RepoMirrors/ceph
1
0
Fork 0
mirror of https://github.com/ceph/ceph synced 2025-01-12 14:10:27 +00:00
Code Issues Packages Projects Releases Wiki Activity
47777b9c0d
ceph/doc/radosgw/barbican.rst
Sergio de Carvalho 1e5b58ad50 rgw: add SSE-KMS with Vault using token auth 
Extend server-side encryption functionality in Rados Gateway to support
HashiCorp Vault as a Key Management System in addition to existing
support for OpenStack Barbican.

This is the first part of this change, supporting Vault's token-based
authentication only. Agent-based authentication as well as other
features such as Vault namespaces will be added in subsequent commits.

Note that Barbican remains the default backend for SSE-KMS
(rgw crypt s3 kms backend) to avoid breaking existing deployments.

Feature: https://tracker.ceph.com/issues/41062
Notes: https://pad.ceph.com/p/rgw_sse-kms

Implemented so far:
* Move existing SSE-KMS functions from rgw_crypt.cc to rgw_kms.cc
* Vault authentication with a token read from file
* Add new ceph.conf settings for Vault
* Document new ceph.conf settings
* Update main encryption documentation page
* Add documentation page for SSE-KMS using Vault

Signed-off-by: Andrea Baglioni <andrea.baglioni@workday.com>
Signed-off-by: Sergio de Carvalho <sergio.carvalho@workday.com>
2019-10-01 19:55:23 +01:00

122 lines
3.6 KiB
ReStructuredText
Raw Blame History

==============================
OpenStack Barbican Integration
==============================
OpenStack `Barbican`_ can be used as a secure key management service for
`Server-Side Encryption`_.
.. image:: ../images/rgw-encryption-barbican.png
#. `Configure Keystone`_
#. `Create a Keystone user`_
#. `Configure the Ceph Object Gateway`_
#. `Create a key in Barbican`_
Configure Keystone
==================
Barbican depends on Keystone for authorization and access control of its keys.
See `OpenStack Keystone Integration`_.
Create a Keystone user
======================
Create a new user that will be used by the Ceph Object Gateway to retrieve
keys.
For example::
user = rgwcrypt-user
pass = rgwcrypt-password
tenant = rgwcrypt
See OpenStack documentation for `Manage projects, users, and roles`_.
Create a key in Barbican
========================
See Barbican documentation for `How to Create a Secret`_. Requests to
Barbican must include a valid Keystone token in the ``X-Auth-Token`` header.
Example request::
POST /v1/secrets HTTP/1.1
Host: barbican.example.com:9311
Accept: */*
Content-Type: application/json
X-Auth-Token: 7f7d588dd29b44df983bc961a6b73a10
Content-Length: 299
{
"name": "my-key",
"expiration": "2016-12-28T19:14:44.180394",
"algorithm": "aes",
"bit_length": 256,
"mode": "cbc",
"payload": "6b+WOZ1T3cqZMxgThRcXAQBrS5mXKdDUphvpxptl9/4=",
"payload_content_type": "application/octet-stream",
"payload_content_encoding": "base64"
}
Response::
{"secret_ref": "http://barbican.example.com:9311/v1/secrets/d1e7ef3b-f841-4b7c-90b2-b7d90ca2d723"}
In the response, ``d1e7ef3b-f841-4b7c-90b2-b7d90ca2d723`` is the key id that
can be used in any `SSE-KMS`_ request.
This newly created key is not accessible by user ``rgwcrypt-user``. This
privilege must be added with an ACL. See `How to Set/Replace ACL`_ for more
details.
Example request (assuming that the Keystone id of ``rgwcrypt-user`` is
``906aa90bd8a946c89cdff80d0869460f``)::
PUT /v1/secrets/d1e7ef3b-f841-4b7c-90b2-b7d90ca2d723/acl HTTP/1.1
Host: barbican.example.com:9311
Accept: */*
Content-Type: application/json
X-Auth-Token: 7f7d588dd29b44df983bc961a6b73a10
Content-Length: 101
{
"read":{
"users":[ "906aa90bd8a946c89cdff80d0869460f" ],
"project-access": true
}
}
Response::
{"acl_ref": "http://barbican.example.com:9311/v1/secrets/d1e7ef3b-f841-4b7c-90b2-b7d90ca2d723/acl"}
Configure the Ceph Object Gateway
=================================
Edit the Ceph configuration file to enable Barbican as a KMS and add information
about the Barbican server and Keystone user::
rgw crypt s3 kms backend = barbican
rgw barbican url = http://barbican.example.com:9311
rgw keystone barbican user = rgwcrypt-user
rgw keystone barbican password = rgwcrypt-password
When using Keystone API version 2::
rgw keystone barbican tenant = rgwcrypt
When using API version 3::
rgw keystone barbican project
rgw keystone barbican domain
.. _Barbican: https://wiki.openstack.org/wiki/Barbican
.. _Server-Side Encryption: ../encryption
.. _OpenStack Keystone Integration: ../keystone
.. _Manage projects, users, and roles: https://docs.openstack.org/admin-guide/cli-manage-projects-users-and-roles.html#create-a-user
.. _How to Create a Secret: https://developer.openstack.org/api-guide/key-manager/secrets.html#how-to-create-a-secret
.. _SSE-KMS: http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingKMSEncryption.html
.. _How to Set/Replace ACL: https://developer.openstack.org/api-guide/key-manager/acls.html#how-to-set-replace-acl
Reference in New Issue View Git Blame Copy Permalink