Block attempts to transfer encrypted volumes
Block attempts to transfer encrypted volumes until [1] gets resolved. [1] documents the fact that encryption keys are not properly transferred to the new volume owner. Resolving this will be tricky because Key Managers such as Barbican currently provide no API for transferring ownership, and Key Manager ACLs are insufficient because they don't allow the new volume owner to delete the key. [1] https://bugs.launchpad.net/cinder/+bug/1735285 Related-Bug: #1735285 Change-Id: I5dbeb46adc9da1fce6359a96b981aa8d673d50c4
This commit is contained in:
parent
5419ca908c
commit
04d7e2d80d
@ -17,6 +17,7 @@ import mock
|
|||||||
from oslo_utils import timeutils
|
from oslo_utils import timeutils
|
||||||
|
|
||||||
from cinder import context
|
from cinder import context
|
||||||
|
from cinder import db
|
||||||
from cinder import exception
|
from cinder import exception
|
||||||
from cinder import objects
|
from cinder import objects
|
||||||
from cinder import quota
|
from cinder import quota
|
||||||
@ -68,6 +69,16 @@ class VolumeTransferTestCase(test.TestCase):
|
|||||||
volume = objects.Volume.get_by_id(self.ctxt, volume.id)
|
volume = objects.Volume.get_by_id(self.ctxt, volume.id)
|
||||||
self.assertEqual('in-use', volume['status'], 'Unexpected state')
|
self.assertEqual('in-use', volume['status'], 'Unexpected state')
|
||||||
|
|
||||||
|
def test_transfer_invalid_encrypted_volume(self):
|
||||||
|
tx_api = transfer_api.API()
|
||||||
|
volume = utils.create_volume(self.ctxt, updated_at=self.updated_at)
|
||||||
|
db.volume_update(self.ctxt,
|
||||||
|
volume.id,
|
||||||
|
{'encryption_key_id': fake.ENCRYPTION_KEY_ID})
|
||||||
|
self.assertRaises(exception.InvalidVolume,
|
||||||
|
tx_api.create,
|
||||||
|
self.ctxt, volume.id, 'Description')
|
||||||
|
|
||||||
@mock.patch('cinder.volume.utils.notify_about_volume_usage')
|
@mock.patch('cinder.volume.utils.notify_about_volume_usage')
|
||||||
def test_transfer_accept_invalid_authkey(self, mock_notify):
|
def test_transfer_accept_invalid_authkey(self, mock_notify):
|
||||||
svc = self.start_service('volume', host='test_host')
|
svc = self.start_service('volume', host='test_host')
|
||||||
|
@ -120,6 +120,9 @@ class API(base.Base):
|
|||||||
volume_ref = self.db.volume_get(context, volume_id)
|
volume_ref = self.db.volume_get(context, volume_id)
|
||||||
if volume_ref['status'] != "available":
|
if volume_ref['status'] != "available":
|
||||||
raise exception.InvalidVolume(reason=_("status must be available"))
|
raise exception.InvalidVolume(reason=_("status must be available"))
|
||||||
|
if volume_ref['encryption_key_id'] is not None:
|
||||||
|
raise exception.InvalidVolume(
|
||||||
|
reason=_("transferring encrypted volume is not supported"))
|
||||||
|
|
||||||
volume_utils.notify_about_volume_usage(context, volume_ref,
|
volume_utils.notify_about_volume_usage(context, volume_ref,
|
||||||
"transfer.create.start")
|
"transfer.create.start")
|
||||||
|
Loading…
Reference in New Issue
Block a user