Commit Graph

7 Commits

Author SHA1 Message Date
Rahul Dev Parashar
95acefb2f5 rgw: Introduce BucketEncryption APIs to support SSE-S3 feature
This patch introduces support for 3 new BucketEncryption APIs which are listed
below and are helpful in supporting AWS SSE-S3 encryption mode.
PutBucketEncryption: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html
GetBucketEncryption: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketEncryption.html
DeleteBucketEncryption: https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketEncryption.html

The user-provided parameters are parsed and stored in the bucket's extended
attributes RGW_ATTR_BUCKET_ENCRYPTION and
RGW_ATTR_BUCKET_ENCRYPTION_SSE_S3_KEY_ID.

Signed-off-by: Rahul Dev Parashar <rahul.dev@flipkart.com>
2021-07-19 12:48:14 +05:30
Marcus Watts
891bf1a622 rgw/kms/kmip - document configuration for a new feature: kmip kms
I've written up a brief description of using kmip
with ceph.  Major features:
* ceph configuration.
* making keys with a "paste-in" python script.
* pointers to PyKMIP and IBM SKLM.

Signed-off-by: Marcus Watts <mwatts@redhat.com>
2021-03-03 19:14:10 -05:00
Sergio de Carvalho
2650ebe8af rgw: improvements to SSE-KMS with Vault
* add 'rgw crypt vault prefix' config setting to allow restricting
  secret space in Vault where RGW can retrieve keys from
* refuse Vault token file if permissions are too open
* improve concatenation of URL paths to avoid constructing an invalid
  URL (missing or double '/')
* doc: clarify SSE-KMS keys must be 256-bit long and base64 encoded,
  document Vault policies and tokens, plus other minor doc improvements
* qa: check SHA256 signature of Vault zip download
* qa: fix teuthology tests broken by previous PR which made SSE-KMS
  backend default to Barbican

Signed-off-by: Andrea Baglioni <andrea.baglioni@workday.com>
Signed-off-by: Sergio de Carvalho <sergio.carvalho@workday.com>
2019-11-12 13:51:25 +00:00
Sergio de Carvalho
1e5b58ad50 rgw: add SSE-KMS with Vault using token auth
Extend server-side encryption functionality in Rados Gateway to support
HashiCorp Vault as a Key Management System in addition to existing
support for OpenStack Barbican.

This is the first part of this change, supporting Vault's token-based
authentication only. Agent-based authentication as well as other
features such as Vault namespaces will be added in subsequent commits.

Note that Barbican remains the default backend for SSE-KMS
(rgw crypt s3 kms backend) to avoid breaking existing deployments.

Feature: https://tracker.ceph.com/issues/41062
Notes: https://pad.ceph.com/p/rgw_sse-kms

Implemented so far:
* Move existing SSE-KMS functions from rgw_crypt.cc to rgw_kms.cc
* Vault authentication with a token read from file
* Add new ceph.conf settings for Vault
* Document new ceph.conf settings
* Update main encryption documentation page
* Add documentation page for SSE-KMS using Vault

Signed-off-by: Andrea Baglioni <andrea.baglioni@workday.com>
Signed-off-by: Sergio de Carvalho <sergio.carvalho@workday.com>
2019-10-01 19:55:23 +01:00
Casey Bodley
d3dd5a996d common: add config option rgw_trust_forwarded_https
Signed-off-by: Casey Bodley <cbodley@redhat.com>
2018-10-22 14:56:22 -04:00
Drunkard Zhang
5e3ae6d9d3 doc: typo fixes
Signed-off-by: Drunkard Zhang <gongfan193@gmail.com>
2017-05-19 09:34:48 +08:00
Casey Bodley
a1cf8ac4cd doc: rgw server-side encryption and barbican
Signed-off-by: Adam Kupczyk <akupczyk@mirantis.com>
Signed-off-by: Casey Bodley <cbodley@redhat.com>
2017-04-03 10:50:04 -04:00