to backend hardware to perform the encryption."},{"line_number":80,"context_line":""},{"line_number":81,"context_line":"  The fetched key data or key ref will then used by underlying backend e.g."},{"line_number":82,"context_line":"  NetApp ONTAP to encrypt the share."},{"line_number":83,"context_line":""},{"line_number":84,"context_line":"Alternatives"},{"line_number":85,"context_line":"------------"}],"source_content_type":"text/x-rst","patch_set":4,"id":"8c6ac68e_ce942454","line":82,"in_reply_to":"60369c15_c25f3d4c","updated":"2024-01-03 13:15:31.000000000","message":"added in above section.","commit_id":"7e375d234c48fb3e6c33584ea12452ec0e29ee60"},{"author":{"_account_id":29632,"name":"Carlos Eduardo","email":"ces.eduardo98@gmail.com","username":"silvacarlos"},"change_message_id":"cf0f723e26a2554b4c8fd8e4e76db9253cc2b033","unresolved":true,"context_lines":[{"line_number":79,"context_line":"  to backend hardware to perform the encryption."},{"line_number":80,"context_line":""},{"line_number":81,"context_line":"  The fetched key data or key ref will then used by underlying backend e.g."},{"line_number":82,"context_line":"  NetApp ONTAP to encrypt the share."},{"line_number":83,"context_line":""},{"line_number":84,"context_line":"Alternatives"},{"line_number":85,"context_line":"------------"}],"source_content_type":"text/x-rst","patch_set":4,"id":"d2ef7c74_37cd18f8","line":82,"in_reply_to":"8c6ac68e_ce942454","updated":"2024-01-09 13:38:24.000000000","message":"Great observation, Saravanan... 
Yes, Kiran, I understand the statement you added to line 58... But I think Saravanan question would still be valid: would it be an issue if a share server (vserver) already has encryption configured and we try to create an encrypted share? Is there a way to check that before or it shouldn\u0027t be a problem?","commit_id":"7e375d234c48fb3e6c33584ea12452ec0e29ee60"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"a617aa9538edb1e806b34417a61330bff33fbdc0","unresolved":false,"context_lines":[{"line_number":79,"context_line":"  to backend hardware to perform the encryption."},{"line_number":80,"context_line":""},{"line_number":81,"context_line":"  The fetched key data or key ref will then used by underlying backend e.g."},{"line_number":82,"context_line":"  NetApp ONTAP to encrypt the share."},{"line_number":83,"context_line":""},{"line_number":84,"context_line":"Alternatives"},{"line_number":85,"context_line":"------------"}],"source_content_type":"text/x-rst","patch_set":4,"id":"b24e1db8_28ae06da","line":82,"in_reply_to":"8fd91534_eea4ff40","updated":"2024-02-05 11:02:59.000000000","message":"Done","commit_id":"7e375d234c48fb3e6c33584ea12452ec0e29ee60"},{"author":{"_account_id":18816,"name":"Maurice Escher","display_name":"carthaca","email":"maurice.escher@sap.com","username":"mapocace"},"change_message_id":"e98d005ee75ca348729f7d46ddd50b538bd96cbd","unresolved":true,"context_lines":[{"line_number":79,"context_line":"  to backend hardware to perform the encryption."},{"line_number":80,"context_line":""},{"line_number":81,"context_line":"  The fetched key data or key ref will then used by underlying backend e.g."},{"line_number":82,"context_line":"  NetApp ONTAP to encrypt the 
share."},{"line_number":83,"context_line":""},{"line_number":84,"context_line":"Alternatives"},{"line_number":85,"context_line":"------------"}],"source_content_type":"text/x-rst","patch_set":4,"id":"8fd91534_eea4ff40","line":82,"in_reply_to":"d2ef7c74_37cd18f8","updated":"2024-01-17 12:46:51.000000000","message":"That is a detail of driver implementation. \nThe driver can decide whether any already existing encryption satisfies the ask to encrypt or if it needs to do something, e.g. re-encrypt with a new key.","commit_id":"7e375d234c48fb3e6c33584ea12452ec0e29ee60"},{"author":{"_account_id":30407,"name":"haixin","email":"haixin_haixin@qq.com","username":"haixin"},"change_message_id":"5ce474c498eb22f44336c2a4646c22efdecfb4f0","unresolved":true,"context_lines":[{"line_number":160,"context_line":"                            [--encryption-control-location \u003ccontrol-location\u003e]"},{"line_number":161,"context_line":"                            \u003cname\u003e"},{"line_number":162,"context_line":""},{"line_number":163,"context_line":"* encryption-provider: Set the class that provides encryption support for this"},{"line_number":164,"context_line":"                       share type (e.g “LuksEncryptor”)"},{"line_number":165,"context_line":"* encryption-cipher: Set the encryption algorithm or mode for this share type"},{"line_number":166,"context_line":"* encryption-key-size: Set the size of the encryption key of this share type"},{"line_number":167,"context_line":"* encryption-control-location: Set the notional service where the encryption is"},{"line_number":168,"context_line":"                               performed (“front-end” or “back-end”)."},{"line_number":169,"context_line":"* name: Name of share 
type."},{"line_number":170,"context_line":""},{"line_number":171,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"212f65a3_e8fe9199","line":168,"range":{"start_line":163,"start_character":2,"end_line":168,"end_character":69},"updated":"2023-12-04 07:41:11.000000000","message":"in cinder, if we want to create a encryption volume type, encryption-provider must be specified. can not only specify key-size or cipher or control-location.\nso do we need to do like cinder?\nhow about to support add encryption for an existing share type. but not create new share type with encryption.\n\n    openstack share encryption-type-create [--cipher \u003ccipher\u003e]\n                                           [--key-size \u003ckey_size\u003e]\n                                           [--control-location \u003ccontrol_location\u003e]\n                                           \u003cshare_type\u003e \u003cprovider\u003e","commit_id":"7e375d234c48fb3e6c33584ea12452ec0e29ee60"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"b508a6c63cf223e330e38658876e7e8a4c426051","unresolved":true,"context_lines":[{"line_number":160,"context_line":"                            [--encryption-control-location \u003ccontrol-location\u003e]"},{"line_number":161,"context_line":"                            \u003cname\u003e"},{"line_number":162,"context_line":""},{"line_number":163,"context_line":"* encryption-provider: Set the class that provides encryption support for this"},{"line_number":164,"context_line":"                       share type (e.g “LuksEncryptor”)"},{"line_number":165,"context_line":"* encryption-cipher: Set the encryption algorithm or mode for this share type"},{"line_number":166,"context_line":"* encryption-key-size: Set the size of the encryption key of this share type"},{"line_number":167,"context_line":"* encryption-control-location: Set the notional 
service where the encryption is"},{"line_number":168,"context_line":"                               performed (“front-end” or “back-end”)."},{"line_number":169,"context_line":"* name: Name of share type."},{"line_number":170,"context_line":""},{"line_number":171,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"df457fb1_a11fa7c7","line":168,"range":{"start_line":163,"start_character":2,"end_line":168,"end_character":69},"in_reply_to":"212f65a3_e8fe9199","updated":"2023-12-04 13:28:49.000000000","message":"we need to do like cinder\n1. openstack share encryption-type-create looks like different command where encryption is feature similar to dhss or snapshot support. So it can be part of share type or can not. We can not make this as simple option like --snapshot-support because it needs multiple parameters. \n2. But I am ok with your approach as well. \n\nLet us see what others think.","commit_id":"7e375d234c48fb3e6c33584ea12452ec0e29ee60"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"a617aa9538edb1e806b34417a61330bff33fbdc0","unresolved":false,"context_lines":[{"line_number":160,"context_line":"                            [--encryption-control-location \u003ccontrol-location\u003e]"},{"line_number":161,"context_line":"                            \u003cname\u003e"},{"line_number":162,"context_line":""},{"line_number":163,"context_line":"* encryption-provider: Set the class that provides encryption support for this"},{"line_number":164,"context_line":"                       share type (e.g “LuksEncryptor”)"},{"line_number":165,"context_line":"* encryption-cipher: Set the encryption algorithm or mode for this share type"},{"line_number":166,"context_line":"* encryption-key-size: Set the size of the encryption key of this share type"},{"line_number":167,"context_line":"* encryption-control-location: Set the notional service where the 
encryption is"},{"line_number":168,"context_line":"                               performed (“front-end” or “back-end”)."},{"line_number":169,"context_line":"* name: Name of share type."},{"line_number":170,"context_line":""},{"line_number":171,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"ff8890a9_6280042c","line":168,"range":{"start_line":163,"start_character":2,"end_line":168,"end_character":69},"in_reply_to":"8cfbec2c_53fa60e8","updated":"2024-02-05 11:02:59.000000000","message":"Done","commit_id":"7e375d234c48fb3e6c33584ea12452ec0e29ee60"},{"author":{"_account_id":29632,"name":"Carlos Eduardo","email":"ces.eduardo98@gmail.com","username":"silvacarlos"},"change_message_id":"cf0f723e26a2554b4c8fd8e4e76db9253cc2b033","unresolved":true,"context_lines":[{"line_number":160,"context_line":"                            [--encryption-control-location \u003ccontrol-location\u003e]"},{"line_number":161,"context_line":"                            \u003cname\u003e"},{"line_number":162,"context_line":""},{"line_number":163,"context_line":"* encryption-provider: Set the class that provides encryption support for this"},{"line_number":164,"context_line":"                       share type (e.g “LuksEncryptor”)"},{"line_number":165,"context_line":"* encryption-cipher: Set the encryption algorithm or mode for this share type"},{"line_number":166,"context_line":"* encryption-key-size: Set the size of the encryption key of this share type"},{"line_number":167,"context_line":"* encryption-control-location: Set the notional service where the encryption is"},{"line_number":168,"context_line":"                               performed (“front-end” or “back-end”)."},{"line_number":169,"context_line":"* name: Name of share 
type."},{"line_number":170,"context_line":""},{"line_number":171,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"eae10362_e71563ba","line":168,"range":{"start_line":163,"start_character":2,"end_line":168,"end_character":69},"in_reply_to":"df457fb1_a11fa7c7","updated":"2024-01-09 13:38:24.000000000","message":"I think haixin\u0027s idea in terms gives more granularity and helps things to be reused, even though it might result in a couple of more details to implement... If we are to stay consistent with the way OpenStack is already doing things, I believe we should stick to Cinder UX in the encryption and make this already a bit familiar to users.\n\nOperators feedback would be relevant here as well.","commit_id":"7e375d234c48fb3e6c33584ea12452ec0e29ee60"},{"author":{"_account_id":18816,"name":"Maurice Escher","display_name":"carthaca","email":"maurice.escher@sap.com","username":"mapocace"},"change_message_id":"e98d005ee75ca348729f7d46ddd50b538bd96cbd","unresolved":true,"context_lines":[{"line_number":160,"context_line":"                            [--encryption-control-location \u003ccontrol-location\u003e]"},{"line_number":161,"context_line":"                            \u003cname\u003e"},{"line_number":162,"context_line":""},{"line_number":163,"context_line":"* encryption-provider: Set the class that provides encryption support for this"},{"line_number":164,"context_line":"                       share type (e.g “LuksEncryptor”)"},{"line_number":165,"context_line":"* encryption-cipher: Set the encryption algorithm or mode for this share type"},{"line_number":166,"context_line":"* encryption-key-size: Set the size of the encryption key of this share type"},{"line_number":167,"context_line":"* encryption-control-location: Set the notional service where the encryption is"},{"line_number":168,"context_line":"                               performed (“front-end” or “back-end”)."},{"line_number":169,"context_line":"* name: Name of share 
type."},{"line_number":170,"context_line":""},{"line_number":171,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"8cfbec2c_53fa60e8","line":168,"range":{"start_line":163,"start_character":2,"end_line":168,"end_character":69},"in_reply_to":"eae10362_e71563ba","updated":"2024-01-17 12:46:51.000000000","message":"I\u0027m very much in favor of keeping the UX close to cinder, that means not having an additional command.\n\nSee https://docs.openstack.org/python-openstackclient/latest/cli/command-objects/volume-type.html","commit_id":"7e375d234c48fb3e6c33584ea12452ec0e29ee60"},{"author":{"_account_id":30407,"name":"haixin","email":"haixin_haixin@qq.com","username":"haixin"},"change_message_id":"5ce474c498eb22f44336c2a4646c22efdecfb4f0","unresolved":true,"context_lines":[{"line_number":169,"context_line":"* name: Name of share type."},{"line_number":170,"context_line":""},{"line_number":171,"context_line":""},{"line_number":172,"context_line":"openstack share type show [--encryption-type]"},{"line_number":173,"context_line":"                          \u003cshare-type\u003e"},{"line_number":174,"context_line":""},{"line_number":175,"context_line":"* encryption-type: Display encryption information of this share type."},{"line_number":176,"context_line":"* share-type: Share type to display (name or ID)"}],"source_content_type":"text/x-rst","patch_set":4,"id":"b737e94f_f9e08dbc","line":173,"range":{"start_line":172,"start_character":0,"end_line":173,"end_character":38},"updated":"2023-12-04 07:41:11.000000000","message":"how about:\n\n    openstack share encryption-type-show \u003cshare-type\u003e","commit_id":"7e375d234c48fb3e6c33584ea12452ec0e29ee60"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"a617aa9538edb1e806b34417a61330bff33fbdc0","unresolved":false,"context_lines":[{"line_number":169,"context_line":"* name: Name of share 
type."},{"line_number":170,"context_line":""},{"line_number":171,"context_line":""},{"line_number":172,"context_line":"openstack share type show [--encryption-type]"},{"line_number":173,"context_line":"                          \u003cshare-type\u003e"},{"line_number":174,"context_line":""},{"line_number":175,"context_line":"* encryption-type: Display encryption information of this share type."},{"line_number":176,"context_line":"* share-type: Share type to display (name or ID)"}],"source_content_type":"text/x-rst","patch_set":4,"id":"009df5ee_58eccdb9","line":173,"range":{"start_line":172,"start_character":0,"end_line":173,"end_character":38},"in_reply_to":"b737e94f_f9e08dbc","updated":"2024-02-05 11:02:59.000000000","message":"Done","commit_id":"7e375d234c48fb3e6c33584ea12452ec0e29ee60"},{"author":{"_account_id":30407,"name":"haixin","email":"haixin_haixin@qq.com","username":"haixin"},"change_message_id":"5ce474c498eb22f44336c2a4646c22efdecfb4f0","unresolved":true,"context_lines":[{"line_number":176,"context_line":"* share-type: Share type to display (name or ID)"},{"line_number":177,"context_line":""},{"line_number":178,"context_line":""},{"line_number":179,"context_line":"openstack share type set [--encryption-provider \u003cprovider\u003e]"},{"line_number":180,"context_line":"                         [--encryption-cipher \u003ccipher\u003e]"},{"line_number":181,"context_line":"                         [--encryption-key-size \u003ckey-size\u003e]"},{"line_number":182,"context_line":"                         [--encryption-control-location \u003ccontrol-location\u003e]"},{"line_number":183,"context_line":"                         \u003cshare-type\u003e"},{"line_number":184,"context_line":""},{"line_number":185,"context_line":"* encryption-provider: Set the class that provides encryption support for this"},{"line_number":186,"context_line":"                       share type (e.g 
“LuksEncryptor”)"}],"source_content_type":"text/x-rst","patch_set":4,"id":"3f4a961f_e1973be7","line":183,"range":{"start_line":179,"start_character":0,"end_line":183,"end_character":37},"updated":"2023-12-04 07:41:11.000000000","message":"openstack SDK has support this command to update an existing share type.\n\n    openstack share type set    [-h]\n                                [--extra-specs [\u003ckey\u003dvalue\u003e [\u003ckey\u003dvalue\u003e ...]]]\n                                [--public \u003cpublic\u003e]\n                                [--description \u003cdescription\u003e] [--name \u003cname\u003e]\n                                \u003cshare_type\u003e    \n\nso, we use this command again, Easily cause confusion, how about we make new command for encryption share type, just like cinder.\n\n    openstack share encryption-type-update [--provider \u003cprovider\u003e]\n                                           [--cipher [\u003ccipher\u003e]]\n                                           [--key-size [\u003ckey-size\u003e]]\n                                           [--control-location \u003ccontrol-location\u003e]\n                                           \u003cshare-type\u003e","commit_id":"7e375d234c48fb3e6c33584ea12452ec0e29ee60"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"a617aa9538edb1e806b34417a61330bff33fbdc0","unresolved":false,"context_lines":[{"line_number":176,"context_line":"* share-type: Share type to display (name or ID)"},{"line_number":177,"context_line":""},{"line_number":178,"context_line":""},{"line_number":179,"context_line":"openstack share type set [--encryption-provider \u003cprovider\u003e]"},{"line_number":180,"context_line":"                         [--encryption-cipher \u003ccipher\u003e]"},{"line_number":181,"context_line":"                         [--encryption-key-size 
\u003ckey-size\u003e]"},{"line_number":182,"context_line":"                         [--encryption-control-location \u003ccontrol-location\u003e]"},{"line_number":183,"context_line":"                         \u003cshare-type\u003e"},{"line_number":184,"context_line":""},{"line_number":185,"context_line":"* encryption-provider: Set the class that provides encryption support for this"},{"line_number":186,"context_line":"                       share type (e.g “LuksEncryptor”)"}],"source_content_type":"text/x-rst","patch_set":4,"id":"69d6d664_7bd1c3da","line":183,"range":{"start_line":179,"start_character":0,"end_line":183,"end_character":37},"in_reply_to":"35af1d02_a09f6561","updated":"2024-02-05 11:02:59.000000000","message":"Done","commit_id":"7e375d234c48fb3e6c33584ea12452ec0e29ee60"},{"author":{"_account_id":18816,"name":"Maurice Escher","display_name":"carthaca","email":"maurice.escher@sap.com","username":"mapocace"},"change_message_id":"e98d005ee75ca348729f7d46ddd50b538bd96cbd","unresolved":true,"context_lines":[{"line_number":176,"context_line":"* share-type: Share type to display (name or ID)"},{"line_number":177,"context_line":""},{"line_number":178,"context_line":""},{"line_number":179,"context_line":"openstack share type set [--encryption-provider \u003cprovider\u003e]"},{"line_number":180,"context_line":"                         [--encryption-cipher \u003ccipher\u003e]"},{"line_number":181,"context_line":"                         [--encryption-key-size \u003ckey-size\u003e]"},{"line_number":182,"context_line":"                         [--encryption-control-location \u003ccontrol-location\u003e]"},{"line_number":183,"context_line":"                         \u003cshare-type\u003e"},{"line_number":184,"context_line":""},{"line_number":185,"context_line":"* encryption-provider: Set the class that provides encryption support for this"},{"line_number":186,"context_line":"                       share type (e.g 
“LuksEncryptor”)"}],"source_content_type":"text/x-rst","patch_set":4,"id":"35af1d02_a09f6561","line":183,"range":{"start_line":179,"start_character":0,"end_line":183,"end_character":37},"in_reply_to":"3f4a961f_e1973be7","updated":"2024-01-17 12:46:51.000000000","message":"For cinder there is no additional command or am I missing something?\nTo update the encryption options, those have to be set with `openstack volume type set`\n\nhttps://docs.openstack.org/python-openstackclient/latest/cli/command-objects/volume-type.html#volume-type-set","commit_id":"7e375d234c48fb3e6c33584ea12452ec0e29ee60"},{"author":{"_account_id":30407,"name":"haixin","email":"haixin_haixin@qq.com","username":"haixin"},"change_message_id":"5ce474c498eb22f44336c2a4646c22efdecfb4f0","unresolved":true,"context_lines":[{"line_number":191,"context_line":"* share-type: Share type to display (name or ID)"},{"line_number":192,"context_line":""},{"line_number":193,"context_line":""},{"line_number":194,"context_line":"openstack share type unset [--encryption-type]"},{"line_number":195,"context_line":"                           \u003cshare-type\u003e"},{"line_number":196,"context_line":""},{"line_number":197,"context_line":"* encryption-type: Remove the encryption type for this share type."},{"line_number":198,"context_line":"* share-type: Share type to unset encryption info (name or ID)"}],"source_content_type":"text/x-rst","patch_set":4,"id":"8965561d_c9c86070","line":195,"range":{"start_line":194,"start_character":0,"end_line":195,"end_character":39},"updated":"2023-12-04 07:41:11.000000000","message":"(ansible)[root@ /]# openstack share type unset -h\nusage: openstack share type unset [-h] \u003cshare_type\u003e \u003ckey\u003e [\u003ckey\u003e ...]\n\nwe know this command has been used to remove some extra-spec.\n\nso how about:\n\n    openstack share encryption-type-delete \u003cshare-type\u003e","commit_id":"7e375d234c48fb3e6c33584ea12452ec0e29ee60"},{"author":{"_account_id":32919,"name":"kiran 
pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"a617aa9538edb1e806b34417a61330bff33fbdc0","unresolved":false,"context_lines":[{"line_number":191,"context_line":"* share-type: Share type to display (name or ID)"},{"line_number":192,"context_line":""},{"line_number":193,"context_line":""},{"line_number":194,"context_line":"openstack share type unset [--encryption-type]"},{"line_number":195,"context_line":"                           \u003cshare-type\u003e"},{"line_number":196,"context_line":""},{"line_number":197,"context_line":"* encryption-type: Remove the encryption type for this share type."},{"line_number":198,"context_line":"* share-type: Share type to unset encryption info (name or ID)"}],"source_content_type":"text/x-rst","patch_set":4,"id":"6ff5e70f_6728d2eb","line":195,"range":{"start_line":194,"start_character":0,"end_line":195,"end_character":39},"in_reply_to":"8965561d_c9c86070","updated":"2024-02-05 11:02:59.000000000","message":"Done","commit_id":"7e375d234c48fb3e6c33584ea12452ec0e29ee60"},{"author":{"_account_id":30407,"name":"haixin","email":"haixin_haixin@qq.com","username":"haixin"},"change_message_id":"5ce474c498eb22f44336c2a4646c22efdecfb4f0","unresolved":true,"context_lines":[{"line_number":198,"context_line":"* share-type: Share type to unset encryption info (name or ID)"},{"line_number":199,"context_line":""},{"line_number":200,"context_line":""},{"line_number":201,"context_line":"openstack share type list [--encryption-type]"},{"line_number":202,"context_line":""},{"line_number":203,"context_line":"* encryption-type: Display encryption information for each volume type in list"},{"line_number":204,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"03856523_87f8c966","line":201,"range":{"start_line":201,"start_character":0,"end_line":201,"end_character":45},"updated":"2023-12-04 07:41:11.000000000","message":"how about:\n\n    openstack share encryption-type-list 
\u003cshare-type\u003e","commit_id":"7e375d234c48fb3e6c33584ea12452ec0e29ee60"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"a617aa9538edb1e806b34417a61330bff33fbdc0","unresolved":false,"context_lines":[{"line_number":198,"context_line":"* share-type: Share type to unset encryption info (name or ID)"},{"line_number":199,"context_line":""},{"line_number":200,"context_line":""},{"line_number":201,"context_line":"openstack share type list [--encryption-type]"},{"line_number":202,"context_line":""},{"line_number":203,"context_line":"* encryption-type: Display encryption information for each volume type in list"},{"line_number":204,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"93561d54_5db23170","line":201,"range":{"start_line":201,"start_character":0,"end_line":201,"end_character":45},"in_reply_to":"03856523_87f8c966","updated":"2024-02-05 11:02:59.000000000","message":"Done","commit_id":"7e375d234c48fb3e6c33584ea12452ec0e29ee60"},{"author":{"_account_id":30407,"name":"haixin","email":"haixin_haixin@qq.com","username":"haixin"},"change_message_id":"5ce474c498eb22f44336c2a4646c22efdecfb4f0","unresolved":true,"context_lines":[{"line_number":217,"context_line":"        \"encryption\": {"},{"line_number":218,"context_line":"            \"key_size\": 256,"},{"line_number":219,"context_line":"            \"provider\": \"luks\","},{"line_number":220,"context_line":"            \"control_location\":\"front-end\","},{"line_number":221,"context_line":"            \"cipher\": \"aes-xts-plain64\""},{"line_number":222,"context_line":"        }"},{"line_number":223,"context_line":"    }"}],"source_content_type":"text/x-rst","patch_set":4,"id":"49a5a6a1_d8edb79c","line":220,"range":{"start_line":220,"start_character":32,"end_line":220,"end_character":41},"updated":"2023-12-04 07:41:11.000000000","message":"In cinder, because qemu natively supports luks 
encryption and decryption, front-end encryption or decryption can use the host\u0027s qemu to read encrypted data and decrypt it. If front-end encryption is still used, share is mounted using NFS. Can NFS decrypt luks encrypted data? Or do we only support back-end encryption?","commit_id":"7e375d234c48fb3e6c33584ea12452ec0e29ee60"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"a617aa9538edb1e806b34417a61330bff33fbdc0","unresolved":false,"context_lines":[{"line_number":217,"context_line":"        \"encryption\": {"},{"line_number":218,"context_line":"            \"key_size\": 256,"},{"line_number":219,"context_line":"            \"provider\": \"luks\","},{"line_number":220,"context_line":"            \"control_location\":\"front-end\","},{"line_number":221,"context_line":"            \"cipher\": \"aes-xts-plain64\""},{"line_number":222,"context_line":"        }"},{"line_number":223,"context_line":"    }"}],"source_content_type":"text/x-rst","patch_set":4,"id":"5719cf92_62ef9248","line":220,"range":{"start_line":220,"start_character":32,"end_line":220,"end_character":41},"in_reply_to":"1fa85d53_1aad1e83","updated":"2024-02-05 11:02:59.000000000","message":"This will be back-end and default for now.","commit_id":"7e375d234c48fb3e6c33584ea12452ec0e29ee60"},{"author":{"_account_id":29632,"name":"Carlos Eduardo","email":"ces.eduardo98@gmail.com","username":"silvacarlos"},"change_message_id":"cf0f723e26a2554b4c8fd8e4e76db9253cc2b033","unresolved":true,"context_lines":[{"line_number":217,"context_line":"        \"encryption\": {"},{"line_number":218,"context_line":"            \"key_size\": 256,"},{"line_number":219,"context_line":"            \"provider\": \"luks\","},{"line_number":220,"context_line":"            \"control_location\":\"front-end\","},{"line_number":221,"context_line":"            \"cipher\": \"aes-xts-plain64\""},{"line_number":222,"context_line":"      
  }"},{"line_number":223,"context_line":"    }"}],"source_content_type":"text/x-rst","patch_set":4,"id":"1fa85d53_1aad1e83","line":220,"range":{"start_line":220,"start_character":32,"end_line":220,"end_character":41},"in_reply_to":"49a5a6a1_d8edb79c","updated":"2024-01-09 13:38:24.000000000","message":"would this impact the virtiofs effort too?","commit_id":"7e375d234c48fb3e6c33584ea12452ec0e29ee60"},{"author":{"_account_id":30407,"name":"haixin","email":"haixin_haixin@qq.com","username":"haixin"},"change_message_id":"5ce474c498eb22f44336c2a4646c22efdecfb4f0","unresolved":true,"context_lines":[{"line_number":222,"context_line":"        }"},{"line_number":223,"context_line":"    }"},{"line_number":224,"context_line":""},{"line_number":225,"context_line":"All fields in the ``encryption`` request are needed."},{"line_number":226,"context_line":""},{"line_number":227,"context_line":"If the share-type is not known to manila, the API will respond with"},{"line_number":228,"context_line":"``404 Not Found``."}],"source_content_type":"text/x-rst","patch_set":4,"id":"538d576d_95d31aa4","line":225,"range":{"start_line":225,"start_character":0,"end_line":225,"end_character":52},"updated":"2023-12-04 07:41:11.000000000","message":"if all fields are needed. 
then command\n\n    openstack share encryption-type-create [--cipher \u003ccipher\u003e]\n                                           [--key-size \u003ckey_size\u003e]\n                                           [--control-location \u003ccontrol_location\u003e]\n                                           \u003cshare_type\u003e \u003cprovider\u003e\n               \nshould change to:\n\n    openstack share encryption-type-create \n    \u003cshare_type\u003e \u003cprovider\u003e \u003ccipher\u003e \u003ckey_size\u003e \u003ccontrol_location\u003e","commit_id":"7e375d234c48fb3e6c33584ea12452ec0e29ee60"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"a617aa9538edb1e806b34417a61330bff33fbdc0","unresolved":false,"context_lines":[{"line_number":222,"context_line":"        }"},{"line_number":223,"context_line":"    }"},{"line_number":224,"context_line":""},{"line_number":225,"context_line":"All fields in the ``encryption`` request are needed."},{"line_number":226,"context_line":""},{"line_number":227,"context_line":"If the share-type is not known to manila, the API will respond with"},{"line_number":228,"context_line":"``404 Not Found``."}],"source_content_type":"text/x-rst","patch_set":4,"id":"9c271f06_1a4e8670","line":225,"range":{"start_line":225,"start_character":0,"end_line":225,"end_character":52},"in_reply_to":"538d576d_95d31aa4","updated":"2024-02-05 11:02:59.000000000","message":"No, this means that if you specify any field of encryption, you need to specify all of them. Otherwise, do not specify the encryption field at all, i.e. 
create share type without encryption","commit_id":"7e375d234c48fb3e6c33584ea12452ec0e29ee60"},{"author":{"_account_id":30407,"name":"haixin","email":"haixin_haixin@qq.com","username":"haixin"},"change_message_id":"5ce474c498eb22f44336c2a4646c22efdecfb4f0","unresolved":true,"context_lines":[{"line_number":301,"context_line":""},{"line_number":302,"context_line":"Driver impact"},{"line_number":303,"context_line":"-------------"},{"line_number":304,"context_line":"The backend driver needs to implement::"},{"line_number":305,"context_line":"1. Function to talk with key-store using KMIP protocol"},{"line_number":306,"context_line":"2. Encrypt the share with key data sent from key-store e.g. Barbican"},{"line_number":307,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"7ad331af_e53291ec","line":304,"range":{"start_line":304,"start_character":0,"end_line":304,"end_character":39},"updated":"2023-12-04 07:41:11.000000000","message":"This looks like back-end encryption, i.e. control_location is back-end.","commit_id":"7e375d234c48fb3e6c33584ea12452ec0e29ee60"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"a617aa9538edb1e806b34417a61330bff33fbdc0","unresolved":false,"context_lines":[{"line_number":301,"context_line":""},{"line_number":302,"context_line":"Driver impact"},{"line_number":303,"context_line":"-------------"},{"line_number":304,"context_line":"The backend driver needs to implement::"},{"line_number":305,"context_line":"1. Function to talk with key-store using KMIP protocol"},{"line_number":306,"context_line":"2. Encrypt the share with key data sent from key-store e.g. 
Barbican"},{"line_number":307,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"0390efd9_5cbf5fb5","line":304,"range":{"start_line":304,"start_character":0,"end_line":304,"end_character":39},"in_reply_to":"7ad331af_e53291ec","updated":"2024-02-05 11:02:59.000000000","message":"Done","commit_id":"7e375d234c48fb3e6c33584ea12452ec0e29ee60"},{"author":{"_account_id":36178,"name":"Saravanan Manickam","display_name":"msaravan","email":"manicsaran@gmail.com","username":"msaravan"},"change_message_id":"9848d399180c17af49d57c46f1195eddeeb50c1d","unresolved":true,"context_lines":[{"line_number":303,"context_line":"-------------"},{"line_number":304,"context_line":"The backend driver needs to implement::"},{"line_number":305,"context_line":"1. Function to talk with key-store using KMIP protocol"},{"line_number":306,"context_line":"2. Encrypt the share with key data sent from key-store e.g. Barbican"},{"line_number":307,"context_line":""},{"line_number":308,"context_line":""},{"line_number":309,"context_line":"Security impact"}],"source_content_type":"text/x-rst","patch_set":4,"id":"65aca70d_df25af72","line":306,"updated":"2023-12-07 14:50:36.000000000","message":"How do we control this when the user goes for the DHSS\u003dTrue option? Do you expect us to enable the encryption settings at the storage server (vserver) level? If that happens, the user need not take any extra steps to encrypt the shares created later inside this DHSS server, as encryption can be made automatic for all of them whenever they are created.","commit_id":"7e375d234c48fb3e6c33584ea12452ec0e29ee60"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"ce20c78e714389377989ae85331fa97b39517469","unresolved":false,"context_lines":[{"line_number":303,"context_line":"-------------"},{"line_number":304,"context_line":"The backend driver needs to implement::"},{"line_number":305,"context_line":"1. 
Function to talk with key-store using KMIP protocol"},{"line_number":306,"context_line":"2. Encrypt the share with key data sent from key-store e.g. Barbican"},{"line_number":307,"context_line":""},{"line_number":308,"context_line":""},{"line_number":309,"context_line":"Security impact"}],"source_content_type":"text/x-rst","patch_set":4,"id":"9f373e5a_ec1e8651","line":306,"in_reply_to":"0f8baeae_8d0b17fb","updated":"2024-01-18 01:01:42.000000000","message":"I agree with beginning with per-share-encryption. \n\nIn the \"driver impact\" section, there\u0027s a call out to \"share server encryption\" that can be removed; or moved to a different section rather than \"Driver Impact\". I\u0027ll leave a comment there.","commit_id":"7e375d234c48fb3e6c33584ea12452ec0e29ee60"},{"author":{"_account_id":18816,"name":"Maurice Escher","display_name":"carthaca","email":"maurice.escher@sap.com","username":"mapocace"},"change_message_id":"e98d005ee75ca348729f7d46ddd50b538bd96cbd","unresolved":true,"context_lines":[{"line_number":303,"context_line":"-------------"},{"line_number":304,"context_line":"The backend driver needs to implement::"},{"line_number":305,"context_line":"1. Function to talk with key-store using KMIP protocol"},{"line_number":306,"context_line":"2. Encrypt the share with key data sent from key-store e.g. 
Barbican"},{"line_number":307,"context_line":""},{"line_number":308,"context_line":""},{"line_number":309,"context_line":"Security impact"}],"source_content_type":"text/x-rst","patch_set":4,"id":"0f8baeae_8d0b17fb","line":306,"in_reply_to":"65aca70d_df25af72","updated":"2024-01-17 12:46:51.000000000","message":"There are use-cases where shares in the same share server should not use the same key, hence I think it is best to go with single share encryption first.\n\nAny grouping (either via share groups or at share server level) to optimize certain setups, can be added in a future implementation, I think.","commit_id":"7e375d234c48fb3e6c33584ea12452ec0e29ee60"},{"author":{"_account_id":30407,"name":"haixin","email":"haixin_haixin@qq.com","username":"haixin"},"change_message_id":"5ce474c498eb22f44336c2a4646c22efdecfb4f0","unresolved":true,"context_lines":[{"line_number":327,"context_line":"------------------"},{"line_number":328,"context_line":""},{"line_number":329,"context_line":"The share can be encrypted at front-end or back-end. 
But for Manila we intend"},{"line_number":330,"context_line":"to support only back-end encryption and so very less performance penalty in"},{"line_number":331,"context_line":"manila services."},{"line_number":332,"context_line":""},{"line_number":333,"context_line":"Other deployer impact"}],"source_content_type":"text/x-rst","patch_set":4,"id":"b299aa27_76186dd7","line":330,"range":{"start_line":330,"start_character":3,"end_line":330,"end_character":35},"updated":"2023-12-04 07:41:11.000000000","message":"If we only support back-end encryption, the default value of control_location could be back-end, and the user does not need to specify it when creating a new encryption for a share type.","commit_id":"7e375d234c48fb3e6c33584ea12452ec0e29ee60"},{"author":{"_account_id":18816,"name":"Maurice Escher","display_name":"carthaca","email":"maurice.escher@sap.com","username":"mapocace"},"change_message_id":"e98d005ee75ca348729f7d46ddd50b538bd96cbd","unresolved":true,"context_lines":[{"line_number":327,"context_line":"------------------"},{"line_number":328,"context_line":""},{"line_number":329,"context_line":"The share can be encrypted at front-end or back-end. 
But for Manila we intend"},{"line_number":330,"context_line":"to support only back-end encryption and so very less performance penalty in"},{"line_number":331,"context_line":"manila services."},{"line_number":332,"context_line":""},{"line_number":333,"context_line":"Other deployer impact"}],"source_content_type":"text/x-rst","patch_set":4,"id":"d2fb1fa0_f9890dd7","line":330,"range":{"start_line":330,"start_character":3,"end_line":330,"end_character":35},"in_reply_to":"b299aa27_76186dd7","updated":"2024-01-17 12:46:51.000000000","message":"I agree","commit_id":"7e375d234c48fb3e6c33584ea12452ec0e29ee60"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"a617aa9538edb1e806b34417a61330bff33fbdc0","unresolved":false,"context_lines":[{"line_number":327,"context_line":"------------------"},{"line_number":328,"context_line":""},{"line_number":329,"context_line":"The share can be encrypted at front-end or back-end. 
But for Manila we intend"},{"line_number":330,"context_line":"to support only back-end encryption and so very less performance penalty in"},{"line_number":331,"context_line":"manila services."},{"line_number":332,"context_line":""},{"line_number":333,"context_line":"Other deployer impact"}],"source_content_type":"text/x-rst","patch_set":4,"id":"0602e961_b1ee25bc","line":330,"range":{"start_line":330,"start_character":3,"end_line":330,"end_character":35},"in_reply_to":"c0f96cc2_abecd8bd","updated":"2024-02-05 11:02:59.000000000","message":"Done","commit_id":"7e375d234c48fb3e6c33584ea12452ec0e29ee60"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"ce20c78e714389377989ae85331fa97b39517469","unresolved":true,"context_lines":[{"line_number":327,"context_line":"------------------"},{"line_number":328,"context_line":""},{"line_number":329,"context_line":"The share can be encrypted at front-end or back-end. 
But for Manila we intend"},{"line_number":330,"context_line":"to support only back-end encryption and so very less performance penalty in"},{"line_number":331,"context_line":"manila services."},{"line_number":332,"context_line":""},{"line_number":333,"context_line":"Other deployer impact"}],"source_content_type":"text/x-rst","patch_set":4,"id":"c0f96cc2_abecd8bd","line":330,"range":{"start_line":330,"start_character":3,"end_line":330,"end_character":35},"in_reply_to":"d2fb1fa0_f9890dd7","updated":"2024-01-18 01:01:42.000000000","message":"+1","commit_id":"7e375d234c48fb3e6c33584ea12452ec0e29ee60"},{"author":{"_account_id":29632,"name":"Carlos Eduardo","email":"ces.eduardo98@gmail.com","username":"silvacarlos"},"change_message_id":"cf0f723e26a2554b4c8fd8e4e76db9253cc2b033","unresolved":true,"context_lines":[{"line_number":1,"context_line":".."},{"line_number":2,"context_line":" This work is licensed under a Creative Commons Attribution 3.0 Unported"},{"line_number":3,"context_line":" License."},{"line_number":4,"context_line":""},{"line_number":5,"context_line":" http://creativecommons.org/licenses/by/3.0/legalcode"},{"line_number":6,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"df7e1454_2c0c1422","line":3,"updated":"2024-01-09 13:38:24.000000000","message":"I\u0027m missing a couple of things in the spec and I believe we should give them some thought:\n1. What to do in case of manage/unmanage: In this case, I believe it would be unsafe to allow a share to be unmanaged in case it was encrypted.\n\n2. Share transfers\nWe should ensure that the destination user also has access to the share while transferring it.\n\n3. Share backups\nAre we supporting this from the get go? What will be the impact?\n\n4. Share snapshots\nAre we supporting this from the get go? 
What will be the impact?","commit_id":"7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"a617aa9538edb1e806b34417a61330bff33fbdc0","unresolved":false,"context_lines":[{"line_number":1,"context_line":".."},{"line_number":2,"context_line":" This work is licensed under a Creative Commons Attribution 3.0 Unported"},{"line_number":3,"context_line":" License."},{"line_number":4,"context_line":""},{"line_number":5,"context_line":" http://creativecommons.org/licenses/by/3.0/legalcode"},{"line_number":6,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"24ee5390_1339ea64","line":3,"in_reply_to":"b139dc06_c124914e","updated":"2024-02-05 11:02:59.000000000","message":"Done","commit_id":"7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc"},{"author":{"_account_id":18816,"name":"Maurice Escher","display_name":"carthaca","email":"maurice.escher@sap.com","username":"mapocace"},"change_message_id":"e98d005ee75ca348729f7d46ddd50b538bd96cbd","unresolved":true,"context_lines":[{"line_number":1,"context_line":".."},{"line_number":2,"context_line":" This work is licensed under a Creative Commons Attribution 3.0 Unported"},{"line_number":3,"context_line":" License."},{"line_number":4,"context_line":""},{"line_number":5,"context_line":" http://creativecommons.org/licenses/by/3.0/legalcode"},{"line_number":6,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"b139dc06_c124914e","line":3,"in_reply_to":"df7e1454_2c0c1422","updated":"2024-01-17 12:46:51.000000000","message":"Good questions. I\u0027ll add my thoughts:\n\nre 1: I think unmanage would need to make sure that the user, who sends that command has access to the key, too. But I would be also fine with the safe approach in not allowing to unmanage such shares.\nre 2: same like 1, I think. But with a higher tendency to not allow this because of complexity. 
I don\u0027t know if barbican even has a concept of transferring a key?\nre 3: not all backup targets may support this, depends on the driver, I think.\nre 4: I can imagine that snapshots simply can re-use the encryption key of the parent. Snapshots anyhow have a strong tie to the parent object.","commit_id":"7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc"},{"author":{"_account_id":29632,"name":"Carlos Eduardo","email":"ces.eduardo98@gmail.com","username":"silvacarlos"},"change_message_id":"cf0f723e26a2554b4c8fd8e4e76db9253cc2b033","unresolved":true,"context_lines":[{"line_number":11,"context_line":"Blueprint: https://blueprints.launchpad.net/manila/+spec/share-encryption"},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"Manila share encryption is a valuable feature for most of storage users,"},{"line_number":14,"context_line":"specially for NAS user, but currently, manila itself doesn\u0027t support generic"},{"line_number":15,"context_line":"share encryption features, this spec proposes a encryption solution based on"},{"line_number":16,"context_line":"the existing one from cinder `[1]`_."},{"line_number":17,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"61dc3d6a_46f17d07","line":14,"range":{"start_line":14,"start_character":39,"end_line":14,"end_character":45},"updated":"2024-01-09 13:38:24.000000000","message":"nit: Manila","commit_id":"7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"a617aa9538edb1e806b34417a61330bff33fbdc0","unresolved":false,"context_lines":[{"line_number":11,"context_line":"Blueprint: https://blueprints.launchpad.net/manila/+spec/share-encryption"},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"Manila share encryption is a valuable feature for most of storage users,"},{"line_number":14,"context_line":"specially for NAS user, but 
currently, manila itself doesn\u0027t support generic"},{"line_number":15,"context_line":"share encryption features, this spec proposes a encryption solution based on"},{"line_number":16,"context_line":"the existing one from cinder `[1]`_."},{"line_number":17,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"243e793a_861f0c0a","line":14,"range":{"start_line":14,"start_character":39,"end_line":14,"end_character":45},"in_reply_to":"61dc3d6a_46f17d07","updated":"2024-02-05 11:02:59.000000000","message":"Done","commit_id":"7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc"},{"author":{"_account_id":29632,"name":"Carlos Eduardo","email":"ces.eduardo98@gmail.com","username":"silvacarlos"},"change_message_id":"cf0f723e26a2554b4c8fd8e4e76db9253cc2b033","unresolved":true,"context_lines":[{"line_number":12,"context_line":""},{"line_number":13,"context_line":"Manila share encryption is a valuable feature for most of storage users,"},{"line_number":14,"context_line":"specially for NAS user, but currently, manila itself doesn\u0027t support generic"},{"line_number":15,"context_line":"share encryption features, this spec proposes a encryption solution based on"},{"line_number":16,"context_line":"the existing one from cinder `[1]`_."},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"Problem description"}],"source_content_type":"text/x-rst","patch_set":5,"id":"06810ac6_fd3c38f4","line":15,"range":{"start_line":15,"start_character":25,"end_line":15,"end_character":28},"updated":"2024-01-09 13:38:24.000000000","message":"nit: . 
This","commit_id":"7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"a617aa9538edb1e806b34417a61330bff33fbdc0","unresolved":false,"context_lines":[{"line_number":12,"context_line":""},{"line_number":13,"context_line":"Manila share encryption is a valuable feature for most of storage users,"},{"line_number":14,"context_line":"specially for NAS user, but currently, manila itself doesn\u0027t support generic"},{"line_number":15,"context_line":"share encryption features, this spec proposes a encryption solution based on"},{"line_number":16,"context_line":"the existing one from cinder `[1]`_."},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"Problem description"}],"source_content_type":"text/x-rst","patch_set":5,"id":"f0097fbf_678714fd","line":15,"range":{"start_line":15,"start_character":25,"end_line":15,"end_character":28},"in_reply_to":"06810ac6_fd3c38f4","updated":"2024-02-05 11:02:59.000000000","message":"Done","commit_id":"7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"ce20c78e714389377989ae85331fa97b39517469","unresolved":true,"context_lines":[{"line_number":10,"context_line":""},{"line_number":11,"context_line":"Blueprint: https://blueprints.launchpad.net/manila/+spec/share-encryption"},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"Manila share encryption is a valuable feature for most of storage users,"},{"line_number":14,"context_line":"specially for NAS user, but currently, manila itself doesn\u0027t support generic"},{"line_number":15,"context_line":"share encryption features, this spec proposes a encryption solution based on"},{"line_number":16,"context_line":"the existing one from cinder 
`[1]`_."},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"Problem description"},{"line_number":19,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":5,"id":"6a5cb950_fa4874bc","line":16,"range":{"start_line":13,"start_character":0,"end_line":16,"end_character":36},"updated":"2024-01-18 01:01:42.000000000","message":"imho, the introduction needs to suggest what is being done about the problem that exists in a succinct way. Would this be a good statement?\n\n\n\u0027\u0027\u0027\nEncrypting OpenStack Manila shares is crucial for ensuring the security and confidentiality of users\u0027 data. There are broadly two levels of encryption: \"front-end\" (data in-transit) and \"back-end\" (data at-rest). Currently, users can request back-end data encryption via share types that have custom extra-specs. These custom-extra specs direct the back end driver to encrypt the share data at rest, however, there is no mechanism for the user to control much else regarding the encryption process. Ideally, users must be allowed to create and manage their own encryption keys. 
This specification proposes an approach that enables Manila to coordinate user defined encryption keys for \"back-end\" (at rest) encryption of share data.\n\u0027\u0027\u0027","commit_id":"7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"a617aa9538edb1e806b34417a61330bff33fbdc0","unresolved":false,"context_lines":[{"line_number":10,"context_line":""},{"line_number":11,"context_line":"Blueprint: https://blueprints.launchpad.net/manila/+spec/share-encryption"},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"Manila share encryption is a valuable feature for most of storage users,"},{"line_number":14,"context_line":"specially for NAS user, but currently, manila itself doesn\u0027t support generic"},{"line_number":15,"context_line":"share encryption features, this spec proposes a encryption solution based on"},{"line_number":16,"context_line":"the existing one from cinder `[1]`_."},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"Problem description"},{"line_number":19,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":5,"id":"9a63c93d_64e286cb","line":16,"range":{"start_line":13,"start_character":0,"end_line":16,"end_character":36},"in_reply_to":"6a5cb950_fa4874bc","updated":"2024-02-05 11:02:59.000000000","message":"Done","commit_id":"7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"ce20c78e714389377989ae85331fa97b39517469","unresolved":true,"context_lines":[{"line_number":18,"context_line":"Problem 
description"},{"line_number":19,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"Today we can\u0027t use manila commands to encrypt shares. This makes the platforms"},{"line_number":22,"context_line":"hosting shares for VMs high value targets because an attacker can break into a"},{"line_number":23,"context_line":"share-hosting platform and read the data. Another issue is that the physical"},{"line_number":24,"context_line":"storage medium could be stolen, remounted, and accessed from a different"}],"source_content_type":"text/x-rst","patch_set":5,"id":"8ed377f9_e50a12d6","line":21,"range":{"start_line":21,"start_character":0,"end_line":21,"end_character":54},"updated":"2024-01-18 01:01:42.000000000","message":"This is incorrect; \n\nWhat you mean to say is that the encryption workflow implemented today is sub-optimal.\n\nPerhaps replace with this\n\n\"\"\"\nWhile manila users can create encrypted shares with some storage back ends, they cannot create or control their encryption keys via OpenStack. Encryption keys are made up by the storage back end or the Manila driver, and any one with access to the keys could access the data if they gain access to the back end storage. So the main problem that this specification is addressing is user control of encryption keys.\n\"\"\"\n\n\nI\u0027d also, for the sake of completeness, mention why we should even care about encryption. Your write up for that is good; here\u0027s a blurb Chat GPT generated when i asked it a question.. maybe it can help:\n\n\n```\n\nHere are some reasons why you should consider encrypting OpenStack Manila shares:\n\n1. **Data Confidentiality:** Encryption protects the confidentiality of your data by converting it into unreadable ciphertext. 
If unauthorized users gain access to the storage, they won\u0027t be able to make sense of the encrypted data without the appropriate decryption key.\n\n2. **Compliance Requirements:** Many industries and regulatory standards require the encryption of sensitive data. Encrypting OpenStack Manila shares helps you comply with data protection regulations and industry standards, ensuring that your organization meets legal requirements.\n\n3. **Protection Against Unauthorized Access:** Encrypting shares adds an extra layer of security against unauthorized access. Even if someone gains access to the underlying storage, they won\u0027t be able to access the data without the encryption key.\n\n4. **Secure Data Transfer:** When data is transferred between different components of your OpenStack environment or across the network, encryption ensures that the data remains secure during transit. This is especially important in multi-tenant environments where multiple users or projects may share the same infrastructure.\n\n5. **Mitigation of Insider Threats:** Encryption can help mitigate the risk of insider threats. Even if an authorized user with access to the storage attempts to misuse the data, encryption prevents them from reading or tampering with sensitive information without the proper decryption key.\n\n6. **Protection Against Data Breaches:** In the event of a security breach or data leak, encrypted data is much more difficult for attackers to exploit. This can significantly reduce the impact of a data breach, as the stolen information remains unreadable without the encryption key.\n\n7. **Risk Management:** Encryption is a fundamental component of a comprehensive risk management strategy. 
By implementing encryption for OpenStack Manila shares, you enhance your overall security posture and reduce the potential impact of security incidents.\n\n```\n\nIf you decide to use any of this, we should omit the 4th point, we\u0027re not solving \"in-transit\" data encryption with this effort...","commit_id":"7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"a617aa9538edb1e806b34417a61330bff33fbdc0","unresolved":false,"context_lines":[{"line_number":18,"context_line":"Problem description"},{"line_number":19,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"Today we can\u0027t use manila commands to encrypt shares. This makes the platforms"},{"line_number":22,"context_line":"hosting shares for VMs high value targets because an attacker can break into a"},{"line_number":23,"context_line":"share-hosting platform and read the data. 
Another issue is that the physical"},{"line_number":24,"context_line":"storage medium could be stolen, remounted, and accessed from a different"}],"source_content_type":"text/x-rst","patch_set":5,"id":"f3629405_867cac16","line":21,"range":{"start_line":21,"start_character":0,"end_line":21,"end_character":54},"in_reply_to":"8ed377f9_e50a12d6","updated":"2024-02-05 11:02:59.000000000","message":"ok, I have added above information in problem description section.","commit_id":"7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc"},{"author":{"_account_id":29632,"name":"Carlos Eduardo","email":"ces.eduardo98@gmail.com","username":"silvacarlos"},"change_message_id":"cf0f723e26a2554b4c8fd8e4e76db9253cc2b033","unresolved":true,"context_lines":[{"line_number":32,"context_line":"encryption provides a manila level support to trigger the data encryption on"},{"line_number":33,"context_line":"backend and thus protect the data from attacker."},{"line_number":34,"context_line":""},{"line_number":35,"context_line":"In order to support share encrytion, user needs to create manila share type"},{"line_number":36,"context_line":"and associate encryption information with it. The information contain fields"},{"line_number":37,"context_line":"such as size of encryption key, encryption provider class, control location"},{"line_number":38,"context_line":"and encryption algorithm e.g. aes-xts-plain64. 
If share is created using such"}],"source_content_type":"text/x-rst","patch_set":5,"id":"abbddd23_b7f159e2","line":35,"range":{"start_line":35,"start_character":51,"end_line":35,"end_character":59},"updated":"2024-01-09 13:38:24.000000000","message":"create a manila","commit_id":"7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc"},{"author":{"_account_id":29632,"name":"Carlos Eduardo","email":"ces.eduardo98@gmail.com","username":"silvacarlos"},"change_message_id":"cf0f723e26a2554b4c8fd8e4e76db9253cc2b033","unresolved":true,"context_lines":[{"line_number":32,"context_line":"encryption provides a manila level support to trigger the data encryption on"},{"line_number":33,"context_line":"backend and thus protect the data from attacker."},{"line_number":34,"context_line":""},{"line_number":35,"context_line":"In order to support share encrytion, user needs to create manila share type"},{"line_number":36,"context_line":"and associate encryption information with it. The information contain fields"},{"line_number":37,"context_line":"such as size of encryption key, encryption provider class, control location"},{"line_number":38,"context_line":"and encryption algorithm e.g. aes-xts-plain64. 
If share is created using such"}],"source_content_type":"text/x-rst","patch_set":5,"id":"80f75258_d377f826","line":35,"range":{"start_line":35,"start_character":37,"end_line":35,"end_character":41},"updated":"2024-01-09 13:38:24.000000000","message":"the user","commit_id":"7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"a617aa9538edb1e806b34417a61330bff33fbdc0","unresolved":false,"context_lines":[{"line_number":32,"context_line":"encryption provides a manila level support to trigger the data encryption on"},{"line_number":33,"context_line":"backend and thus protect the data from attacker."},{"line_number":34,"context_line":""},{"line_number":35,"context_line":"In order to support share encrytion, user needs to create manila share type"},{"line_number":36,"context_line":"and associate encryption information with it. The information contain fields"},{"line_number":37,"context_line":"such as size of encryption key, encryption provider class, control location"},{"line_number":38,"context_line":"and encryption algorithm e.g. aes-xts-plain64. 
If share is created using such"}],"source_content_type":"text/x-rst","patch_set":5,"id":"12a0bada_c57185af","line":35,"range":{"start_line":35,"start_character":37,"end_line":35,"end_character":41},"in_reply_to":"80f75258_d377f826","updated":"2024-02-05 11:02:59.000000000","message":"Done","commit_id":"7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"a617aa9538edb1e806b34417a61330bff33fbdc0","unresolved":false,"context_lines":[{"line_number":32,"context_line":"encryption provides a manila level support to trigger the data encryption on"},{"line_number":33,"context_line":"backend and thus protect the data from attacker."},{"line_number":34,"context_line":""},{"line_number":35,"context_line":"In order to support share encrytion, user needs to create manila share type"},{"line_number":36,"context_line":"and associate encryption information with it. The information contain fields"},{"line_number":37,"context_line":"such as size of encryption key, encryption provider class, control location"},{"line_number":38,"context_line":"and encryption algorithm e.g. aes-xts-plain64. 
If share is created using such"}],"source_content_type":"text/x-rst","patch_set":5,"id":"7b2695ed_c97bbfa1","line":35,"range":{"start_line":35,"start_character":51,"end_line":35,"end_character":59},"in_reply_to":"abbddd23_b7f159e2","updated":"2024-02-05 11:02:59.000000000","message":"Done","commit_id":"7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"ce20c78e714389377989ae85331fa97b39517469","unresolved":true,"context_lines":[{"line_number":32,"context_line":"encryption provides a manila level support to trigger the data encryption on"},{"line_number":33,"context_line":"backend and thus protect the data from attacker."},{"line_number":34,"context_line":""},{"line_number":35,"context_line":"In order to support share encrytion, user needs to create manila share type"},{"line_number":36,"context_line":"and associate encryption information with it. The information contain fields"},{"line_number":37,"context_line":"such as size of encryption key, encryption provider class, control location"},{"line_number":38,"context_line":"and encryption algorithm e.g. aes-xts-plain64. 
If share is created using such"},{"line_number":39,"context_line":"share types, Manila will generate encryption key with the help of key store"}],"source_content_type":"text/x-rst","patch_set":5,"id":"45a35b2f_eed787a3","line":36,"range":{"start_line":35,"start_character":37,"end_line":36,"end_character":45},"updated":"2024-01-18 01:01:42.000000000","message":"by virtue of default RBAC, a user cannot create a share type in Manila; an administrator can..","commit_id":"7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"a617aa9538edb1e806b34417a61330bff33fbdc0","unresolved":false,"context_lines":[{"line_number":32,"context_line":"encryption provides a manila level support to trigger the data encryption on"},{"line_number":33,"context_line":"backend and thus protect the data from attacker."},{"line_number":34,"context_line":""},{"line_number":35,"context_line":"In order to support share encrytion, user needs to create manila share type"},{"line_number":36,"context_line":"and associate encryption information with it. The information contain fields"},{"line_number":37,"context_line":"such as size of encryption key, encryption provider class, control location"},{"line_number":38,"context_line":"and encryption algorithm e.g. aes-xts-plain64. 
If share is created using such"},{"line_number":39,"context_line":"share types, Manila will generate encryption key with the help of key store"}],"source_content_type":"text/x-rst","patch_set":5,"id":"325866bf_490d0bea","line":36,"range":{"start_line":35,"start_character":37,"end_line":36,"end_character":45},"in_reply_to":"45a35b2f_eed787a3","updated":"2024-02-05 11:02:59.000000000","message":"Done","commit_id":"7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc"},{"author":{"_account_id":29632,"name":"Carlos Eduardo","email":"ces.eduardo98@gmail.com","username":"silvacarlos"},"change_message_id":"cf0f723e26a2554b4c8fd8e4e76db9253cc2b033","unresolved":true,"context_lines":[{"line_number":39,"context_line":"share types, Manila will generate encryption key with the help of key store"},{"line_number":40,"context_line":"e.g. Barbican."},{"line_number":41,"context_line":""},{"line_number":42,"context_line":"User can also encrypt the share using their own keys. Such keys are stored in"},{"line_number":43,"context_line":"key store e.g. Barbican by user. In this case, use can either use share types"},{"line_number":44,"context_line":"with or without encyrption information. If share type with encryption"},{"line_number":45,"context_line":"information is used to create share along-with user provided key, the user"}],"source_content_type":"text/x-rst","patch_set":5,"id":"7fb4817d_9ecea1fb","line":42,"range":{"start_line":42,"start_character":0,"end_line":42,"end_character":4},"updated":"2024-01-09 13:38:24.000000000","message":"The user","commit_id":"7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"a617aa9538edb1e806b34417a61330bff33fbdc0","unresolved":false,"context_lines":[{"line_number":39,"context_line":"share types, Manila will generate encryption key with the help of key store"},{"line_number":40,"context_line":"e.g. 
Barbican."},{"line_number":41,"context_line":""},{"line_number":42,"context_line":"User can also encrypt the share using their own keys. Such keys are stored in"},{"line_number":43,"context_line":"key store e.g. Barbican by user. In this case, use can either use share types"},{"line_number":44,"context_line":"with or without encyrption information. If share type with encryption"},{"line_number":45,"context_line":"information is used to create share along-with user provided key, the user"}],"source_content_type":"text/x-rst","patch_set":5,"id":"868100c3_b25f3cf2","line":42,"range":{"start_line":42,"start_character":0,"end_line":42,"end_character":4},"in_reply_to":"7fb4817d_9ecea1fb","updated":"2024-02-05 11:02:59.000000000","message":"Done","commit_id":"7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"ce20c78e714389377989ae85331fa97b39517469","unresolved":true,"context_lines":[{"line_number":39,"context_line":"share types, Manila will generate encryption key with the help of key store"},{"line_number":40,"context_line":"e.g. Barbican."},{"line_number":41,"context_line":""},{"line_number":42,"context_line":"User can also encrypt the share using their own keys. Such keys are stored in"},{"line_number":43,"context_line":"key store e.g. Barbican by user. In this case, use can either use share types"},{"line_number":44,"context_line":"with or without encyrption information. 
If share type with encryption"},{"line_number":45,"context_line":"information is used to create share along-with user provided key, the user"},{"line_number":46,"context_line":"provided key will take preference and share type encryption information of the"},{"line_number":47,"context_line":"share type will be ignored."},{"line_number":48,"context_line":""},{"line_number":49,"context_line":"In either scenario, after key is being fetched it will be given to backend."},{"line_number":50,"context_line":"The backend then talks with key store using KMIP(Key Management"}],"source_content_type":"text/x-rst","patch_set":5,"id":"4b283625_064a77c7","line":47,"range":{"start_line":42,"start_character":0,"end_line":47,"end_character":27},"updated":"2024-01-18 01:01:42.000000000","message":"I didn\u0027t understand this: \n\nHow can a user provide their own key? Is this done when creating a share? Also, how is the key provided? Will they give us the ID of the secret from barbican?\n\n\nYour examples below don\u0027t clarify this","commit_id":"7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"a617aa9538edb1e806b34417a61330bff33fbdc0","unresolved":false,"context_lines":[{"line_number":39,"context_line":"share types, Manila will generate encryption key with the help of key store"},{"line_number":40,"context_line":"e.g. Barbican."},{"line_number":41,"context_line":""},{"line_number":42,"context_line":"User can also encrypt the share using their own keys. Such keys are stored in"},{"line_number":43,"context_line":"key store e.g. Barbican by user. In this case, use can either use share types"},{"line_number":44,"context_line":"with or without encyrption information. 
If share type with encryption"},{"line_number":45,"context_line":"information is used to create share along-with user provided key, the user"},{"line_number":46,"context_line":"provided key will take preference and share type encryption information of the"},{"line_number":47,"context_line":"share type will be ignored."},{"line_number":48,"context_line":""},{"line_number":49,"context_line":"In either scenario, after key is being fetched it will be given to backend."},{"line_number":50,"context_line":"The backend then talks with key store using KMIP(Key Management"}],"source_content_type":"text/x-rst","patch_set":5,"id":"f9738f7d_142b6423","line":47,"range":{"start_line":42,"start_character":0,"end_line":47,"end_character":27},"in_reply_to":"4b283625_064a77c7","updated":"2024-02-05 11:02:59.000000000","message":"Done","commit_id":"7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"ce20c78e714389377989ae85331fa97b39517469","unresolved":true,"context_lines":[{"line_number":46,"context_line":"provided key will take preference and share type encryption information of the"},{"line_number":47,"context_line":"share type will be ignored."},{"line_number":48,"context_line":""},{"line_number":49,"context_line":"In either scenario, after key is being fetched it will be given to backend."},{"line_number":50,"context_line":"The backend then talks with key store using KMIP(Key Management"},{"line_number":51,"context_line":"Interoperability Protocol) and then retrieve the key data. The key data is"},{"line_number":52,"context_line":"then used to encrypt the share by backend. 
Manila does not control the actual"}],"source_content_type":"text/x-rst","patch_set":5,"id":"8d8c8425_435a75fc","line":49,"range":{"start_line":49,"start_character":67,"end_line":49,"end_character":74},"updated":"2024-01-18 01:01:42.000000000","message":"the storage back end via the storage back end driver","commit_id":"7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"a617aa9538edb1e806b34417a61330bff33fbdc0","unresolved":false,"context_lines":[{"line_number":46,"context_line":"provided key will take preference and share type encryption information of the"},{"line_number":47,"context_line":"share type will be ignored."},{"line_number":48,"context_line":""},{"line_number":49,"context_line":"In either scenario, after key is being fetched it will be given to backend."},{"line_number":50,"context_line":"The backend then talks with key store using KMIP(Key Management"},{"line_number":51,"context_line":"Interoperability Protocol) and then retrieve the key data. The key data is"},{"line_number":52,"context_line":"then used to encrypt the share by backend. 
Manila does not control the actual"}],"source_content_type":"text/x-rst","patch_set":5,"id":"b8cf8505_c13c5b2e","line":49,"range":{"start_line":49,"start_character":67,"end_line":49,"end_character":74},"in_reply_to":"8d8c8425_435a75fc","updated":"2024-02-05 11:02:59.000000000","message":"Done","commit_id":"7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc"},{"author":{"_account_id":29632,"name":"Carlos Eduardo","email":"ces.eduardo98@gmail.com","username":"silvacarlos"},"change_message_id":"cf0f723e26a2554b4c8fd8e4e76db9253cc2b033","unresolved":true,"context_lines":[{"line_number":47,"context_line":"share type will be ignored."},{"line_number":48,"context_line":""},{"line_number":49,"context_line":"In either scenario, after key is being fetched it will be given to backend."},{"line_number":50,"context_line":"The backend then talks with key store using KMIP(Key Management"},{"line_number":51,"context_line":"Interoperability Protocol) and then retrieve the key data. The key data is"},{"line_number":52,"context_line":"then used to encrypt the share by backend. 
Manila does not control the actual"},{"line_number":53,"context_line":"encryption of data as it is being done by backend driver and its proprietary"}],"source_content_type":"text/x-rst","patch_set":5,"id":"79054630_dc9daef9","line":50,"range":{"start_line":50,"start_character":47,"end_line":50,"end_character":49},"updated":"2024-01-09 13:38:24.000000000","message":"nit: please add a blank space between P and (","commit_id":"7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"ce20c78e714389377989ae85331fa97b39517469","unresolved":true,"context_lines":[{"line_number":47,"context_line":"share type will be ignored."},{"line_number":48,"context_line":""},{"line_number":49,"context_line":"In either scenario, after key is being fetched it will be given to backend."},{"line_number":50,"context_line":"The backend then talks with key store using KMIP(Key Management"},{"line_number":51,"context_line":"Interoperability Protocol) and then retrieve the key data. The key data is"},{"line_number":52,"context_line":"then used to encrypt the share by backend. 
Manila does not control the actual"},{"line_number":53,"context_line":"encryption of data as it is being done by backend driver and its proprietary"}],"source_content_type":"text/x-rst","patch_set":5,"id":"b9791f32_6cde283d","line":50,"range":{"start_line":50,"start_character":4,"end_line":50,"end_character":11},"updated":"2024-01-18 01:01:42.000000000","message":"storage back end","commit_id":"7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"a617aa9538edb1e806b34417a61330bff33fbdc0","unresolved":false,"context_lines":[{"line_number":47,"context_line":"share type will be ignored."},{"line_number":48,"context_line":""},{"line_number":49,"context_line":"In either scenario, after key is being fetched it will be given to backend."},{"line_number":50,"context_line":"The backend then talks with key store using KMIP(Key Management"},{"line_number":51,"context_line":"Interoperability Protocol) and then retrieve the key data. The key data is"},{"line_number":52,"context_line":"then used to encrypt the share by backend. 
Manila does not control the actual"},{"line_number":53,"context_line":"encryption of data as it is being done by backend driver and its proprietary"}],"source_content_type":"text/x-rst","patch_set":5,"id":"1f6bba70_4830515a","line":50,"range":{"start_line":50,"start_character":47,"end_line":50,"end_character":49},"in_reply_to":"79054630_dc9daef9","updated":"2024-02-05 11:02:59.000000000","message":"Done","commit_id":"7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"a617aa9538edb1e806b34417a61330bff33fbdc0","unresolved":false,"context_lines":[{"line_number":47,"context_line":"share type will be ignored."},{"line_number":48,"context_line":""},{"line_number":49,"context_line":"In either scenario, after key is being fetched it will be given to backend."},{"line_number":50,"context_line":"The backend then talks with key store using KMIP(Key Management"},{"line_number":51,"context_line":"Interoperability Protocol) and then retrieve the key data. The key data is"},{"line_number":52,"context_line":"then used to encrypt the share by backend. 
Manila does not control the actual"},{"line_number":53,"context_line":"encryption of data as it is being done by backend driver and its proprietary"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3983ebaa_2b58a8d0","line":50,"range":{"start_line":50,"start_character":4,"end_line":50,"end_character":11},"in_reply_to":"b9791f32_6cde283d","updated":"2024-02-05 11:02:59.000000000","message":"Done","commit_id":"7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"ce20c78e714389377989ae85331fa97b39517469","unresolved":true,"context_lines":[{"line_number":48,"context_line":""},{"line_number":49,"context_line":"In either scenario, after key is being fetched it will be given to backend."},{"line_number":50,"context_line":"The backend then talks with key store using KMIP(Key Management"},{"line_number":51,"context_line":"Interoperability Protocol) and then retrieve the key data. The key data is"},{"line_number":52,"context_line":"then used to encrypt the share by backend. 
Manila does not control the actual"},{"line_number":53,"context_line":"encryption of data as it is being done by backend driver and its proprietary"},{"line_number":54,"context_line":"methods."}],"source_content_type":"text/x-rst","patch_set":5,"id":"9f7a46fd_13280d94","line":51,"range":{"start_line":51,"start_character":31,"end_line":51,"end_character":44},"updated":"2024-01-18 01:01:42.000000000","message":"nit: retrieves","commit_id":"7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"a617aa9538edb1e806b34417a61330bff33fbdc0","unresolved":false,"context_lines":[{"line_number":48,"context_line":""},{"line_number":49,"context_line":"In either scenario, after key is being fetched it will be given to backend."},{"line_number":50,"context_line":"The backend then talks with key store using KMIP(Key Management"},{"line_number":51,"context_line":"Interoperability Protocol) and then retrieve the key data. The key data is"},{"line_number":52,"context_line":"then used to encrypt the share by backend. 
Manila does not control the actual"},{"line_number":53,"context_line":"encryption of data as it is being done by backend driver and its proprietary"},{"line_number":54,"context_line":"methods."}],"source_content_type":"text/x-rst","patch_set":5,"id":"b32add86_04113654","line":51,"range":{"start_line":51,"start_character":31,"end_line":51,"end_character":44},"in_reply_to":"9f7a46fd_13280d94","updated":"2024-02-05 11:02:59.000000000","message":"Done","commit_id":"7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"ce20c78e714389377989ae85331fa97b39517469","unresolved":true,"context_lines":[{"line_number":49,"context_line":"In either scenario, after key is being fetched it will be given to backend."},{"line_number":50,"context_line":"The backend then talks with key store using KMIP(Key Management"},{"line_number":51,"context_line":"Interoperability Protocol) and then retrieve the key data. The key data is"},{"line_number":52,"context_line":"then used to encrypt the share by backend. 
Manila does not control the actual"},{"line_number":53,"context_line":"encryption of data as it is being done by backend driver and its proprietary"},{"line_number":54,"context_line":"methods."},{"line_number":55,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"53c9e54a_2a96b4e3","line":52,"range":{"start_line":52,"start_character":25,"end_line":52,"end_character":41},"updated":"2024-01-18 01:01:42.000000000","message":"nit: \"share\u0027s data within the storage back end.\"","commit_id":"7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"a617aa9538edb1e806b34417a61330bff33fbdc0","unresolved":false,"context_lines":[{"line_number":49,"context_line":"In either scenario, after key is being fetched it will be given to backend."},{"line_number":50,"context_line":"The backend then talks with key store using KMIP(Key Management"},{"line_number":51,"context_line":"Interoperability Protocol) and then retrieve the key data. The key data is"},{"line_number":52,"context_line":"then used to encrypt the share by backend. 
Manila does not control the actual"},{"line_number":53,"context_line":"encryption of data as it is being done by backend driver and its proprietary"},{"line_number":54,"context_line":"methods."},{"line_number":55,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"adaf5951_ba789f80","line":52,"range":{"start_line":52,"start_character":25,"end_line":52,"end_character":41},"in_reply_to":"53c9e54a_2a96b4e3","updated":"2024-02-05 11:02:59.000000000","message":"Done","commit_id":"7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"ce20c78e714389377989ae85331fa97b39517469","unresolved":true,"context_lines":[{"line_number":50,"context_line":"The backend then talks with key store using KMIP(Key Management"},{"line_number":51,"context_line":"Interoperability Protocol) and then retrieve the key data. The key data is"},{"line_number":52,"context_line":"then used to encrypt the share by backend. Manila does not control the actual"},{"line_number":53,"context_line":"encryption of data as it is being done by backend driver and its proprietary"},{"line_number":54,"context_line":"methods."},{"line_number":55,"context_line":""},{"line_number":56,"context_line":"Please note, if key is not provided share will be encrypted using in-built"}],"source_content_type":"text/x-rst","patch_set":5,"id":"d9f44492_5a2edaee","line":53,"range":{"start_line":53,"start_character":65,"end_line":53,"end_character":76},"updated":"2024-01-18 01:01:42.000000000","message":"\"proprietary\" is inappropriate... \n\nperhaps replace with:\n\n\n\"\"\"\nThe actual encryption of the data at-rest is performed by the back end storage system. 
The scope of Manila\u0027s involvement ends with coordinating the user\u0027s secret with the Key Store.\n\"\"\"","commit_id":"7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"a617aa9538edb1e806b34417a61330bff33fbdc0","unresolved":false,"context_lines":[{"line_number":50,"context_line":"The backend then talks with key store using KMIP(Key Management"},{"line_number":51,"context_line":"Interoperability Protocol) and then retrieve the key data. The key data is"},{"line_number":52,"context_line":"then used to encrypt the share by backend. Manila does not control the actual"},{"line_number":53,"context_line":"encryption of data as it is being done by backend driver and its proprietary"},{"line_number":54,"context_line":"methods."},{"line_number":55,"context_line":""},{"line_number":56,"context_line":"Please note, if key is not provided share will be encrypted using in-built"}],"source_content_type":"text/x-rst","patch_set":5,"id":"677c5b68_5a162987","line":53,"range":{"start_line":53,"start_character":65,"end_line":53,"end_character":76},"in_reply_to":"d9f44492_5a2edaee","updated":"2024-02-05 11:02:59.000000000","message":"Done","commit_id":"7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"ce20c78e714389377989ae85331fa97b39517469","unresolved":true,"context_lines":[{"line_number":53,"context_line":"encryption of data as it is being done by backend driver and its proprietary"},{"line_number":54,"context_line":"methods."},{"line_number":55,"context_line":""},{"line_number":56,"context_line":"Please note, if key is not provided share will be encrypted using in-built"},{"line_number":57,"context_line":"mechanism of backend driver if supported otherwise it wont be 
encrypted."},{"line_number":58,"context_line":"However, if key is provided, share will be encrypted using key i.e. it will"},{"line_number":59,"context_line":"overwrite default or in-built mechanism."},{"line_number":60,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"37385415_5633a7ef","line":57,"range":{"start_line":56,"start_character":0,"end_line":57,"end_character":72},"updated":"2024-01-18 01:01:42.000000000","message":"What does this mean?\n\nI see two workflows:\n\n \n\u003d\u003d\u003d\u003d\u003d\n\n1) Manila generates encryption key and stores it on the keystore:\n\na) Admin configures Manila with key manager\nb) Admin creates a share type, and an encryption type\nc) User uses encryption-enabled share type to create a share\nd) Internally manila creates an encryption secret and stores it on the keystore; and provides all data to the storage system via its driver\ne) storage system reaches out to key store, and encrypts share data at rest with the key\n\n\u003d\u003d\u003d\u003d\u003d\n\n2) User provides key stored on the keystore\n\na) Admin configures Manila with key manager\nb) DOES Admin need to create a share type, and an encryption type anymore?\nc) User specifies key reference when creating a share\nd) Internally manila ensures the encryption secret exists, and provides data to the storage system via its driver\ne) storage system reaches out to key store, and encrypts share data at rest with the key\n\n\n\u003d\u003d\u003d\u003d\u003d\n\n\nam i understanding this correctly?\nwhat does this note mean?","commit_id":"7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc"},{"author":{"_account_id":29632,"name":"Carlos Eduardo","email":"ces.eduardo98@gmail.com","username":"silvacarlos"},"change_message_id":"cf0f723e26a2554b4c8fd8e4e76db9253cc2b033","unresolved":true,"context_lines":[{"line_number":54,"context_line":"methods."},{"line_number":55,"context_line":""},{"line_number":56,"context_line":"Please note, if key is not provided share will be 
encrypted using in-built"},{"line_number":57,"context_line":"mechanism of backend driver if supported otherwise it wont be encrypted."},{"line_number":58,"context_line":"However, if key is provided, share will be encrypted using key i.e. it will"},{"line_number":59,"context_line":"overwrite default or in-built mechanism."},{"line_number":60,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"50249993_70307d61","line":57,"range":{"start_line":57,"start_character":54,"end_line":57,"end_character":58},"updated":"2024-01-09 13:38:24.000000000","message":"won\u0027t","commit_id":"7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"a617aa9538edb1e806b34417a61330bff33fbdc0","unresolved":false,"context_lines":[{"line_number":53,"context_line":"encryption of data as it is being done by backend driver and its proprietary"},{"line_number":54,"context_line":"methods."},{"line_number":55,"context_line":""},{"line_number":56,"context_line":"Please note, if key is not provided share will be encrypted using in-built"},{"line_number":57,"context_line":"mechanism of backend driver if supported otherwise it wont be encrypted."},{"line_number":58,"context_line":"However, if key is provided, share will be encrypted using key i.e. it will"},{"line_number":59,"context_line":"overwrite default or in-built mechanism."},{"line_number":60,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"8b6c6967_bd2bbf4c","line":57,"range":{"start_line":56,"start_character":0,"end_line":57,"end_character":72},"in_reply_to":"37385415_5633a7ef","updated":"2024-02-05 11:02:59.000000000","message":"I mean to say some drivers (e.g. netapp) support default encryption. So even if no encryption key-ref or share-type is provided, the share can possibly still be encrypted if supported by the back end driver. 
But this is a confusing statement and hence removed.\n\nYes, the above mentioned 2 scenarios are the correct understanding.","commit_id":"7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"a617aa9538edb1e806b34417a61330bff33fbdc0","unresolved":false,"context_lines":[{"line_number":54,"context_line":"methods."},{"line_number":55,"context_line":""},{"line_number":56,"context_line":"Please note, if key is not provided share will be encrypted using in-built"},{"line_number":57,"context_line":"mechanism of backend driver if supported otherwise it wont be encrypted."},{"line_number":58,"context_line":"However, if key is provided, share will be encrypted using key i.e. it will"},{"line_number":59,"context_line":"overwrite default or in-built mechanism."},{"line_number":60,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"aac94f34_0739025b","line":57,"range":{"start_line":57,"start_character":54,"end_line":57,"end_character":58},"in_reply_to":"50249993_70307d61","updated":"2024-02-05 11:02:59.000000000","message":"Done","commit_id":"7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"ce20c78e714389377989ae85331fa97b39517469","unresolved":true,"context_lines":[{"line_number":61,"context_line":"Proposed change"},{"line_number":62,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":63,"context_line":""},{"line_number":64,"context_line":"* New API collection for encryption"},{"line_number":65,"context_line":""},{"line_number":66,"context_line":"  In order to support encryption with share type, we will introduce the basic"},{"line_number":67,"context_line":"  operations create/update/delete/list/show for 
encryption."}],"source_content_type":"text/x-rst","patch_set":5,"id":"3853aae6_38a2327c","line":64,"range":{"start_line":64,"start_character":25,"end_line":64,"end_character":35},"updated":"2024-01-18 01:01:42.000000000","message":"creating \"encryption specs\"","commit_id":"7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"a617aa9538edb1e806b34417a61330bff33fbdc0","unresolved":false,"context_lines":[{"line_number":61,"context_line":"Proposed change"},{"line_number":62,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":63,"context_line":""},{"line_number":64,"context_line":"* New API collection for encryption"},{"line_number":65,"context_line":""},{"line_number":66,"context_line":"  In order to support encryption with share type, we will introduce the basic"},{"line_number":67,"context_line":"  operations create/update/delete/list/show for encryption."}],"source_content_type":"text/x-rst","patch_set":5,"id":"7eab2080_c51e522a","line":64,"range":{"start_line":64,"start_character":25,"end_line":64,"end_character":35},"in_reply_to":"3853aae6_38a2327c","updated":"2024-02-05 11:02:59.000000000","message":"Done","commit_id":"7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"ce20c78e714389377989ae85331fa97b39517469","unresolved":true,"context_lines":[{"line_number":63,"context_line":""},{"line_number":64,"context_line":"* New API collection for encryption"},{"line_number":65,"context_line":""},{"line_number":66,"context_line":"  In order to support encryption with share type, we will introduce the basic"},{"line_number":67,"context_line":"  operations create/update/delete/list/show for 
encryption."},{"line_number":68,"context_line":""},{"line_number":69,"context_line":"* New database resource encryption"}],"source_content_type":"text/x-rst","patch_set":5,"id":"ddddbaa6_feffbc0b","line":66,"range":{"start_line":66,"start_character":72,"end_line":66,"end_character":77},"updated":"2024-01-18 01:01:42.000000000","message":"please drop \"basic\"","commit_id":"7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"a617aa9538edb1e806b34417a61330bff33fbdc0","unresolved":false,"context_lines":[{"line_number":63,"context_line":""},{"line_number":64,"context_line":"* New API collection for encryption"},{"line_number":65,"context_line":""},{"line_number":66,"context_line":"  In order to support encryption with share type, we will introduce the basic"},{"line_number":67,"context_line":"  operations create/update/delete/list/show for encryption."},{"line_number":68,"context_line":""},{"line_number":69,"context_line":"* New database resource encryption"}],"source_content_type":"text/x-rst","patch_set":5,"id":"632c4e6a_5576a98f","line":66,"range":{"start_line":66,"start_character":72,"end_line":66,"end_character":77},"in_reply_to":"ddddbaa6_feffbc0b","updated":"2024-02-05 11:02:59.000000000","message":"Done","commit_id":"7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"ce20c78e714389377989ae85331fa97b39517469","unresolved":true,"context_lines":[{"line_number":64,"context_line":"* New API collection for encryption"},{"line_number":65,"context_line":""},{"line_number":66,"context_line":"  In order to support encryption with share type, we will introduce the basic"},{"line_number":67,"context_line":"  operations create/update/delete/list/show for 
encryption."},{"line_number":68,"context_line":""},{"line_number":69,"context_line":"* New database resource encryption"},{"line_number":70,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"927baaa9_549ddd1b","line":67,"range":{"start_line":67,"start_character":44,"end_line":67,"end_character":59},"updated":"2024-01-18 01:01:42.000000000","message":"encryption specs associated with a share type.","commit_id":"7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"a617aa9538edb1e806b34417a61330bff33fbdc0","unresolved":false,"context_lines":[{"line_number":64,"context_line":"* New API collection for encryption"},{"line_number":65,"context_line":""},{"line_number":66,"context_line":"  In order to support encryption with share type, we will introduce the basic"},{"line_number":67,"context_line":"  operations create/update/delete/list/show for encryption."},{"line_number":68,"context_line":""},{"line_number":69,"context_line":"* New database resource encryption"},{"line_number":70,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"0429e5a0_4dda3fdf","line":67,"range":{"start_line":67,"start_character":44,"end_line":67,"end_character":59},"in_reply_to":"927baaa9_549ddd1b","updated":"2024-02-05 11:02:59.000000000","message":"Done","commit_id":"7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"ce20c78e714389377989ae85331fa97b39517469","unresolved":true,"context_lines":[{"line_number":71,"context_line":"  When creating a share type, user can specify encryption information such as"},{"line_number":72,"context_line":"  cipher, key_size, provider, control location."},{"line_number":73,"context_line":""},{"line_number":74,"context_line":"* Change in 
Manila"},{"line_number":75,"context_line":""},{"line_number":76,"context_line":"  Manila api service will add key manager interface and talk with key it e.g."},{"line_number":77,"context_line":"  Castellan(which internally talks with key store e.g. Barbican). The key"}],"source_content_type":"text/x-rst","patch_set":5,"id":"01d9ac1b_9ee99d9b","line":74,"range":{"start_line":74,"start_character":2,"end_line":74,"end_character":18},"updated":"2024-01-18 01:01:42.000000000","message":"everything specified here is a change in manila... \n\nDo you mean:\n\n \"Manila API service changes\"","commit_id":"7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"a617aa9538edb1e806b34417a61330bff33fbdc0","unresolved":false,"context_lines":[{"line_number":71,"context_line":"  When creating a share type, user can specify encryption information such as"},{"line_number":72,"context_line":"  cipher, key_size, provider, control location."},{"line_number":73,"context_line":""},{"line_number":74,"context_line":"* Change in Manila"},{"line_number":75,"context_line":""},{"line_number":76,"context_line":"  Manila api service will add key manager interface and talk with key it e.g."},{"line_number":77,"context_line":"  Castellan(which internally talks with key store e.g. Barbican). 
The key"}],"source_content_type":"text/x-rst","patch_set":5,"id":"772e5c03_73f7e8dc","line":74,"range":{"start_line":74,"start_character":2,"end_line":74,"end_character":18},"in_reply_to":"01d9ac1b_9ee99d9b","updated":"2024-02-05 11:02:59.000000000","message":"Done","commit_id":"7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"ce20c78e714389377989ae85331fa97b39517469","unresolved":true,"context_lines":[{"line_number":73,"context_line":""},{"line_number":74,"context_line":"* Change in Manila"},{"line_number":75,"context_line":""},{"line_number":76,"context_line":"  Manila api service will add key manager interface and talk with key it e.g."},{"line_number":77,"context_line":"  Castellan(which internally talks with key store e.g. Barbican). The key"},{"line_number":78,"context_line":"  manager will be configured via conf file."},{"line_number":79,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"f0992cd8_ea28959c","line":76,"range":{"start_line":76,"start_character":27,"end_line":76,"end_character":69},"updated":"2024-01-18 01:01:42.000000000","message":"\"allow configuration of a key manager. We will introduce an interface for the Manila API service to communicate with an external key manager (e.g. Castellan), which internally works with a key store (e.g. 
Barbican).\"","commit_id":"7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"a617aa9538edb1e806b34417a61330bff33fbdc0","unresolved":false,"context_lines":[{"line_number":73,"context_line":""},{"line_number":74,"context_line":"* Change in Manila"},{"line_number":75,"context_line":""},{"line_number":76,"context_line":"  Manila api service will add key manager interface and talk with key it e.g."},{"line_number":77,"context_line":"  Castellan(which internally talks with key store e.g. Barbican). The key"},{"line_number":78,"context_line":"  manager will be configured via conf file."},{"line_number":79,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"a61edfd8_7a47c415","line":76,"range":{"start_line":76,"start_character":27,"end_line":76,"end_character":69},"in_reply_to":"f0992cd8_ea28959c","updated":"2024-02-05 11:02:59.000000000","message":"Done","commit_id":"7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc"},{"author":{"_account_id":29632,"name":"Carlos Eduardo","email":"ces.eduardo98@gmail.com","username":"silvacarlos"},"change_message_id":"cf0f723e26a2554b4c8fd8e4e76db9253cc2b033","unresolved":true,"context_lines":[{"line_number":74,"context_line":"* Change in Manila"},{"line_number":75,"context_line":""},{"line_number":76,"context_line":"  Manila api service will add key manager interface and talk with key it e.g."},{"line_number":77,"context_line":"  Castellan(which internally talks with key store e.g. Barbican). 
The key"},{"line_number":78,"context_line":"  manager will be configured via conf file."},{"line_number":79,"context_line":""},{"line_number":80,"context_line":"* Changes in backend driver"}],"source_content_type":"text/x-rst","patch_set":5,"id":"f2f66fb8_97b9ef7c","line":77,"range":{"start_line":77,"start_character":10,"end_line":77,"end_character":12},"updated":"2024-01-09 13:38:24.000000000","message":"nit: please add a blank space here","commit_id":"7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"a617aa9538edb1e806b34417a61330bff33fbdc0","unresolved":false,"context_lines":[{"line_number":74,"context_line":"* Change in Manila"},{"line_number":75,"context_line":""},{"line_number":76,"context_line":"  Manila api service will add key manager interface and talk with key it e.g."},{"line_number":77,"context_line":"  Castellan(which internally talks with key store e.g. Barbican). The key"},{"line_number":78,"context_line":"  manager will be configured via conf file."},{"line_number":79,"context_line":""},{"line_number":80,"context_line":"* Changes in backend driver"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3764a416_4105513e","line":77,"range":{"start_line":77,"start_character":10,"end_line":77,"end_character":12},"in_reply_to":"f2f66fb8_97b9ef7c","updated":"2024-02-05 11:02:59.000000000","message":"Done","commit_id":"7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"ce20c78e714389377989ae85331fa97b39517469","unresolved":true,"context_lines":[{"line_number":76,"context_line":"  Manila api service will add key manager interface and talk with key it e.g."},{"line_number":77,"context_line":"  Castellan(which internally talks with key store e.g. Barbican). 
The key"},{"line_number":78,"context_line":"  manager will be configured via conf file."},{"line_number":79,"context_line":""},{"line_number":80,"context_line":"* Changes in backend driver"},{"line_number":81,"context_line":""},{"line_number":82,"context_line":"  A backend driver will get encryption key data or key ref which it will pass"}],"source_content_type":"text/x-rst","patch_set":5,"id":"2c4b33a0_df0ee1d6","line":79,"updated":"2024-01-18 01:01:42.000000000","message":"you mentioned that if an encryption key is not specified during creation, manila will need to create an encryption key.. is that correct? if yes, please add that detail here","commit_id":"7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"a617aa9538edb1e806b34417a61330bff33fbdc0","unresolved":false,"context_lines":[{"line_number":76,"context_line":"  Manila api service will add key manager interface and talk with key it e.g."},{"line_number":77,"context_line":"  Castellan(which internally talks with key store e.g. Barbican). 
The key"},{"line_number":78,"context_line":"  manager will be configured via conf file."},{"line_number":79,"context_line":""},{"line_number":80,"context_line":"* Changes in backend driver"},{"line_number":81,"context_line":""},{"line_number":82,"context_line":"  A backend driver will get encryption key data or key ref which it will pass"}],"source_content_type":"text/x-rst","patch_set":5,"id":"2ada91ff_1a735dcb","line":79,"in_reply_to":"2c4b33a0_df0ee1d6","updated":"2024-02-05 11:02:59.000000000","message":"Done","commit_id":"7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"ce20c78e714389377989ae85331fa97b39517469","unresolved":true,"context_lines":[{"line_number":79,"context_line":""},{"line_number":80,"context_line":"* Changes in backend driver"},{"line_number":81,"context_line":""},{"line_number":82,"context_line":"  A backend driver will get encryption key data or key ref which it will pass"},{"line_number":83,"context_line":"  to backend hardware to perform the encryption."},{"line_number":84,"context_line":""},{"line_number":85,"context_line":"  The fetched key data or key ref will then used by underlying backend e.g."},{"line_number":86,"context_line":"  NetApp ONTAP to encrypt the share."}],"source_content_type":"text/x-rst","patch_set":5,"id":"d8f6de16_cb584521","line":83,"range":{"start_line":82,"start_character":0,"end_line":83,"end_character":48},"updated":"2024-01-18 01:01:42.000000000","message":"which is it?  
\"encryption key data\" or \"key ref\"?","commit_id":"7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"a617aa9538edb1e806b34417a61330bff33fbdc0","unresolved":false,"context_lines":[{"line_number":79,"context_line":""},{"line_number":80,"context_line":"* Changes in backend driver"},{"line_number":81,"context_line":""},{"line_number":82,"context_line":"  A backend driver will get encryption key data or key ref which it will pass"},{"line_number":83,"context_line":"  to backend hardware to perform the encryption."},{"line_number":84,"context_line":""},{"line_number":85,"context_line":"  The fetched key data or key ref will then used by underlying backend e.g."},{"line_number":86,"context_line":"  NetApp ONTAP to encrypt the share."}],"source_content_type":"text/x-rst","patch_set":5,"id":"c1108a2c_51585cec","line":83,"range":{"start_line":82,"start_character":0,"end_line":83,"end_character":48},"in_reply_to":"d8f6de16_cb584521","updated":"2024-02-05 11:02:59.000000000","message":"key ref(this can be key-id if share-type is used or key-ref if provided by user during share create). In both cases, back end driver will have key ref with it.\nThe backend driver then talks with key-store to fetch key data to perform encryption.","commit_id":"7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"ce20c78e714389377989ae85331fa97b39517469","unresolved":true,"context_lines":[{"line_number":88,"context_line":"Alternatives"},{"line_number":89,"context_line":"------------"},{"line_number":90,"context_line":""},{"line_number":91,"context_line":"Considering few backend drivers e.g. NetApp ONTAP currently provides a way to"},{"line_number":92,"context_line":"encrypt share. 
This is being done using extra-specs field within share-type."},{"line_number":93,"context_line":"However with this approach, user does not have control over the encryption"},{"line_number":94,"context_line":"and can not use their own keys."}],"source_content_type":"text/x-rst","patch_set":5,"id":"6ee965b5_5f006277","line":91,"range":{"start_line":91,"start_character":60,"end_line":91,"end_character":68},"updated":"2024-01-18 01:01:42.000000000","message":"nit: provide","commit_id":"7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"a617aa9538edb1e806b34417a61330bff33fbdc0","unresolved":false,"context_lines":[{"line_number":88,"context_line":"Alternatives"},{"line_number":89,"context_line":"------------"},{"line_number":90,"context_line":""},{"line_number":91,"context_line":"Considering few backend drivers e.g. NetApp ONTAP currently provides a way to"},{"line_number":92,"context_line":"encrypt share. 
This is being done using extra-specs field within share-type."},{"line_number":93,"context_line":"However with this approach, user does not have control over the encryption"},{"line_number":94,"context_line":"and can not use their own keys."}],"source_content_type":"text/x-rst","patch_set":5,"id":"ab268be0_f49ba7f5","line":91,"range":{"start_line":91,"start_character":60,"end_line":91,"end_character":68},"in_reply_to":"6ee965b5_5f006277","updated":"2024-02-05 11:02:59.000000000","message":"Done","commit_id":"7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"ce20c78e714389377989ae85331fa97b39517469","unresolved":true,"context_lines":[{"line_number":94,"context_line":"and can not use their own keys."},{"line_number":95,"context_line":""},{"line_number":96,"context_line":"Also we could use the third-party projects to encrypt the file shares."},{"line_number":97,"context_line":""},{"line_number":98,"context_line":"Data model impact"},{"line_number":99,"context_line":"-----------------"},{"line_number":100,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"2cda8415_3cf9c406","line":97,"updated":"2024-01-18 01:01:42.000000000","message":"This section should answer the question:\n\n\"What are my alternatives if OpenStack Manila doesn\u0027t provide a way for users to use their own encryption keys?\"\n\n\n\nPerhaps:\n\n\n\n\"\"\"\n\nIf OpenStack Manila doesn\u0027t provide a way for users to manage their own encryption keys, the cloud may need an out-of-band solution, such as:\n\n- External or third party key management services that support integration with OpenStack Manila\n- Client-Side Encryption: forego data encryption at-rest. 
Users must encrypt their data locally on their clients before storing it in Manila shares\n- File-Level Encryption: encrypting individual files or directories within the clients using tools or libraries instead of encrypting the share data as a whole.\n- Custom Scripts or Tools: Deployment-local scripts that enable users to manage their encryption keys outside of OpenStack Manila. This may involve creating a user interface or command-line tool that interacts with OpenStack Manila and external key management systems.\n- OpenStack Manila Extensions: unofficial API extensions that can enhance the functionality of Manila to deal with encryption metadata.\n\nIn all, these alternatives are inferior to the convenience that we would provide by implementing the proposal in this specification.\n\n\"\"\"","commit_id":"7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"a617aa9538edb1e806b34417a61330bff33fbdc0","unresolved":false,"context_lines":[{"line_number":94,"context_line":"and can not use their own keys."},{"line_number":95,"context_line":""},{"line_number":96,"context_line":"Also we could use the third-party projects to encrypt the file shares."},{"line_number":97,"context_line":""},{"line_number":98,"context_line":"Data model impact"},{"line_number":99,"context_line":"-----------------"},{"line_number":100,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"c140b403_3b8fe031","line":97,"in_reply_to":"2cda8415_3cf9c406","updated":"2024-02-05 11:02:59.000000000","message":"Done","commit_id":"7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"ce20c78e714389377989ae85331fa97b39517469","unresolved":true,"context_lines":[{"line_number":121,"context_line":"  
+-----------------------+--------------+------+-----+---------+-------+"},{"line_number":122,"context_line":"  | provider              | varchar(255) | YES  |     | NULL    |       |"},{"line_number":123,"context_line":"  +-----------------------+--------------+------+-----+---------+-------+"},{"line_number":124,"context_line":"  | control_location      | varchar(255) | YES  |     | NULL    |       |"},{"line_number":125,"context_line":"  +-----------------------+--------------+------+-----+---------+-------+"},{"line_number":126,"context_line":""},{"line_number":127,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"a1dfb262_a9893fcd","line":124,"range":{"start_line":124,"start_character":56,"end_line":124,"end_character":60},"updated":"2024-01-18 01:01:42.000000000","message":"\"back-end\" ?","commit_id":"7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"a617aa9538edb1e806b34417a61330bff33fbdc0","unresolved":false,"context_lines":[{"line_number":121,"context_line":"  +-----------------------+--------------+------+-----+---------+-------+"},{"line_number":122,"context_line":"  | provider              | varchar(255) | YES  |     | NULL    |       |"},{"line_number":123,"context_line":"  +-----------------------+--------------+------+-----+---------+-------+"},{"line_number":124,"context_line":"  | control_location      | varchar(255) | YES  |     | NULL    |       |"},{"line_number":125,"context_line":"  +-----------------------+--------------+------+-----+---------+-------+"},{"line_number":126,"context_line":""},{"line_number":127,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"f66dbcb5_abd62602","line":124,"range":{"start_line":124,"start_character":56,"end_line":124,"end_character":60},"in_reply_to":"a1dfb262_a9893fcd","updated":"2024-02-05 
11:02:59.000000000","message":"Done","commit_id":"7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc"},{"author":{"_account_id":29632,"name":"Carlos Eduardo","email":"ces.eduardo98@gmail.com","username":"silvacarlos"},"change_message_id":"cf0f723e26a2554b4c8fd8e4e76db9253cc2b033","unresolved":true,"context_lines":[{"line_number":125,"context_line":"  +-----------------------+--------------+------+-----+---------+-------+"},{"line_number":126,"context_line":""},{"line_number":127,"context_line":""},{"line_number":128,"context_line":"* New field in shares table"},{"line_number":129,"context_line":""},{"line_number":130,"context_line":"  +-----------------------+---------------+------+-----+---------+-------+"},{"line_number":131,"context_line":"  | Field                 | Type          | Null | Key | Default | Extra |"}],"source_content_type":"text/x-rst","patch_set":5,"id":"aea3954e_41d55424","line":128,"range":{"start_line":128,"start_character":0,"end_line":128,"end_character":27},"updated":"2024-01-09 13:38:24.000000000","message":"shouldn\u0027t we have this for snapshots, backups (and possibly) replicas too?","commit_id":"7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"a617aa9538edb1e806b34417a61330bff33fbdc0","unresolved":false,"context_lines":[{"line_number":125,"context_line":"  +-----------------------+--------------+------+-----+---------+-------+"},{"line_number":126,"context_line":""},{"line_number":127,"context_line":""},{"line_number":128,"context_line":"* New field in shares table"},{"line_number":129,"context_line":""},{"line_number":130,"context_line":"  +-----------------------+---------------+------+-----+---------+-------+"},{"line_number":131,"context_line":"  | Field                 | Type          | Null | Key | Default | Extra 
|"}],"source_content_type":"text/x-rst","patch_set":5,"id":"61114290_87e4b846","line":128,"range":{"start_line":128,"start_character":0,"end_line":128,"end_character":27},"in_reply_to":"96615198_52a2edb8","updated":"2024-02-05 11:02:59.000000000","message":"Done","commit_id":"7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"ce20c78e714389377989ae85331fa97b39517469","unresolved":true,"context_lines":[{"line_number":125,"context_line":"  +-----------------------+--------------+------+-----+---------+-------+"},{"line_number":126,"context_line":""},{"line_number":127,"context_line":""},{"line_number":128,"context_line":"* New field in shares table"},{"line_number":129,"context_line":""},{"line_number":130,"context_line":"  +-----------------------+---------------+------+-----+---------+-------+"},{"line_number":131,"context_line":"  | Field                 | Type          | Null | Key | Default | Extra |"}],"source_content_type":"text/x-rst","patch_set":5,"id":"96615198_52a2edb8","line":128,"range":{"start_line":128,"start_character":0,"end_line":128,"end_character":27},"in_reply_to":"aea3954e_41d55424","updated":"2024-01-18 01:01:42.000000000","message":"I do think its relevant to snapshots... \n\nbackups and replicas less so... 
I expect that all replicas of the share would have the same encryption key","commit_id":"7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc"},{"author":{"_account_id":29632,"name":"Carlos Eduardo","email":"ces.eduardo98@gmail.com","username":"silvacarlos"},"change_message_id":"cf0f723e26a2554b4c8fd8e4e76db9253cc2b033","unresolved":true,"context_lines":[{"line_number":147,"context_line":"  +-----------------------+---------------+------+-----+---------+-------+"},{"line_number":148,"context_line":"  | encrypt_ref           | varchar(1023) | YES  |     | NULL    |       |"},{"line_number":149,"context_line":"  +-----------------------+---------------+------+-----+---------+-------+"},{"line_number":150,"context_line":"  | share_id              | varchar(255)  | YES  |     | NULL    |       |"},{"line_number":151,"context_line":"  +-----------------------+---------------+------+-----+---------+-------+"},{"line_number":152,"context_line":"  | deleted               | tinyint(1)    | YES  |     | NULL    |       |"},{"line_number":153,"context_line":"  +-----------------------+---------------+------+-----+---------+-------+"}],"source_content_type":"text/x-rst","patch_set":5,"id":"1d93b7a7_15c15229","line":150,"range":{"start_line":150,"start_character":4,"end_line":150,"end_character":12},"updated":"2024-01-09 13:38:24.000000000","message":"if we are expanding this to snapshots and backups, this table should be more generic and this field should be named resource_id, as it would span also snapshots and backups","commit_id":"7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"ce20c78e714389377989ae85331fa97b39517469","unresolved":true,"context_lines":[{"line_number":147,"context_line":"  +-----------------------+---------------+------+-----+---------+-------+"},{"line_number":148,"context_line":"  | encrypt_ref           | varchar(1023) | YES  |     | 
NULL    |       |"},{"line_number":149,"context_line":"  +-----------------------+---------------+------+-----+---------+-------+"},{"line_number":150,"context_line":"  | share_id              | varchar(255)  | YES  |     | NULL    |       |"},{"line_number":151,"context_line":"  +-----------------------+---------------+------+-----+---------+-------+"},{"line_number":152,"context_line":"  | deleted               | tinyint(1)    | YES  |     | NULL    |       |"},{"line_number":153,"context_line":"  +-----------------------+---------------+------+-----+---------+-------+"}],"source_content_type":"text/x-rst","patch_set":5,"id":"2211c54f_88812c59","line":150,"range":{"start_line":150,"start_character":4,"end_line":150,"end_character":12},"in_reply_to":"1d93b7a7_15c15229","updated":"2024-01-18 01:01:42.000000000","message":"then you\u0027ll also need a \"resource_type\"","commit_id":"7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"a617aa9538edb1e806b34417a61330bff33fbdc0","unresolved":false,"context_lines":[{"line_number":147,"context_line":"  +-----------------------+---------------+------+-----+---------+-------+"},{"line_number":148,"context_line":"  | encrypt_ref           | varchar(1023) | YES  |     | NULL    |       |"},{"line_number":149,"context_line":"  +-----------------------+---------------+------+-----+---------+-------+"},{"line_number":150,"context_line":"  | share_id              | varchar(255)  | YES  |     | NULL    |       |"},{"line_number":151,"context_line":"  +-----------------------+---------------+------+-----+---------+-------+"},{"line_number":152,"context_line":"  | deleted               | tinyint(1)    | YES  |     | NULL    |       |"},{"line_number":153,"context_line":"  
+-----------------------+---------------+------+-----+---------+-------+"}],"source_content_type":"text/x-rst","patch_set":5,"id":"48d93eec_036fafea","line":150,"range":{"start_line":150,"start_character":4,"end_line":150,"end_character":12},"in_reply_to":"2211c54f_88812c59","updated":"2024-02-05 11:02:59.000000000","message":"I have removed this table.\n1) Share-type based encryption will generate an encryption key id from the key manager and put it in the resources table.\n2) With non share-type based encryption, the end user will pass the encryption-key-id directly, and it will be passed straight to the backend storage driver. If manila has access to the key manager, manila can validate it; otherwise it will just pass it to the backend storage driver.","commit_id":"7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc"},{"author":{"_account_id":29632,"name":"Carlos Eduardo","email":"ces.eduardo98@gmail.com","username":"silvacarlos"},"change_message_id":"cf0f723e26a2554b4c8fd8e4e76db9253cc2b033","unresolved":true,"context_lines":[{"line_number":204,"context_line":""},{"line_number":205,"context_line":"openstack share type 
list [--encryption-type]"},{"line_number":206,"context_line":""},{"line_number":207,"context_line":"* encryption-type: Display encryption information for each volume type in list"},{"line_number":208,"context_line":""},{"line_number":209,"context_line":""},{"line_number":210,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"25ce38db_3a8a13b9","line":207,"range":{"start_line":207,"start_character":59,"end_line":207,"end_character":70},"in_reply_to":"7921ee4f_c775cdba","updated":"2024-02-05 11:02:59.000000000","message":"Done","commit_id":"7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"ce20c78e714389377989ae85331fa97b39517469","unresolved":true,"context_lines":[{"line_number":307,"context_line":"-------------"},{"line_number":308,"context_line":"The backend driver needs to implement:"},{"line_number":309,"context_line":""},{"line_number":310,"context_line":"*  Function to talk with key-store using KMIP protocol"},{"line_number":311,"context_line":""},{"line_number":312,"context_line":"*  Encrypt the share with key data sent from key-store e.g. 
Barbican"},{"line_number":313,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"55b138ed_ed2b1409","line":310,"range":{"start_line":310,"start_character":3,"end_line":310,"end_character":54},"updated":"2024-01-18 01:01:42.000000000","message":"Does the driver need to do this?","commit_id":"7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"a617aa9538edb1e806b34417a61330bff33fbdc0","unresolved":false,"context_lines":[{"line_number":307,"context_line":"-------------"},{"line_number":308,"context_line":"The backend driver needs to implement:"},{"line_number":309,"context_line":""},{"line_number":310,"context_line":"*  Function to talk with key-store using KMIP protocol"},{"line_number":311,"context_line":""},{"line_number":312,"context_line":"*  Encrypt the share with key data sent from key-store e.g. Barbican"},{"line_number":313,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"7e2729de_fee2cd0f","line":310,"range":{"start_line":310,"start_character":3,"end_line":310,"end_character":54},"in_reply_to":"55b138ed_ed2b1409","updated":"2024-02-05 11:02:59.000000000","message":"removed","commit_id":"7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"ce20c78e714389377989ae85331fa97b39517469","unresolved":true,"context_lines":[{"line_number":309,"context_line":""},{"line_number":310,"context_line":"*  Function to talk with key-store using KMIP protocol"},{"line_number":311,"context_line":""},{"line_number":312,"context_line":"*  Encrypt the share with key data sent from key-store e.g. 
Barbican"},{"line_number":313,"context_line":""},{"line_number":314,"context_line":"* In case DHSS\u003dtrue, the share server encryption will be done by driver"},{"line_number":315,"context_line":"  in-built mechanism while volume level encryption will be done by user"}],"source_content_type":"text/x-rst","patch_set":5,"id":"34716572_e803fe46","line":312,"range":{"start_line":312,"start_character":0,"end_line":312,"end_character":68},"updated":"2024-01-18 01:01:42.000000000","message":"Instruct the back end storage system to Encrypt the share with key data sent from key-store e.g. Barbican","commit_id":"7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"a617aa9538edb1e806b34417a61330bff33fbdc0","unresolved":false,"context_lines":[{"line_number":309,"context_line":""},{"line_number":310,"context_line":"*  Function to talk with key-store using KMIP protocol"},{"line_number":311,"context_line":""},{"line_number":312,"context_line":"*  Encrypt the share with key data sent from key-store e.g. 
Barbican"},{"line_number":313,"context_line":""},{"line_number":314,"context_line":"* In case DHSS\u003dtrue, the share server encryption will be done by driver"},{"line_number":315,"context_line":"  in-built mechanism while volume level encryption will be done by user"}],"source_content_type":"text/x-rst","patch_set":5,"id":"487d9ba0_02c32d92","line":312,"range":{"start_line":312,"start_character":0,"end_line":312,"end_character":68},"in_reply_to":"34716572_e803fe46","updated":"2024-02-05 11:02:59.000000000","message":"updated","commit_id":"7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc"},{"author":{"_account_id":29632,"name":"Carlos Eduardo","email":"ces.eduardo98@gmail.com","username":"silvacarlos"},"change_message_id":"cf0f723e26a2554b4c8fd8e4e76db9253cc2b033","unresolved":true,"context_lines":[{"line_number":312,"context_line":"*  Encrypt the share with key data sent from key-store e.g. Barbican"},{"line_number":313,"context_line":""},{"line_number":314,"context_line":"* In case DHSS\u003dtrue, the share server encryption will be done by driver"},{"line_number":315,"context_line":"  in-built mechanism while volume level encryption will be done by user"},{"line_number":316,"context_line":"  provided key."},{"line_number":317,"context_line":""},{"line_number":318,"context_line":"Security impact"}],"source_content_type":"text/x-rst","patch_set":5,"id":"42e28c2b_eaea5f47","line":315,"range":{"start_line":315,"start_character":27,"end_line":315,"end_character":33},"updated":"2024-01-09 13:38:24.000000000","message":"share","commit_id":"7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"a617aa9538edb1e806b34417a61330bff33fbdc0","unresolved":false,"context_lines":[{"line_number":312,"context_line":"*  Encrypt the share with key data sent from key-store e.g. 
Barbican"},{"line_number":313,"context_line":""},{"line_number":314,"context_line":"* In case DHSS\u003dtrue, the share server encryption will be done by driver"},{"line_number":315,"context_line":"  in-built mechanism while volume level encryption will be done by user"},{"line_number":316,"context_line":"  provided key."},{"line_number":317,"context_line":""},{"line_number":318,"context_line":"Security impact"}],"source_content_type":"text/x-rst","patch_set":5,"id":"2529ece3_978fdd2c","line":315,"range":{"start_line":315,"start_character":27,"end_line":315,"end_character":33},"in_reply_to":"42e28c2b_eaea5f47","updated":"2024-02-05 11:02:59.000000000","message":"Done","commit_id":"7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"ce20c78e714389377989ae85331fa97b39517469","unresolved":true,"context_lines":[{"line_number":311,"context_line":""},{"line_number":312,"context_line":"*  Encrypt the share with key data sent from key-store e.g. Barbican"},{"line_number":313,"context_line":""},{"line_number":314,"context_line":"* In case DHSS\u003dtrue, the share server encryption will be done by driver"},{"line_number":315,"context_line":"  in-built mechanism while volume level encryption will be done by user"},{"line_number":316,"context_line":"  provided key."},{"line_number":317,"context_line":""},{"line_number":318,"context_line":"Security impact"},{"line_number":319,"context_line":"---------------"}],"source_content_type":"text/x-rst","patch_set":5,"id":"f6e001df_e7b3e4a6","line":316,"range":{"start_line":314,"start_character":2,"end_line":316,"end_character":15},"updated":"2024-01-18 01:01:42.000000000","message":"I think this is confusing.. 
\n\n\nFirstly, a \"share server\" always exists, whether DHSS\u003dTrue or False; with DHSS\u003dTrue, drivers can create share servers on the fly, with DHSS\u003dFalse, it is assumed there is one share server for all the shares. \n\nSecond, I think you need to clarify that this specification does not target encryption at the share server level. If a share server has any sort of encryption settings, the expectation on the back end storage system and its driver is that the per-share encryption settings from Manila will override the encryption settings of the share server for the given share.","commit_id":"7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"a617aa9538edb1e806b34417a61330bff33fbdc0","unresolved":false,"context_lines":[{"line_number":311,"context_line":""},{"line_number":312,"context_line":"*  Encrypt the share with key data sent from key-store e.g. 
Barbican"},{"line_number":313,"context_line":""},{"line_number":314,"context_line":"* In case DHSS\u003dtrue, the share server encryption will be done by driver"},{"line_number":315,"context_line":"  in-built mechanism while volume level encryption will be done by user"},{"line_number":316,"context_line":"  provided key."},{"line_number":317,"context_line":""},{"line_number":318,"context_line":"Security impact"},{"line_number":319,"context_line":"---------------"}],"source_content_type":"text/x-rst","patch_set":5,"id":"4be52ef3_e42a4d7b","line":316,"range":{"start_line":314,"start_character":2,"end_line":316,"end_character":15},"in_reply_to":"f6e001df_e7b3e4a6","updated":"2024-02-05 11:02:59.000000000","message":"Done","commit_id":"7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"98202b8ba82f526be262b75ce604289cfab7f930","unresolved":true,"context_lines":[{"line_number":19,"context_line":"much else regarding the encryption process. Ideally, users must be allowed to"},{"line_number":20,"context_line":"create and manage their own encryption keys. This specification proposes an"},{"line_number":21,"context_line":"approach that enables Manila to coordinate user defined encryption keys for"},{"line_number":22,"context_line":"\"back-end\" (at rest) encryption of share data. 
An encryption solution based"},{"line_number":23,"context_line":"on the existing one from cinder `[1]`_."},{"line_number":24,"context_line":""},{"line_number":25,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"8ce5f41d_7ff15b9a","line":22,"range":{"start_line":22,"start_character":47,"end_line":22,"end_character":49},"updated":"2024-02-05 23:38:14.000000000","message":"nit: missing the noun and verb to associate with the subject\n\n\"This spec proposes an encryption ...\"","commit_id":"02fc22953ffcf3e31a89bc5fe9bd1697a70830c5"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"10c252e1ffbd847a31b7503b24873291c9546fd4","unresolved":false,"context_lines":[{"line_number":19,"context_line":"much else regarding the encryption process. Ideally, users must be allowed to"},{"line_number":20,"context_line":"create and manage their own encryption keys. This specification proposes an"},{"line_number":21,"context_line":"approach that enables Manila to coordinate user defined encryption keys for"},{"line_number":22,"context_line":"\"back-end\" (at rest) encryption of share data. 
An encryption solution based"},{"line_number":23,"context_line":"on the existing one from cinder `[1]`_."},{"line_number":24,"context_line":""},{"line_number":25,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"4edc90d7_a8b571a4","line":22,"range":{"start_line":22,"start_character":47,"end_line":22,"end_character":49},"in_reply_to":"8ce5f41d_7ff15b9a","updated":"2024-02-06 09:44:53.000000000","message":"Done","commit_id":"02fc22953ffcf3e31a89bc5fe9bd1697a70830c5"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"98202b8ba82f526be262b75ce604289cfab7f930","unresolved":true,"context_lines":[{"line_number":75,"context_line":""},{"line_number":76,"context_line":"In order to support share encrytion, administrator needs to create a manila"},{"line_number":77,"context_line":"share type and associate encryption information with it. The information"},{"line_number":78,"context_line":"contain fields such as size of encryption key, encryption provider class,"},{"line_number":79,"context_line":"control location and encryption algorithm e.g. aes-xts-plain64. If share is"},{"line_number":80,"context_line":"created using such share types, Manila will generate encryption key with"},{"line_number":81,"context_line":"the help of key store e.g. 
Barbican."}],"source_content_type":"text/x-rst","patch_set":6,"id":"32161c66_52f03c06","line":78,"range":{"start_line":78,"start_character":0,"end_line":78,"end_character":7},"updated":"2024-02-05 23:38:14.000000000","message":"nit: contains","commit_id":"02fc22953ffcf3e31a89bc5fe9bd1697a70830c5"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"10c252e1ffbd847a31b7503b24873291c9546fd4","unresolved":false,"context_lines":[{"line_number":75,"context_line":""},{"line_number":76,"context_line":"In order to support share encrytion, administrator needs to create a manila"},{"line_number":77,"context_line":"share type and associate encryption information with it. The information"},{"line_number":78,"context_line":"contain fields such as size of encryption key, encryption provider class,"},{"line_number":79,"context_line":"control location and encryption algorithm e.g. aes-xts-plain64. If share is"},{"line_number":80,"context_line":"created using such share types, Manila will generate encryption key with"},{"line_number":81,"context_line":"the help of key store e.g. Barbican."}],"source_content_type":"text/x-rst","patch_set":6,"id":"833ccf9e_62bcd291","line":78,"range":{"start_line":78,"start_character":0,"end_line":78,"end_character":7},"in_reply_to":"32161c66_52f03c06","updated":"2024-02-06 09:44:53.000000000","message":"Done","commit_id":"02fc22953ffcf3e31a89bc5fe9bd1697a70830c5"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"98202b8ba82f526be262b75ce604289cfab7f930","unresolved":true,"context_lines":[{"line_number":76,"context_line":"In order to support share encrytion, administrator needs to create a manila"},{"line_number":77,"context_line":"share type and associate encryption information with it. 
The information"},{"line_number":78,"context_line":"contain fields such as size of encryption key, encryption provider class,"},{"line_number":79,"context_line":"control location and encryption algorithm e.g. aes-xts-plain64. If share is"},{"line_number":80,"context_line":"created using such share types, Manila will generate encryption key with"},{"line_number":81,"context_line":"the help of key store e.g. Barbican."},{"line_number":82,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"9e7f15a6_c3c49250","line":79,"range":{"start_line":79,"start_character":67,"end_line":79,"end_character":72},"updated":"2024-02-05 23:38:14.000000000","message":"nit: a share\n\nor \n\nIf shares are created using such share types..","commit_id":"02fc22953ffcf3e31a89bc5fe9bd1697a70830c5"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"10c252e1ffbd847a31b7503b24873291c9546fd4","unresolved":false,"context_lines":[{"line_number":76,"context_line":"In order to support share encrytion, administrator needs to create a manila"},{"line_number":77,"context_line":"share type and associate encryption information with it. The information"},{"line_number":78,"context_line":"contain fields such as size of encryption key, encryption provider class,"},{"line_number":79,"context_line":"control location and encryption algorithm e.g. aes-xts-plain64. If share is"},{"line_number":80,"context_line":"created using such share types, Manila will generate encryption key with"},{"line_number":81,"context_line":"the help of key store e.g. 
Barbican."},{"line_number":82,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"79cd689e_6b44094a","line":79,"range":{"start_line":79,"start_character":67,"end_line":79,"end_character":72},"in_reply_to":"9e7f15a6_c3c49250","updated":"2024-02-06 09:44:53.000000000","message":"Done","commit_id":"02fc22953ffcf3e31a89bc5fe9bd1697a70830c5"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"98202b8ba82f526be262b75ce604289cfab7f930","unresolved":true,"context_lines":[{"line_number":77,"context_line":"share type and associate encryption information with it. The information"},{"line_number":78,"context_line":"contain fields such as size of encryption key, encryption provider class,"},{"line_number":79,"context_line":"control location and encryption algorithm e.g. aes-xts-plain64. If share is"},{"line_number":80,"context_line":"created using such share types, Manila will generate encryption key with"},{"line_number":81,"context_line":"the help of key store e.g. Barbican."},{"line_number":82,"context_line":""},{"line_number":83,"context_line":"The user can also encrypt the share using their own keys. Such keys are stored"}],"source_content_type":"text/x-rst","patch_set":6,"id":"3b4a8c5b_678bbf4d","line":80,"range":{"start_line":80,"start_character":52,"end_line":80,"end_character":54},"updated":"2024-02-05 23:38:14.000000000","message":"nit: an","commit_id":"02fc22953ffcf3e31a89bc5fe9bd1697a70830c5"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"10c252e1ffbd847a31b7503b24873291c9546fd4","unresolved":false,"context_lines":[{"line_number":77,"context_line":"share type and associate encryption information with it. 
The information"},{"line_number":78,"context_line":"contain fields such as size of encryption key, encryption provider class,"},{"line_number":79,"context_line":"control location and encryption algorithm e.g. aes-xts-plain64. If share is"},{"line_number":80,"context_line":"created using such share types, Manila will generate encryption key with"},{"line_number":81,"context_line":"the help of key store e.g. Barbican."},{"line_number":82,"context_line":""},{"line_number":83,"context_line":"The user can also encrypt the share using their own keys. Such keys are stored"}],"source_content_type":"text/x-rst","patch_set":6,"id":"6d240a5c_2344a780","line":80,"range":{"start_line":80,"start_character":52,"end_line":80,"end_character":54},"in_reply_to":"3b4a8c5b_678bbf4d","updated":"2024-02-06 09:44:53.000000000","message":"Done","commit_id":"02fc22953ffcf3e31a89bc5fe9bd1697a70830c5"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"98202b8ba82f526be262b75ce604289cfab7f930","unresolved":true,"context_lines":[{"line_number":87,"context_line":"ref, manila will throw error."},{"line_number":88,"context_line":""},{"line_number":89,"context_line":"In either scenario, after key is being fetched it will be given to storage"},{"line_number":90,"context_line":"back end driver. The storoge back end driver then talks with key-store using"},{"line_number":91,"context_line":"KMIP (Key Management Interoperability Protocol) and then retrieves the key"},{"line_number":92,"context_line":"data. 
The key data is then used to encrypt the share\u0027s data within the storage"},{"line_number":93,"context_line":"back end."}],"source_content_type":"text/x-rst","patch_set":6,"id":"9d6f038a_dbb01078","line":90,"range":{"start_line":90,"start_character":21,"end_line":90,"end_character":28},"updated":"2024-02-05 23:38:14.000000000","message":"spelling: storage","commit_id":"02fc22953ffcf3e31a89bc5fe9bd1697a70830c5"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"10c252e1ffbd847a31b7503b24873291c9546fd4","unresolved":false,"context_lines":[{"line_number":87,"context_line":"ref, manila will throw error."},{"line_number":88,"context_line":""},{"line_number":89,"context_line":"In either scenario, after key is being fetched it will be given to storage"},{"line_number":90,"context_line":"back end driver. The storoge back end driver then talks with key-store using"},{"line_number":91,"context_line":"KMIP (Key Management Interoperability Protocol) and then retrieves the key"},{"line_number":92,"context_line":"data. 
The key data is then used to encrypt the share\u0027s data within the storage"},{"line_number":93,"context_line":"back end."}],"source_content_type":"text/x-rst","patch_set":6,"id":"bd52e0d6_3e5c8df7","line":90,"range":{"start_line":90,"start_character":21,"end_line":90,"end_character":28},"in_reply_to":"9d6f038a_dbb01078","updated":"2024-02-06 09:44:53.000000000","message":"Done","commit_id":"02fc22953ffcf3e31a89bc5fe9bd1697a70830c5"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"98202b8ba82f526be262b75ce604289cfab7f930","unresolved":true,"context_lines":[{"line_number":140,"context_line":"* Things to consider for this spec"},{"line_number":141,"context_line":""},{"line_number":142,"context_line":"  If share is created from encryption based share-type, Manila will not"},{"line_number":143,"context_line":"  1. Share unmanage"},{"line_number":144,"context_line":"  2. Share transfer"},{"line_number":145,"context_line":"  3. 
Share backup"},{"line_number":146,"context_line":""},{"line_number":147,"context_line":"  In future, some of these operation might be allowed for encrypted share."},{"line_number":148,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"19477280_b11429f1","line":145,"range":{"start_line":143,"start_character":0,"end_line":145,"end_character":17},"updated":"2024-02-05 23:38:14.000000000","message":"nit: rewrite: \n\n```\nManila will not permit the following actions on the share:\n\n - unmanage\n - transfer\n - backup\n\n```","commit_id":"02fc22953ffcf3e31a89bc5fe9bd1697a70830c5"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"10c252e1ffbd847a31b7503b24873291c9546fd4","unresolved":false,"context_lines":[{"line_number":140,"context_line":"* Things to consider for this spec"},{"line_number":141,"context_line":""},{"line_number":142,"context_line":"  If share is created from encryption based share-type, Manila will not"},{"line_number":143,"context_line":"  1. Share unmanage"},{"line_number":144,"context_line":"  2. Share transfer"},{"line_number":145,"context_line":"  3. 
Share backup"},{"line_number":146,"context_line":""},{"line_number":147,"context_line":"  In future, some of these operation might be allowed for encrypted share."},{"line_number":148,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"a1e59735_fff79274","line":145,"range":{"start_line":143,"start_character":0,"end_line":145,"end_character":17},"in_reply_to":"19477280_b11429f1","updated":"2024-02-06 09:44:53.000000000","message":"Done","commit_id":"02fc22953ffcf3e31a89bc5fe9bd1697a70830c5"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"98202b8ba82f526be262b75ce604289cfab7f930","unresolved":true,"context_lines":[{"line_number":236,"context_line":"* encryption-cipher: Set the encryption algorithm or mode for this share type"},{"line_number":237,"context_line":"* encryption-key-size: Set the size of the encryption key of this share type"},{"line_number":238,"context_line":"* name: Name of share type."},{"line_number":239,"context_line":""},{"line_number":240,"context_line":""},{"line_number":241,"context_line":"openstack share type show [--encryption-type]"},{"line_number":242,"context_line":"                          \u003cshare-type\u003e"}],"source_content_type":"text/x-rst","patch_set":6,"id":"500d7025_da8e1380","line":239,"updated":"2024-02-05 23:38:14.000000000","message":"I think you also need an extra-spec to ensure that you\u0027re scheduling to backends that support this style of encryption.. So far, we only have vendor specific extra-specs such as \"netapp_flexvol_encryption\".. \n\n\nA generic encryption capability called \"encryption_support\" can be introduced, defaulting to False. 
Admins then would have to either set \"encryption_support\" to True explicitly, or specify these encryption options so that we can set this ourselves.","commit_id":"02fc22953ffcf3e31a89bc5fe9bd1697a70830c5"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"10c252e1ffbd847a31b7503b24873291c9546fd4","unresolved":false,"context_lines":[{"line_number":236,"context_line":"* encryption-cipher: Set the encryption algorithm or mode for this share type"},{"line_number":237,"context_line":"* encryption-key-size: Set the size of the encryption key of this share type"},{"line_number":238,"context_line":"* name: Name of share type."},{"line_number":239,"context_line":""},{"line_number":240,"context_line":""},{"line_number":241,"context_line":"openstack share type show [--encryption-type]"},{"line_number":242,"context_line":"                          \u003cshare-type\u003e"}],"source_content_type":"text/x-rst","patch_set":6,"id":"82b8289d_61fea316","line":239,"in_reply_to":"500d7025_da8e1380","updated":"2024-02-06 09:44:53.000000000","message":"Done","commit_id":"02fc22953ffcf3e31a89bc5fe9bd1697a70830c5"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"98202b8ba82f526be262b75ce604289cfab7f930","unresolved":true,"context_lines":[{"line_number":366,"context_line":""},{"line_number":367,"context_line":"If the share-type is not known to manila, the API will respond with"},{"line_number":368,"context_line":"``404 Not Found``. If any share is already created from share-type,"},{"line_number":369,"context_line":"manila will not allow to delete encryption type. 
User must delete"},{"line_number":370,"context_line":"all shares from share-type and then only can delete encryption type."},{"line_number":371,"context_line":""},{"line_number":372,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"a9268bb8_1129865a","line":369,"range":{"start_line":369,"start_character":22,"end_line":369,"end_character":47},"updated":"2024-02-05 23:38:14.000000000","message":"nit: deletion of the corresponding encryption type.","commit_id":"02fc22953ffcf3e31a89bc5fe9bd1697a70830c5"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"10c252e1ffbd847a31b7503b24873291c9546fd4","unresolved":false,"context_lines":[{"line_number":366,"context_line":""},{"line_number":367,"context_line":"If the share-type is not known to manila, the API will respond with"},{"line_number":368,"context_line":"``404 Not Found``. If any share is already created from share-type,"},{"line_number":369,"context_line":"manila will not allow to delete encryption type. User must delete"},{"line_number":370,"context_line":"all shares from share-type and then only can delete encryption type."},{"line_number":371,"context_line":""},{"line_number":372,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"05b9ed19_a94abddf","line":369,"range":{"start_line":369,"start_character":22,"end_line":369,"end_character":47},"in_reply_to":"a9268bb8_1129865a","updated":"2024-02-06 09:44:53.000000000","message":"Done","commit_id":"02fc22953ffcf3e31a89bc5fe9bd1697a70830c5"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"98202b8ba82f526be262b75ce604289cfab7f930","unresolved":true,"context_lines":[{"line_number":367,"context_line":"If the share-type is not known to manila, the API will respond with"},{"line_number":368,"context_line":"``404 Not Found``. 
If any share is already created from share-type,"},{"line_number":369,"context_line":"manila will not allow to delete encryption type. User must delete"},{"line_number":370,"context_line":"all shares from share-type and then only can delete encryption type."},{"line_number":371,"context_line":""},{"line_number":372,"context_line":""},{"line_number":373,"context_line":"Driver impact"}],"source_content_type":"text/x-rst","patch_set":6,"id":"eda92003_38169693","line":370,"range":{"start_line":370,"start_character":36,"end_line":370,"end_character":40},"updated":"2024-02-05 23:38:14.000000000","message":"nit: drop \"only\"","commit_id":"02fc22953ffcf3e31a89bc5fe9bd1697a70830c5"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"10c252e1ffbd847a31b7503b24873291c9546fd4","unresolved":false,"context_lines":[{"line_number":367,"context_line":"If the share-type is not known to manila, the API will respond with"},{"line_number":368,"context_line":"``404 Not Found``. If any share is already created from share-type,"},{"line_number":369,"context_line":"manila will not allow to delete encryption type. 
User must delete"},{"line_number":370,"context_line":"all shares from share-type and then only can delete encryption type."},{"line_number":371,"context_line":""},{"line_number":372,"context_line":""},{"line_number":373,"context_line":"Driver impact"}],"source_content_type":"text/x-rst","patch_set":6,"id":"2e6c6169_18b5f501","line":370,"range":{"start_line":370,"start_character":36,"end_line":370,"end_character":40},"in_reply_to":"eda92003_38169693","updated":"2024-02-06 09:44:53.000000000","message":"Done","commit_id":"02fc22953ffcf3e31a89bc5fe9bd1697a70830c5"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"1e32701c2b7ac51c6ae6c709a7f75f527c97a0b4","unresolved":true,"context_lines":[{"line_number":77,"context_line":"share type and associate encryption information with it. The information"},{"line_number":78,"context_line":"contains fields such as size of encryption key, encryption provider class,"},{"line_number":79,"context_line":"control location and encryption algorithm e.g. aes-xts-plain64. If a share is"},{"line_number":80,"context_line":"created using such share types, Manila will an generate encryption key with"},{"line_number":81,"context_line":"the help of key-store e.g. Barbican."},{"line_number":82,"context_line":""},{"line_number":83,"context_line":"The user can also encrypt the share using their own keys. 
Such keys are stored"}],"source_content_type":"text/x-rst","patch_set":7,"id":"6797e7b3_252a209d","line":80,"range":{"start_line":80,"start_character":44,"end_line":80,"end_character":56},"updated":"2024-02-08 04:37:45.000000000","message":"generate an","commit_id":"78fe49cc3d0342bf8d54166a55db80297c5aaa0d"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"c6764bd8c653e827ca0bb19ebbb38e24c3ccce61","unresolved":false,"context_lines":[{"line_number":77,"context_line":"share type and associate encryption information with it. The information"},{"line_number":78,"context_line":"contains fields such as size of encryption key, encryption provider class,"},{"line_number":79,"context_line":"control location and encryption algorithm e.g. aes-xts-plain64. If a share is"},{"line_number":80,"context_line":"created using such share types, Manila will an generate encryption key with"},{"line_number":81,"context_line":"the help of key-store e.g. Barbican."},{"line_number":82,"context_line":""},{"line_number":83,"context_line":"The user can also encrypt the share using their own keys. Such keys are stored"}],"source_content_type":"text/x-rst","patch_set":7,"id":"45cf9231_22bd3aa4","line":80,"range":{"start_line":80,"start_character":44,"end_line":80,"end_character":56},"in_reply_to":"6797e7b3_252a209d","updated":"2024-02-08 11:12:41.000000000","message":"Done","commit_id":"78fe49cc3d0342bf8d54166a55db80297c5aaa0d"},{"author":{"_account_id":18816,"name":"Maurice Escher","display_name":"carthaca","email":"maurice.escher@sap.com","username":"mapocace"},"change_message_id":"5f4902b049086fa41501aa886a5a09ee3479389b","unresolved":true,"context_lines":[{"line_number":81,"context_line":"the help of key-store e.g. Barbican."},{"line_number":82,"context_line":""},{"line_number":83,"context_line":"The user can also encrypt the share using their own keys. 
Such keys are stored"},{"line_number":84,"context_line":"in key store supported by driver e.g. Barbican. In this case, use need to use"},{"line_number":85,"context_line":"share type without encyrption information i.e. if share type with encryption"},{"line_number":86,"context_line":"information is used to create share along-with user provided encryption key"},{"line_number":87,"context_line":"ref, manila will throw error."}],"source_content_type":"text/x-rst","patch_set":7,"id":"ac2ae4e4_cb8ab535","line":84,"range":{"start_line":84,"start_character":62,"end_line":84,"end_character":70},"updated":"2024-02-08 12:29:40.000000000","message":"the user needs","commit_id":"78fe49cc3d0342bf8d54166a55db80297c5aaa0d"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"d273ebc7dddf019b0015fc903b5b742beb7d040c","unresolved":false,"context_lines":[{"line_number":81,"context_line":"the help of key-store e.g. Barbican."},{"line_number":82,"context_line":""},{"line_number":83,"context_line":"The user can also encrypt the share using their own keys. Such keys are stored"},{"line_number":84,"context_line":"in key store supported by driver e.g. Barbican. In this case, use need to use"},{"line_number":85,"context_line":"share type without encyrption information i.e. 
if share type with encryption"},{"line_number":86,"context_line":"information is used to create share along-with user provided encryption key"},{"line_number":87,"context_line":"ref, manila will throw error."}],"source_content_type":"text/x-rst","patch_set":7,"id":"0b5d15bd_0914232c","line":84,"range":{"start_line":84,"start_character":62,"end_line":84,"end_character":70},"in_reply_to":"ac2ae4e4_cb8ab535","updated":"2024-02-08 12:36:03.000000000","message":"Done","commit_id":"78fe49cc3d0342bf8d54166a55db80297c5aaa0d"},{"author":{"_account_id":18816,"name":"Maurice Escher","display_name":"carthaca","email":"maurice.escher@sap.com","username":"mapocace"},"change_message_id":"5f4902b049086fa41501aa886a5a09ee3479389b","unresolved":true,"context_lines":[{"line_number":82,"context_line":""},{"line_number":83,"context_line":"The user can also encrypt the share using their own keys. Such keys are stored"},{"line_number":84,"context_line":"in key store supported by driver e.g. Barbican. In this case, use need to use"},{"line_number":85,"context_line":"share type without encyrption information i.e. if share type with encryption"},{"line_number":86,"context_line":"information is used to create share along-with user provided encryption key"},{"line_number":87,"context_line":"ref, manila will throw error."},{"line_number":88,"context_line":""}],"source_content_type":"text/x-rst","patch_set":7,"id":"8a058079_0effa510","line":85,"range":{"start_line":85,"start_character":19,"end_line":85,"end_character":29},"updated":"2024-02-08 12:29:40.000000000","message":"encryption","commit_id":"78fe49cc3d0342bf8d54166a55db80297c5aaa0d"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"d273ebc7dddf019b0015fc903b5b742beb7d040c","unresolved":false,"context_lines":[{"line_number":82,"context_line":""},{"line_number":83,"context_line":"The user can also encrypt the share using their own keys. 
Such keys are stored"},{"line_number":84,"context_line":"in key store supported by driver e.g. Barbican. In this case, use need to use"},{"line_number":85,"context_line":"share type without encyrption information i.e. if share type with encryption"},{"line_number":86,"context_line":"information is used to create share along-with user provided encryption key"},{"line_number":87,"context_line":"ref, manila will throw error."},{"line_number":88,"context_line":""}],"source_content_type":"text/x-rst","patch_set":7,"id":"3005a282_7b005248","line":85,"range":{"start_line":85,"start_character":19,"end_line":85,"end_character":29},"in_reply_to":"8a058079_0effa510","updated":"2024-02-08 12:36:03.000000000","message":"Done","commit_id":"78fe49cc3d0342bf8d54166a55db80297c5aaa0d"},{"author":{"_account_id":18816,"name":"Maurice Escher","display_name":"carthaca","email":"maurice.escher@sap.com","username":"mapocace"},"change_message_id":"5f4902b049086fa41501aa886a5a09ee3479389b","unresolved":true,"context_lines":[{"line_number":141,"context_line":"  introduced, defaulting to False. Admins then would have to either set"},{"line_number":142,"context_line":"  \"encryption_support\" to True explicitly, or specify these encryption"},{"line_number":143,"context_line":"  options so that Manila will set it. 
This will help to filter the storage"},{"line_number":144,"context_line":"  back ends that support such style of encyrption."},{"line_number":145,"context_line":""},{"line_number":146,"context_line":"* Things to consider for this spec"},{"line_number":147,"context_line":""}],"source_content_type":"text/x-rst","patch_set":7,"id":"0b69e77c_366e7999","line":144,"range":{"start_line":144,"start_character":39,"end_line":144,"end_character":49},"updated":"2024-02-08 12:29:40.000000000","message":"encryption","commit_id":"78fe49cc3d0342bf8d54166a55db80297c5aaa0d"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"d273ebc7dddf019b0015fc903b5b742beb7d040c","unresolved":false,"context_lines":[{"line_number":141,"context_line":"  introduced, defaulting to False. Admins then would have to either set"},{"line_number":142,"context_line":"  \"encryption_support\" to True explicitly, or specify these encryption"},{"line_number":143,"context_line":"  options so that Manila will set it. 
This will help to filter the storage"},{"line_number":144,"context_line":"  back ends that support such style of encyrption."},{"line_number":145,"context_line":""},{"line_number":146,"context_line":"* Things to consider for this spec"},{"line_number":147,"context_line":""}],"source_content_type":"text/x-rst","patch_set":7,"id":"c6663a50_ac776f8a","line":144,"range":{"start_line":144,"start_character":39,"end_line":144,"end_character":49},"in_reply_to":"0b69e77c_366e7999","updated":"2024-02-08 12:36:03.000000000","message":"Done","commit_id":"78fe49cc3d0342bf8d54166a55db80297c5aaa0d"}],"specs/dalmatian/share_encryption.rst":[{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"5cad2a4910b6f325002a2d14853fe49204960159","unresolved":true,"context_lines":[{"line_number":232,"context_line":"--------------"},{"line_number":233,"context_line":""},{"line_number":234,"context_line":"Add new parameters to commands in openstackclient(OSC):"},{"line_number":235,"context_line":""},{"line_number":236,"context_line":"openstack share type create [--encryption-provider \u003cprovider\u003e]"},{"line_number":237,"context_line":"                            [--encryption-cipher \u003ccipher\u003e]"},{"line_number":238,"context_line":"                            [--encryption-key-size \u003ckey-size\u003e]"},{"line_number":239,"context_line":"                            \u003cname\u003e"},{"line_number":240,"context_line":""},{"line_number":241,"context_line":"* encryption-provider: Set the class that provides encryption support for this"},{"line_number":242,"context_line":"                       share type (e.g “LuksEncryptor”)"}],"source_content_type":"text/x-rst","patch_set":10,"id":"b8e2f0a3_12ebe0cb","line":239,"range":{"start_line":235,"start_character":0,"end_line":239,"end_character":34},"updated":"2024-02-13 17:25:06.000000000","message":"enclose commands in a:\n```\n  .. 
code \n  \n```\n  \nsection. The formatting in the doc o/p is a bit messed up because sphinx thinks the first line of each command is a heading..","commit_id":"bcfdc98cbc88fc7f82b5ee395e75aa221d20fd68"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"97ac760272dcd506addc4989ed063f72d0d08fa7","unresolved":false,"context_lines":[{"line_number":232,"context_line":"--------------"},{"line_number":233,"context_line":""},{"line_number":234,"context_line":"Add new parameters to commands in openstackclient(OSC):"},{"line_number":235,"context_line":""},{"line_number":236,"context_line":"openstack share type create [--encryption-provider \u003cprovider\u003e]"},{"line_number":237,"context_line":"                            [--encryption-cipher \u003ccipher\u003e]"},{"line_number":238,"context_line":"                            [--encryption-key-size \u003ckey-size\u003e]"},{"line_number":239,"context_line":"                            \u003cname\u003e"},{"line_number":240,"context_line":""},{"line_number":241,"context_line":"* encryption-provider: Set the class that provides encryption support for this"},{"line_number":242,"context_line":"                       share type (e.g “LuksEncryptor”)"}],"source_content_type":"text/x-rst","patch_set":10,"id":"fe982f49_5843f050","line":239,"range":{"start_line":235,"start_character":0,"end_line":239,"end_character":34},"in_reply_to":"b8e2f0a3_12ebe0cb","updated":"2024-02-26 14:22:58.000000000","message":"Done","commit_id":"bcfdc98cbc88fc7f82b5ee395e75aa221d20fd68"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"5cad2a4910b6f325002a2d14853fe49204960159","unresolved":true,"context_lines":[{"line_number":382,"context_line":"-------------"},{"line_number":383,"context_line":"The backend driver needs to 
implement:"},{"line_number":384,"context_line":""},{"line_number":385,"context_line":"* Instruct the back end storage system to Encrypt the share with key"},{"line_number":386,"context_line":"   data sent from key-store e.g. Barbican"},{"line_number":387,"context_line":""},{"line_number":388,"context_line":"Security impact"},{"line_number":389,"context_line":"---------------"}],"source_content_type":"text/x-rst","patch_set":10,"id":"589d91b8_2d5bed14","line":386,"range":{"start_line":385,"start_character":0,"end_line":386,"end_character":41},"updated":"2024-02-13 17:25:06.000000000","message":"this needn\u0027t be a bulleted list; the doc formatting breaks because of the space added before the second line. Either line up \"data\" with \"Instruct\", or convert this section into a paragraph instead of a list","commit_id":"bcfdc98cbc88fc7f82b5ee395e75aa221d20fd68"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"97ac760272dcd506addc4989ed063f72d0d08fa7","unresolved":false,"context_lines":[{"line_number":382,"context_line":"-------------"},{"line_number":383,"context_line":"The backend driver needs to implement:"},{"line_number":384,"context_line":""},{"line_number":385,"context_line":"* Instruct the back end storage system to Encrypt the share with key"},{"line_number":386,"context_line":"   data sent from key-store e.g. 
Barbican"},{"line_number":387,"context_line":""},{"line_number":388,"context_line":"Security impact"},{"line_number":389,"context_line":"---------------"}],"source_content_type":"text/x-rst","patch_set":10,"id":"c996095f_6ca9edcb","line":386,"range":{"start_line":385,"start_character":0,"end_line":386,"end_character":41},"in_reply_to":"589d91b8_2d5bed14","updated":"2024-02-26 14:22:58.000000000","message":"Done","commit_id":"bcfdc98cbc88fc7f82b5ee395e75aa221d20fd68"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"ad055441ac3f296e45b37adc00385fc863e33aa9","unresolved":true,"context_lines":[{"line_number":234,"context_line":"Add new parameters to commands in openstackclient(OSC):"},{"line_number":235,"context_line":""},{"line_number":236,"context_line":""},{"line_number":237,"context_line":"    .. code"},{"line_number":238,"context_line":""},{"line_number":239,"context_line":"       openstack share type create [--encryption-provider \u003cprovider\u003e]"},{"line_number":240,"context_line":"                                   [--encryption-cipher \u003ccipher\u003e]"}],"source_content_type":"text/x-rst","patch_set":11,"id":"30fb8e3e_d33b89ea","line":237,"range":{"start_line":237,"start_character":0,"end_line":237,"end_character":11},"updated":"2024-02-27 22:21:37.000000000","message":"these annotations shouldn\u0027t be indented.. 
\n\nplease see the o/p: https://1b366c06238369d2a3aa-922c284b53012421c7cb8203c60422be.ssl.cf5.rackcdn.com/898999/11/check/openstack-tox-docs/8da72c1/docs/specs/dalmatian/share_encryption.html\n\nYou can build this doc locally too, to see how things look before you submit:\n\n\n```\n tox -e docs\n```","commit_id":"986f9b501b737f4d861973b2f30144e3041b2bec"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"4d8c18352d064a9d930c9b85233c0ed064765d8d","unresolved":false,"context_lines":[{"line_number":234,"context_line":"Add new parameters to commands in openstackclient(OSC):"},{"line_number":235,"context_line":""},{"line_number":236,"context_line":""},{"line_number":237,"context_line":"    .. code"},{"line_number":238,"context_line":""},{"line_number":239,"context_line":"       openstack share type create [--encryption-provider \u003cprovider\u003e]"},{"line_number":240,"context_line":"                                   [--encryption-cipher \u003ccipher\u003e]"}],"source_content_type":"text/x-rst","patch_set":11,"id":"7b8ae290_603f35c3","line":237,"range":{"start_line":237,"start_character":0,"end_line":237,"end_character":11},"in_reply_to":"30fb8e3e_d33b89ea","updated":"2024-02-28 12:57:28.000000000","message":"Done","commit_id":"986f9b501b737f4d861973b2f30144e3041b2bec"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"bdf6a579d655fd4c9959e069c6773657f9aa480f","unresolved":true,"context_lines":[{"line_number":147,"context_line":""},{"line_number":148,"context_line":"  If share is created from encryption based share-type, Manila will not permit"},{"line_number":149,"context_line":"  the following actions on the share:"},{"line_number":150,"context_line":"  - unmanage"},{"line_number":151,"context_line":"  - transfer"},{"line_number":152,"context_line":"  - 
backup"},{"line_number":153,"context_line":""}],"source_content_type":"text/x-rst","patch_set":16,"id":"33604d05_a247da0c","line":150,"updated":"2024-03-05 23:31:04.000000000","message":"add a blank line above for this list to be formatted properly","commit_id":"dcfd3ad11f24298e826b59878f1d880beb8f6473"},{"author":{"_account_id":29632,"name":"Carlos Eduardo","email":"ces.eduardo98@gmail.com","username":"silvacarlos"},"change_message_id":"0ce2b8a69612304e35b2cbdb10f4f99eb17e61a7","unresolved":false,"context_lines":[{"line_number":147,"context_line":""},{"line_number":148,"context_line":"  If share is created from encryption based share-type, Manila will not permit"},{"line_number":149,"context_line":"  the following actions on the share:"},{"line_number":150,"context_line":"  - unmanage"},{"line_number":151,"context_line":"  - transfer"},{"line_number":152,"context_line":"  - backup"},{"line_number":153,"context_line":""}],"source_content_type":"text/x-rst","patch_set":16,"id":"7ed902ae_e2548794","line":150,"in_reply_to":"33604d05_a247da0c","updated":"2024-03-14 13:16:07.000000000","message":"Done","commit_id":"dcfd3ad11f24298e826b59878f1d880beb8f6473"}]}
