)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"c620386dd9fdad5ab379b150d5f600c77adb1ec6","unresolved":true,"context_lines":[{"line_number":4,"context_line":"Commit:     Kiran Pawar \u003ckinpaa@gmail.com\u003e"},{"line_number":5,"context_line":"CommitDate: 2025-04-24 12:26:26 +0000"},{"line_number":6,"context_line":""},{"line_number":7,"context_line":"Update spec for share encryption (NetApp use-case)"},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"Currently, manila doesn\u0027t support user controlled way to encrypt the"},{"line_number":10,"context_line":"shares. This spec intends to make this possible."}],"source_content_type":"text/x-gerrit-commit-message","patch_set":7,"id":"4694a4cd_ddef7273","line":7,"range":{"start_line":7,"start_character":33,"end_line":7,"end_character":50},"updated":"2025-05-01 03:29:15.000000000","message":"I would remove this from the title - the spec doesn\u0027t have to be specific to a storage driver. You\u0027re proposing this for a class of storage drivers - those that support DHSS\u003dTrue","commit_id":"0cb3316bc029e25a86f0e569e9abffef2e1805d3"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"429c726ec9fd62eed1adce357d83b70a7070a1b3","unresolved":false,"context_lines":[{"line_number":4,"context_line":"Commit:     Kiran Pawar \u003ckinpaa@gmail.com\u003e"},{"line_number":5,"context_line":"CommitDate: 2025-04-24 12:26:26 +0000"},{"line_number":6,"context_line":""},{"line_number":7,"context_line":"Update spec for share encryption (NetApp use-case)"},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"Currently, manila doesn\u0027t support user controlled way to encrypt the"},{"line_number":10,"context_line":"shares. 
This spec intends to make this possible."}],"source_content_type":"text/x-gerrit-commit-message","patch_set":7,"id":"9ed9bb8e_ebe269b0","line":7,"range":{"start_line":7,"start_character":33,"end_line":7,"end_character":50},"in_reply_to":"4694a4cd_ddef7273","updated":"2025-05-02 10:34:10.000000000","message":"Done","commit_id":"0cb3316bc029e25a86f0e569e9abffef2e1805d3"}],"/PATCHSET_LEVEL":[{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"848cddefbc5b0d6f7660060f00cd5e563269c597","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"e650db47_dbbac911","updated":"2025-02-06 21:48:16.000000000","message":"Thanks for the update, several questions inline\n\nAlso @manicsaran@gmail.com mentioned that you could share the backend interactions with Barbican.. maybe it\u0027d be a useful addition to the Appendix of this specification, or atleast serve as a helpful guide to reviewers.","commit_id":"6b381bec1fce0078077e08749e65fcbb4807342e"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"e72f0bc28d170d023745e0514b133b8c2a21d615","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"90e7ac6e_8833a1d5","updated":"2025-01-30 13:36:55.000000000","message":"updated from https://review.opendev.org/c/openstack/manila-specs/+/898999","commit_id":"6b381bec1fce0078077e08749e65fcbb4807342e"},{"author":{"_account_id":18816,"name":"Maurice Escher","display_name":"carthaca","email":"maurice.escher@sap.com","username":"mapocace"},"change_message_id":"2f6052468fa8328f3496e148ca3702b96619ffa7","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"22223fe2_9b4f6d8b","updated":"2025-04-16 11:18:46.000000000","message":"Thanks for updating the spec.\n\nWill the idea of the new encryption_keys_per_share_network quota be part of 
this here or added as a later improvement?","commit_id":"9317b0b3a3b85104efb1a9edcb3150e28ce7d358"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"8c217951a014bdeaed894c58b6394fab0e0db541","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"924cb4ab_ade9755e","in_reply_to":"22223fe2_9b4f6d8b","updated":"2025-04-16 14:07:08.000000000","message":"added.","commit_id":"9317b0b3a3b85104efb1a9edcb3150e28ce7d358"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"e4e25f4c144086657d43b3c432b9722cda8a5a5b","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"dde910f3_aad4eb1c","updated":"2025-04-19 05:54:59.000000000","message":"Addressed comments, need +1 for logic/workflow approval.","commit_id":"29e6781d844f11ce3c3a10ac1f4827d298b0c363"},{"author":{"_account_id":29632,"name":"Carlos Eduardo","email":"ces.eduardo98@gmail.com","username":"silvacarlos"},"change_message_id":"e66244a67e2c45f70def2adf2f569d66a69718c4","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"f6f14fd8_d48563b4","updated":"2025-04-17 15:58:54.000000000","message":"Thanks for the spec updates, I have some questions inline. Please take a look","commit_id":"29e6781d844f11ce3c3a10ac1f4827d298b0c363"},{"author":{"_account_id":30407,"name":"haixin","email":"haixin_haixin@qq.com","username":"haixin"},"change_message_id":"bac30530f33c7908855b2979e3a5a2adceefdf79","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"50519464_ed3c063a","updated":"2025-04-18 07:18:35.000000000","message":"hi, Kiran Pawar. thanks for your update. 
here are some comments.","commit_id":"29e6781d844f11ce3c3a10ac1f4827d298b0c363"},{"author":{"_account_id":36179,"name":"Saikumar Pulluri","display_name":"Saikumar Pulluri","email":"saikumar1016@gmail.com","username":"pulluri"},"change_message_id":"c40c2b07fcf2e61c0b5430f7120528d7752b90d4","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":6,"id":"f986a028_7d97c25e","updated":"2025-04-22 05:30:48.000000000","message":"Hey Kiran, really appreciate your efforts! Thanks for working on this spec. I know we had discussed offline for most of the points but just updated the NetApp specific cases just for clarity. Specs looks good to me from NetApp driver point of view!","commit_id":"74f33a6158373c31d69d3b514e861934917b4830"},{"author":{"_account_id":36179,"name":"Saikumar Pulluri","display_name":"Saikumar Pulluri","email":"saikumar1016@gmail.com","username":"pulluri"},"change_message_id":"25bb1147b720aed40e58b1294db2fccabd8f1b88","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":6,"id":"23ba2285_3c54121b","updated":"2025-04-22 05:31:28.000000000","message":"LGTM, thanks!","commit_id":"74f33a6158373c31d69d3b514e861934917b4830"},{"author":{"_account_id":30407,"name":"haixin","email":"haixin_haixin@qq.com","username":"haixin"},"change_message_id":"e04fc254f1d979b80c9b0bc85dfd60e9649f6380","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":6,"id":"590ad2d1_e41d6b37","updated":"2025-04-21 05:24:20.000000000","message":"LGTM.","commit_id":"74f33a6158373c31d69d3b514e861934917b4830"},{"author":{"_account_id":18816,"name":"Maurice Escher","display_name":"carthaca","email":"maurice.escher@sap.com","username":"mapocace"},"change_message_id":"8a91cf21b752df9d2e4757fa66b651d41aaaf7f0","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":6,"id":"bcd93353_0d798807","updated":"2025-04-22 07:53:14.000000000","message":"Thanks for the steady improvements and reworks on the spec. 
I found a few typos (optional).\nThe -1 is given for the comment about the quota validation inline, please have a look.","commit_id":"74f33a6158373c31d69d3b514e861934917b4830"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"c620386dd9fdad5ab379b150d5f600c77adb1ec6","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":7,"id":"4ca43cff_25712615","updated":"2025-05-01 03:29:15.000000000","message":"Hi Kiran, thanks for your changes.. some more comments inline","commit_id":"0cb3316bc029e25a86f0e569e9abffef2e1805d3"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"a82b87ca74d1fa7d7d4720c1acf4b3206ed3b8f7","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":9,"id":"1b72bf57_74fe65af","updated":"2025-05-08 18:19:08.000000000","message":"Hi, \n\nsharing some notes from the collab review we had: \n\nhttps://etherpad.opendev.org/p/share-encryption-with-barbican-secret-ref\n\n\n\n\nDuring the collab review, the following changes were deliberated:\n\nWe\u0027ll decouple \"encryption_support\" from \"netapp_flexvol_encryption\" - a coupling that the proposal above suggests. 
The new workflow is:\n    \n- Share backend drivers can report \"encryption_support\" as a capability\n- the capability can have any of these values: [\"share\"], [\"share_server\"], [\"share\", \"share_server\"], None\n- \"share\" would mean that encryption keys are supported per-share\n- \"share_server\" would mean that encryption keys are supported per share-server\n- None would mean that encryption_support isn\u0027t provided by the backend driver\n- having both keys would mean that either case is possible - so the user can request whatever they\u0027d like through share type extra-specs\n- Administrators can now create a tenant-visible extra-spec on share types called \"encryption_support\". It can have a string value\n- \"share\": meaning that the user can expect encryption keys to be per-share\n- \"share_server\": meaning that the user can expect encryption keys to apply at the share server level\n- None: no encryption needed (admins wouldn\u0027t include this as an extra-spec at all, unless they explicitly want to match a backend that doesn\u0027t support encryption)\n- End users would use a share type and create their shares\n- if they specify a \"encryption-key-ref\" during share creation, if the share type has \"encryption_support\" set to either \"share\" or \"share_server\", manila will validate the encryption key ref with barbican and store the encryption key ref in the share model in the database (or the share instance model - that\u0027s an implementation detail) \n- if they don\u0027t specify an \"encryption-key-ref\" during share creation, regardless of the value of \"encryption_support\" in the share type, the share is not encrypted\n\n\nHow share drivers are expected to work:\n- If BYOK share encryption is supported, a driver must report \"encryption_support\" as a capability setting the appropriate value:  [\"share\"], [\"share_server\"], [\"share\", \"share_server\"]\n- If BYOK share encryption isn\u0027t supported, the base driver will report 
\"encryption_support\" as None\n- When a share creation request arrives, if DHSS\u003dTrue, drivers will be asked to provide a compatible share server - the call will include the share\u0027s encryption-key-ref (if provided) along with all the other network details \n- if a share server exists with the appropriate key ref and satisfying the networking parameters, the driver can present that server\n- if a compatible share server doesn\u0027t exist, the driver returns [] and the share manager will ask the driver to create a new server through _setup_server by providing the network details, encryption-key-ref and appropriate data (barbican details, app creds etc)\n- When the encryption key ref isn\u0027t provided by the end user:\n- They expect that the share isn\u0027t encrypted. BUT, they could be using a share type and share network that allows scheduling on an available share server that has encryption setup previously. This is perfectly valid, the driver isn\u0027t supposed to encrypt that share even if it is exported on the same share server that has been setup for encryption\n\nQuotas to prevent misuse:\n- In the workflow suggested above, there\u0027s a possibility that users can cause the creation of new share servers and exhaust a limited resource\n- Ideally you\u0027d have a limit on the number of share networks (this quota exists today) and the number of share encryption keys (this quota must be supported newly) \n- another option explored in the past is a quota for encryption_keys_per_network\n- gouthamr isn\u0027t sure why this proposal wasn\u0027t accepted, but understands that a broad quota on share encryption keys could also work to prevent misuse\n\nNetApp must explicitly ensure through their documentation that \"netapp_flexvol_encryption\" has nothing to do with this BYOK share encryption feature. It shouldn\u0027t be used in combination. 
A recommendation: the driver can raise an error and a user message when someone uses both extra-specs on a share type.","commit_id":"649c3d61bd54e2e0af1a778045d8dd212c025825"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"d4655130b6e8514f1fac704ce0280f3d46774309","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":9,"id":"51c8b743_141edad0","in_reply_to":"1b72bf57_74fe65af","updated":"2025-05-09 10:43:35.000000000","message":"I have updated spec based on discussion. \n\nw.r.t \"netapp_flexvol_encryption\", Admin can set it to True or False (does not matter), but if encryption_key_ref is provided in share create request, only that ref will be considered. i.e. \"netapp_flexvol_encryption\"\" will be silently ignored. Hence its not mentioned in spec anymore.","commit_id":"649c3d61bd54e2e0af1a778045d8dd212c025825"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"41fb8aaad2cb34a39909f6692ef56e700777a52f","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":10,"id":"62635b7e_b01ec4ef","updated":"2025-05-09 22:55:44.000000000","message":"Thanks for the updates; some more comments inline","commit_id":"1005c3a73cc9dd2508361d1f56be621ad9aa6199"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"d1cce5bb9e2150c756c2aa156e9be27fd22207bc","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":11,"id":"ce2f8719_f301355e","updated":"2025-05-27 22:47:38.000000000","message":"Couple of quota related things to fix up; ty Kiran!","commit_id":"bad8d7d6e3c69775d522a72042fa232412c65f14"},{"author":{"_account_id":36179,"name":"Saikumar Pulluri","display_name":"Saikumar 
Pulluri","email":"saikumar1016@gmail.com","username":"pulluri"},"change_message_id":"2a89309fe5ed7e2d79a08e998dc2c5ef6c568077","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":11,"id":"56bf022f_f5cc030b","updated":"2025-05-12 14:29:04.000000000","message":"I have reviewed a couple of times and provided comments during our talks or over chat. The updated spec looks good to me from NetApp driver point of view. Thank you Kiran for working on this.\n\nThank you @gouthampravi@gmail.com for taking time and reviewing this thoroughly!!","commit_id":"bad8d7d6e3c69775d522a72042fa232412c65f14"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"113442a57bca91474c417925b2a51736d9a98b7c","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":12,"id":"c09ca9d0_be19c659","updated":"2025-05-31 09:40:27.000000000","message":"I was working on adding error in API layer for quota, but again found that its not correct place.\n\n1. we are creating share server in manager.py and so quota should be handled there only.\n2. Restricting quota based on share type \u0027encryption_support\u0027 and encryption_key_ref user input is not valid case. E.g. server_encryption_keys quota set to 5. And then all 5 keys (and so share_server exist). Now request comes for another share create with key from existing share_servers, we can not restrict it since no new share will be created in share_manager for this scenario. So if we have to restrict in manila-api, we need to get all share_servers and check their encryption_keys. Also not all drivers supporting share_server encryption keys will have restriction on number of share servers.\n\n@gouthampravi@gmail.com / @ces.eduardo98@gmail.com. 
wdyt ?","commit_id":"964d4b751292be106f37ee57d8d3ee0246b936d6"},{"author":{"_account_id":29632,"name":"Carlos Eduardo","email":"ces.eduardo98@gmail.com","username":"silvacarlos"},"change_message_id":"48aaee1e36d445baa61183d51d9d21f0df788304","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":12,"id":"55860b4f_a4256e9a","updated":"2025-05-28 18:25:19.000000000","message":"LGTM, thanks Kiran","commit_id":"964d4b751292be106f37ee57d8d3ee0246b936d6"},{"author":{"_account_id":36179,"name":"Saikumar Pulluri","display_name":"Saikumar Pulluri","email":"saikumar1016@gmail.com","username":"pulluri"},"change_message_id":"66f9fc4e5da93c4e6a07028a172a7b5d0b4ab12a","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":12,"id":"a28fe09a_ed848fc4","updated":"2025-05-29 10:59:55.000000000","message":"LGTM.","commit_id":"964d4b751292be106f37ee57d8d3ee0246b936d6"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"7c14d74cc618e6a3c8ff45662241ca0efc2a80bd","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":12,"id":"d7942c25_d5dee0ac","in_reply_to":"4f3652cd_712fb668","updated":"2025-06-05 07:04:22.000000000","message":"ok, new mapping table \"encryption_keys\" will be needed and column \"id, project_id, resource\" will be created. 
The default resource for now is \"share_server\" and then getting unique keys in the project against quota \"server_encryption_keys\" will be evaluated for now.","commit_id":"964d4b751292be106f37ee57d8d3ee0246b936d6"},{"author":{"_account_id":29632,"name":"Carlos Eduardo","email":"ces.eduardo98@gmail.com","username":"silvacarlos"},"change_message_id":"8de4b88061029d058154b2c7ca1c1ccdfc93728f","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":12,"id":"6468ebb6_a608f662","in_reply_to":"55860b4f_a4256e9a","updated":"2025-05-28 18:25:51.000000000","message":"I only added a minor question, but if reviewers are okay, I\u0027m good too. Thank you for your hard work on this spec!","commit_id":"964d4b751292be106f37ee57d8d3ee0246b936d6"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"a81d3a4794bd400e56795cdd6ca0eeb226342509","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":12,"id":"4f3652cd_712fb668","in_reply_to":"c09ca9d0_be19c659","updated":"2025-06-05 06:39:31.000000000","message":"Can we simplify this and set a quota on encryption keys? I\u0027ve been stating that I don\u0027t see a use case where a cloud administrator will not want to restrict share encryption keys vs server encryption keys. \n\nWith a quota on encryption keys, you can maintain a count using the quotas apparatus for every new/unique key that you see - a mapping table can be maintained to facilitate this. We\u0027d need to store:\n\n  encryption_key_ref, project_id\n  \nand efficiently query this to establish the uniqueness. 
Would that work?","commit_id":"964d4b751292be106f37ee57d8d3ee0246b936d6"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"e7506bd281b7dddd57efceb6aa14b44e0ef6de39","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":12,"id":"9cbfab3e_94cae457","in_reply_to":"d7942c25_d5dee0ac","updated":"2025-06-05 17:25:30.000000000","message":"Lets refine this with code.. and come back and update the spec if necessary","commit_id":"964d4b751292be106f37ee57d8d3ee0246b936d6"}],"doc/source/index.rst":[{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"c620386dd9fdad5ab379b150d5f600c77adb1ec6","unresolved":true,"context_lines":[{"line_number":26,"context_line":"   specs/flamingo/*"},{"line_number":27,"context_line":""},{"line_number":28,"context_line":""},{"line_number":29,"context_line":"2025.1 Epoxy approved specs"},{"line_number":30,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":31,"context_line":""},{"line_number":32,"context_line":".. 
toctree::"},{"line_number":33,"context_line":"   :glob:"},{"line_number":34,"context_line":"   :maxdepth: 1"},{"line_number":35,"context_line":""},{"line_number":36,"context_line":"   specs/epoxy/*"},{"line_number":37,"context_line":""},{"line_number":38,"context_line":""},{"line_number":39,"context_line":"2024.2 Dalmatian approved specs"}],"source_content_type":"text/x-rst","patch_set":7,"id":"1bbbb0c4_5da377ad","line":36,"range":{"start_line":29,"start_character":0,"end_line":36,"end_character":16},"updated":"2025-05-01 03:29:15.000000000","message":"We can delete this since no specs were accepted in Epoxy","commit_id":"0cb3316bc029e25a86f0e569e9abffef2e1805d3"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"429c726ec9fd62eed1adce357d83b70a7070a1b3","unresolved":false,"context_lines":[{"line_number":26,"context_line":"   specs/flamingo/*"},{"line_number":27,"context_line":""},{"line_number":28,"context_line":""},{"line_number":29,"context_line":"2025.1 Epoxy approved specs"},{"line_number":30,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":31,"context_line":""},{"line_number":32,"context_line":".. 
toctree::"},{"line_number":33,"context_line":"   :glob:"},{"line_number":34,"context_line":"   :maxdepth: 1"},{"line_number":35,"context_line":""},{"line_number":36,"context_line":"   specs/epoxy/*"},{"line_number":37,"context_line":""},{"line_number":38,"context_line":""},{"line_number":39,"context_line":"2024.2 Dalmatian approved specs"}],"source_content_type":"text/x-rst","patch_set":7,"id":"1b587500_5bb8780c","line":36,"range":{"start_line":29,"start_character":0,"end_line":36,"end_character":16},"in_reply_to":"1bbbb0c4_5da377ad","updated":"2025-05-02 10:34:10.000000000","message":"Done","commit_id":"0cb3316bc029e25a86f0e569e9abffef2e1805d3"}],"specs/epoxy/share_encryption.rst":[{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"848cddefbc5b0d6f7660060f00cd5e563269c597","unresolved":true,"context_lines":[{"line_number":84,"context_line":"in key store supported by driver e.g. Barbican. In this case, user need to use"},{"line_number":85,"context_line":"share type without encryption information i.e. if share type with encryption"},{"line_number":86,"context_line":"information is used to create share along-with user provided encryption key"},{"line_number":87,"context_line":"ref, manila will throw error. Some driver can also support encryption using"},{"line_number":88,"context_line":"share server encryption key instead of share specific encryption key. 
The share"},{"line_number":89,"context_line":"create request accordingly will deal with either share encryption key or share"},{"line_number":90,"context_line":"server encryption key based on storage driver support."}],"source_content_type":"text/x-rst","patch_set":1,"id":"d42d8720_8cfd7efb","line":87,"range":{"start_line":87,"start_character":35,"end_line":87,"end_character":41},"updated":"2025-02-06 21:48:16.000000000","message":"nit: drivers","commit_id":"6b381bec1fce0078077e08749e65fcbb4807342e"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"daf0d35b97f3cc6e903c49e120d1ef88805f0e99","unresolved":false,"context_lines":[{"line_number":84,"context_line":"in key store supported by driver e.g. Barbican. In this case, user need to use"},{"line_number":85,"context_line":"share type without encryption information i.e. if share type with encryption"},{"line_number":86,"context_line":"information is used to create share along-with user provided encryption key"},{"line_number":87,"context_line":"ref, manila will throw error. Some driver can also support encryption using"},{"line_number":88,"context_line":"share server encryption key instead of share specific encryption key. 
The share"},{"line_number":89,"context_line":"create request accordingly will deal with either share encryption key or share"},{"line_number":90,"context_line":"server encryption key based on storage driver support."}],"source_content_type":"text/x-rst","patch_set":1,"id":"44e08777_7962355a","line":87,"range":{"start_line":87,"start_character":35,"end_line":87,"end_character":41},"in_reply_to":"d42d8720_8cfd7efb","updated":"2025-02-13 08:42:58.000000000","message":"Done","commit_id":"6b381bec1fce0078077e08749e65fcbb4807342e"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"848cddefbc5b0d6f7660060f00cd5e563269c597","unresolved":true,"context_lines":[{"line_number":85,"context_line":"share type without encryption information i.e. if share type with encryption"},{"line_number":86,"context_line":"information is used to create share along-with user provided encryption key"},{"line_number":87,"context_line":"ref, manila will throw error. Some driver can also support encryption using"},{"line_number":88,"context_line":"share server encryption key instead of share specific encryption key. The share"},{"line_number":89,"context_line":"create request accordingly will deal with either share encryption key or share"},{"line_number":90,"context_line":"server encryption key based on storage driver support."},{"line_number":91,"context_line":""},{"line_number":92,"context_line":"In either scenario, after key is being fetched it will be given to storage"},{"line_number":93,"context_line":"back end driver. 
The storage back end driver then talks with key-store using"}],"source_content_type":"text/x-rst","patch_set":1,"id":"8c91b1cb_7ebcf2c0","line":90,"range":{"start_line":88,"start_character":70,"end_line":90,"end_character":54},"updated":"2025-02-06 21:48:16.000000000","message":"In a couple of paragraphs below you state that a user can override the encryption key for a particular share after setting up a share server wide encryption key. I think you should clarify that here first..","commit_id":"6b381bec1fce0078077e08749e65fcbb4807342e"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"daf0d35b97f3cc6e903c49e120d1ef88805f0e99","unresolved":false,"context_lines":[{"line_number":85,"context_line":"share type without encryption information i.e. if share type with encryption"},{"line_number":86,"context_line":"information is used to create share along-with user provided encryption key"},{"line_number":87,"context_line":"ref, manila will throw error. Some driver can also support encryption using"},{"line_number":88,"context_line":"share server encryption key instead of share specific encryption key. The share"},{"line_number":89,"context_line":"create request accordingly will deal with either share encryption key or share"},{"line_number":90,"context_line":"server encryption key based on storage driver support."},{"line_number":91,"context_line":""},{"line_number":92,"context_line":"In either scenario, after key is being fetched it will be given to storage"},{"line_number":93,"context_line":"back end driver. 
The storage back end driver then talks with key-store using"}],"source_content_type":"text/x-rst","patch_set":1,"id":"a9dfafd3_cc933401","line":90,"range":{"start_line":88,"start_character":70,"end_line":90,"end_character":54},"in_reply_to":"8c91b1cb_7ebcf2c0","updated":"2025-02-13 08:42:58.000000000","message":"Done","commit_id":"6b381bec1fce0078077e08749e65fcbb4807342e"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"848cddefbc5b0d6f7660060f00cd5e563269c597","unresolved":true,"context_lines":[{"line_number":99,"context_line":"system. The scope of Manila\u0027s involvement ends with coordinating the user\u0027s"},{"line_number":100,"context_line":"secret with the Key Store."},{"line_number":101,"context_line":""},{"line_number":102,"context_line":"This specification does not target encryption at the share server level. If a"},{"line_number":103,"context_line":"share server has any sort of encryption settings, the expectation on the back"},{"line_number":104,"context_line":"end storage system and its driver is that the per-share encryption settings"},{"line_number":105,"context_line":"from Manila will override the encryption settings of the share server for the"},{"line_number":106,"context_line":"given share. The driver can also decide whether the default encryption"},{"line_number":107,"context_line":"satisfies the ask to encrypt or if it needs to do something, e.g. 
re-encrypt"},{"line_number":108,"context_line":"with a new key."},{"line_number":109,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"091c48b5_34e9951b","line":106,"range":{"start_line":102,"start_character":0,"end_line":106,"end_character":12},"updated":"2025-02-06 21:48:16.000000000","message":"you should revise this text with clarification to my question above and remove the line: \"This specification does not target encryption at the share server level.\" - because with the latest update, you\u0027re planning to support encryption at the server level","commit_id":"6b381bec1fce0078077e08749e65fcbb4807342e"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"daf0d35b97f3cc6e903c49e120d1ef88805f0e99","unresolved":false,"context_lines":[{"line_number":99,"context_line":"system. The scope of Manila\u0027s involvement ends with coordinating the user\u0027s"},{"line_number":100,"context_line":"secret with the Key Store."},{"line_number":101,"context_line":""},{"line_number":102,"context_line":"This specification does not target encryption at the share server level. If a"},{"line_number":103,"context_line":"share server has any sort of encryption settings, the expectation on the back"},{"line_number":104,"context_line":"end storage system and its driver is that the per-share encryption settings"},{"line_number":105,"context_line":"from Manila will override the encryption settings of the share server for the"},{"line_number":106,"context_line":"given share. The driver can also decide whether the default encryption"},{"line_number":107,"context_line":"satisfies the ask to encrypt or if it needs to do something, e.g. 
re-encrypt"},{"line_number":108,"context_line":"with a new key."},{"line_number":109,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"d092f4ae_d097bdb9","line":106,"range":{"start_line":102,"start_character":0,"end_line":106,"end_character":12},"in_reply_to":"091c48b5_34e9951b","updated":"2025-02-13 08:42:58.000000000","message":"Done","commit_id":"6b381bec1fce0078077e08749e65fcbb4807342e"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"848cddefbc5b0d6f7660060f00cd5e563269c597","unresolved":true,"context_lines":[{"line_number":120,"context_line":"* Modify share create API"},{"line_number":121,"context_line":""},{"line_number":122,"context_line":"  In order to support \u0027bring your own key\u0027 use case, manila share create API"},{"line_number":123,"context_line":"  will accept two optional parameters e.g. encryption-key-ref and"},{"line_number":124,"context_line":"  server-encryption-key-ref."},{"line_number":125,"context_line":""},{"line_number":126,"context_line":"* New database resource encryption"}],"source_content_type":"text/x-rst","patch_set":1,"id":"b7750800_d86a9934","line":123,"range":{"start_line":123,"start_character":43,"end_line":123,"end_character":61},"updated":"2025-02-06 21:48:16.000000000","message":"```suggestion\n  will accept two optional parameters e.g. 
``encryption-key-ref`` and\n```","commit_id":"6b381bec1fce0078077e08749e65fcbb4807342e"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"daf0d35b97f3cc6e903c49e120d1ef88805f0e99","unresolved":false,"context_lines":[{"line_number":120,"context_line":"* Modify share create API"},{"line_number":121,"context_line":""},{"line_number":122,"context_line":"  In order to support \u0027bring your own key\u0027 use case, manila share create API"},{"line_number":123,"context_line":"  will accept two optional parameters e.g. encryption-key-ref and"},{"line_number":124,"context_line":"  server-encryption-key-ref."},{"line_number":125,"context_line":""},{"line_number":126,"context_line":"* New database resource encryption"}],"source_content_type":"text/x-rst","patch_set":1,"id":"0eaaf0e3_f5285560","line":123,"range":{"start_line":123,"start_character":43,"end_line":123,"end_character":61},"in_reply_to":"b7750800_d86a9934","updated":"2025-02-13 08:42:58.000000000","message":"Done","commit_id":"6b381bec1fce0078077e08749e65fcbb4807342e"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"848cddefbc5b0d6f7660060f00cd5e563269c597","unresolved":true,"context_lines":[{"line_number":121,"context_line":""},{"line_number":122,"context_line":"  In order to support \u0027bring your own key\u0027 use case, manila share create API"},{"line_number":123,"context_line":"  will accept two optional parameters e.g. 
encryption-key-ref and"},{"line_number":124,"context_line":"  server-encryption-key-ref."},{"line_number":125,"context_line":""},{"line_number":126,"context_line":"* New database resource encryption"},{"line_number":127,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"1422f0ca_0588388b","line":124,"range":{"start_line":124,"start_character":2,"end_line":124,"end_character":27},"updated":"2025-02-06 21:48:16.000000000","message":"```suggestion\n  ``server-encryption-key-ref``.\n```","commit_id":"6b381bec1fce0078077e08749e65fcbb4807342e"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"daf0d35b97f3cc6e903c49e120d1ef88805f0e99","unresolved":false,"context_lines":[{"line_number":121,"context_line":""},{"line_number":122,"context_line":"  In order to support \u0027bring your own key\u0027 use case, manila share create API"},{"line_number":123,"context_line":"  will accept two optional parameters e.g. encryption-key-ref and"},{"line_number":124,"context_line":"  server-encryption-key-ref."},{"line_number":125,"context_line":""},{"line_number":126,"context_line":"* New database resource encryption"},{"line_number":127,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"6a3a836a_f9c2870e","line":124,"range":{"start_line":124,"start_character":2,"end_line":124,"end_character":27},"in_reply_to":"1422f0ca_0588388b","updated":"2025-02-13 08:42:58.000000000","message":"Done","commit_id":"6b381bec1fce0078077e08749e65fcbb4807342e"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"848cddefbc5b0d6f7660060f00cd5e563269c597","unresolved":true,"context_lines":[{"line_number":138,"context_line":"  driver. 
However, if share-type with encryption information is used (i.e."},{"line_number":139,"context_line":"  encryption key is not provided), API service will generate key in key-store"},{"line_number":140,"context_line":"  and the pass key ref to back end driver."},{"line_number":141,"context_line":"  In both cases, the encryption key ref is valid barbican(i.e. key-manager)"},{"line_number":142,"context_line":"  secret_ref and so Manila-api will ask Barbican service to create ACL for"},{"line_number":143,"context_line":"  \u0027barbican\u0027 user. The \u0027barbican\u0027 user will be defined in manila.conf. This"},{"line_number":144,"context_line":"  user will be used by storage driver to fetch the actual key payload from"},{"line_number":145,"context_line":"  key-manager service. For this to work, Manila-share service will create an"},{"line_number":146,"context_line":"  application credentials for \u0027barbican\u0027 user and pass those credentials"},{"line_number":147,"context_line":"  (i.e. application cred id and cred secret) to storage driver."},{"line_number":148,"context_line":""},{"line_number":149,"context_line":"* Changes in backend driver"},{"line_number":150,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"391adcef_a8f44412","line":147,"range":{"start_line":141,"start_character":2,"end_line":147,"end_character":63},"updated":"2025-02-06 21:48:16.000000000","message":"I think your explanation at midcycle clarified this a bit better. Can you see if the following makes sense, and use it instead?\n\n\n```suggestion\n  In both cases, the encryption key ref will be a valid barbican (i.e. key-manager)\n  secret_ref. Storage back end devices would need to obtain the key out-of-band\n  in order to perform the encryption. Manila will collate the necessary information\n  that allows a storage back end to identify and retrieve the secret from the\n  key manager.\n  \n  Manila will interact with Barbican as a service. 
It will use service\n  credentials to create or retrieve secrets from Barbican on behalf of\n  OpenStack users. Back end storage devices would also need OpenStack\n  credentials to work with Barbican. We will improve Manila\u0027s share manager\n  service to create OpenStack Identity Service (Keystone) application\n  credentials to facilitate this interaction, and hand these to the\n  storage back end device via storage back end drivers.\n```","commit_id":"6b381bec1fce0078077e08749e65fcbb4807342e"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"daf0d35b97f3cc6e903c49e120d1ef88805f0e99","unresolved":false,"context_lines":[{"line_number":138,"context_line":"  driver. However, if share-type with encryption information is used (i.e."},{"line_number":139,"context_line":"  encryption key is not provided), API service will generate key in key-store"},{"line_number":140,"context_line":"  and the pass key ref to back end driver."},{"line_number":141,"context_line":"  In both cases, the encryption key ref is valid barbican(i.e. key-manager)"},{"line_number":142,"context_line":"  secret_ref and so Manila-api will ask Barbican service to create ACL for"},{"line_number":143,"context_line":"  \u0027barbican\u0027 user. The \u0027barbican\u0027 user will be defined in manila.conf. This"},{"line_number":144,"context_line":"  user will be used by storage driver to fetch the actual key payload from"},{"line_number":145,"context_line":"  key-manager service. For this to work, Manila-share service will create an"},{"line_number":146,"context_line":"  application credentials for \u0027barbican\u0027 user and pass those credentials"},{"line_number":147,"context_line":"  (i.e. 
application cred id and cred secret) to storage driver."},{"line_number":148,"context_line":""},{"line_number":149,"context_line":"* Changes in backend driver"},{"line_number":150,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"3662e751_418f806d","line":147,"range":{"start_line":141,"start_character":2,"end_line":147,"end_character":63},"in_reply_to":"391adcef_a8f44412","updated":"2025-02-13 08:42:58.000000000","message":"Done","commit_id":"6b381bec1fce0078077e08749e65fcbb4807342e"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"848cddefbc5b0d6f7660060f00cd5e563269c597","unresolved":true,"context_lines":[{"line_number":145,"context_line":"  key-manager service. For this to work, Manila-share service will create an"},{"line_number":146,"context_line":"  application credentials for \u0027barbican\u0027 user and pass those credentials"},{"line_number":147,"context_line":"  (i.e. application cred id and cred secret) to storage driver."},{"line_number":148,"context_line":""},{"line_number":149,"context_line":"* Changes in backend driver"},{"line_number":150,"context_line":""},{"line_number":151,"context_line":"  A backend driver will get encryption key ref which it will pass to backend"}],"source_content_type":"text/x-rst","patch_set":1,"id":"1321f645_f21d00e5","line":148,"updated":"2025-02-06 21:48:16.000000000","message":"We had some follow up at the midcycle meeting regarding this:\n\n1) How can we ensure that the application credentials that Manila creates and hands over to the storage system are pared down adequately? You need to call out specifically that the application credentials that Manila creates will:\n\n- be \"restricted\", i.e., the creds cannot create more creds\n- have \"access rules\" that specifically allow retrieving only the secret necessary. 
The creds cannot list secrets, or retrieve unrelated secrets even if they belong to the same tenant.","commit_id":"6b381bec1fce0078077e08749e65fcbb4807342e"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"daf0d35b97f3cc6e903c49e120d1ef88805f0e99","unresolved":false,"context_lines":[{"line_number":145,"context_line":"  key-manager service. For this to work, Manila-share service will create an"},{"line_number":146,"context_line":"  application credentials for \u0027barbican\u0027 user and pass those credentials"},{"line_number":147,"context_line":"  (i.e. application cred id and cred secret) to storage driver."},{"line_number":148,"context_line":""},{"line_number":149,"context_line":"* Changes in backend driver"},{"line_number":150,"context_line":""},{"line_number":151,"context_line":"  A backend driver will get encryption key ref which it will pass to backend"}],"source_content_type":"text/x-rst","patch_set":1,"id":"2f369dd5_9d4ecd53","line":148,"in_reply_to":"1321f645_f21d00e5","updated":"2025-02-13 08:42:58.000000000","message":"Done","commit_id":"6b381bec1fce0078077e08749e65fcbb4807342e"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"848cddefbc5b0d6f7660060f00cd5e563269c597","unresolved":true,"context_lines":[{"line_number":149,"context_line":"* Changes in backend driver"},{"line_number":150,"context_line":""},{"line_number":151,"context_line":"  A backend driver will get encryption key ref which it will pass to backend"},{"line_number":152,"context_line":"  hardware to perform the encryption. The back end driver will fetch key data"},{"line_number":153,"context_line":"  from key-store using key ref. 
The fetched key data will be used to encrypt"},{"line_number":154,"context_line":"  the share\u0027 data."},{"line_number":155,"context_line":""},{"line_number":156,"context_line":"* A generic encryption capability called \"encryption_support\" will be"}],"source_content_type":"text/x-rst","patch_set":1,"id":"9c41fb77_8aab44bf","line":153,"range":{"start_line":152,"start_character":38,"end_line":153,"end_character":31},"updated":"2025-02-06 21:48:16.000000000","message":"The back end driver will not be doing this. You mean that the back end storage system will fetch the key directly, out of band of manila using the ref that Manila shares via the back end driver","commit_id":"6b381bec1fce0078077e08749e65fcbb4807342e"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"daf0d35b97f3cc6e903c49e120d1ef88805f0e99","unresolved":false,"context_lines":[{"line_number":149,"context_line":"* Changes in backend driver"},{"line_number":150,"context_line":""},{"line_number":151,"context_line":"  A backend driver will get encryption key ref which it will pass to backend"},{"line_number":152,"context_line":"  hardware to perform the encryption. The back end driver will fetch key data"},{"line_number":153,"context_line":"  from key-store using key ref. 
The fetched key data will be used to encrypt"},{"line_number":154,"context_line":"  the share\u0027 data."},{"line_number":155,"context_line":""},{"line_number":156,"context_line":"* A generic encryption capability called \"encryption_support\" will be"}],"source_content_type":"text/x-rst","patch_set":1,"id":"bd6cb852_1b47d0db","line":153,"range":{"start_line":152,"start_character":38,"end_line":153,"end_character":31},"in_reply_to":"9c41fb77_8aab44bf","updated":"2025-02-13 08:42:58.000000000","message":"Done","commit_id":"6b381bec1fce0078077e08749e65fcbb4807342e"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"848cddefbc5b0d6f7660060f00cd5e563269c597","unresolved":true,"context_lines":[{"line_number":315,"context_line":"                           [--server-encryption-key-ref \u003cserver-key-ref\u003e]"},{"line_number":316,"context_line":"                           \u003cshare_protocol\u003e \u003csize\u003e"},{"line_number":317,"context_line":""},{"line_number":318,"context_line":"* encryption-key-ref: Valid Barbican (i.e. key-manager) secret ref represents"},{"line_number":319,"context_line":"  share encryption key reference"},{"line_number":320,"context_line":"* server-encryption-key-ref: Valid Barbican (i.e. key-manager) secret ref"},{"line_number":321,"context_line":"  represents share server encryption key reference"}],"source_content_type":"text/x-rst","patch_set":1,"id":"b4503e6c_d077f170","line":318,"range":{"start_line":318,"start_character":22,"end_line":318,"end_character":67},"updated":"2025-02-06 21:48:16.000000000","message":"This may be confusing to end users.. They\u0027re used to seeing Names or IDs, but the parameters here seem to be expecting URLs.\n\nThese URLs will likely contain the public Barbican service endpoint. It\u0027s possible that Manila doesn\u0027t interact with Barbican on the same endpoint... 
Manila and Barbican can be configured to interact via an Internal network, and the URL would look different. \n\nSo I suggest allowing a UUID as the ref.. This UUID would be the encryption ref ID from Barbican - pretty much the same way we look up neutron network IDs or neutron subnet IDs when dealing with share networks","commit_id":"6b381bec1fce0078077e08749e65fcbb4807342e"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"daf0d35b97f3cc6e903c49e120d1ef88805f0e99","unresolved":false,"context_lines":[{"line_number":315,"context_line":"                           [--server-encryption-key-ref \u003cserver-key-ref\u003e]"},{"line_number":316,"context_line":"                           \u003cshare_protocol\u003e \u003csize\u003e"},{"line_number":317,"context_line":""},{"line_number":318,"context_line":"* encryption-key-ref: Valid Barbican (i.e. key-manager) secret ref represents"},{"line_number":319,"context_line":"  share encryption key reference"},{"line_number":320,"context_line":"* server-encryption-key-ref: Valid Barbican (i.e. 
key-manager) secret ref"},{"line_number":321,"context_line":"  represents share server encryption key reference"}],"source_content_type":"text/x-rst","patch_set":1,"id":"20a6479d_11f683db","line":318,"range":{"start_line":318,"start_character":22,"end_line":318,"end_character":67},"in_reply_to":"b4503e6c_d077f170","updated":"2025-02-13 08:42:58.000000000","message":"Done","commit_id":"6b381bec1fce0078077e08749e65fcbb4807342e"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"848cddefbc5b0d6f7660060f00cd5e563269c597","unresolved":true,"context_lines":[{"line_number":444,"context_line":"            \"scheduler_hints\": {"},{"line_number":445,"context_line":"            },"},{"line_number":446,"context_line":"            \"encryption_key_ref\": http://10.180.1.176/key-manager/v1/secrets/b7460a86-30ea-4c20-901f-6cee1e945286,"},{"line_number":447,"context_line":"            \"server_encryption_key_ref\":http://10.180.1.176/key-manager/v1/secrets/de4ee749-5a15-43a1-9bc9-0f8f693821c0,"},{"line_number":448,"context_line":"        }"},{"line_number":449,"context_line":"    }"},{"line_number":450,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"532b62f8_15079d1f","line":447,"range":{"start_line":447,"start_character":119,"end_line":447,"end_character":120},"updated":"2025-02-06 21:48:16.000000000","message":"no trailing comma allowed on the last element of JSON objects","commit_id":"6b381bec1fce0078077e08749e65fcbb4807342e"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"daf0d35b97f3cc6e903c49e120d1ef88805f0e99","unresolved":false,"context_lines":[{"line_number":444,"context_line":"            \"scheduler_hints\": {"},{"line_number":445,"context_line":"            },"},{"line_number":446,"context_line":"            \"encryption_key_ref\": 
http://10.180.1.176/key-manager/v1/secrets/b7460a86-30ea-4c20-901f-6cee1e945286,"},{"line_number":447,"context_line":"            \"server_encryption_key_ref\":http://10.180.1.176/key-manager/v1/secrets/de4ee749-5a15-43a1-9bc9-0f8f693821c0,"},{"line_number":448,"context_line":"        }"},{"line_number":449,"context_line":"    }"},{"line_number":450,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"a6fc0c7b_17622272","line":447,"range":{"start_line":447,"start_character":119,"end_line":447,"end_character":120},"in_reply_to":"532b62f8_15079d1f","updated":"2025-02-13 08:42:58.000000000","message":"Done","commit_id":"6b381bec1fce0078077e08749e65fcbb4807342e"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"848cddefbc5b0d6f7660060f00cd5e563269c597","unresolved":true,"context_lines":[{"line_number":448,"context_line":"        }"},{"line_number":449,"context_line":"    }"},{"line_number":450,"context_line":""},{"line_number":451,"context_line":"The ``encryption_key_ref`` and ``server_encryption_key_ref`` should be valid"},{"line_number":452,"context_line":"Barbican secrets, otherwise the API will respond with ``404 Not Found``"},{"line_number":453,"context_line":""},{"line_number":454,"context_line":"Ideally storage driver support either of share encryption key ref or share"},{"line_number":455,"context_line":"server encryption key ref. If end user specify both key references, Manila"}],"source_content_type":"text/x-rst","patch_set":1,"id":"c27fa292_74e42533","line":452,"range":{"start_line":451,"start_character":0,"end_line":452,"end_character":70},"updated":"2025-02-06 21:48:16.000000000","message":"Will Manila API do this? 
Or will you be invoking Barbican checks only in the manager service?","commit_id":"6b381bec1fce0078077e08749e65fcbb4807342e"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"429c726ec9fd62eed1adce357d83b70a7070a1b3","unresolved":false,"context_lines":[{"line_number":448,"context_line":"        }"},{"line_number":449,"context_line":"    }"},{"line_number":450,"context_line":""},{"line_number":451,"context_line":"The ``encryption_key_ref`` and ``server_encryption_key_ref`` should be valid"},{"line_number":452,"context_line":"Barbican secrets, otherwise the API will respond with ``404 Not Found``"},{"line_number":453,"context_line":""},{"line_number":454,"context_line":"Ideally storage driver support either of share encryption key ref or share"},{"line_number":455,"context_line":"server encryption key ref. If end user specify both key references, Manila"}],"source_content_type":"text/x-rst","patch_set":1,"id":"bcb42c54_1dc105a9","line":452,"range":{"start_line":451,"start_character":0,"end_line":452,"end_character":70},"in_reply_to":"b6271b7c_6654a20f","updated":"2025-05-02 10:34:10.000000000","message":"Acknowledged","commit_id":"6b381bec1fce0078077e08749e65fcbb4807342e"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"daf0d35b97f3cc6e903c49e120d1ef88805f0e99","unresolved":true,"context_lines":[{"line_number":448,"context_line":"        }"},{"line_number":449,"context_line":"    }"},{"line_number":450,"context_line":""},{"line_number":451,"context_line":"The ``encryption_key_ref`` and ``server_encryption_key_ref`` should be valid"},{"line_number":452,"context_line":"Barbican secrets, otherwise the API will respond with ``404 Not Found``"},{"line_number":453,"context_line":""},{"line_number":454,"context_line":"Ideally storage driver support either of share encryption 
key ref or share"},{"line_number":455,"context_line":"server encryption key ref. If end user specify both key references, Manila"}],"source_content_type":"text/x-rst","patch_set":1,"id":"b6271b7c_6654a20f","line":452,"range":{"start_line":451,"start_character":0,"end_line":452,"end_character":70},"in_reply_to":"c27fa292_74e42533","updated":"2025-02-13 08:42:58.000000000","message":"In manila-api layer, we will invoke barbican to get ACL on barbican secrets. If this fails, this means keys are invalid and manila-api will throw error.\n\nIn manager service, manila will talk with keystone to create/get application credentials. \n\nlet me know if you think otherwise.","commit_id":"6b381bec1fce0078077e08749e65fcbb4807342e"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"848cddefbc5b0d6f7660060f00cd5e563269c597","unresolved":true,"context_lines":[{"line_number":451,"context_line":"The ``encryption_key_ref`` and ``server_encryption_key_ref`` should be valid"},{"line_number":452,"context_line":"Barbican secrets, otherwise the API will respond with ``404 Not Found``"},{"line_number":453,"context_line":""},{"line_number":454,"context_line":"Ideally storage driver support either of share encryption key ref or share"},{"line_number":455,"context_line":"server encryption key ref. If end user specify both key references, Manila"},{"line_number":456,"context_line":"will ignore server encryption key ref and ask storage driver to do encryption"},{"line_number":457,"context_line":"using share encryption key ref. 
If share server encryption key referernce is"}],"source_content_type":"text/x-rst","patch_set":1,"id":"cbbf8e9d_880b4118","line":454,"range":{"start_line":454,"start_character":23,"end_line":454,"end_character":30},"updated":"2025-02-06 21:48:16.000000000","message":"must support","commit_id":"6b381bec1fce0078077e08749e65fcbb4807342e"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"daf0d35b97f3cc6e903c49e120d1ef88805f0e99","unresolved":false,"context_lines":[{"line_number":451,"context_line":"The ``encryption_key_ref`` and ``server_encryption_key_ref`` should be valid"},{"line_number":452,"context_line":"Barbican secrets, otherwise the API will respond with ``404 Not Found``"},{"line_number":453,"context_line":""},{"line_number":454,"context_line":"Ideally storage driver support either of share encryption key ref or share"},{"line_number":455,"context_line":"server encryption key ref. If end user specify both key references, Manila"},{"line_number":456,"context_line":"will ignore server encryption key ref and ask storage driver to do encryption"},{"line_number":457,"context_line":"using share encryption key ref. If share server encryption key referernce is"}],"source_content_type":"text/x-rst","patch_set":1,"id":"2572b4eb_2bc898e3","line":454,"range":{"start_line":454,"start_character":23,"end_line":454,"end_character":30},"in_reply_to":"cbbf8e9d_880b4118","updated":"2025-02-13 08:42:58.000000000","message":"Done","commit_id":"6b381bec1fce0078077e08749e65fcbb4807342e"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"848cddefbc5b0d6f7660060f00cd5e563269c597","unresolved":true,"context_lines":[{"line_number":454,"context_line":"Ideally storage driver support either of share encryption key ref or share"},{"line_number":455,"context_line":"server encryption key ref. 
If end user specify both key references, Manila"},{"line_number":456,"context_line":"will ignore server encryption key ref and ask storage driver to do encryption"},{"line_number":457,"context_line":"using share encryption key ref. If share server encryption key referernce is"},{"line_number":458,"context_line":"provided in API call, its stored with share server and not with share."},{"line_number":459,"context_line":""},{"line_number":460,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"95c518ff_8082e46b","line":457,"range":{"start_line":457,"start_character":63,"end_line":457,"end_character":73},"updated":"2025-02-06 21:48:16.000000000","message":"typo","commit_id":"6b381bec1fce0078077e08749e65fcbb4807342e"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"daf0d35b97f3cc6e903c49e120d1ef88805f0e99","unresolved":false,"context_lines":[{"line_number":454,"context_line":"Ideally storage driver support either of share encryption key ref or share"},{"line_number":455,"context_line":"server encryption key ref. If end user specify both key references, Manila"},{"line_number":456,"context_line":"will ignore server encryption key ref and ask storage driver to do encryption"},{"line_number":457,"context_line":"using share encryption key ref. 
If share server encryption key referernce is"},{"line_number":458,"context_line":"provided in API call, its stored with share server and not with share."},{"line_number":459,"context_line":""},{"line_number":460,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"7b94f393_46f754b0","line":457,"range":{"start_line":457,"start_character":63,"end_line":457,"end_character":73},"in_reply_to":"95c518ff_8082e46b","updated":"2025-02-13 08:42:58.000000000","message":"Done","commit_id":"6b381bec1fce0078077e08749e65fcbb4807342e"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"848cddefbc5b0d6f7660060f00cd5e563269c597","unresolved":true,"context_lines":[{"line_number":455,"context_line":"server encryption key ref. If end user specify both key references, Manila"},{"line_number":456,"context_line":"will ignore server encryption key ref and ask storage driver to do encryption"},{"line_number":457,"context_line":"using share encryption key ref. If share server encryption key referernce is"},{"line_number":458,"context_line":"provided in API call, its stored with share server and not with share."},{"line_number":459,"context_line":""},{"line_number":460,"context_line":""},{"line_number":461,"context_line":"Response(202 Accepted)::"}],"source_content_type":"text/x-rst","patch_set":1,"id":"dc51205a_2b6ad450","line":458,"range":{"start_line":458,"start_character":22,"end_line":458,"end_character":70},"updated":"2025-02-06 21:48:16.000000000","message":"Would there be any issue if you updated the share\u0027s ref to the server\u0027s ref if one wasn\u0027t provided while creating the share?\n\nEnd users can\u0027t see their servers.. 
so how would they know if a specific share is encrypted if the encryption_key_ref is empty?","commit_id":"6b381bec1fce0078077e08749e65fcbb4807342e"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"daf0d35b97f3cc6e903c49e120d1ef88805f0e99","unresolved":true,"context_lines":[{"line_number":455,"context_line":"server encryption key ref. If end user specify both key references, Manila"},{"line_number":456,"context_line":"will ignore server encryption key ref and ask storage driver to do encryption"},{"line_number":457,"context_line":"using share encryption key ref. If share server encryption key referernce is"},{"line_number":458,"context_line":"provided in API call, its stored with share server and not with share."},{"line_number":459,"context_line":""},{"line_number":460,"context_line":""},{"line_number":461,"context_line":"Response(202 Accepted)::"}],"source_content_type":"text/x-rst","patch_set":1,"id":"e62cd5c3_f5fca705","line":458,"range":{"start_line":458,"start_character":22,"end_line":458,"end_character":70},"in_reply_to":"dc51205a_2b6ad450","updated":"2025-02-13 08:42:58.000000000","message":"if share is encrypted with share server encryption key, then we need to display it to end user to know its encrypted.\n\nso get API will return both key and share server key, if either is present that means share is encrypted.\n\nwdyt ?","commit_id":"6b381bec1fce0078077e08749e65fcbb4807342e"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"429c726ec9fd62eed1adce357d83b70a7070a1b3","unresolved":false,"context_lines":[{"line_number":455,"context_line":"server encryption key ref. 
If end user specify both key references, Manila"},{"line_number":456,"context_line":"will ignore server encryption key ref and ask storage driver to do encryption"},{"line_number":457,"context_line":"using share encryption key ref. If share server encryption key referernce is"},{"line_number":458,"context_line":"provided in API call, its stored with share server and not with share."},{"line_number":459,"context_line":""},{"line_number":460,"context_line":""},{"line_number":461,"context_line":"Response(202 Accepted)::"}],"source_content_type":"text/x-rst","patch_set":1,"id":"8374748e_80ed16b7","line":458,"range":{"start_line":458,"start_character":22,"end_line":458,"end_character":70},"in_reply_to":"e62cd5c3_f5fca705","updated":"2025-05-02 10:34:10.000000000","message":"Acknowledged","commit_id":"6b381bec1fce0078077e08749e65fcbb4807342e"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"2732b9572a67b995077f2f57e4c69486cf7c6031","unresolved":true,"context_lines":[{"line_number":504,"context_line":"            \"id\": \"011d21e2-fbc3-4e4a-9993-9ea223f73264\","},{"line_number":505,"context_line":"            \"size\": 1,"},{"line_number":506,"context_line":"            \"description\": \"My custom share London\","},{"line_number":507,"context_line":"            \"encrytion_key_ref\": b7460a86-30ea-4c20-901f-6cee1e945286"},{"line_number":508,"context_line":"        }"},{"line_number":509,"context_line":"   }"},{"line_number":510,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"a99569f3_81e45d30","line":507,"range":{"start_line":507,"start_character":33,"end_line":507,"end_character":69},"updated":"2025-04-10 14:08:32.000000000","message":"quotes missing","commit_id":"dd7a7ac088497e8ddfc25819140989c8b04bb42e"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran 
Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"8c217951a014bdeaed894c58b6394fab0e0db541","unresolved":false,"context_lines":[{"line_number":504,"context_line":"            \"id\": \"011d21e2-fbc3-4e4a-9993-9ea223f73264\","},{"line_number":505,"context_line":"            \"size\": 1,"},{"line_number":506,"context_line":"            \"description\": \"My custom share London\","},{"line_number":507,"context_line":"            \"encrytion_key_ref\": b7460a86-30ea-4c20-901f-6cee1e945286"},{"line_number":508,"context_line":"        }"},{"line_number":509,"context_line":"   }"},{"line_number":510,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"8e07fb0e_c680115b","line":507,"range":{"start_line":507,"start_character":33,"end_line":507,"end_character":69},"in_reply_to":"a99569f3_81e45d30","updated":"2025-04-16 14:07:08.000000000","message":"changed to null, since with share server encryption and single option for share create command, we can consider this null/None for now.","commit_id":"dd7a7ac088497e8ddfc25819140989c8b04bb42e"}],"specs/flamingo/share_encryption.rst":[{"author":{"_account_id":18816,"name":"Maurice Escher","display_name":"carthaca","email":"maurice.escher@sap.com","username":"mapocace"},"change_message_id":"2f6052468fa8328f3496e148ca3702b96619ffa7","unresolved":true,"context_lines":[{"line_number":78,"context_line":"share performed using share-server encryption keys. Such keys are stored in"},{"line_number":79,"context_line":"key-store supported by driver e.g. Barbican. The encryption key ref will be"},{"line_number":80,"context_line":"provided in share create request. After key ref is being validated by manila,"},{"line_number":81,"context_line":"it will be given to storage back end driver. The storage back end driver then"},{"line_number":82,"context_line":"talks with key-store using KMIP (Key Management Interoperability Protocol)"},{"line_number":83,"context_line":"and then retrieves the key data. 
The key data will be used to encrypt the"},{"line_number":84,"context_line":"share\u0027s data within the storage back end."},{"line_number":85,"context_line":""},{"line_number":86,"context_line":"The actual encryption of the data at-rest is performed by the back end storage"}],"source_content_type":"text/x-rst","patch_set":3,"id":"c6920cd9_468aa341","line":83,"range":{"start_line":81,"start_character":45,"end_line":83,"end_character":31},"updated":"2025-04-16 11:18:46.000000000","message":"I think this sentence can be completely removed. Too much driver detail and KMIP is out of the picture anyway in the flow.","commit_id":"9317b0b3a3b85104efb1a9edcb3150e28ce7d358"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"8c217951a014bdeaed894c58b6394fab0e0db541","unresolved":false,"context_lines":[{"line_number":78,"context_line":"share performed using share-server encryption keys. Such keys are stored in"},{"line_number":79,"context_line":"key-store supported by driver e.g. Barbican. The encryption key ref will be"},{"line_number":80,"context_line":"provided in share create request. After key ref is being validated by manila,"},{"line_number":81,"context_line":"it will be given to storage back end driver. The storage back end driver then"},{"line_number":82,"context_line":"talks with key-store using KMIP (Key Management Interoperability Protocol)"},{"line_number":83,"context_line":"and then retrieves the key data. 
The key data will be used to encrypt the"},{"line_number":84,"context_line":"share\u0027s data within the storage back end."},{"line_number":85,"context_line":""},{"line_number":86,"context_line":"The actual encryption of the data at-rest is performed by the back end storage"}],"source_content_type":"text/x-rst","patch_set":3,"id":"0328998a_122fd339","line":83,"range":{"start_line":81,"start_character":45,"end_line":83,"end_character":31},"in_reply_to":"c6920cd9_468aa341","updated":"2025-04-16 14:07:08.000000000","message":"Done","commit_id":"9317b0b3a3b85104efb1a9edcb3150e28ce7d358"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"c620386dd9fdad5ab379b150d5f600c77adb1ec6","unresolved":true,"context_lines":[{"line_number":73,"context_line":"encryption provides a manila level support to trigger the data encryption on"},{"line_number":74,"context_line":"backend and thus protect the data from attacker."},{"line_number":75,"context_line":""},{"line_number":76,"context_line":"Users can encrypt share using share specific encryption key or using share"},{"line_number":77,"context_line":"server specific encryption key. In this spec, we are targeting encryption of"},{"line_number":78,"context_line":"share performed using share-server encryption keys. Such keys are stored in"},{"line_number":79,"context_line":"key-store supported by driver e.g. Barbican. The encryption key ref will be"},{"line_number":80,"context_line":"provided in share create request. After key ref is being validated by manila,"},{"line_number":81,"context_line":"it will be given to storage back end driver. 
The key data will be used to"}],"source_content_type":"text/x-rst","patch_set":5,"id":"cd951071_f2ac6432","line":78,"range":{"start_line":76,"start_character":0,"end_line":78,"end_character":51},"updated":"2025-05-01 03:29:15.000000000","message":"The conversations we\u0027ve had elsewhere would make this transparent to the end user - i.e., _they_ cannot pick one kind deliberately, mainly because they don\u0027t control share servers today\n\nWhen users create multiple shares with a share network, there\u0027s no guarantee that all the shares are exported with the same share server. \n\nIt\u0027s an internal, but important detail and this statement makes it sound like they can make a choice.\n\n\nMaybe rewriting it as:\n\n```suggestion\nUsers can provide Manila with a reference to an encryption key. This encryption key can be applied by share drivers to share servers that they create, or individually to a specific share.\n```\n\nMeaning: we\u0027ll leave it up to the share driver to decide how/where the encryption key will apply. In case of NetApp, they will support encryption key customization at the share server level.. so, they\u0027ll make sure to spin up a new server if the encryption key is different, but the share network is the same.","commit_id":"29e6781d844f11ce3c3a10ac1f4827d298b0c363"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"429c726ec9fd62eed1adce357d83b70a7070a1b3","unresolved":false,"context_lines":[{"line_number":73,"context_line":"encryption provides a manila level support to trigger the data encryption on"},{"line_number":74,"context_line":"backend and thus protect the data from attacker."},{"line_number":75,"context_line":""},{"line_number":76,"context_line":"Users can encrypt share using share specific encryption key or using share"},{"line_number":77,"context_line":"server specific encryption key. 
In this spec, we are targeting encryption of"},{"line_number":78,"context_line":"share performed using share-server encryption keys. Such keys are stored in"},{"line_number":79,"context_line":"key-store supported by driver e.g. Barbican. The encryption key ref will be"},{"line_number":80,"context_line":"provided in share create request. After key ref is being validated by manila,"},{"line_number":81,"context_line":"it will be given to storage back end driver. The key data will be used to"}],"source_content_type":"text/x-rst","patch_set":5,"id":"d83a9381_d632a0f9","line":78,"range":{"start_line":76,"start_character":0,"end_line":78,"end_character":51},"in_reply_to":"cd951071_f2ac6432","updated":"2025-05-02 10:34:10.000000000","message":"Acknowledged","commit_id":"29e6781d844f11ce3c3a10ac1f4827d298b0c363"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"c620386dd9fdad5ab379b150d5f600c77adb1ec6","unresolved":true,"context_lines":[{"line_number":126,"context_line":"  via the back end driver. The fetched key data will be used to encrypt"},{"line_number":127,"context_line":"  the share data."},{"line_number":128,"context_line":""},{"line_number":129,"context_line":"* A generic encryption capability called \"driver_supports_encryption\" will be"},{"line_number":130,"context_line":"  introduced, defaulting to False. Admins then would have to either set"},{"line_number":131,"context_line":"  \"driver_supports_encryption\" to True explicitly, or specify these encryption"},{"line_number":132,"context_line":"  options so that Manila will set it. 
This will help to filter the storage"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3ac1b033_cc329384","line":129,"range":{"start_line":129,"start_character":42,"end_line":129,"end_character":68},"updated":"2025-05-01 03:29:15.000000000","message":"\"encryption_support\" perhaps like the other common capabilities: https://docs.openstack.org/manila/latest/admin/capabilities_and_extra_specs.html","commit_id":"29e6781d844f11ce3c3a10ac1f4827d298b0c363"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"c620386dd9fdad5ab379b150d5f600c77adb1ec6","unresolved":true,"context_lines":[{"line_number":126,"context_line":"  via the back end driver. The fetched key data will be used to encrypt"},{"line_number":127,"context_line":"  the share data."},{"line_number":128,"context_line":""},{"line_number":129,"context_line":"* A generic encryption capability called \"driver_supports_encryption\" will be"},{"line_number":130,"context_line":"  introduced, defaulting to False. Admins then would have to either set"},{"line_number":131,"context_line":"  \"driver_supports_encryption\" to True explicitly, or specify these encryption"},{"line_number":132,"context_line":"  options so that Manila will set it. This will help to filter the storage"}],"source_content_type":"text/x-rst","patch_set":5,"id":"ea1187b4_6cbe71c6","line":129,"range":{"start_line":129,"start_character":4,"end_line":129,"end_character":34},"updated":"2025-05-01 03:29:15.000000000","message":"Can you rephrase this as:\n\n\"common tenant-visible boolean capability\"","commit_id":"29e6781d844f11ce3c3a10ac1f4827d298b0c363"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"429c726ec9fd62eed1adce357d83b70a7070a1b3","unresolved":false,"context_lines":[{"line_number":126,"context_line":"  via the back end driver. 
The fetched key data will be used to encrypt"},{"line_number":127,"context_line":"  the share data."},{"line_number":128,"context_line":""},{"line_number":129,"context_line":"* A generic encryption capability called \"driver_supports_encryption\" will be"},{"line_number":130,"context_line":"  introduced, defaulting to False. Admins then would have to either set"},{"line_number":131,"context_line":"  \"driver_supports_encryption\" to True explicitly, or specify these encryption"},{"line_number":132,"context_line":"  options so that Manila will set it. This will help to filter the storage"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3d14b20f_b75c0662","line":129,"range":{"start_line":129,"start_character":42,"end_line":129,"end_character":68},"in_reply_to":"3ac1b033_cc329384","updated":"2025-05-02 10:34:10.000000000","message":"Done","commit_id":"29e6781d844f11ce3c3a10ac1f4827d298b0c363"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"429c726ec9fd62eed1adce357d83b70a7070a1b3","unresolved":false,"context_lines":[{"line_number":126,"context_line":"  via the back end driver. The fetched key data will be used to encrypt"},{"line_number":127,"context_line":"  the share data."},{"line_number":128,"context_line":""},{"line_number":129,"context_line":"* A generic encryption capability called \"driver_supports_encryption\" will be"},{"line_number":130,"context_line":"  introduced, defaulting to False. Admins then would have to either set"},{"line_number":131,"context_line":"  \"driver_supports_encryption\" to True explicitly, or specify these encryption"},{"line_number":132,"context_line":"  options so that Manila will set it. 
This will help to filter the storage"}],"source_content_type":"text/x-rst","patch_set":5,"id":"bc9ceaab_036dacec","line":129,"range":{"start_line":129,"start_character":4,"end_line":129,"end_character":34},"in_reply_to":"ea1187b4_6cbe71c6","updated":"2025-05-02 10:34:10.000000000","message":"Done","commit_id":"29e6781d844f11ce3c3a10ac1f4827d298b0c363"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"c620386dd9fdad5ab379b150d5f600c77adb1ec6","unresolved":true,"context_lines":[{"line_number":127,"context_line":"  the share data."},{"line_number":128,"context_line":""},{"line_number":129,"context_line":"* A generic encryption capability called \"driver_supports_encryption\" will be"},{"line_number":130,"context_line":"  introduced, defaulting to False. Admins then would have to either set"},{"line_number":131,"context_line":"  \"driver_supports_encryption\" to True explicitly, or specify these encryption"},{"line_number":132,"context_line":"  options so that Manila will set it. This will help to filter the storage"},{"line_number":133,"context_line":"  back ends that support such style of encryption."},{"line_number":134,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"88d74605_69153fc1","line":131,"range":{"start_line":130,"start_character":35,"end_line":131,"end_character":50},"updated":"2025-05-01 03:29:15.000000000","message":"capability !\u003d extra-specs \n\nadmins set extra-specs to match capabilities or perform operations with them\n\n\n\n```suggestion\n  introduced, defaulting to False. 
Admins then would have to set an `encryption_support` extra-spec on the share types to True, and optionally provide encryption specifications if they want Manila to create an encryption key on the key store.\n```","commit_id":"29e6781d844f11ce3c3a10ac1f4827d298b0c363"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"429c726ec9fd62eed1adce357d83b70a7070a1b3","unresolved":false,"context_lines":[{"line_number":127,"context_line":"  the share data."},{"line_number":128,"context_line":""},{"line_number":129,"context_line":"* A generic encryption capability called \"driver_supports_encryption\" will be"},{"line_number":130,"context_line":"  introduced, defaulting to False. Admins then would have to either set"},{"line_number":131,"context_line":"  \"driver_supports_encryption\" to True explicitly, or specify these encryption"},{"line_number":132,"context_line":"  options so that Manila will set it. This will help to filter the storage"},{"line_number":133,"context_line":"  back ends that support such style of encryption."},{"line_number":134,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"16632b0b_57efd084","line":131,"range":{"start_line":130,"start_character":35,"end_line":131,"end_character":50},"in_reply_to":"88d74605_69153fc1","updated":"2025-05-02 10:34:10.000000000","message":"We are no longer considering Manila creating key on the key store with this specification. 
So all references of encryption spec are removed.","commit_id":"29e6781d844f11ce3c3a10ac1f4827d298b0c363"},{"author":{"_account_id":29632,"name":"Carlos Eduardo","email":"ces.eduardo98@gmail.com","username":"silvacarlos"},"change_message_id":"e66244a67e2c45f70def2adf2f569d66a69718c4","unresolved":true,"context_lines":[{"line_number":131,"context_line":"  \"driver_supports_encryption\" to True explicitly, or specify these encryption"},{"line_number":132,"context_line":"  options so that Manila will set it. This will help to filter the storage"},{"line_number":133,"context_line":"  back ends that support such style of encryption."},{"line_number":134,"context_line":""},{"line_number":135,"context_line":""},{"line_number":136,"context_line":"Alternatives"},{"line_number":137,"context_line":"------------"}],"source_content_type":"text/x-rst","patch_set":5,"id":"e33d55c4_ed0b8ec7","line":134,"updated":"2025-04-17 15:58:54.000000000","message":"please mention that this specification targets only DHSS\u003dTrue scenarios and that the keys will be configured to share servers. DHSS\u003dFalse scenarios might be considered in the future.","commit_id":"29e6781d844f11ce3c3a10ac1f4827d298b0c363"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"429c726ec9fd62eed1adce357d83b70a7070a1b3","unresolved":false,"context_lines":[{"line_number":131,"context_line":"  \"driver_supports_encryption\" to True explicitly, or specify these encryption"},{"line_number":132,"context_line":"  options so that Manila will set it. 
This will help to filter the storage"},{"line_number":133,"context_line":"  back ends that support such style of encryption."},{"line_number":134,"context_line":""},{"line_number":135,"context_line":""},{"line_number":136,"context_line":"Alternatives"},{"line_number":137,"context_line":"------------"}],"source_content_type":"text/x-rst","patch_set":5,"id":"90ffebe3_0032a28e","line":134,"in_reply_to":"b261741b_87952be5","updated":"2025-05-02 10:34:10.000000000","message":"encryption key is specified during share create. It can be either share key or share server key, end user does not know. Manila will decide internally by talking with driver.\nThere will be no encryption specs in share type. I have also removed above capability since we don\u0027t need it. \n\n\u0027encryption_support\u0027 is added in driver stats which helps to filter the backends that support encryption by Manila scheduler. New filter will be introduced for this since we want to filter for encryption only when encryption keys are provided in share create request i.e. going further in request_spec of scheduler.\n\nNo change in share type is needed.","commit_id":"29e6781d844f11ce3c3a10ac1f4827d298b0c363"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"e4e25f4c144086657d43b3c432b9722cda8a5a5b","unresolved":false,"context_lines":[{"line_number":131,"context_line":"  \"driver_supports_encryption\" to True explicitly, or specify these encryption"},{"line_number":132,"context_line":"  options so that Manila will set it. 
This will help to filter the storage"},{"line_number":133,"context_line":"  back ends that support such style of encryption."},{"line_number":134,"context_line":""},{"line_number":135,"context_line":""},{"line_number":136,"context_line":"Alternatives"},{"line_number":137,"context_line":"------------"}],"source_content_type":"text/x-rst","patch_set":5,"id":"fed54a73_298950b0","line":134,"in_reply_to":"e33d55c4_ed0b8ec7","updated":"2025-04-19 05:54:59.000000000","message":"Done","commit_id":"29e6781d844f11ce3c3a10ac1f4827d298b0c363"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"c620386dd9fdad5ab379b150d5f600c77adb1ec6","unresolved":true,"context_lines":[{"line_number":131,"context_line":"  \"driver_supports_encryption\" to True explicitly, or specify these encryption"},{"line_number":132,"context_line":"  options so that Manila will set it. This will help to filter the storage"},{"line_number":133,"context_line":"  back ends that support such style of encryption."},{"line_number":134,"context_line":""},{"line_number":135,"context_line":""},{"line_number":136,"context_line":"Alternatives"},{"line_number":137,"context_line":"------------"}],"source_content_type":"text/x-rst","patch_set":5,"id":"b261741b_87952be5","line":134,"in_reply_to":"e33d55c4_ed0b8ec7","updated":"2025-05-01 03:29:15.000000000","message":"reading this spec, it looks like we\u0027ll create a bunch of common API and database changes that can be extended to the DHSS\u003dFalse case.. it\u0027s possible we won\u0027t have a DHSS\u003dFalse driver implementation right away.. but, i don\u0027t see any problematic bits so far in the common bits proposed.. \n\nThis has evolved since our discussion at the PTG where the initial version of this spec proposal said:\n\n\"there\u0027ll be per-share encryption and per-share-server encryption, where per-share encryption will override per-share-server encryption\"... 
\n\nnow i see it as:\n\n\"encryption key is specified during share creation (not share network creation), or encryption specs are included in a share type that is used with shares. When a share network is also provided, the driver can choose to implement encryption per share server.\"\n\nalso, the common capability (currently called \"driver_supports_encryption\") will default to False... meaning if NetApp chooses to not implement this with DHSS\u003dFalse, it\u0027s alright.","commit_id":"29e6781d844f11ce3c3a10ac1f4827d298b0c363"},{"author":{"_account_id":29632,"name":"Carlos Eduardo","email":"ces.eduardo98@gmail.com","username":"silvacarlos"},"change_message_id":"e66244a67e2c45f70def2adf2f569d66a69718c4","unresolved":true,"context_lines":[{"line_number":169,"context_line":"  +-----------------------+---------------+------+-----+---------+-------+"},{"line_number":170,"context_line":"  | Field                 | Type          | Null | Key | Default | Extra |"},{"line_number":171,"context_line":"  +\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d+\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d+\u003d\u003d\u003d\u003d\u003d\u003d+\u003d\u003d\u003d\u003d\u003d+\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d+\u003d\u003d\u003d\u003d\u003d\u003d\u003d+"},{"line_number":172,"context_line":"  | encryption_key_ref    | varchar(1023) | YES  |     | NULL    |       |"},{"line_number":173,"context_line":"  +-----------------------+---------------+------+-----+---------+-------+"},{"line_number":174,"context_line":"  | app_cred_id           | varchar(255)  | YES  |     | NULL    |       |"},{"line_number":175,"context_line":"  
+-----------------------+---------------+------+-----+---------+-------+"}],"source_content_type":"text/x-rst","patch_set":5,"id":"a24a57f0_3fb5a36c","line":172,"range":{"start_line":172,"start_character":27,"end_line":172,"end_character":41},"updated":"2025-04-17 15:58:54.000000000","message":"is this a UUID? if so, it should be string(36)","commit_id":"29e6781d844f11ce3c3a10ac1f4827d298b0c363"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"e4e25f4c144086657d43b3c432b9722cda8a5a5b","unresolved":false,"context_lines":[{"line_number":169,"context_line":"  +-----------------------+---------------+------+-----+---------+-------+"},{"line_number":170,"context_line":"  | Field                 | Type          | Null | Key | Default | Extra |"},{"line_number":171,"context_line":"  +\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d+\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d+\u003d\u003d\u003d\u003d\u003d\u003d+\u003d\u003d\u003d\u003d\u003d+\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d+\u003d\u003d\u003d\u003d\u003d\u003d\u003d+"},{"line_number":172,"context_line":"  | encryption_key_ref    | varchar(1023) | YES  |     | NULL    |       |"},{"line_number":173,"context_line":"  +-----------------------+---------------+------+-----+---------+-------+"},{"line_number":174,"context_line":"  | app_cred_id           | varchar(255)  | YES  |     | NULL    |       |"},{"line_number":175,"context_line":"  +-----------------------+---------------+------+-----+---------+-------+"}],"source_content_type":"text/x-rst","patch_set":5,"id":"6ee982bb_23106376","line":172,"range":{"start_line":172,"start_character":27,"end_line":172,"end_character":41},"in_reply_to":"037439c6_1edbef91","updated":"2025-04-19 05:54:59.000000000","message":"I was 
confused about it, since earlier planned to store barbican href as encrytion key ref. But yes UUID makes sense since both manila and backend hardware can talk to barbican with UUID.","commit_id":"29e6781d844f11ce3c3a10ac1f4827d298b0c363"},{"author":{"_account_id":30407,"name":"haixin","email":"haixin_haixin@qq.com","username":"haixin"},"change_message_id":"bac30530f33c7908855b2979e3a5a2adceefdf79","unresolved":true,"context_lines":[{"line_number":169,"context_line":"  +-----------------------+---------------+------+-----+---------+-------+"},{"line_number":170,"context_line":"  | Field                 | Type          | Null | Key | Default | Extra |"},{"line_number":171,"context_line":"  +\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d+\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d+\u003d\u003d\u003d\u003d\u003d\u003d+\u003d\u003d\u003d\u003d\u003d+\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d+\u003d\u003d\u003d\u003d\u003d\u003d\u003d+"},{"line_number":172,"context_line":"  | encryption_key_ref    | varchar(1023) | YES  |     | NULL    |       |"},{"line_number":173,"context_line":"  +-----------------------+---------------+------+-----+---------+-------+"},{"line_number":174,"context_line":"  | app_cred_id           | varchar(255)  | YES  |     | NULL    |       |"},{"line_number":175,"context_line":"  +-----------------------+---------------+------+-----+---------+-------+"}],"source_content_type":"text/x-rst","patch_set":5,"id":"037439c6_1edbef91","line":172,"range":{"start_line":172,"start_character":27,"end_line":172,"end_character":41},"in_reply_to":"a24a57f0_3fb5a36c","updated":"2025-04-18 07:18:35.000000000","message":"+1, it is a Barbican encryption key UUID. \nmaybe use encryption_key_id as new field.\n\n\ni think we can add same field to shares table. 
In this way, we can directly use share.encryption_key_id in the code to determine whether the data is encrypted or not, thereby quickly restricting the migration, backup or other operations.","commit_id":"29e6781d844f11ce3c3a10ac1f4827d298b0c363"},{"author":{"_account_id":29632,"name":"Carlos Eduardo","email":"ces.eduardo98@gmail.com","username":"silvacarlos"},"change_message_id":"e66244a67e2c45f70def2adf2f569d66a69718c4","unresolved":true,"context_lines":[{"line_number":171,"context_line":"  +\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d+\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d+\u003d\u003d\u003d\u003d\u003d\u003d+\u003d\u003d\u003d\u003d\u003d+\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d+\u003d\u003d\u003d\u003d\u003d\u003d\u003d+"},{"line_number":172,"context_line":"  | encryption_key_ref    | varchar(1023) | YES  |     | NULL    |       |"},{"line_number":173,"context_line":"  +-----------------------+---------------+------+-----+---------+-------+"},{"line_number":174,"context_line":"  | app_cred_id           | varchar(255)  | YES  |     | NULL    |       |"},{"line_number":175,"context_line":"  +-----------------------+---------------+------+-----+---------+-------+"},{"line_number":176,"context_line":""},{"line_number":177,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"85478d1a_89da95db","line":174,"range":{"start_line":174,"start_character":28,"end_line":174,"end_character":35},"updated":"2025-04-17 15:58:54.000000000","message":"same as above","commit_id":"29e6781d844f11ce3c3a10ac1f4827d298b0c363"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"e4e25f4c144086657d43b3c432b9722cda8a5a5b","unresolved":false,"context_lines":[{"line_number":171,"context_line":"  
+\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d+\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d+\u003d\u003d\u003d\u003d\u003d\u003d+\u003d\u003d\u003d\u003d\u003d+\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d+\u003d\u003d\u003d\u003d\u003d\u003d\u003d+"},{"line_number":172,"context_line":"  | encryption_key_ref    | varchar(1023) | YES  |     | NULL    |       |"},{"line_number":173,"context_line":"  +-----------------------+---------------+------+-----+---------+-------+"},{"line_number":174,"context_line":"  | app_cred_id           | varchar(255)  | YES  |     | NULL    |       |"},{"line_number":175,"context_line":"  +-----------------------+---------------+------+-----+---------+-------+"},{"line_number":176,"context_line":""},{"line_number":177,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"ae27d6e2_62d9fcb2","line":174,"range":{"start_line":174,"start_character":28,"end_line":174,"end_character":35},"in_reply_to":"85478d1a_89da95db","updated":"2025-04-19 05:54:59.000000000","message":"Done","commit_id":"29e6781d844f11ce3c3a10ac1f4827d298b0c363"},{"author":{"_account_id":29632,"name":"Carlos Eduardo","email":"ces.eduardo98@gmail.com","username":"silvacarlos"},"change_message_id":"e66244a67e2c45f70def2adf2f569d66a69718c4","unresolved":true,"context_lines":[{"line_number":216,"context_line":"            \"encryption_key_ref\": b7460a86-30ea-4c20-901f-6cee1e945286,"},{"line_number":217,"context_line":"        }"},{"line_number":218,"context_line":"    }"},{"line_number":219,"context_line":""},{"line_number":220,"context_line":"The ``encryption_key_ref`` should be valid Barbican secrets, otherwise the"},{"line_number":221,"context_line":"API will respond with ``404 Not 
Found``"},{"line_number":222,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"9fa51fd0_a8f5472f","line":219,"updated":"2025-04-17 15:58:54.000000000","message":"as an enhancement (that can follow this spec), I think we can also allow admins to filter share servers created using a given key ref","commit_id":"29e6781d844f11ce3c3a10ac1f4827d298b0c363"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"e4e25f4c144086657d43b3c432b9722cda8a5a5b","unresolved":false,"context_lines":[{"line_number":216,"context_line":"            \"encryption_key_ref\": b7460a86-30ea-4c20-901f-6cee1e945286,"},{"line_number":217,"context_line":"        }"},{"line_number":218,"context_line":"    }"},{"line_number":219,"context_line":""},{"line_number":220,"context_line":"The ``encryption_key_ref`` should be valid Barbican secrets, otherwise the"},{"line_number":221,"context_line":"API will respond with ``404 Not Found``"},{"line_number":222,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"85c6e321_f66b0de3","line":219,"in_reply_to":"9fa51fd0_a8f5472f","updated":"2025-04-19 05:54:59.000000000","message":"yes, we can do that.","commit_id":"29e6781d844f11ce3c3a10ac1f4827d298b0c363"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"c620386dd9fdad5ab379b150d5f600c77adb1ec6","unresolved":true,"context_lines":[{"line_number":218,"context_line":"    }"},{"line_number":219,"context_line":""},{"line_number":220,"context_line":"The ``encryption_key_ref`` should be valid Barbican secrets, otherwise the"},{"line_number":221,"context_line":"API will respond with ``404 Not Found``"},{"line_number":222,"context_line":""},{"line_number":223,"context_line":"Ideally storage driver must support either of share encryption key ref 
or"},{"line_number":224,"context_line":"share-server encryption key ref. Manila-share manager will implement logic by"}],"source_content_type":"text/x-rst","patch_set":5,"id":"6e91124b_79b343b7","line":221,"range":{"start_line":221,"start_character":22,"end_line":221,"end_character":39},"updated":"2025-05-01 03:29:15.000000000","message":"400 Bad Request\n\n\n404 is appropriate if the resource in the URL is not found.","commit_id":"29e6781d844f11ce3c3a10ac1f4827d298b0c363"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"429c726ec9fd62eed1adce357d83b70a7070a1b3","unresolved":false,"context_lines":[{"line_number":218,"context_line":"    }"},{"line_number":219,"context_line":""},{"line_number":220,"context_line":"The ``encryption_key_ref`` should be valid Barbican secrets, otherwise the"},{"line_number":221,"context_line":"API will respond with ``404 Not Found``"},{"line_number":222,"context_line":""},{"line_number":223,"context_line":"Ideally storage driver must support either of share encryption key ref or"},{"line_number":224,"context_line":"share-server encryption key ref. 
Manila-share manager will implement logic by"}],"source_content_type":"text/x-rst","patch_set":5,"id":"6da7da6a_9283a1b3","line":221,"range":{"start_line":221,"start_character":22,"end_line":221,"end_character":39},"in_reply_to":"6e91124b_79b343b7","updated":"2025-05-02 10:34:10.000000000","message":"Done","commit_id":"29e6781d844f11ce3c3a10ac1f4827d298b0c363"},{"author":{"_account_id":30407,"name":"haixin","email":"haixin_haixin@qq.com","username":"haixin"},"change_message_id":"bac30530f33c7908855b2979e3a5a2adceefdf79","unresolved":true,"context_lines":[{"line_number":219,"context_line":""},{"line_number":220,"context_line":"The ``encryption_key_ref`` should be valid Barbican secrets, otherwise the"},{"line_number":221,"context_line":"API will respond with ``404 Not Found``"},{"line_number":222,"context_line":""},{"line_number":223,"context_line":"Ideally storage driver must support either of share encryption key ref or"},{"line_number":224,"context_line":"share-server encryption key ref. 
Manila-share manager will implement logic by"},{"line_number":225,"context_line":"hand-shaking with driver to determine whether its share encryption key ref or"}],"source_content_type":"text/x-rst","patch_set":5,"id":"fcd8a292_b8e6d59f","line":222,"updated":"2025-04-18 07:18:35.000000000","message":"If the encryption_key_ref specified by the user is different from the existing encryption_key_ref of the share server, then the one specified by the user shall prevail.","commit_id":"29e6781d844f11ce3c3a10ac1f4827d298b0c363"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"e4e25f4c144086657d43b3c432b9722cda8a5a5b","unresolved":false,"context_lines":[{"line_number":219,"context_line":""},{"line_number":220,"context_line":"The ``encryption_key_ref`` should be valid Barbican secrets, otherwise the"},{"line_number":221,"context_line":"API will respond with ``404 Not Found``"},{"line_number":222,"context_line":""},{"line_number":223,"context_line":"Ideally storage driver must support either of share encryption key ref or"},{"line_number":224,"context_line":"share-server encryption key ref. Manila-share manager will implement logic by"},{"line_number":225,"context_line":"hand-shaking with driver to determine whether its share encryption key ref or"}],"source_content_type":"text/x-rst","patch_set":5,"id":"73181c8e_7b12e00c","line":222,"in_reply_to":"fcd8a292_b8e6d59f","updated":"2025-04-19 05:54:59.000000000","message":"This is mentioned around line 260. 
We always create new share server with new keys unless quota is hit","commit_id":"29e6781d844f11ce3c3a10ac1f4827d298b0c363"},{"author":{"_account_id":29632,"name":"Carlos Eduardo","email":"ces.eduardo98@gmail.com","username":"silvacarlos"},"change_message_id":"e66244a67e2c45f70def2adf2f569d66a69718c4","unresolved":true,"context_lines":[{"line_number":220,"context_line":"The ``encryption_key_ref`` should be valid Barbican secrets, otherwise the"},{"line_number":221,"context_line":"API will respond with ``404 Not Found``"},{"line_number":222,"context_line":""},{"line_number":223,"context_line":"Ideally storage driver must support either of share encryption key ref or"},{"line_number":224,"context_line":"share-server encryption key ref. Manila-share manager will implement logic by"},{"line_number":225,"context_line":"hand-shaking with driver to determine whether its share encryption key ref or"},{"line_number":226,"context_line":"share-server encryption key ref. In either case, Manila will ask storage"}],"source_content_type":"text/x-rst","patch_set":5,"id":"a5201b7e_517943dd","line":223,"range":{"start_line":223,"start_character":8,"end_line":223,"end_character":15},"updated":"2025-04-17 15:58:54.000000000","message":"the storage","commit_id":"29e6781d844f11ce3c3a10ac1f4827d298b0c363"},{"author":{"_account_id":29632,"name":"Carlos Eduardo","email":"ces.eduardo98@gmail.com","username":"silvacarlos"},"change_message_id":"e66244a67e2c45f70def2adf2f569d66a69718c4","unresolved":true,"context_lines":[{"line_number":220,"context_line":"The ``encryption_key_ref`` should be valid Barbican secrets, otherwise the"},{"line_number":221,"context_line":"API will respond with ``404 Not Found``"},{"line_number":222,"context_line":""},{"line_number":223,"context_line":"Ideally storage driver must support either of share encryption key ref or"},{"line_number":224,"context_line":"share-server encryption key ref. 
Manila-share manager will implement logic by"},{"line_number":225,"context_line":"hand-shaking with driver to determine whether its share encryption key ref or"},{"line_number":226,"context_line":"share-server encryption key ref. In either case, Manila will ask storage"}],"source_content_type":"text/x-rst","patch_set":5,"id":"56463e66_e7d67aef","line":223,"range":{"start_line":223,"start_character":0,"end_line":223,"end_character":73},"updated":"2025-04-17 15:58:54.000000000","message":"this whole paragraph is a bit confusing to me, added some questions","commit_id":"29e6781d844f11ce3c3a10ac1f4827d298b0c363"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"e4e25f4c144086657d43b3c432b9722cda8a5a5b","unresolved":false,"context_lines":[{"line_number":220,"context_line":"The ``encryption_key_ref`` should be valid Barbican secrets, otherwise the"},{"line_number":221,"context_line":"API will respond with ``404 Not Found``"},{"line_number":222,"context_line":""},{"line_number":223,"context_line":"Ideally storage driver must support either of share encryption key ref or"},{"line_number":224,"context_line":"share-server encryption key ref. Manila-share manager will implement logic by"},{"line_number":225,"context_line":"hand-shaking with driver to determine whether its share encryption key ref or"},{"line_number":226,"context_line":"share-server encryption key ref. 
In either case, Manila will ask storage"}],"source_content_type":"text/x-rst","patch_set":5,"id":"c492d999_8217abfb","line":223,"range":{"start_line":223,"start_character":0,"end_line":223,"end_character":73},"in_reply_to":"56463e66_e7d67aef","updated":"2025-04-19 05:54:59.000000000","message":"Acknowledged","commit_id":"29e6781d844f11ce3c3a10ac1f4827d298b0c363"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"e4e25f4c144086657d43b3c432b9722cda8a5a5b","unresolved":false,"context_lines":[{"line_number":220,"context_line":"The ``encryption_key_ref`` should be valid Barbican secrets, otherwise the"},{"line_number":221,"context_line":"API will respond with ``404 Not Found``"},{"line_number":222,"context_line":""},{"line_number":223,"context_line":"Ideally storage driver must support either of share encryption key ref or"},{"line_number":224,"context_line":"share-server encryption key ref. Manila-share manager will implement logic by"},{"line_number":225,"context_line":"hand-shaking with driver to determine whether its share encryption key ref or"},{"line_number":226,"context_line":"share-server encryption key ref. 
In either case, Manila will ask storage"}],"source_content_type":"text/x-rst","patch_set":5,"id":"f0436c8c_b32c1434","line":223,"range":{"start_line":223,"start_character":8,"end_line":223,"end_character":15},"in_reply_to":"a5201b7e_517943dd","updated":"2025-04-19 05:54:59.000000000","message":"Done","commit_id":"29e6781d844f11ce3c3a10ac1f4827d298b0c363"},{"author":{"_account_id":29632,"name":"Carlos Eduardo","email":"ces.eduardo98@gmail.com","username":"silvacarlos"},"change_message_id":"e66244a67e2c45f70def2adf2f569d66a69718c4","unresolved":true,"context_lines":[{"line_number":220,"context_line":"The ``encryption_key_ref`` should be valid Barbican secrets, otherwise the"},{"line_number":221,"context_line":"API will respond with ``404 Not Found``"},{"line_number":222,"context_line":""},{"line_number":223,"context_line":"Ideally storage driver must support either of share encryption key ref or"},{"line_number":224,"context_line":"share-server encryption key ref. Manila-share manager will implement logic by"},{"line_number":225,"context_line":"hand-shaking with driver to determine whether its share encryption key ref or"},{"line_number":226,"context_line":"share-server encryption key ref. In either case, Manila will ask storage"},{"line_number":227,"context_line":"driver to do encryption using encryption key ref. If encryption key ref is"}],"source_content_type":"text/x-rst","patch_set":5,"id":"61a2f13b_2f6224a6","line":224,"range":{"start_line":223,"start_character":0,"end_line":224,"end_character":32},"updated":"2025-04-17 15:58:54.000000000","message":"can this still apply for share server encryption?\n\nI am looking at  https://etherpad.opendev.org/p/share-encryption-with-barbican-secret-ref:\n\n```\n*Another proposal to keep encryption key ref user agnostic:*\n   1. 
User provide single option --encryption-key-ref during share create.\n   It can be share encryption key ref or share server encryption key ref.\n   This will be validated by communicated with Barbican\n\n```\n\nwhat would be the difference between share encryption key ref or share server encryption key ref? I thought we would only have share server encryption key from now on.\n\nnow quoting @manicsaran@gmail.com at the PTG:\n\n```\nNetapp will handle user defined encryption keys only at vserver level,\nand not at volume level.\n```\n\nConsidering that, we should not have share encryption key ref, right?","commit_id":"29e6781d844f11ce3c3a10ac1f4827d298b0c363"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"e4e25f4c144086657d43b3c432b9722cda8a5a5b","unresolved":false,"context_lines":[{"line_number":220,"context_line":"The ``encryption_key_ref`` should be valid Barbican secrets, otherwise the"},{"line_number":221,"context_line":"API will respond with ``404 Not Found``"},{"line_number":222,"context_line":""},{"line_number":223,"context_line":"Ideally storage driver must support either of share encryption key ref or"},{"line_number":224,"context_line":"share-server encryption key ref. Manila-share manager will implement logic by"},{"line_number":225,"context_line":"hand-shaking with driver to determine whether its share encryption key ref or"},{"line_number":226,"context_line":"share-server encryption key ref. In either case, Manila will ask storage"},{"line_number":227,"context_line":"driver to do encryption using encryption key ref. If encryption key ref is"}],"source_content_type":"text/x-rst","patch_set":5,"id":"19bec051_d6f674d1","line":224,"range":{"start_line":223,"start_character":0,"end_line":224,"end_character":32},"in_reply_to":"61a2f13b_2f6224a6","updated":"2025-04-19 05:54:59.000000000","message":"Yes, share encryption key is not targeted by this spec. 
Just to mention single option to share create API, I thought to give some reference of share encryption key. But I remove all references as this will be future work whenever supported.","commit_id":"29e6781d844f11ce3c3a10ac1f4827d298b0c363"},{"author":{"_account_id":29632,"name":"Carlos Eduardo","email":"ces.eduardo98@gmail.com","username":"silvacarlos"},"change_message_id":"e66244a67e2c45f70def2adf2f569d66a69718c4","unresolved":true,"context_lines":[{"line_number":223,"context_line":"Ideally storage driver must support either of share encryption key ref or"},{"line_number":224,"context_line":"share-server encryption key ref. Manila-share manager will implement logic by"},{"line_number":225,"context_line":"hand-shaking with driver to determine whether its share encryption key ref or"},{"line_number":226,"context_line":"share-server encryption key ref. In either case, Manila will ask storage"},{"line_number":227,"context_line":"driver to do encryption using encryption key ref. If encryption key ref is"},{"line_number":228,"context_line":"provided in API call is for share-server then its stored with share-server"},{"line_number":229,"context_line":"else stored with share instance."}],"source_content_type":"text/x-rst","patch_set":5,"id":"38f6e0f8_4d5ac9ab","line":226,"range":{"start_line":226,"start_character":65,"end_line":226,"end_character":72},"updated":"2025-04-17 15:58:54.000000000","message":"the storage","commit_id":"29e6781d844f11ce3c3a10ac1f4827d298b0c363"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"e4e25f4c144086657d43b3c432b9722cda8a5a5b","unresolved":false,"context_lines":[{"line_number":223,"context_line":"Ideally storage driver must support either of share encryption key ref or"},{"line_number":224,"context_line":"share-server encryption key ref. 
Manila-share manager will implement logic by"},{"line_number":225,"context_line":"hand-shaking with driver to determine whether its share encryption key ref or"},{"line_number":226,"context_line":"share-server encryption key ref. In either case, Manila will ask storage"},{"line_number":227,"context_line":"driver to do encryption using encryption key ref. If encryption key ref is"},{"line_number":228,"context_line":"provided in API call is for share-server then its stored with share-server"},{"line_number":229,"context_line":"else stored with share instance."}],"source_content_type":"text/x-rst","patch_set":5,"id":"860a4965_231d0659","line":226,"range":{"start_line":226,"start_character":65,"end_line":226,"end_character":72},"in_reply_to":"38f6e0f8_4d5ac9ab","updated":"2025-04-19 05:54:59.000000000","message":"Done","commit_id":"29e6781d844f11ce3c3a10ac1f4827d298b0c363"},{"author":{"_account_id":29632,"name":"Carlos Eduardo","email":"ces.eduardo98@gmail.com","username":"silvacarlos"},"change_message_id":"e66244a67e2c45f70def2adf2f569d66a69718c4","unresolved":true,"context_lines":[{"line_number":224,"context_line":"share-server encryption key ref. Manila-share manager will implement logic by"},{"line_number":225,"context_line":"hand-shaking with driver to determine whether its share encryption key ref or"},{"line_number":226,"context_line":"share-server encryption key ref. In either case, Manila will ask storage"},{"line_number":227,"context_line":"driver to do encryption using encryption key ref. If encryption key ref is"},{"line_number":228,"context_line":"provided in API call is for share-server then its stored with share-server"},{"line_number":229,"context_line":"else stored with share instance."},{"line_number":230,"context_line":""},{"line_number":231,"context_line":"For spec implementation, we will consider NetApp ONTAP driver. 
It needs an"},{"line_number":232,"context_line":"optional extra-spec in share-type called \u0027netapp_flexvol_encryption\u0027 set to"}],"source_content_type":"text/x-rst","patch_set":5,"id":"98e90872_5eb0f4ac","line":229,"range":{"start_line":227,"start_character":50,"end_line":229,"end_character":32},"updated":"2025-04-17 15:58:54.000000000","message":"sorry, I don\u0027t understand this piece. We are currently targeting encryption for share servers, correct? This means that the only moment we can get the encryption key coming from the user is during the share creation, and that will be set in the share server. The spec (or the approach) doesn\u0027t mention in any place the encryption key being stored in the share instance other than this place. The answer to the question above will likely answer this too","commit_id":"29e6781d844f11ce3c3a10ac1f4827d298b0c363"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"e4e25f4c144086657d43b3c432b9722cda8a5a5b","unresolved":false,"context_lines":[{"line_number":224,"context_line":"share-server encryption key ref. Manila-share manager will implement logic by"},{"line_number":225,"context_line":"hand-shaking with driver to determine whether its share encryption key ref or"},{"line_number":226,"context_line":"share-server encryption key ref. In either case, Manila will ask storage"},{"line_number":227,"context_line":"driver to do encryption using encryption key ref. If encryption key ref is"},{"line_number":228,"context_line":"provided in API call is for share-server then its stored with share-server"},{"line_number":229,"context_line":"else stored with share instance."},{"line_number":230,"context_line":""},{"line_number":231,"context_line":"For spec implementation, we will consider NetApp ONTAP driver. 
It needs an"},{"line_number":232,"context_line":"optional extra-spec in share-type called \u0027netapp_flexvol_encryption\u0027 set to"}],"source_content_type":"text/x-rst","patch_set":5,"id":"115e0108_e1de7d42","line":229,"range":{"start_line":227,"start_character":50,"end_line":229,"end_character":32},"in_reply_to":"98e90872_5eb0f4ac","updated":"2025-04-19 05:54:59.000000000","message":"The share instance mentioning removed.","commit_id":"29e6781d844f11ce3c3a10ac1f4827d298b0c363"},{"author":{"_account_id":29632,"name":"Carlos Eduardo","email":"ces.eduardo98@gmail.com","username":"silvacarlos"},"change_message_id":"e66244a67e2c45f70def2adf2f569d66a69718c4","unresolved":true,"context_lines":[{"line_number":236,"context_line":"e.g. share-type A (netapp_flexvol_encryption \u003d True)"},{"line_number":237,"context_line":"e.g. share-type B (netapp_flexvol_encryption \u003d False)"},{"line_number":238,"context_line":""},{"line_number":239,"context_line":"1. Create share with enc key ref with share-type A:"},{"line_number":240,"context_line":"   Here, share and share-server both are encrypted with provided enc key ref."},{"line_number":241,"context_line":""},{"line_number":242,"context_line":"2. Create share with enc key ref with share-type B:"}],"source_content_type":"text/x-rst","patch_set":5,"id":"12232c6a_9b695d59","line":239,"range":{"start_line":239,"start_character":21,"end_line":239,"end_character":24},"updated":"2025-04-17 15:58:54.000000000","message":"encryption","commit_id":"29e6781d844f11ce3c3a10ac1f4827d298b0c363"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"e4e25f4c144086657d43b3c432b9722cda8a5a5b","unresolved":false,"context_lines":[{"line_number":236,"context_line":"e.g. share-type A (netapp_flexvol_encryption \u003d True)"},{"line_number":237,"context_line":"e.g. 
share-type B (netapp_flexvol_encryption \u003d False)"},{"line_number":238,"context_line":""},{"line_number":239,"context_line":"1. Create share with enc key ref with share-type A:"},{"line_number":240,"context_line":"   Here, share and share-server both are encrypted with provided enc key ref."},{"line_number":241,"context_line":""},{"line_number":242,"context_line":"2. Create share with enc key ref with share-type B:"}],"source_content_type":"text/x-rst","patch_set":5,"id":"9b7403dc_abcffb27","line":239,"range":{"start_line":239,"start_character":21,"end_line":239,"end_character":24},"in_reply_to":"12232c6a_9b695d59","updated":"2025-04-19 05:54:59.000000000","message":"Done","commit_id":"29e6781d844f11ce3c3a10ac1f4827d298b0c363"},{"author":{"_account_id":29632,"name":"Carlos Eduardo","email":"ces.eduardo98@gmail.com","username":"silvacarlos"},"change_message_id":"e66244a67e2c45f70def2adf2f569d66a69718c4","unresolved":true,"context_lines":[{"line_number":239,"context_line":"1. Create share with enc key ref with share-type A:"},{"line_number":240,"context_line":"   Here, share and share-server both are encrypted with provided enc key ref."},{"line_number":241,"context_line":""},{"line_number":242,"context_line":"2. Create share with enc key ref with share-type B:"},{"line_number":243,"context_line":"   Here, share in unencrypted, but share-server is encrypted with given enc key"},{"line_number":244,"context_line":"   ref. In future, we can have another share under this encrypted share-server"},{"line_number":245,"context_line":"   which can be either encrypted with share-server enc key ref. This means,"}],"source_content_type":"text/x-rst","patch_set":5,"id":"d3a2df31_b0e74d1d","line":242,"range":{"start_line":242,"start_character":0,"end_line":242,"end_character":51},"updated":"2025-04-17 15:58:54.000000000","message":"I think this partially answers my questions above, but I think we should focus on the share server scenario. 
We should not be mentioning that this is going to be saved under the share instance. Maybe when the time comes, then it would be more appropriate to make that association.","commit_id":"29e6781d844f11ce3c3a10ac1f4827d298b0c363"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"e4e25f4c144086657d43b3c432b9722cda8a5a5b","unresolved":false,"context_lines":[{"line_number":239,"context_line":"1. Create share with enc key ref with share-type A:"},{"line_number":240,"context_line":"   Here, share and share-server both are encrypted with provided enc key ref."},{"line_number":241,"context_line":""},{"line_number":242,"context_line":"2. Create share with enc key ref with share-type B:"},{"line_number":243,"context_line":"   Here, share in unencrypted, but share-server is encrypted with given enc key"},{"line_number":244,"context_line":"   ref. In future, we can have another share under this encrypted share-server"},{"line_number":245,"context_line":"   which can be either encrypted with share-server enc key ref. 
This means,"}],"source_content_type":"text/x-rst","patch_set":5,"id":"27bddb5c_ba8bc7cd","line":242,"range":{"start_line":242,"start_character":0,"end_line":242,"end_character":51},"in_reply_to":"d3a2df31_b0e74d1d","updated":"2025-04-19 05:54:59.000000000","message":"Acknowledged","commit_id":"29e6781d844f11ce3c3a10ac1f4827d298b0c363"},{"author":{"_account_id":30407,"name":"haixin","email":"haixin_haixin@qq.com","username":"haixin"},"change_message_id":"bac30530f33c7908855b2979e3a5a2adceefdf79","unresolved":true,"context_lines":[{"line_number":310,"context_line":""},{"line_number":311,"context_line":"* Notify Manila-share Manager whether driver supports share encryption"},{"line_number":312,"context_line":"  key ref or share-server encryption key ref."},{"line_number":313,"context_line":""},{"line_number":314,"context_line":"* Return valid list of share-servers to Manila-share Manager based on"},{"line_number":315,"context_line":"  requested parameters. This is supported today, however needs to enhance"},{"line_number":316,"context_line":"  to consider share-server encryption key ref."}],"source_content_type":"text/x-rst","patch_set":5,"id":"277c75e0_5dd48f68","line":313,"updated":"2025-04-18 07:18:35.000000000","message":"in manila share scheduler, class HostState also need add share_encryption_support.\nsuch as:\n\n    self.share_encryption_support \u003d False","commit_id":"29e6781d844f11ce3c3a10ac1f4827d298b0c363"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"e4e25f4c144086657d43b3c432b9722cda8a5a5b","unresolved":false,"context_lines":[{"line_number":310,"context_line":""},{"line_number":311,"context_line":"* Notify Manila-share Manager whether driver supports share encryption"},{"line_number":312,"context_line":"  key ref or share-server encryption key ref."},{"line_number":313,"context_line":""},{"line_number":314,"context_line":"* Return valid list of 
share-servers to Manila-share Manager based on"},{"line_number":315,"context_line":"  requested parameters. This is supported today, however needs to enhance"},{"line_number":316,"context_line":"  to consider share-server encryption key ref."}],"source_content_type":"text/x-rst","patch_set":5,"id":"1db8325c_aa41ffb9","line":313,"in_reply_to":"277c75e0_5dd48f68","updated":"2025-04-19 05:54:59.000000000","message":"Done","commit_id":"29e6781d844f11ce3c3a10ac1f4827d298b0c363"},{"author":{"_account_id":30407,"name":"haixin","email":"haixin_haixin@qq.com","username":"haixin"},"change_message_id":"bac30530f33c7908855b2979e3a5a2adceefdf79","unresolved":true,"context_lines":[{"line_number":333,"context_line":"Other end user impact"},{"line_number":334,"context_line":"---------------------"},{"line_number":335,"context_line":""},{"line_number":336,"context_line":"None"},{"line_number":337,"context_line":""},{"line_number":338,"context_line":"Performance Impact"},{"line_number":339,"context_line":"------------------"}],"source_content_type":"text/x-rst","patch_set":5,"id":"05e3d389_24c6a2ea","line":336,"range":{"start_line":336,"start_character":0,"end_line":336,"end_character":4},"updated":"2025-04-18 07:18:35.000000000","message":"Users may need to get the encryption key UUID from Barbican if they want to specify an encryption key ref.","commit_id":"29e6781d844f11ce3c3a10ac1f4827d298b0c363"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"e4e25f4c144086657d43b3c432b9722cda8a5a5b","unresolved":false,"context_lines":[{"line_number":333,"context_line":"Other end user impact"},{"line_number":334,"context_line":"---------------------"},{"line_number":335,"context_line":""},{"line_number":336,"context_line":"None"},{"line_number":337,"context_line":""},{"line_number":338,"context_line":"Performance 
Impact"},{"line_number":339,"context_line":"------------------"}],"source_content_type":"text/x-rst","patch_set":5,"id":"e4387e45_f63557c3","line":336,"range":{"start_line":336,"start_character":0,"end_line":336,"end_character":4},"in_reply_to":"05e3d389_24c6a2ea","updated":"2025-04-19 05:54:59.000000000","message":"Done","commit_id":"29e6781d844f11ce3c3a10ac1f4827d298b0c363"},{"author":{"_account_id":30407,"name":"haixin","email":"haixin_haixin@qq.com","username":"haixin"},"change_message_id":"bac30530f33c7908855b2979e3a5a2adceefdf79","unresolved":true,"context_lines":[{"line_number":367,"context_line":"* Implement \u0027bring you own key\u0027 in share create APIs."},{"line_number":368,"context_line":"* Update share-create command in python-manilaclient."},{"line_number":369,"context_line":"* Implement tempest support."},{"line_number":370,"context_line":""},{"line_number":371,"context_line":"Future Work Items"},{"line_number":372,"context_line":"-----------------"},{"line_number":373,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"6bf9c1a2_d9fcd16f","line":370,"updated":"2025-04-18 07:18:35.000000000","message":"* Document how to create a share with encryption","commit_id":"29e6781d844f11ce3c3a10ac1f4827d298b0c363"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"e4e25f4c144086657d43b3c432b9722cda8a5a5b","unresolved":false,"context_lines":[{"line_number":367,"context_line":"* Implement \u0027bring you own key\u0027 in share create APIs."},{"line_number":368,"context_line":"* Update share-create command in python-manilaclient."},{"line_number":369,"context_line":"* Implement tempest support."},{"line_number":370,"context_line":""},{"line_number":371,"context_line":"Future Work 
Items"},{"line_number":372,"context_line":"-----------------"},{"line_number":373,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"696107b6_1ae58680","line":370,"in_reply_to":"6bf9c1a2_d9fcd16f","updated":"2025-04-19 05:54:59.000000000","message":"Done","commit_id":"29e6781d844f11ce3c3a10ac1f4827d298b0c363"},{"author":{"_account_id":18816,"name":"Maurice Escher","display_name":"carthaca","email":"maurice.escher@sap.com","username":"mapocace"},"change_message_id":"8a91cf21b752df9d2e4757fa66b651d41aaaf7f0","unresolved":true,"context_lines":[{"line_number":126,"context_line":"  via the back end driver. The fetched key data will be used to encrypt"},{"line_number":127,"context_line":"  the share data."},{"line_number":128,"context_line":""},{"line_number":129,"context_line":"* A generic encryption capability called \"share_encncryption_support\" will be"},{"line_number":130,"context_line":"  introduced, defaulting to False. Admins then would have to either set"},{"line_number":131,"context_line":"  \"share_encncryption_support\" to True explicitly, or specify these encryption"},{"line_number":132,"context_line":"  options so that Manila will set it. This will help to filter the storage"}],"source_content_type":"text/x-rst","patch_set":6,"id":"8f569aee_1ec2d145","line":129,"range":{"start_line":129,"start_character":42,"end_line":129,"end_character":68},"updated":"2025-04-22 07:53:14.000000000","message":"nit: typo share_encryption_support","commit_id":"74f33a6158373c31d69d3b514e861934917b4830"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"e3370ac3a9a9e2eda2d7b5c949d484bd9966b6a9","unresolved":false,"context_lines":[{"line_number":126,"context_line":"  via the back end driver. 
The fetched key data will be used to encrypt"},{"line_number":127,"context_line":"  the share data."},{"line_number":128,"context_line":""},{"line_number":129,"context_line":"* A generic encryption capability called \"share_encncryption_support\" will be"},{"line_number":130,"context_line":"  introduced, defaulting to False. Admins then would have to either set"},{"line_number":131,"context_line":"  \"share_encncryption_support\" to True explicitly, or specify these encryption"},{"line_number":132,"context_line":"  options so that Manila will set it. This will help to filter the storage"}],"source_content_type":"text/x-rst","patch_set":6,"id":"e390de16_72fbf19c","line":129,"range":{"start_line":129,"start_character":42,"end_line":129,"end_character":68},"in_reply_to":"8f569aee_1ec2d145","updated":"2025-04-24 12:26:34.000000000","message":"renamed to encryption_support. We need to introduce attribute to driver Class which can be share_encryption_support or share_server_encryption_support. So kept this caps to encryption_support.","commit_id":"74f33a6158373c31d69d3b514e861934917b4830"},{"author":{"_account_id":18816,"name":"Maurice Escher","display_name":"carthaca","email":"maurice.escher@sap.com","username":"mapocace"},"change_message_id":"8a91cf21b752df9d2e4757fa66b651d41aaaf7f0","unresolved":true,"context_lines":[{"line_number":128,"context_line":""},{"line_number":129,"context_line":"* A generic encryption capability called \"share_encncryption_support\" will be"},{"line_number":130,"context_line":"  introduced, defaulting to False. Admins then would have to either set"},{"line_number":131,"context_line":"  \"share_encncryption_support\" to True explicitly, or specify these encryption"},{"line_number":132,"context_line":"  options so that Manila will set it. This will help to filter the storage"},{"line_number":133,"context_line":"  back ends that support such style of encryption. 
This specification targets"},{"line_number":134,"context_line":"  only DHSS\u003dTrue scenarios and that the keys will be configured to share"}],"source_content_type":"text/x-rst","patch_set":6,"id":"a5e99f1a_980ee77d","line":131,"range":{"start_line":131,"start_character":3,"end_line":131,"end_character":29},"updated":"2025-04-22 07:53:14.000000000","message":"nit: typo share_encryption_support","commit_id":"74f33a6158373c31d69d3b514e861934917b4830"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"e3370ac3a9a9e2eda2d7b5c949d484bd9966b6a9","unresolved":false,"context_lines":[{"line_number":128,"context_line":""},{"line_number":129,"context_line":"* A generic encryption capability called \"share_encncryption_support\" will be"},{"line_number":130,"context_line":"  introduced, defaulting to False. Admins then would have to either set"},{"line_number":131,"context_line":"  \"share_encncryption_support\" to True explicitly, or specify these encryption"},{"line_number":132,"context_line":"  options so that Manila will set it. This will help to filter the storage"},{"line_number":133,"context_line":"  back ends that support such style of encryption. 
This specification targets"},{"line_number":134,"context_line":"  only DHSS\u003dTrue scenarios and that the keys will be configured to share"}],"source_content_type":"text/x-rst","patch_set":6,"id":"3bc15190_b24d2a02","line":131,"range":{"start_line":131,"start_character":3,"end_line":131,"end_character":29},"in_reply_to":"a5e99f1a_980ee77d","updated":"2025-04-24 12:26:34.000000000","message":"Done","commit_id":"74f33a6158373c31d69d3b514e861934917b4830"},{"author":{"_account_id":36179,"name":"Saikumar Pulluri","display_name":"Saikumar Pulluri","email":"saikumar1016@gmail.com","username":"pulluri"},"change_message_id":"c40c2b07fcf2e61c0b5430f7120528d7752b90d4","unresolved":true,"context_lines":[{"line_number":239,"context_line":"e.g. share-type B (netapp_flexvol_encryption \u003d False)"},{"line_number":240,"context_line":""},{"line_number":241,"context_line":"1. Create share with encryption key ref with share-type A:"},{"line_number":242,"context_line":"   Here, share and share server both are encrypted with provided encryption"},{"line_number":243,"context_line":"   key ref."},{"line_number":244,"context_line":""},{"line_number":245,"context_line":"2. Create share with encryption key ref with share-type B:"}],"source_content_type":"text/x-rst","patch_set":6,"id":"ff2c50d8_503b44d9","line":242,"updated":"2025-04-22 05:30:48.000000000","message":"NetApp driver encrypts(configured barbican key-store) share server only and we enable encryption on the share created.","commit_id":"74f33a6158373c31d69d3b514e861934917b4830"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"e3370ac3a9a9e2eda2d7b5c949d484bd9966b6a9","unresolved":false,"context_lines":[{"line_number":239,"context_line":"e.g. share-type B (netapp_flexvol_encryption \u003d False)"},{"line_number":240,"context_line":""},{"line_number":241,"context_line":"1. 
Create share with encryption key ref with share-type A:"},{"line_number":242,"context_line":"   Here, share and share server both are encrypted with provided encryption"},{"line_number":243,"context_line":"   key ref."},{"line_number":244,"context_line":""},{"line_number":245,"context_line":"2. Create share with encryption key ref with share-type B:"}],"source_content_type":"text/x-rst","patch_set":6,"id":"c457439b_7e38bf44","line":242,"in_reply_to":"ff2c50d8_503b44d9","updated":"2025-04-24 12:26:34.000000000","message":"Done","commit_id":"74f33a6158373c31d69d3b514e861934917b4830"},{"author":{"_account_id":18816,"name":"Maurice Escher","display_name":"carthaca","email":"maurice.escher@sap.com","username":"mapocace"},"change_message_id":"8a91cf21b752df9d2e4757fa66b651d41aaaf7f0","unresolved":true,"context_lines":[{"line_number":243,"context_line":"   key ref."},{"line_number":244,"context_line":""},{"line_number":245,"context_line":"2. Create share with encryption key ref with share-type B:"},{"line_number":246,"context_line":"   Here, share in unencrypted, but share server is encrypted with given"},{"line_number":247,"context_line":"   encryption key ref. In future, we can have another share under this"},{"line_number":248,"context_line":"   encrypted share server which can be either encrypted with share server"},{"line_number":249,"context_line":"   encryption key ref. 
This means, share server hosts both encrypted and"}],"source_content_type":"text/x-rst","patch_set":6,"id":"88248dac_07a47ce3","line":246,"range":{"start_line":246,"start_character":15,"end_line":246,"end_character":17},"updated":"2025-04-22 07:53:14.000000000","message":"nit: typo `is`","commit_id":"74f33a6158373c31d69d3b514e861934917b4830"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"e3370ac3a9a9e2eda2d7b5c949d484bd9966b6a9","unresolved":false,"context_lines":[{"line_number":243,"context_line":"   key ref."},{"line_number":244,"context_line":""},{"line_number":245,"context_line":"2. Create share with encryption key ref with share-type B:"},{"line_number":246,"context_line":"   Here, share in unencrypted, but share server is encrypted with given"},{"line_number":247,"context_line":"   encryption key ref. In future, we can have another share under this"},{"line_number":248,"context_line":"   encrypted share server which can be either encrypted with share server"},{"line_number":249,"context_line":"   encryption key ref. This means, share server hosts both encrypted and"}],"source_content_type":"text/x-rst","patch_set":6,"id":"775a500c_e420b824","line":246,"range":{"start_line":246,"start_character":15,"end_line":246,"end_character":17},"in_reply_to":"88248dac_07a47ce3","updated":"2025-04-24 12:26:34.000000000","message":"Done","commit_id":"74f33a6158373c31d69d3b514e861934917b4830"},{"author":{"_account_id":36179,"name":"Saikumar Pulluri","display_name":"Saikumar Pulluri","email":"saikumar1016@gmail.com","username":"pulluri"},"change_message_id":"c40c2b07fcf2e61c0b5430f7120528d7752b90d4","unresolved":true,"context_lines":[{"line_number":250,"context_line":"   unencrypted shares."},{"line_number":251,"context_line":""},{"line_number":252,"context_line":"3. 
Create share without encryption key ref with share-type A:"},{"line_number":253,"context_line":"   Here, share and share server is encrypted with default encryption key ref."},{"line_number":254,"context_line":"   (This is supported today)"},{"line_number":255,"context_line":""},{"line_number":256,"context_line":"4. Create share without encryption key ref with share-type B:"}],"source_content_type":"text/x-rst","patch_set":6,"id":"cfad26e5_d072f925","line":253,"updated":"2025-04-22 05:30:48.000000000","message":"Just giving the INFO:\nToday, if a share server is not encrypted (not configured with any key-store), we check whether the admin vserver (an ONTAP concept) has a key-store (onboard key-manager) configured; if it is configured, we will enable encryption for the share created. If there is no key-store for either the data vserver (share server) or the admin vserver, we don\u0027t allow enabling share encryption on a share.","commit_id":"74f33a6158373c31d69d3b514e861934917b4830"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"e3370ac3a9a9e2eda2d7b5c949d484bd9966b6a9","unresolved":false,"context_lines":[{"line_number":250,"context_line":"   unencrypted shares."},{"line_number":251,"context_line":""},{"line_number":252,"context_line":"3. Create share without encryption key ref with share-type A:"},{"line_number":253,"context_line":"   Here, share and share server is encrypted with default encryption key ref."},{"line_number":254,"context_line":"   (This is supported today)"},{"line_number":255,"context_line":""},{"line_number":256,"context_line":"4. 
Create share without encryption key ref with share-type B:"}],"source_content_type":"text/x-rst","patch_set":6,"id":"5d2931f2_116ac99c","line":253,"in_reply_to":"cfad26e5_d072f925","updated":"2025-04-24 12:26:34.000000000","message":"Acknowledged","commit_id":"74f33a6158373c31d69d3b514e861934917b4830"},{"author":{"_account_id":18816,"name":"Maurice Escher","display_name":"carthaca","email":"maurice.escher@sap.com","username":"mapocace"},"change_message_id":"8a91cf21b752df9d2e4757fa66b651d41aaaf7f0","unresolved":true,"context_lines":[{"line_number":254,"context_line":"   (This is supported today)"},{"line_number":255,"context_line":""},{"line_number":256,"context_line":"4. Create share without encryption key ref with share-type B:"},{"line_number":257,"context_line":"   Here, share in unencrypted."},{"line_number":258,"context_line":""},{"line_number":259,"context_line":"In short, whenever encryption key ref is provided, new encrypted share server"},{"line_number":260,"context_line":"will be created unless same key is used previously (i.e. share server exist)."}],"source_content_type":"text/x-rst","patch_set":6,"id":"5015faf5_980a266e","line":257,"range":{"start_line":257,"start_character":15,"end_line":257,"end_character":17},"updated":"2025-04-22 07:53:14.000000000","message":"nit: typo `is`","commit_id":"74f33a6158373c31d69d3b514e861934917b4830"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"e3370ac3a9a9e2eda2d7b5c949d484bd9966b6a9","unresolved":false,"context_lines":[{"line_number":254,"context_line":"   (This is supported today)"},{"line_number":255,"context_line":""},{"line_number":256,"context_line":"4. 
Create share without encryption key ref with share-type B:"},{"line_number":257,"context_line":"   Here, share in unencrypted."},{"line_number":258,"context_line":""},{"line_number":259,"context_line":"In short, whenever encryption key ref is provided, new encrypted share server"},{"line_number":260,"context_line":"will be created unless same key is used previously (i.e. share server exist)."}],"source_content_type":"text/x-rst","patch_set":6,"id":"f3cd44e9_fa4048c2","line":257,"range":{"start_line":257,"start_character":15,"end_line":257,"end_character":17},"in_reply_to":"5015faf5_980a266e","updated":"2025-04-24 12:26:34.000000000","message":"Done","commit_id":"74f33a6158373c31d69d3b514e861934917b4830"},{"author":{"_account_id":18816,"name":"Maurice Escher","display_name":"carthaca","email":"maurice.escher@sap.com","username":"mapocace"},"change_message_id":"8a91cf21b752df9d2e4757fa66b651d41aaaf7f0","unresolved":true,"context_lines":[{"line_number":261,"context_line":"To restrict share server creation with different encryption keys new quota"},{"line_number":262,"context_line":"called \u0027encryption_keys_per_share_network\u0027 will be introduced. 
Once quota"},{"line_number":263,"context_line":"limit is reached, instead of creating new share server (and share), the share"},{"line_number":264,"context_line":"create API will keep share in error state and user message of quota error will"},{"line_number":265,"context_line":"be generated."},{"line_number":266,"context_line":""},{"line_number":267,"context_line":"Response(202 Accepted)::"},{"line_number":268,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"5f93009b_f4aee94c","line":265,"range":{"start_line":264,"start_character":16,"end_line":265,"end_character":12},"updated":"2025-04-22 07:53:14.000000000","message":"I think, if the API layer can make this decision (and I see no reason why not) then we can directly return the quota error to the user like we do with other quotas.\nNo need to even have a share in error state and a delayed notification via user message.","commit_id":"74f33a6158373c31d69d3b514e861934917b4830"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"c620386dd9fdad5ab379b150d5f600c77adb1ec6","unresolved":true,"context_lines":[{"line_number":261,"context_line":"To restrict share server creation with different encryption keys new quota"},{"line_number":262,"context_line":"called \u0027encryption_keys_per_share_network\u0027 will be introduced. 
Once quota"},{"line_number":263,"context_line":"limit is reached, instead of creating new share server (and share), the share"},{"line_number":264,"context_line":"create API will keep share in error state and user message of quota error will"},{"line_number":265,"context_line":"be generated."},{"line_number":266,"context_line":""},{"line_number":267,"context_line":"Response(202 Accepted)::"},{"line_number":268,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"ef26cb34_c567cbbb","line":265,"range":{"start_line":264,"start_character":16,"end_line":265,"end_character":12},"in_reply_to":"05d123d3_b937c353","updated":"2025-05-01 03:29:15.000000000","message":"I am re-opening this question.. you can know this based on share type extra-specs and capabilities.. see suggestion on the latest patch","commit_id":"74f33a6158373c31d69d3b514e861934917b4830"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"d1cce5bb9e2150c756c2aa156e9be27fd22207bc","unresolved":true,"context_lines":[{"line_number":261,"context_line":"To restrict share server creation with different encryption keys new quota"},{"line_number":262,"context_line":"called \u0027encryption_keys_per_share_network\u0027 will be introduced. 
Once quota"},{"line_number":263,"context_line":"limit is reached, instead of creating new share server (and share), the share"},{"line_number":264,"context_line":"create API will keep share in error state and user message of quota error will"},{"line_number":265,"context_line":"be generated."},{"line_number":266,"context_line":""},{"line_number":267,"context_line":"Response(202 Accepted)::"},{"line_number":268,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"588e62aa_0b8f61ac","line":265,"range":{"start_line":264,"start_character":16,"end_line":265,"end_character":12},"in_reply_to":"1d2267a5_f12d3462","updated":"2025-05-27 22:47:38.000000000","message":"Yes ^\n\nDriver capabilities can have a list of values; extra-spec is expected to be an item from the list","commit_id":"74f33a6158373c31d69d3b514e861934917b4830"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"2b979f2c1c9817d5594f6c3b6a8cfbcffe8cbf00","unresolved":false,"context_lines":[{"line_number":261,"context_line":"To restrict share server creation with different encryption keys new quota"},{"line_number":262,"context_line":"called \u0027encryption_keys_per_share_network\u0027 will be introduced. 
Once quota"},{"line_number":263,"context_line":"limit is reached, instead of creating new share server (and share), the share"},{"line_number":264,"context_line":"create API will keep share in error state and user message of quota error will"},{"line_number":265,"context_line":"be generated."},{"line_number":266,"context_line":""},{"line_number":267,"context_line":"Response(202 Accepted)::"},{"line_number":268,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"a67e9112_a1bffcd6","line":265,"range":{"start_line":264,"start_character":16,"end_line":265,"end_character":12},"in_reply_to":"588e62aa_0b8f61ac","updated":"2025-05-28 10:15:38.000000000","message":"Acknowledged","commit_id":"74f33a6158373c31d69d3b514e861934917b4830"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"e3370ac3a9a9e2eda2d7b5c949d484bd9966b6a9","unresolved":false,"context_lines":[{"line_number":261,"context_line":"To restrict share server creation with different encryption keys new quota"},{"line_number":262,"context_line":"called \u0027encryption_keys_per_share_network\u0027 will be introduced. Once quota"},{"line_number":263,"context_line":"limit is reached, instead of creating new share server (and share), the share"},{"line_number":264,"context_line":"create API will keep share in error state and user message of quota error will"},{"line_number":265,"context_line":"be generated."},{"line_number":266,"context_line":""},{"line_number":267,"context_line":"Response(202 Accepted)::"},{"line_number":268,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"05d123d3_b937c353","line":265,"range":{"start_line":264,"start_character":16,"end_line":265,"end_character":12},"in_reply_to":"5f93009b_f4aee94c","updated":"2025-04-24 12:26:34.000000000","message":"quota will be considered after determining whether key is share_key or share_server_key. 
Thus it will be in share-manager instead of API.","commit_id":"74f33a6158373c31d69d3b514e861934917b4830"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"df1e9189b5cb3596b1d4bc7c3bbad1e4781cd197","unresolved":false,"context_lines":[{"line_number":261,"context_line":"To restrict share server creation with different encryption keys new quota"},{"line_number":262,"context_line":"called \u0027encryption_keys_per_share_network\u0027 will be introduced. Once quota"},{"line_number":263,"context_line":"limit is reached, instead of creating new share server (and share), the share"},{"line_number":264,"context_line":"create API will keep share in error state and user message of quota error will"},{"line_number":265,"context_line":"be generated."},{"line_number":266,"context_line":""},{"line_number":267,"context_line":"Response(202 Accepted)::"},{"line_number":268,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"ade27324_8536445d","line":265,"range":{"start_line":264,"start_character":16,"end_line":265,"end_character":12},"in_reply_to":"a2b12e3e_82ec836d","updated":"2025-05-15 15:45:53.000000000","message":"But we can have both [share, share_server] encryption support. Ideally, the quota should be checked where the share server is actually created in the db (and backend). Isn\u0027t that the most appropriate place to validate?","commit_id":"74f33a6158373c31d69d3b514e861934917b4830"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"d4655130b6e8514f1fac704ce0280f3d46774309","unresolved":false,"context_lines":[{"line_number":261,"context_line":"To restrict share server creation with different encryption keys new quota"},{"line_number":262,"context_line":"called \u0027encryption_keys_per_share_network\u0027 will be introduced. 
Once quota"},{"line_number":263,"context_line":"limit is reached, instead of creating new share server (and share), the share"},{"line_number":264,"context_line":"create API will keep share in error state and user message of quota error will"},{"line_number":265,"context_line":"be generated."},{"line_number":266,"context_line":""},{"line_number":267,"context_line":"Response(202 Accepted)::"},{"line_number":268,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"c7f3b1dc_c46427bb","line":265,"range":{"start_line":264,"start_character":16,"end_line":265,"end_character":12},"in_reply_to":"ad098bb2_248a5cd5","updated":"2025-05-09 10:43:35.000000000","message":"Done","commit_id":"74f33a6158373c31d69d3b514e861934917b4830"},{"author":{"_account_id":18816,"name":"Maurice Escher","display_name":"carthaca","email":"maurice.escher@sap.com","username":"mapocace"},"change_message_id":"68cbb0a8b99bbf656bf188a62635c42724134a2c","unresolved":false,"context_lines":[{"line_number":261,"context_line":"To restrict share server creation with different encryption keys new quota"},{"line_number":262,"context_line":"called \u0027encryption_keys_per_share_network\u0027 will be introduced. 
Once quota"},{"line_number":263,"context_line":"limit is reached, instead of creating new share server (and share), the share"},{"line_number":264,"context_line":"create API will keep share in error state and user message of quota error will"},{"line_number":265,"context_line":"be generated."},{"line_number":266,"context_line":""},{"line_number":267,"context_line":"Response(202 Accepted)::"},{"line_number":268,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"1d2267a5_f12d3462","line":265,"range":{"start_line":264,"start_character":16,"end_line":265,"end_character":12},"in_reply_to":"ade27324_8536445d","updated":"2025-05-15 15:55:14.000000000","message":"Not my understanding, the driver can report both as capability, but the extra spec must choose one of them (or none).","commit_id":"74f33a6158373c31d69d3b514e861934917b4830"},{"author":{"_account_id":18816,"name":"Maurice Escher","display_name":"carthaca","email":"maurice.escher@sap.com","username":"mapocace"},"change_message_id":"b227e037ef7de851e281fa2d811191b6c0794ff3","unresolved":false,"context_lines":[{"line_number":261,"context_line":"To restrict share server creation with different encryption keys new quota"},{"line_number":262,"context_line":"called \u0027encryption_keys_per_share_network\u0027 will be introduced. 
Once quota"},{"line_number":263,"context_line":"limit is reached, instead of creating new share server (and share), the share"},{"line_number":264,"context_line":"create API will keep share in error state and user message of quota error will"},{"line_number":265,"context_line":"be generated."},{"line_number":266,"context_line":""},{"line_number":267,"context_line":"Response(202 Accepted)::"},{"line_number":268,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"a2b12e3e_82ec836d","line":265,"range":{"start_line":264,"start_character":16,"end_line":265,"end_character":12},"in_reply_to":"c7f3b1dc_c46427bb","updated":"2025-05-15 15:31:44.000000000","message":"I\u0027m with Goutham, we know what type it is based on the `encryption_support` in the share type extra specs, it is either `share` or `share_server` and we can validate and return early.","commit_id":"74f33a6158373c31d69d3b514e861934917b4830"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"429c726ec9fd62eed1adce357d83b70a7070a1b3","unresolved":true,"context_lines":[{"line_number":261,"context_line":"To restrict share server creation with different encryption keys new quota"},{"line_number":262,"context_line":"called \u0027encryption_keys_per_share_network\u0027 will be introduced. 
Once quota"},{"line_number":263,"context_line":"limit is reached, instead of creating new share server (and share), the share"},{"line_number":264,"context_line":"create API will keep share in error state and user message of quota error will"},{"line_number":265,"context_line":"be generated."},{"line_number":266,"context_line":""},{"line_number":267,"context_line":"Response(202 Accepted)::"},{"line_number":268,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"ad098bb2_248a5cd5","line":265,"range":{"start_line":264,"start_character":16,"end_line":265,"end_character":12},"in_reply_to":"ef26cb34_c567cbbb","updated":"2025-05-02 10:34:10.000000000","message":"Let us keep the share type extra-spec out of the question. We allow share creation with a user-provided key, for which a specific share type is not needed. At runtime, the request is filtered by EncryptionFilter if request_spec contains an encryption key. Once the request lands in the manila share-manager, the driver reports whether it supports share_server_encryption, and the quota limit is checked then. I have a reference implementation (under testing with NetApp folks). Please check manila/share/manager.py to get an idea of this. 
https://review.opendev.org/c/openstack/manila/+/911089","commit_id":"74f33a6158373c31d69d3b514e861934917b4830"},{"author":{"_account_id":18816,"name":"Maurice Escher","display_name":"carthaca","email":"maurice.escher@sap.com","username":"mapocace"},"change_message_id":"8a91cf21b752df9d2e4757fa66b651d41aaaf7f0","unresolved":true,"context_lines":[{"line_number":304,"context_line":"            \"id\": \"011d21e2-fbc3-4e4a-9993-9ea223f73264\","},{"line_number":305,"context_line":"            \"size\": 1,"},{"line_number":306,"context_line":"            \"description\": \"My custom share London\","},{"line_number":307,"context_line":"            \"encrytion_key_ref\": null,"},{"line_number":308,"context_line":"        }"},{"line_number":309,"context_line":"   }"},{"line_number":310,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"0ac3cb26_6bd6ebf3","line":307,"range":{"start_line":307,"start_character":13,"end_line":307,"end_character":30},"updated":"2025-04-22 07:53:14.000000000","message":"nit: typo encryption_key_ref","commit_id":"74f33a6158373c31d69d3b514e861934917b4830"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"e3370ac3a9a9e2eda2d7b5c949d484bd9966b6a9","unresolved":false,"context_lines":[{"line_number":304,"context_line":"            \"id\": \"011d21e2-fbc3-4e4a-9993-9ea223f73264\","},{"line_number":305,"context_line":"            \"size\": 1,"},{"line_number":306,"context_line":"            \"description\": \"My custom share London\","},{"line_number":307,"context_line":"            \"encrytion_key_ref\": null,"},{"line_number":308,"context_line":"        }"},{"line_number":309,"context_line":"   
}"},{"line_number":310,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"fca9dd4a_1723f598","line":307,"range":{"start_line":307,"start_character":13,"end_line":307,"end_character":30},"in_reply_to":"0ac3cb26_6bd6ebf3","updated":"2025-04-24 12:26:34.000000000","message":"removed from response of share.","commit_id":"74f33a6158373c31d69d3b514e861934917b4830"},{"author":{"_account_id":18816,"name":"Maurice Escher","display_name":"carthaca","email":"maurice.escher@sap.com","username":"mapocace"},"change_message_id":"8a91cf21b752df9d2e4757fa66b651d41aaaf7f0","unresolved":true,"context_lines":[{"line_number":376,"context_line":"* Implement \u0027bring you own key\u0027 in share create APIs."},{"line_number":377,"context_line":"* Update share-create command in python-manilaclient."},{"line_number":378,"context_line":"* Implement tempest support."},{"line_number":379,"context_line":"* Docment about create share with encryption"},{"line_number":380,"context_line":""},{"line_number":381,"context_line":"Future Work Items"},{"line_number":382,"context_line":"-----------------"}],"source_content_type":"text/x-rst","patch_set":6,"id":"8d4c9aa0_fdb2f976","line":379,"range":{"start_line":379,"start_character":2,"end_line":379,"end_character":9},"updated":"2025-04-22 07:53:14.000000000","message":"nit: typo Document","commit_id":"74f33a6158373c31d69d3b514e861934917b4830"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"e3370ac3a9a9e2eda2d7b5c949d484bd9966b6a9","unresolved":false,"context_lines":[{"line_number":376,"context_line":"* Implement \u0027bring you own key\u0027 in share create APIs."},{"line_number":377,"context_line":"* Update share-create command in python-manilaclient."},{"line_number":378,"context_line":"* Implement tempest support."},{"line_number":379,"context_line":"* Docment about create share with 
encryption"},{"line_number":380,"context_line":""},{"line_number":381,"context_line":"Future Work Items"},{"line_number":382,"context_line":"-----------------"}],"source_content_type":"text/x-rst","patch_set":6,"id":"0d3d393a_10d27167","line":379,"range":{"start_line":379,"start_character":2,"end_line":379,"end_character":9},"in_reply_to":"8d4c9aa0_fdb2f976","updated":"2025-04-24 12:26:34.000000000","message":"Done","commit_id":"74f33a6158373c31d69d3b514e861934917b4830"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"c620386dd9fdad5ab379b150d5f600c77adb1ec6","unresolved":true,"context_lines":[{"line_number":19,"context_line":"much else regarding the encryption process. Ideally, users must be allowed to"},{"line_number":20,"context_line":"create and manage their own encryption keys. This specification proposes an"},{"line_number":21,"context_line":"approach that enables Manila to coordinate user defined encryption keys for"},{"line_number":22,"context_line":"\"back-end\" (at rest) encryption of share data. This spec proposes share"},{"line_number":23,"context_line":"encryption solution based on the share server encryption keys."},{"line_number":24,"context_line":""},{"line_number":25,"context_line":""},{"line_number":26,"context_line":"Problem description"}],"source_content_type":"text/x-rst","patch_set":7,"id":"824068a0_8c68b846","line":23,"range":{"start_line":22,"start_character":47,"end_line":23,"end_character":62},"updated":"2025-05-01 03:29:15.000000000","message":"Lets drop this line, because this needs to be unpacked.. 
lets do that below.","commit_id":"0cb3316bc029e25a86f0e569e9abffef2e1805d3"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"429c726ec9fd62eed1adce357d83b70a7070a1b3","unresolved":false,"context_lines":[{"line_number":19,"context_line":"much else regarding the encryption process. Ideally, users must be allowed to"},{"line_number":20,"context_line":"create and manage their own encryption keys. This specification proposes an"},{"line_number":21,"context_line":"approach that enables Manila to coordinate user defined encryption keys for"},{"line_number":22,"context_line":"\"back-end\" (at rest) encryption of share data. This spec proposes share"},{"line_number":23,"context_line":"encryption solution based on the share server encryption keys."},{"line_number":24,"context_line":""},{"line_number":25,"context_line":""},{"line_number":26,"context_line":"Problem description"}],"source_content_type":"text/x-rst","patch_set":7,"id":"73bffb32_627955b1","line":23,"range":{"start_line":22,"start_character":47,"end_line":23,"end_character":62},"in_reply_to":"824068a0_8c68b846","updated":"2025-05-02 10:34:10.000000000","message":"Done","commit_id":"0cb3316bc029e25a86f0e569e9abffef2e1805d3"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"c620386dd9fdad5ab379b150d5f600c77adb1ec6","unresolved":true,"context_lines":[{"line_number":73,"context_line":"encryption provides a manila level support to trigger the data encryption on"},{"line_number":74,"context_line":"backend and thus protect the data from attacker."},{"line_number":75,"context_line":""},{"line_number":76,"context_line":"Users can encrypt share using share specific encryption key or using share"},{"line_number":77,"context_line":"server specific encryption key. 
In this spec, we are targeting encryption of"},{"line_number":78,"context_line":"share performed using share server encryption keys. Such keys are stored in"},{"line_number":79,"context_line":"key-store supported by driver e.g. Barbican. The encryption key ref will be"},{"line_number":80,"context_line":"provided in share create request. After key ref is being validated by manila,"},{"line_number":81,"context_line":"it will be given to storage back end driver. The key data will be used to"}],"source_content_type":"text/x-rst","patch_set":7,"id":"81cce44a_00660886","line":78,"range":{"start_line":76,"start_character":0,"end_line":78,"end_character":51},"updated":"2025-05-01 03:29:15.000000000","message":"The conversations we\u0027ve had elsewhere would make this transparent to the end user - i.e., they cannot pick one kind deliberately, mainly because they don\u0027t control share servers today\n\nWhen users create multiple shares with a share network, there\u0027s no guarantee that all the shares are exported with the same share server.\n\nIt\u0027s an internal, but important detail and this statement makes it sound like they can make a choice.\n\nMaybe rewriting it as:\n\n\n```suggestion\nUsers can provide Manila with a reference to an encryption key. This\nencryption key can be applied by share drivers to share servers that\nthey create, or individually to a specific share. 
Such keys are stored in\n```","commit_id":"0cb3316bc029e25a86f0e569e9abffef2e1805d3"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"429c726ec9fd62eed1adce357d83b70a7070a1b3","unresolved":false,"context_lines":[{"line_number":73,"context_line":"encryption provides a manila level support to trigger the data encryption on"},{"line_number":74,"context_line":"backend and thus protect the data from attacker."},{"line_number":75,"context_line":""},{"line_number":76,"context_line":"Users can encrypt share using share specific encryption key or using share"},{"line_number":77,"context_line":"server specific encryption key. In this spec, we are targeting encryption of"},{"line_number":78,"context_line":"share performed using share server encryption keys. Such keys are stored in"},{"line_number":79,"context_line":"key-store supported by driver e.g. Barbican. The encryption key ref will be"},{"line_number":80,"context_line":"provided in share create request. After key ref is being validated by manila,"},{"line_number":81,"context_line":"it will be given to storage back end driver. The key data will be used to"}],"source_content_type":"text/x-rst","patch_set":7,"id":"fe7e4d21_41a315f7","line":78,"range":{"start_line":76,"start_character":0,"end_line":78,"end_character":51},"in_reply_to":"81cce44a_00660886","updated":"2025-05-02 10:34:10.000000000","message":"Done","commit_id":"0cb3316bc029e25a86f0e569e9abffef2e1805d3"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"c620386dd9fdad5ab379b150d5f600c77adb1ec6","unresolved":true,"context_lines":[{"line_number":76,"context_line":"Users can encrypt share using share specific encryption key or using share"},{"line_number":77,"context_line":"server specific encryption key. 
In this spec, we are targeting encryption of"},{"line_number":78,"context_line":"share performed using share server encryption keys. Such keys are stored in"},{"line_number":79,"context_line":"key-store supported by driver e.g. Barbican. The encryption key ref will be"},{"line_number":80,"context_line":"provided in share create request. After key ref is being validated by manila,"},{"line_number":81,"context_line":"it will be given to storage back end driver. The key data will be used to"},{"line_number":82,"context_line":"encrypt the share\u0027s data within the storage back end."}],"source_content_type":"text/x-rst","patch_set":7,"id":"4fe14a5b_0b92fe75","line":79,"range":{"start_line":79,"start_character":0,"end_line":79,"end_character":43},"updated":"2025-05-01 03:29:15.000000000","message":"```suggestion\nthrough the OpenStack key management service, Barbican. The encryption key ref will be\n```","commit_id":"0cb3316bc029e25a86f0e569e9abffef2e1805d3"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"429c726ec9fd62eed1adce357d83b70a7070a1b3","unresolved":false,"context_lines":[{"line_number":76,"context_line":"Users can encrypt share using share specific encryption key or using share"},{"line_number":77,"context_line":"server specific encryption key. In this spec, we are targeting encryption of"},{"line_number":78,"context_line":"share performed using share server encryption keys. Such keys are stored in"},{"line_number":79,"context_line":"key-store supported by driver e.g. Barbican. The encryption key ref will be"},{"line_number":80,"context_line":"provided in share create request. After key ref is being validated by manila,"},{"line_number":81,"context_line":"it will be given to storage back end driver. 
The key data will be used to"},{"line_number":82,"context_line":"encrypt the share\u0027s data within the storage back end."}],"source_content_type":"text/x-rst","patch_set":7,"id":"1eaf4c93_728830a5","line":79,"range":{"start_line":79,"start_character":0,"end_line":79,"end_character":43},"in_reply_to":"4fe14a5b_0b92fe75","updated":"2025-05-02 10:34:10.000000000","message":"Done","commit_id":"0cb3316bc029e25a86f0e569e9abffef2e1805d3"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"c620386dd9fdad5ab379b150d5f600c77adb1ec6","unresolved":true,"context_lines":[{"line_number":78,"context_line":"share performed using share server encryption keys. Such keys are stored in"},{"line_number":79,"context_line":"key-store supported by driver e.g. Barbican. The encryption key ref will be"},{"line_number":80,"context_line":"provided in share create request. After key ref is being validated by manila,"},{"line_number":81,"context_line":"it will be given to storage back end driver. The key data will be used to"},{"line_number":82,"context_line":"encrypt the share\u0027s data within the storage back end."},{"line_number":83,"context_line":""},{"line_number":84,"context_line":"The actual encryption of the data at-rest is performed by the back end storage"}],"source_content_type":"text/x-rst","patch_set":7,"id":"5d756789_c988c8c2","line":81,"range":{"start_line":81,"start_character":37,"end_line":81,"end_character":43},"updated":"2025-05-01 03:29:15.000000000","message":"\"alongside information on how to access the key manager.\"?","commit_id":"0cb3316bc029e25a86f0e569e9abffef2e1805d3"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"429c726ec9fd62eed1adce357d83b70a7070a1b3","unresolved":false,"context_lines":[{"line_number":78,"context_line":"share performed using share server encryption keys. 
Such keys are stored in"},{"line_number":79,"context_line":"key-store supported by driver e.g. Barbican. The encryption key ref will be"},{"line_number":80,"context_line":"provided in share create request. After key ref is being validated by manila,"},{"line_number":81,"context_line":"it will be given to storage back end driver. The key data will be used to"},{"line_number":82,"context_line":"encrypt the share\u0027s data within the storage back end."},{"line_number":83,"context_line":""},{"line_number":84,"context_line":"The actual encryption of the data at-rest is performed by the back end storage"}],"source_content_type":"text/x-rst","patch_set":7,"id":"ca1c2972_1fcdd606","line":81,"range":{"start_line":81,"start_character":37,"end_line":81,"end_character":43},"in_reply_to":"5d756789_c988c8c2","updated":"2025-05-02 10:34:10.000000000","message":"Done","commit_id":"0cb3316bc029e25a86f0e569e9abffef2e1805d3"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"c620386dd9fdad5ab379b150d5f600c77adb1ec6","unresolved":true,"context_lines":[{"line_number":83,"context_line":""},{"line_number":84,"context_line":"The actual encryption of the data at-rest is performed by the back end storage"},{"line_number":85,"context_line":"system. The scope of Manila\u0027s involvement ends with coordinating the user\u0027s"},{"line_number":86,"context_line":"secret with the Key-store. 
The driver can also decide whether the default"},{"line_number":87,"context_line":"encryption satisfies the ask to encrypt or if it needs to do something, e.g."},{"line_number":88,"context_line":"re-encrypt with a new key."},{"line_number":89,"context_line":""},{"line_number":90,"context_line":""},{"line_number":91,"context_line":"Proposed change"}],"source_content_type":"text/x-rst","patch_set":7,"id":"bbc65fcf_c76cc635","line":88,"range":{"start_line":86,"start_character":27,"end_line":88,"end_character":26},"updated":"2025-05-01 03:29:15.000000000","message":"The driver can also decide whether the default\nencryption satisfies the ask to encrypt or if it needs to do something, e.g.\nre-encrypt with a new key.","commit_id":"0cb3316bc029e25a86f0e569e9abffef2e1805d3"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"429c726ec9fd62eed1adce357d83b70a7070a1b3","unresolved":false,"context_lines":[{"line_number":83,"context_line":""},{"line_number":84,"context_line":"The actual encryption of the data at-rest is performed by the back end storage"},{"line_number":85,"context_line":"system. The scope of Manila\u0027s involvement ends with coordinating the user\u0027s"},{"line_number":86,"context_line":"secret with the Key-store. 
The driver can also decide whether the default"},{"line_number":87,"context_line":"encryption satisfies the ask to encrypt or if it needs to do something, e.g."},{"line_number":88,"context_line":"re-encrypt with a new key."},{"line_number":89,"context_line":""},{"line_number":90,"context_line":""},{"line_number":91,"context_line":"Proposed change"}],"source_content_type":"text/x-rst","patch_set":7,"id":"b9554920_5dfd130c","line":88,"range":{"start_line":86,"start_character":27,"end_line":88,"end_character":26},"in_reply_to":"bbc65fcf_c76cc635","updated":"2025-05-02 10:34:10.000000000","message":"Removed this since re-encryption is not applicable with bring your own key.","commit_id":"0cb3316bc029e25a86f0e569e9abffef2e1805d3"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"c620386dd9fdad5ab379b150d5f600c77adb1ec6","unresolved":true,"context_lines":[{"line_number":100,"context_line":""},{"line_number":101,"context_line":"  Manila api service will allow configuration of a key manager. We will"},{"line_number":102,"context_line":"  introduce an interface for the Manila API service to communicate with an"},{"line_number":103,"context_line":"  external key manager (e.g. Castellan), which internally works with a key"},{"line_number":104,"context_line":"  store (e.g. Barbican). The key manager will be configured via conf file."},{"line_number":105,"context_line":"  When encryption key ref is provided, API service will pass it to back end"},{"line_number":106,"context_line":"  driver. Encryption key ref will be a valid barbican (i.e. 
key-manager)"}],"source_content_type":"text/x-rst","patch_set":7,"id":"17dede11_bb1982f0","line":103,"range":{"start_line":103,"start_character":11,"end_line":103,"end_character":22},"updated":"2025-05-01 03:29:15.000000000","message":"```suggestion\n  external key manager interface (OpenStack Castellan), which internally works with a key\n```","commit_id":"0cb3316bc029e25a86f0e569e9abffef2e1805d3"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"429c726ec9fd62eed1adce357d83b70a7070a1b3","unresolved":false,"context_lines":[{"line_number":100,"context_line":""},{"line_number":101,"context_line":"  Manila api service will allow configuration of a key manager. We will"},{"line_number":102,"context_line":"  introduce an interface for the Manila API service to communicate with an"},{"line_number":103,"context_line":"  external key manager (e.g. Castellan), which internally works with a key"},{"line_number":104,"context_line":"  store (e.g. Barbican). The key manager will be configured via conf file."},{"line_number":105,"context_line":"  When encryption key ref is provided, API service will pass it to back end"},{"line_number":106,"context_line":"  driver. Encryption key ref will be a valid barbican (i.e. key-manager)"}],"source_content_type":"text/x-rst","patch_set":7,"id":"e57ac474_f4a3a920","line":103,"range":{"start_line":103,"start_character":11,"end_line":103,"end_character":22},"in_reply_to":"17dede11_bb1982f0","updated":"2025-05-02 10:34:10.000000000","message":"Done","commit_id":"0cb3316bc029e25a86f0e569e9abffef2e1805d3"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"c620386dd9fdad5ab379b150d5f600c77adb1ec6","unresolved":true,"context_lines":[{"line_number":101,"context_line":"  Manila api service will allow configuration of a key manager. 
We will"},{"line_number":102,"context_line":"  introduce an interface for the Manila API service to communicate with an"},{"line_number":103,"context_line":"  external key manager (e.g. Castellan), which internally works with a key"},{"line_number":104,"context_line":"  store (e.g. Barbican). The key manager will be configured via conf file."},{"line_number":105,"context_line":"  When encryption key ref is provided, API service will pass it to back end"},{"line_number":106,"context_line":"  driver. Encryption key ref will be a valid barbican (i.e. key-manager)"},{"line_number":107,"context_line":"  secret_ref. Storage back end devices would need to obtain the key"}],"source_content_type":"text/x-rst","patch_set":7,"id":"2d802792_8c9cac39","line":104,"range":{"start_line":104,"start_character":9,"end_line":104,"end_character":12},"updated":"2025-05-01 03:29:15.000000000","message":"did you mean i.e.?\n\ni\u0027d replace \"e.g.\" with \"i.e.\", or just OpenStack Barbican","commit_id":"0cb3316bc029e25a86f0e569e9abffef2e1805d3"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"429c726ec9fd62eed1adce357d83b70a7070a1b3","unresolved":false,"context_lines":[{"line_number":101,"context_line":"  Manila api service will allow configuration of a key manager. We will"},{"line_number":102,"context_line":"  introduce an interface for the Manila API service to communicate with an"},{"line_number":103,"context_line":"  external key manager (e.g. Castellan), which internally works with a key"},{"line_number":104,"context_line":"  store (e.g. Barbican). The key manager will be configured via conf file."},{"line_number":105,"context_line":"  When encryption key ref is provided, API service will pass it to back end"},{"line_number":106,"context_line":"  driver. Encryption key ref will be a valid barbican (i.e. key-manager)"},{"line_number":107,"context_line":"  secret_ref. 
Storage back end devices would need to obtain the key"}],"source_content_type":"text/x-rst","patch_set":7,"id":"3b9ad07f_1c00523b","line":104,"range":{"start_line":104,"start_character":9,"end_line":104,"end_character":12},"in_reply_to":"2d802792_8c9cac39","updated":"2025-05-02 10:34:10.000000000","message":"Done","commit_id":"0cb3316bc029e25a86f0e569e9abffef2e1805d3"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"c620386dd9fdad5ab379b150d5f600c77adb1ec6","unresolved":true,"context_lines":[{"line_number":182,"context_line":""},{"line_number":183,"context_line":".. code-block:: bash"},{"line_number":184,"context_line":""},{"line_number":185,"context_line":"    openstack share create [--encryption-key-ref \u003ckey-ref\u003e]"},{"line_number":186,"context_line":"                           \u003cshare_protocol\u003e \u003csize\u003e"},{"line_number":187,"context_line":""},{"line_number":188,"context_line":"* encryption-key-ref: Valid Barbican (i.e. key-manager) secret ref (UUID)"},{"line_number":189,"context_line":"  represents share or share server encryption key reference"}],"source_content_type":"text/x-rst","patch_set":7,"id":"cc0fe68d_17dec290","line":186,"range":{"start_line":185,"start_character":0,"end_line":186,"end_character":50},"updated":"2025-05-01 03:29:15.000000000","message":"A clarification, you\u0027re no longer implementing the \"encryption specs\" approach that the previous spec talked about, correct?","commit_id":"0cb3316bc029e25a86f0e569e9abffef2e1805d3"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"429c726ec9fd62eed1adce357d83b70a7070a1b3","unresolved":false,"context_lines":[{"line_number":182,"context_line":""},{"line_number":183,"context_line":".. 
code-block:: bash"},{"line_number":184,"context_line":""},{"line_number":185,"context_line":"    openstack share create [--encryption-key-ref \u003ckey-ref\u003e]"},{"line_number":186,"context_line":"                           \u003cshare_protocol\u003e \u003csize\u003e"},{"line_number":187,"context_line":""},{"line_number":188,"context_line":"* encryption-key-ref: Valid Barbican (i.e. key-manager) secret ref (UUID)"},{"line_number":189,"context_line":"  represents share or share server encryption key reference"}],"source_content_type":"text/x-rst","patch_set":7,"id":"0019344b_d0dd1dee","line":186,"range":{"start_line":185,"start_character":0,"end_line":186,"end_character":50},"in_reply_to":"cc0fe68d_17dec290","updated":"2025-05-02 10:34:10.000000000","message":"yes, encryption spec or share type extra-spec is not needed/implemented now.","commit_id":"0cb3316bc029e25a86f0e569e9abffef2e1805d3"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"c620386dd9fdad5ab379b150d5f600c77adb1ec6","unresolved":true,"context_lines":[{"line_number":213,"context_line":"            },"},{"line_number":214,"context_line":"            \"scheduler_hints\": {"},{"line_number":215,"context_line":"            },"},{"line_number":216,"context_line":"            \"encryption_key_ref\": b7460a86-30ea-4c20-901f-6cee1e945286,"},{"line_number":217,"context_line":"        }"},{"line_number":218,"context_line":"    }"},{"line_number":219,"context_line":""}],"source_content_type":"text/x-rst","patch_set":7,"id":"7535af74_ecd1269b","line":216,"range":{"start_line":216,"start_character":34,"end_line":216,"end_character":71},"updated":"2025-05-01 03:29:15.000000000","message":"quotes, and no trailing comma","commit_id":"0cb3316bc029e25a86f0e569e9abffef2e1805d3"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran 
Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"429c726ec9fd62eed1adce357d83b70a7070a1b3","unresolved":false,"context_lines":[{"line_number":213,"context_line":"            },"},{"line_number":214,"context_line":"            \"scheduler_hints\": {"},{"line_number":215,"context_line":"            },"},{"line_number":216,"context_line":"            \"encryption_key_ref\": b7460a86-30ea-4c20-901f-6cee1e945286,"},{"line_number":217,"context_line":"        }"},{"line_number":218,"context_line":"    }"},{"line_number":219,"context_line":""}],"source_content_type":"text/x-rst","patch_set":7,"id":"b2e7a19a_cf37bc2c","line":216,"range":{"start_line":216,"start_character":34,"end_line":216,"end_character":71},"in_reply_to":"7535af74_ecd1269b","updated":"2025-05-02 10:34:10.000000000","message":"Done","commit_id":"0cb3316bc029e25a86f0e569e9abffef2e1805d3"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"c620386dd9fdad5ab379b150d5f600c77adb1ec6","unresolved":true,"context_lines":[{"line_number":217,"context_line":"        }"},{"line_number":218,"context_line":"    }"},{"line_number":219,"context_line":""},{"line_number":220,"context_line":"The ``encryption_key_ref`` should be valid Barbican secrets, otherwise the"},{"line_number":221,"context_line":"API will respond with ``404 Not Found``"},{"line_number":222,"context_line":""},{"line_number":223,"context_line":"With bring-your-own-key encryption, ideally the storage driver must support"}],"source_content_type":"text/x-rst","patch_set":7,"id":"e2b8c565_324e761a","line":220,"range":{"start_line":220,"start_character":52,"end_line":220,"end_character":59},"updated":"2025-05-01 03:29:15.000000000","message":"secret\u0027s UUID","commit_id":"0cb3316bc029e25a86f0e569e9abffef2e1805d3"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran 
Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"429c726ec9fd62eed1adce357d83b70a7070a1b3","unresolved":false,"context_lines":[{"line_number":217,"context_line":"        }"},{"line_number":218,"context_line":"    }"},{"line_number":219,"context_line":""},{"line_number":220,"context_line":"The ``encryption_key_ref`` should be valid Barbican secrets, otherwise the"},{"line_number":221,"context_line":"API will respond with ``404 Not Found``"},{"line_number":222,"context_line":""},{"line_number":223,"context_line":"With bring-your-own-key encryption, ideally the storage driver must support"}],"source_content_type":"text/x-rst","patch_set":7,"id":"e6b1fd67_278e5425","line":220,"range":{"start_line":220,"start_character":52,"end_line":220,"end_character":59},"in_reply_to":"e2b8c565_324e761a","updated":"2025-05-02 10:34:10.000000000","message":"Done","commit_id":"0cb3316bc029e25a86f0e569e9abffef2e1805d3"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"c620386dd9fdad5ab379b150d5f600c77adb1ec6","unresolved":true,"context_lines":[{"line_number":222,"context_line":""},{"line_number":223,"context_line":"With bring-your-own-key encryption, ideally the storage driver must support"},{"line_number":224,"context_line":"either of share encryption key ref or share server encryption key ref."},{"line_number":225,"context_line":"Manila-share manager will implement logic by hand-shaking with driver to"},{"line_number":226,"context_line":"determine whether its share encryption key ref or share server encryption key"},{"line_number":227,"context_line":"ref. In either case, Manila will ask storage driver to do encryption using"},{"line_number":228,"context_line":"encryption key ref. 
The share server encryption key ref is provided in API"}],"source_content_type":"text/x-rst","patch_set":7,"id":"26b8f6a5_5d7b6846","line":225,"range":{"start_line":225,"start_character":45,"end_line":225,"end_character":69},"updated":"2025-05-01 03:29:15.000000000","message":"instead, couldn\u0027t the driver just report a capability?\n\nsomething like:\n\"share_encryption_support_type\" - it could be an enum with values \"share\" and \"share_server\"\n\nWith this, the share manager will know what to do - i.e., send the encryption info with the driver\u0027s server creation method or share creation method","commit_id":"0cb3316bc029e25a86f0e569e9abffef2e1805d3"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"429c726ec9fd62eed1adce357d83b70a7070a1b3","unresolved":false,"context_lines":[{"line_number":222,"context_line":""},{"line_number":223,"context_line":"With bring-your-own-key encryption, ideally the storage driver must support"},{"line_number":224,"context_line":"either of share encryption key ref or share server encryption key ref."},{"line_number":225,"context_line":"Manila-share manager will implement logic by hand-shaking with driver to"},{"line_number":226,"context_line":"determine whether its share encryption key ref or share server encryption key"},{"line_number":227,"context_line":"ref. In either case, Manila will ask storage driver to do encryption using"},{"line_number":228,"context_line":"encryption key ref. 
The share server encryption key ref is provided in API"}],"source_content_type":"text/x-rst","patch_set":7,"id":"3382a39b_60c4c45b","line":225,"range":{"start_line":225,"start_character":45,"end_line":225,"end_character":69},"in_reply_to":"26b8f6a5_5d7b6846","updated":"2025-05-02 10:34:10.000000000","message":"Driver will report capability\nencryption_support and share_server_encryption_support\nencryption_support will be used by Filter during scheduling.\nshare_server_encryption_support will be used by Manila manager to decide quota since quota is applicable only for share server encryption keys.","commit_id":"0cb3316bc029e25a86f0e569e9abffef2e1805d3"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"c620386dd9fdad5ab379b150d5f600c77adb1ec6","unresolved":true,"context_lines":[{"line_number":228,"context_line":"encryption key ref. The share server encryption key ref is provided in API"},{"line_number":229,"context_line":"call is stored with share server."},{"line_number":230,"context_line":""},{"line_number":231,"context_line":"For spec implementation, we will consider NetApp ONTAP driver. It needs an"},{"line_number":232,"context_line":"optional extra-spec in share-type called \u0027netapp_flexvol_encryption\u0027 set to"},{"line_number":233,"context_line":"True to support encryption. Also, it supports only share server encryption"},{"line_number":234,"context_line":"key ref, which generate possible 4 cases:"},{"line_number":235,"context_line":""},{"line_number":236,"context_line":"e.g. share-type A (netapp_flexvol_encryption \u003d True)"},{"line_number":237,"context_line":"e.g. 
share-type B (netapp_flexvol_encryption \u003d False)"}],"source_content_type":"text/x-rst","patch_set":7,"id":"93d3cb17_49943c6e","line":234,"range":{"start_line":231,"start_character":0,"end_line":234,"end_character":41},"updated":"2025-05-01 03:29:15.000000000","message":"-2\n\nAbove, you suggest a generic capability: \"encryption_support\"\nWhy is \"netapp_flexvol_encryption\" necessary?\n\nThis is an existing NetApp specific extra-spec that allows you to schedule to encrypted aggregates.. basically a different/parallel feature","commit_id":"0cb3316bc029e25a86f0e569e9abffef2e1805d3"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"429c726ec9fd62eed1adce357d83b70a7070a1b3","unresolved":false,"context_lines":[{"line_number":228,"context_line":"encryption key ref. The share server encryption key ref is provided in API"},{"line_number":229,"context_line":"call is stored with share server."},{"line_number":230,"context_line":""},{"line_number":231,"context_line":"For spec implementation, we will consider NetApp ONTAP driver. It needs an"},{"line_number":232,"context_line":"optional extra-spec in share-type called \u0027netapp_flexvol_encryption\u0027 set to"},{"line_number":233,"context_line":"True to support encryption. Also, it supports only share server encryption"},{"line_number":234,"context_line":"key ref, which generate possible 4 cases:"},{"line_number":235,"context_line":""},{"line_number":236,"context_line":"e.g. share-type A (netapp_flexvol_encryption \u003d True)"},{"line_number":237,"context_line":"e.g. 
share-type B (netapp_flexvol_encryption \u003d False)"}],"source_content_type":"text/x-rst","patch_set":7,"id":"49b14a37_c3a1534b","line":234,"range":{"start_line":231,"start_character":0,"end_line":234,"end_character":41},"in_reply_to":"93d3cb17_49943c6e","updated":"2025-05-02 10:34:10.000000000","message":"The generic capability encryption support is for scheduling.\n\nthe netapp extra-spec is needed to support encryption. Based on this we support 4 scenarios (internally) as https://etherpad.opendev.org/p/share-encryption-with-barbican-secret-ref (line 179)","commit_id":"0cb3316bc029e25a86f0e569e9abffef2e1805d3"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"c620386dd9fdad5ab379b150d5f600c77adb1ec6","unresolved":true,"context_lines":[{"line_number":257,"context_line":"In short, whenever encryption key ref is provided, new encrypted share server"},{"line_number":258,"context_line":"will be created unless same key is used previously (i.e. share server exist)."},{"line_number":259,"context_line":"To restrict share server creation with different encryption keys new project"},{"line_number":260,"context_line":"level quota called \u0027server_encryption_keys\u0027 will be introduced. 
Once quota"},{"line_number":261,"context_line":"limit is reached, instead of creating new share server (and share), the share"},{"line_number":262,"context_line":"create API will keep share in error state and user message of quota error will"},{"line_number":263,"context_line":"be generated."}],"source_content_type":"text/x-rst","patch_set":7,"id":"5d9b46ba_e9ae344d","line":260,"range":{"start_line":260,"start_character":20,"end_line":260,"end_character":42},"updated":"2025-05-01 03:29:15.000000000","message":"shouldn\u0027t this be a restriction per network?","commit_id":"0cb3316bc029e25a86f0e569e9abffef2e1805d3"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"429c726ec9fd62eed1adce357d83b70a7070a1b3","unresolved":false,"context_lines":[{"line_number":257,"context_line":"In short, whenever encryption key ref is provided, new encrypted share server"},{"line_number":258,"context_line":"will be created unless same key is used previously (i.e. share server exist)."},{"line_number":259,"context_line":"To restrict share server creation with different encryption keys new project"},{"line_number":260,"context_line":"level quota called \u0027server_encryption_keys\u0027 will be introduced. Once quota"},{"line_number":261,"context_line":"limit is reached, instead of creating new share server (and share), the share"},{"line_number":262,"context_line":"create API will keep share in error state and user message of quota error will"},{"line_number":263,"context_line":"be generated."}],"source_content_type":"text/x-rst","patch_set":7,"id":"1309825e_0177165e","line":260,"range":{"start_line":260,"start_character":20,"end_line":260,"end_character":42},"in_reply_to":"5d9b46ba_e9ae344d","updated":"2025-05-02 10:34:10.000000000","message":"No, keeping this per network will create issue as customer can create multiple networks and exploit this quota. 
So we decided to keep it at the project level.","commit_id":"0cb3316bc029e25a86f0e569e9abffef2e1805d3"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"c620386dd9fdad5ab379b150d5f600c77adb1ec6","unresolved":true,"context_lines":[{"line_number":259,"context_line":"To restrict share server creation with different encryption keys new project"},{"line_number":260,"context_line":"level quota called \u0027server_encryption_keys\u0027 will be introduced. Once quota"},{"line_number":261,"context_line":"limit is reached, instead of creating new share server (and share), the share"},{"line_number":262,"context_line":"create API will keep share in error state and user message of quota error will"},{"line_number":263,"context_line":"be generated."},{"line_number":264,"context_line":""},{"line_number":265,"context_line":"Response(202 Accepted)::"},{"line_number":266,"context_line":""}],"source_content_type":"text/x-rst","patch_set":7,"id":"4c1db841_f6337c77","line":263,"range":{"start_line":262,"start_character":16,"end_line":263,"end_character":13},"updated":"2025-05-01 03:29:15.000000000","message":"if the quota is enforced in the API service, there\u0027s no need for async errors?\nWe could just reject the share creation request","commit_id":"0cb3316bc029e25a86f0e569e9abffef2e1805d3"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"429c726ec9fd62eed1adce357d83b70a7070a1b3","unresolved":false,"context_lines":[{"line_number":259,"context_line":"To restrict share server creation with different encryption keys new project"},{"line_number":260,"context_line":"level quota called \u0027server_encryption_keys\u0027 will be introduced. 
Once quota"},{"line_number":261,"context_line":"limit is reached, instead of creating new share server (and share), the share"},{"line_number":262,"context_line":"create API will keep share in error state and user message of quota error will"},{"line_number":263,"context_line":"be generated."},{"line_number":264,"context_line":""},{"line_number":265,"context_line":"Response(202 Accepted)::"},{"line_number":266,"context_line":""}],"source_content_type":"text/x-rst","patch_set":7,"id":"1e5df1da_b66b5e8c","line":263,"range":{"start_line":262,"start_character":16,"end_line":263,"end_character":13},"in_reply_to":"4c1db841_f6337c77","updated":"2025-05-02 10:34:10.000000000","message":"The quota limit or over-quota error is decided by the Manila share manager, and hence we move the share to the Error state with the message embedded.","commit_id":"0cb3316bc029e25a86f0e569e9abffef2e1805d3"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"c620386dd9fdad5ab379b150d5f600c77adb1ec6","unresolved":true,"context_lines":[{"line_number":301,"context_line":"            },"},{"line_number":302,"context_line":"            \"id\": \"011d21e2-fbc3-4e4a-9993-9ea223f73264\","},{"line_number":303,"context_line":"            \"size\": 1,"},{"line_number":304,"context_line":"            \"description\": \"My custom share London\","},{"line_number":305,"context_line":"        }"},{"line_number":306,"context_line":"   }"},{"line_number":307,"context_line":""}],"source_content_type":"text/x-rst","patch_set":7,"id":"ea711f91_3ef5612f","line":304,"range":{"start_line":304,"start_character":51,"end_line":304,"end_character":52},"updated":"2025-05-01 03:29:15.000000000","message":"drop trailing comma","commit_id":"0cb3316bc029e25a86f0e569e9abffef2e1805d3"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran 
Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"429c726ec9fd62eed1adce357d83b70a7070a1b3","unresolved":false,"context_lines":[{"line_number":301,"context_line":"            },"},{"line_number":302,"context_line":"            \"id\": \"011d21e2-fbc3-4e4a-9993-9ea223f73264\","},{"line_number":303,"context_line":"            \"size\": 1,"},{"line_number":304,"context_line":"            \"description\": \"My custom share London\","},{"line_number":305,"context_line":"        }"},{"line_number":306,"context_line":"   }"},{"line_number":307,"context_line":""}],"source_content_type":"text/x-rst","patch_set":7,"id":"9e59455a_79fcfaae","line":304,"range":{"start_line":304,"start_character":51,"end_line":304,"end_character":52},"in_reply_to":"ea711f91_3ef5612f","updated":"2025-05-02 10:34:10.000000000","message":"Done","commit_id":"0cb3316bc029e25a86f0e569e9abffef2e1805d3"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"c620386dd9fdad5ab379b150d5f600c77adb1ec6","unresolved":true,"context_lines":[{"line_number":371,"context_line":"----------"},{"line_number":372,"context_line":""},{"line_number":373,"context_line":"* Implement \u0027bring you own key\u0027 in share create APIs."},{"line_number":374,"context_line":"* Update share-create command in python-manilaclient."},{"line_number":375,"context_line":"* Implement tempest support."},{"line_number":376,"context_line":"* Document about create share with encryption"},{"line_number":377,"context_line":""}],"source_content_type":"text/x-rst","patch_set":7,"id":"7b7db9c0_52c1c6d8","line":374,"range":{"start_line":374,"start_character":9,"end_line":374,"end_character":21},"updated":"2025-05-01 03:29:15.000000000","message":"just to clarify: \"openstack share create\"","commit_id":"0cb3316bc029e25a86f0e569e9abffef2e1805d3"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran 
Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"429c726ec9fd62eed1adce357d83b70a7070a1b3","unresolved":false,"context_lines":[{"line_number":371,"context_line":"----------"},{"line_number":372,"context_line":""},{"line_number":373,"context_line":"* Implement \u0027bring you own key\u0027 in share create APIs."},{"line_number":374,"context_line":"* Update share-create command in python-manilaclient."},{"line_number":375,"context_line":"* Implement tempest support."},{"line_number":376,"context_line":"* Document about create share with encryption"},{"line_number":377,"context_line":""}],"source_content_type":"text/x-rst","patch_set":7,"id":"14c2802c_4c071263","line":374,"range":{"start_line":374,"start_character":9,"end_line":374,"end_character":21},"in_reply_to":"7b7db9c0_52c1c6d8","updated":"2025-05-02 10:34:10.000000000","message":"Done","commit_id":"0cb3316bc029e25a86f0e569e9abffef2e1805d3"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"41fb8aaad2cb34a39909f6692ef56e700777a52f","unresolved":true,"context_lines":[{"line_number":98,"context_line":""},{"line_number":99,"context_line":"  A tenant-visible extra-spec on share types called \"encryption_support\" will"},{"line_number":100,"context_line":"  be introduced. It can have a string value. Value can be \"share\" or"},{"line_number":101,"context_line":"  \"share-server\". A \"share\" meaning that the user can expect encryption keys"},{"line_number":102,"context_line":"  to be per-share. Value \"share_server\" meaning that the user can expect"},{"line_number":103,"context_line":"  encryption keys to apply at the share server level. 
Default will be None."},{"line_number":104,"context_line":""}],"source_content_type":"text/x-rst","patch_set":10,"id":"fca3d8bd_80947e38","line":101,"range":{"start_line":101,"start_character":18,"end_line":101,"end_character":35},"updated":"2025-05-09 22:55:44.000000000","message":"When set to \"share\", it means","commit_id":"1005c3a73cc9dd2508361d1f56be621ad9aa6199"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"355d891addbe13c507ffb31dcd77f4d23337cce8","unresolved":false,"context_lines":[{"line_number":98,"context_line":""},{"line_number":99,"context_line":"  A tenant-visible extra-spec on share types called \"encryption_support\" will"},{"line_number":100,"context_line":"  be introduced. It can have a string value. Value can be \"share\" or"},{"line_number":101,"context_line":"  \"share-server\". A \"share\" meaning that the user can expect encryption keys"},{"line_number":102,"context_line":"  to be per-share. Value \"share_server\" meaning that the user can expect"},{"line_number":103,"context_line":"  encryption keys to apply at the share server level. Default will be None."},{"line_number":104,"context_line":""}],"source_content_type":"text/x-rst","patch_set":10,"id":"07bbac95_1dbb9fd8","line":101,"range":{"start_line":101,"start_character":18,"end_line":101,"end_character":35},"in_reply_to":"fca3d8bd_80947e38","updated":"2025-05-12 07:36:48.000000000","message":"Done","commit_id":"1005c3a73cc9dd2508361d1f56be621ad9aa6199"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"41fb8aaad2cb34a39909f6692ef56e700777a52f","unresolved":true,"context_lines":[{"line_number":99,"context_line":"  A tenant-visible extra-spec on share types called \"encryption_support\" will"},{"line_number":100,"context_line":"  be introduced. It can have a string value. 
Value can be \"share\" or"},{"line_number":101,"context_line":"  \"share-server\". A \"share\" meaning that the user can expect encryption keys"},{"line_number":102,"context_line":"  to be per-share. Value \"share_server\" meaning that the user can expect"},{"line_number":103,"context_line":"  encryption keys to apply at the share server level. Default will be None."},{"line_number":104,"context_line":""},{"line_number":105,"context_line":"* Manila API and Share service changes"}],"source_content_type":"text/x-rst","patch_set":10,"id":"ac67bb38_3db88f29","line":102,"range":{"start_line":102,"start_character":5,"end_line":102,"end_character":7},"updated":"2025-05-09 22:55:44.000000000","message":"apply","commit_id":"1005c3a73cc9dd2508361d1f56be621ad9aa6199"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"41fb8aaad2cb34a39909f6692ef56e700777a52f","unresolved":true,"context_lines":[{"line_number":99,"context_line":"  A tenant-visible extra-spec on share types called \"encryption_support\" will"},{"line_number":100,"context_line":"  be introduced. It can have a string value. Value can be \"share\" or"},{"line_number":101,"context_line":"  \"share-server\". A \"share\" meaning that the user can expect encryption keys"},{"line_number":102,"context_line":"  to be per-share. Value \"share_server\" meaning that the user can expect"},{"line_number":103,"context_line":"  encryption keys to apply at the share server level. 
Default will be None."},{"line_number":104,"context_line":""},{"line_number":105,"context_line":"* Manila API and Share service changes"}],"source_content_type":"text/x-rst","patch_set":10,"id":"6c0ed4f4_98eddb51","line":102,"range":{"start_line":102,"start_character":40,"end_line":102,"end_character":47},"updated":"2025-05-09 22:55:44.000000000","message":"would mean","commit_id":"1005c3a73cc9dd2508361d1f56be621ad9aa6199"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"355d891addbe13c507ffb31dcd77f4d23337cce8","unresolved":false,"context_lines":[{"line_number":99,"context_line":"  A tenant-visible extra-spec on share types called \"encryption_support\" will"},{"line_number":100,"context_line":"  be introduced. It can have a string value. Value can be \"share\" or"},{"line_number":101,"context_line":"  \"share-server\". A \"share\" meaning that the user can expect encryption keys"},{"line_number":102,"context_line":"  to be per-share. Value \"share_server\" meaning that the user can expect"},{"line_number":103,"context_line":"  encryption keys to apply at the share server level. 
Default will be None."},{"line_number":104,"context_line":""},{"line_number":105,"context_line":"* Manila API and Share service changes"}],"source_content_type":"text/x-rst","patch_set":10,"id":"d33fb2c2_52ed8490","line":102,"range":{"start_line":102,"start_character":40,"end_line":102,"end_character":47},"in_reply_to":"6c0ed4f4_98eddb51","updated":"2025-05-12 07:36:48.000000000","message":"Done","commit_id":"1005c3a73cc9dd2508361d1f56be621ad9aa6199"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"355d891addbe13c507ffb31dcd77f4d23337cce8","unresolved":false,"context_lines":[{"line_number":99,"context_line":"  A tenant-visible extra-spec on share types called \"encryption_support\" will"},{"line_number":100,"context_line":"  be introduced. It can have a string value. Value can be \"share\" or"},{"line_number":101,"context_line":"  \"share-server\". A \"share\" meaning that the user can expect encryption keys"},{"line_number":102,"context_line":"  to be per-share. Value \"share_server\" meaning that the user can expect"},{"line_number":103,"context_line":"  encryption keys to apply at the share server level. 
Default will be None."},{"line_number":104,"context_line":""},{"line_number":105,"context_line":"* Manila API and Share service changes"}],"source_content_type":"text/x-rst","patch_set":10,"id":"416bec46_cbff4cf0","line":102,"range":{"start_line":102,"start_character":5,"end_line":102,"end_character":7},"in_reply_to":"ac67bb38_3db88f29","updated":"2025-05-12 07:36:48.000000000","message":"Done","commit_id":"1005c3a73cc9dd2508361d1f56be621ad9aa6199"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"41fb8aaad2cb34a39909f6692ef56e700777a52f","unresolved":true,"context_lines":[{"line_number":112,"context_line":"  When encryption key ref is provided, and share type has \"encryption_support\""},{"line_number":113,"context_line":"  set to either \"share\" or \"share_server\", Manila will validate the encryption"},{"line_number":114,"context_line":"  key ref with barbican and store the encryption key ref in the share instance"},{"line_number":115,"context_line":"  along-with type of encryption supported. Encryption key ref will be a valid"},{"line_number":116,"context_line":"  barbican secret_ref. Storage back end devices would need to obtain the key"},{"line_number":117,"context_line":"  out-of-band in order to perform the encryption. 
Manila will collate the"},{"line_number":118,"context_line":"  necessary information that allows a storage back end to identify and retrieve"}],"source_content_type":"text/x-rst","patch_set":10,"id":"e7b0667c_76a3fd5e","line":115,"range":{"start_line":115,"start_character":2,"end_line":115,"end_character":12},"updated":"2025-05-09 22:55:44.000000000","message":"nit: along with the","commit_id":"1005c3a73cc9dd2508361d1f56be621ad9aa6199"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"355d891addbe13c507ffb31dcd77f4d23337cce8","unresolved":false,"context_lines":[{"line_number":112,"context_line":"  When encryption key ref is provided, and share type has \"encryption_support\""},{"line_number":113,"context_line":"  set to either \"share\" or \"share_server\", Manila will validate the encryption"},{"line_number":114,"context_line":"  key ref with barbican and store the encryption key ref in the share instance"},{"line_number":115,"context_line":"  along-with type of encryption supported. Encryption key ref will be a valid"},{"line_number":116,"context_line":"  barbican secret_ref. Storage back end devices would need to obtain the key"},{"line_number":117,"context_line":"  out-of-band in order to perform the encryption. 
Manila will collate the"},{"line_number":118,"context_line":"  necessary information that allows a storage back end to identify and retrieve"}],"source_content_type":"text/x-rst","patch_set":10,"id":"262b5ee5_a49395a4","line":115,"range":{"start_line":115,"start_character":2,"end_line":115,"end_character":12},"in_reply_to":"e7b0667c_76a3fd5e","updated":"2025-05-12 07:36:48.000000000","message":"Done","commit_id":"1005c3a73cc9dd2508361d1f56be621ad9aa6199"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"41fb8aaad2cb34a39909f6692ef56e700777a52f","unresolved":true,"context_lines":[{"line_number":127,"context_line":"  service user. The credentials can not list secrets, or retrieve unrelated"},{"line_number":128,"context_line":"  secrets even if they belong to the same tenant."},{"line_number":129,"context_line":"  To restrict share server creation with different encryption key refs new"},{"line_number":130,"context_line":"  project level quota called \u0027server_encryption_keys\u0027 will be introduced. Once"},{"line_number":131,"context_line":"  quota limit is reached, instead of creating new share server (and share), the"},{"line_number":132,"context_line":"  share create API will keep share in error state and user message of quota"},{"line_number":133,"context_line":"  error will be generated."}],"source_content_type":"text/x-rst","patch_set":10,"id":"91e0ed9d_602f5f93","line":130,"range":{"start_line":130,"start_character":30,"end_line":130,"end_character":52},"updated":"2025-05-09 22:55:44.000000000","message":"@maurice.escher@sap.com @kiranpawarpict2010@gmail.com:\n\nIf we had this quota on \"encryption_keys\", would it solve your use case? 
I wonder why we wouldn\u0027t restrict share encryption keys the same way we would restrict server encryption keys.","commit_id":"1005c3a73cc9dd2508361d1f56be621ad9aa6199"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"355d891addbe13c507ffb31dcd77f4d23337cce8","unresolved":false,"context_lines":[{"line_number":127,"context_line":"  service user. The credentials can not list secrets, or retrieve unrelated"},{"line_number":128,"context_line":"  secrets even if they belong to the same tenant."},{"line_number":129,"context_line":"  To restrict share server creation with different encryption key refs new"},{"line_number":130,"context_line":"  project level quota called \u0027server_encryption_keys\u0027 will be introduced. Once"},{"line_number":131,"context_line":"  quota limit is reached, instead of creating new share server (and share), the"},{"line_number":132,"context_line":"  share create API will keep share in error state and user message of quota"},{"line_number":133,"context_line":"  error will be generated."}],"source_content_type":"text/x-rst","patch_set":10,"id":"a044f204_f7a0a43a","line":130,"range":{"start_line":130,"start_character":30,"end_line":130,"end_character":52},"in_reply_to":"91e0ed9d_602f5f93","updated":"2025-05-12 07:36:48.000000000","message":"Done","commit_id":"1005c3a73cc9dd2508361d1f56be621ad9aa6199"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"41fb8aaad2cb34a39909f6692ef56e700777a52f","unresolved":true,"context_lines":[{"line_number":298,"context_line":"The backend driver needs to implement:"},{"line_number":299,"context_line":""},{"line_number":300,"context_line":"* The driver needs to report \"encryption_support\" as a capability."},{"line_number":301,"context_line":"  The value will be set to [\"share_server\"] for NetApp ONTAP 
driver."},{"line_number":302,"context_line":""},{"line_number":303,"context_line":"* Return valid list of share servers to Manila-share Manager based on"},{"line_number":304,"context_line":"  requested parameters. This is supported today, however function needs to"}],"source_content_type":"text/x-rst","patch_set":10,"id":"0f7c578a_9838bb0f","line":301,"range":{"start_line":301,"start_character":2,"end_line":301,"end_character":68},"updated":"2025-05-09 22:55:44.000000000","message":"```suggestion\n  If encryption is supported, the value of this capability can be reported\n  as a list of capabilities with valid keys among \"share\" and \"share_server\".\n```\n\nNo need to mention the NetApp driver in particular..","commit_id":"1005c3a73cc9dd2508361d1f56be621ad9aa6199"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"355d891addbe13c507ffb31dcd77f4d23337cce8","unresolved":false,"context_lines":[{"line_number":298,"context_line":"The backend driver needs to implement:"},{"line_number":299,"context_line":""},{"line_number":300,"context_line":"* The driver needs to report \"encryption_support\" as a capability."},{"line_number":301,"context_line":"  The value will be set to [\"share_server\"] for NetApp ONTAP driver."},{"line_number":302,"context_line":""},{"line_number":303,"context_line":"* Return valid list of share servers to Manila-share Manager based on"},{"line_number":304,"context_line":"  requested parameters. 
This is supported today, however function needs to"}],"source_content_type":"text/x-rst","patch_set":10,"id":"24b736ce_5b4ed3d8","line":301,"range":{"start_line":301,"start_character":2,"end_line":301,"end_character":68},"in_reply_to":"0f7c578a_9838bb0f","updated":"2025-05-12 07:36:48.000000000","message":"Done","commit_id":"1005c3a73cc9dd2508361d1f56be621ad9aa6199"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"41fb8aaad2cb34a39909f6692ef56e700777a52f","unresolved":true,"context_lines":[{"line_number":302,"context_line":""},{"line_number":303,"context_line":"* Return valid list of share servers to Manila-share Manager based on"},{"line_number":304,"context_line":"  requested parameters. This is supported today, however function needs to"},{"line_number":305,"context_line":"  update and consider additional requirement i.e. encryption key ref."},{"line_number":306,"context_line":""},{"line_number":307,"context_line":"* Instruct the back end storage system to encrypt the share with key"},{"line_number":308,"context_line":"  data sent from key-store e.g. Barbican"}],"source_content_type":"text/x-rst","patch_set":10,"id":"c3269f89_db946e26","line":305,"range":{"start_line":305,"start_character":2,"end_line":305,"end_character":12},"updated":"2025-05-09 22:55:44.000000000","message":"be updated to","commit_id":"1005c3a73cc9dd2508361d1f56be621ad9aa6199"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"355d891addbe13c507ffb31dcd77f4d23337cce8","unresolved":false,"context_lines":[{"line_number":302,"context_line":""},{"line_number":303,"context_line":"* Return valid list of share servers to Manila-share Manager based on"},{"line_number":304,"context_line":"  requested parameters. 
This is supported today, however function needs to"},{"line_number":305,"context_line":"  update and consider additional requirement i.e. encryption key ref."},{"line_number":306,"context_line":""},{"line_number":307,"context_line":"* Instruct the back end storage system to encrypt the share with key"},{"line_number":308,"context_line":"  data sent from key-store e.g. Barbican"}],"source_content_type":"text/x-rst","patch_set":10,"id":"e724416b_2ef1ad5a","line":305,"range":{"start_line":305,"start_character":2,"end_line":305,"end_character":12},"in_reply_to":"c3269f89_db946e26","updated":"2025-05-12 07:36:48.000000000","message":"Done","commit_id":"1005c3a73cc9dd2508361d1f56be621ad9aa6199"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"41fb8aaad2cb34a39909f6692ef56e700777a52f","unresolved":true,"context_lines":[{"line_number":303,"context_line":"* Return valid list of share servers to Manila-share Manager based on"},{"line_number":304,"context_line":"  requested parameters. This is supported today, however function needs to"},{"line_number":305,"context_line":"  update and consider additional requirement i.e. encryption key ref."},{"line_number":306,"context_line":""},{"line_number":307,"context_line":"* Instruct the back end storage system to encrypt the share with key"},{"line_number":308,"context_line":"  data sent from key-store e.g. Barbican"},{"line_number":309,"context_line":""}],"source_content_type":"text/x-rst","patch_set":10,"id":"ef0c114e_2d419f7d","line":306,"updated":"2025-05-09 22:55:44.000000000","message":"to be abundantly clear, can you add:\n\n```\nIf controlling encryption keys is only possible for share\nservers as opposed to individual shares, the driver must ensure\nthat the list of compatible share servers is compiled by considering\nthe encryption key reference provided. 
When an encryption key reference\nis provided by Manila\u0027s share manager, care must be taken to\nspecifically eliminate share servers that don\u0027t match that key.\n```","commit_id":"1005c3a73cc9dd2508361d1f56be621ad9aa6199"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"355d891addbe13c507ffb31dcd77f4d23337cce8","unresolved":false,"context_lines":[{"line_number":303,"context_line":"* Return valid list of share servers to Manila-share Manager based on"},{"line_number":304,"context_line":"  requested parameters. This is supported today, however function needs to"},{"line_number":305,"context_line":"  update and consider additional requirement i.e. encryption key ref."},{"line_number":306,"context_line":""},{"line_number":307,"context_line":"* Instruct the back end storage system to encrypt the share with key"},{"line_number":308,"context_line":"  data sent from key-store e.g. Barbican"},{"line_number":309,"context_line":""}],"source_content_type":"text/x-rst","patch_set":10,"id":"d2cf6386_a753b185","line":306,"in_reply_to":"ef0c114e_2d419f7d","updated":"2025-05-12 07:36:48.000000000","message":"Acknowledged","commit_id":"1005c3a73cc9dd2508361d1f56be621ad9aa6199"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"d1cce5bb9e2150c756c2aa156e9be27fd22207bc","unresolved":true,"context_lines":[{"line_number":128,"context_line":"  service user. The credentials can not list secrets, or retrieve unrelated"},{"line_number":129,"context_line":"  secrets even if they belong to the same tenant."},{"line_number":130,"context_line":"  To restrict share server creation with different encryption key refs new"},{"line_number":131,"context_line":"  project level quota called \u0027server_encryption_keys\u0027 will be introduced. 
Once"},{"line_number":132,"context_line":"  quota limit is reached, instead of creating new share server (and share), the"},{"line_number":133,"context_line":"  share create API will keep share in error state and user message of quota"},{"line_number":134,"context_line":"  error will be generated."}],"source_content_type":"text/x-rst","patch_set":11,"id":"aaf375e5_41c37878","line":131,"range":{"start_line":131,"start_character":30,"end_line":131,"end_character":52},"updated":"2025-05-27 22:47:38.000000000","message":"Now that we have @maurice.escher@sap.com\u0027s opinion as well.. would you like to update this? \n\nhttps://review.opendev.org/c/openstack/manila-specs/+/940437/comment/91e0ed9d_602f5f93/","commit_id":"bad8d7d6e3c69775d522a72042fa232412c65f14"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"2b979f2c1c9817d5594f6c3b6a8cfbcffe8cbf00","unresolved":false,"context_lines":[{"line_number":128,"context_line":"  service user. The credentials can not list secrets, or retrieve unrelated"},{"line_number":129,"context_line":"  secrets even if they belong to the same tenant."},{"line_number":130,"context_line":"  To restrict share server creation with different encryption key refs new"},{"line_number":131,"context_line":"  project level quota called \u0027server_encryption_keys\u0027 will be introduced. 
Once"},{"line_number":132,"context_line":"  quota limit is reached, instead of creating new share server (and share), the"},{"line_number":133,"context_line":"  share create API will keep share in error state and user message of quota"},{"line_number":134,"context_line":"  error will be generated."}],"source_content_type":"text/x-rst","patch_set":11,"id":"bd0fb402_3177bd10","line":131,"range":{"start_line":131,"start_character":30,"end_line":131,"end_character":52},"in_reply_to":"aaf375e5_41c37878","updated":"2025-05-28 10:15:38.000000000","message":"Done","commit_id":"bad8d7d6e3c69775d522a72042fa232412c65f14"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"7cd06182aaef56c3be7f591af631230eebe6f929","unresolved":true,"context_lines":[{"line_number":128,"context_line":"  service user. The credentials can not list secrets, or retrieve unrelated"},{"line_number":129,"context_line":"  secrets even if they belong to the same tenant."},{"line_number":130,"context_line":"  To restrict share server creation with different encryption key refs new"},{"line_number":131,"context_line":"  project level quota called \u0027server_encryption_keys\u0027 will be introduced."},{"line_number":132,"context_line":"  API service will check the quota limit in case share type extra-spec is"},{"line_number":133,"context_line":"  \u0027share-server\u0027. Once quota limit is reached, API will throw error."},{"line_number":134,"context_line":""}],"source_content_type":"text/x-rst","patch_set":12,"id":"e81ceefd_3e982543","line":131,"range":{"start_line":131,"start_character":30,"end_line":131,"end_character":52},"updated":"2025-05-28 18:54:31.000000000","message":"i suspect there\u0027ll be a use case for a quota on \"share_encryption_keys\" as well, in the future.. 
but we\u0027ll implement it when it\u0027s necessary","commit_id":"964d4b751292be106f37ee57d8d3ee0246b936d6"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"7c14d74cc618e6a3c8ff45662241ca0efc2a80bd","unresolved":false,"context_lines":[{"line_number":128,"context_line":"  service user. The credentials can not list secrets, or retrieve unrelated"},{"line_number":129,"context_line":"  secrets even if they belong to the same tenant."},{"line_number":130,"context_line":"  To restrict share server creation with different encryption key refs new"},{"line_number":131,"context_line":"  project level quota called \u0027server_encryption_keys\u0027 will be introduced."},{"line_number":132,"context_line":"  API service will check the quota limit in case share type extra-spec is"},{"line_number":133,"context_line":"  \u0027share-server\u0027. Once quota limit is reached, API will throw error."},{"line_number":134,"context_line":""}],"source_content_type":"text/x-rst","patch_set":12,"id":"b3d84704_9e9cdeb1","line":131,"range":{"start_line":131,"start_character":30,"end_line":131,"end_character":52},"in_reply_to":"e81ceefd_3e982543","updated":"2025-06-05 07:04:22.000000000","message":"Acknowledged","commit_id":"964d4b751292be106f37ee57d8d3ee0246b936d6"},{"author":{"_account_id":29632,"name":"Carlos Eduardo","email":"ces.eduardo98@gmail.com","username":"silvacarlos"},"change_message_id":"48aaee1e36d445baa61183d51d9d21f0df788304","unresolved":true,"context_lines":[{"line_number":152,"context_line":"  application credentails will be provided to backend hardware to perform the"},{"line_number":153,"context_line":"  encryption. The back end storage system will fetch the key directly, out of"},{"line_number":154,"context_line":"  band of manila using the ref that Manila shares via the back end driver. 
The"},{"line_number":155,"context_line":"  fetched key data will be used to encrypt the share data."},{"line_number":156,"context_line":""},{"line_number":157,"context_line":""},{"line_number":158,"context_line":"Alternatives"}],"source_content_type":"text/x-rst","patch_set":12,"id":"88281dd8_7e86e313","line":155,"updated":"2025-05-28 18:25:19.000000000","message":"should we mention that the initial implementation only contemplates share server and not share encryption?","commit_id":"964d4b751292be106f37ee57d8d3ee0246b936d6"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"7cd06182aaef56c3be7f591af631230eebe6f929","unresolved":true,"context_lines":[{"line_number":152,"context_line":"  application credentails will be provided to backend hardware to perform the"},{"line_number":153,"context_line":"  encryption. The back end storage system will fetch the key directly, out of"},{"line_number":154,"context_line":"  band of manila using the ref that Manila shares via the back end driver. The"},{"line_number":155,"context_line":"  fetched key data will be used to encrypt the share data."},{"line_number":156,"context_line":""},{"line_number":157,"context_line":""},{"line_number":158,"context_line":"Alternatives"}],"source_content_type":"text/x-rst","patch_set":12,"id":"df7a9ed0_ac35cbff","line":155,"in_reply_to":"88281dd8_7e86e313","updated":"2025-05-28 18:54:31.000000000","message":"The core implementation is designed now to cater to both \"share\" and \"share_server\" encryption.. \n\nNo specific backend implementation is discussed on the spec.. we know that NetApp plans to report \"encryption_support\" with \"share_server\" for now.. 
but in theory, nothing in this spec needs to change if a driver were to implement the same for \"share\" or both [\"share\", \"share_server\"]","commit_id":"964d4b751292be106f37ee57d8d3ee0246b936d6"},{"author":{"_account_id":32919,"name":"kiran pawar","display_name":"Kiran Pawar","email":"kinpaa@gmail.com","username":"kpdev"},"change_message_id":"64000bb8feaade224c8cf60d61fab46012f50ce8","unresolved":false,"context_lines":[{"line_number":152,"context_line":"  application credentails will be provided to backend hardware to perform the"},{"line_number":153,"context_line":"  encryption. The back end storage system will fetch the key directly, out of"},{"line_number":154,"context_line":"  band of manila using the ref that Manila shares via the back end driver. The"},{"line_number":155,"context_line":"  fetched key data will be used to encrypt the share data."},{"line_number":156,"context_line":""},{"line_number":157,"context_line":""},{"line_number":158,"context_line":"Alternatives"}],"source_content_type":"text/x-rst","patch_set":12,"id":"6543e0a4_db926abd","line":155,"in_reply_to":"97c666e5_f3b4de4e","updated":"2025-05-29 08:35:42.000000000","message":"Thanks for +2. Lets wait for Sai to confirm on POC and we can merge before due date.","commit_id":"964d4b751292be106f37ee57d8d3ee0246b936d6"},{"author":{"_account_id":29632,"name":"Carlos Eduardo","email":"ces.eduardo98@gmail.com","username":"silvacarlos"},"change_message_id":"7d23dac00dc1cb0833b9a316f630174f8ffb67a0","unresolved":true,"context_lines":[{"line_number":152,"context_line":"  application credentails will be provided to backend hardware to perform the"},{"line_number":153,"context_line":"  encryption. The back end storage system will fetch the key directly, out of"},{"line_number":154,"context_line":"  band of manila using the ref that Manila shares via the back end driver. 
The"},{"line_number":155,"context_line":"  fetched key data will be used to encrypt the share data."},{"line_number":156,"context_line":""},{"line_number":157,"context_line":""},{"line_number":158,"context_line":"Alternatives"}],"source_content_type":"text/x-rst","patch_set":12,"id":"97c666e5_f3b4de4e","line":155,"in_reply_to":"df7a9ed0_ac35cbff","updated":"2025-05-28 19:31:03.000000000","message":"ack, thanks!","commit_id":"964d4b751292be106f37ee57d8d3ee0246b936d6"}]}
