Block attempts to transfer encrypted volumes

Block attempts to transfer encrypted volumes until [1] gets resolved.

[1] documents the fact that encryption keys are not properly transferred
to the new volume owner. Resolving this will be tricky because Key
Managers such as Barbican currently provide no API for transferring
ownership, and Key Manager ACLs are insufficient because they don't
allow the new volume owner to delete the key.

[1] https://bugs.launchpad.net/cinder/+bug/1735285

Related-Bug: #1735285
Change-Id: I5dbeb46adc9da1fce6359a96b981aa8d673d50c4
This commit is contained in:
Alan Bishop 2018-01-04 16:26:25 +00:00
parent 5419ca908c
commit 04d7e2d80d
2 changed files with 14 additions and 0 deletions

View File

@ -17,6 +17,7 @@ import mock
from oslo_utils import timeutils from oslo_utils import timeutils
from cinder import context from cinder import context
from cinder import db
from cinder import exception from cinder import exception
from cinder import objects from cinder import objects
from cinder import quota from cinder import quota
@ -68,6 +69,16 @@ class VolumeTransferTestCase(test.TestCase):
volume = objects.Volume.get_by_id(self.ctxt, volume.id) volume = objects.Volume.get_by_id(self.ctxt, volume.id)
self.assertEqual('in-use', volume['status'], 'Unexpected state') self.assertEqual('in-use', volume['status'], 'Unexpected state')
def test_transfer_invalid_encrypted_volume(self):
tx_api = transfer_api.API()
volume = utils.create_volume(self.ctxt, updated_at=self.updated_at)
db.volume_update(self.ctxt,
volume.id,
{'encryption_key_id': fake.ENCRYPTION_KEY_ID})
self.assertRaises(exception.InvalidVolume,
tx_api.create,
self.ctxt, volume.id, 'Description')
@mock.patch('cinder.volume.utils.notify_about_volume_usage') @mock.patch('cinder.volume.utils.notify_about_volume_usage')
def test_transfer_accept_invalid_authkey(self, mock_notify): def test_transfer_accept_invalid_authkey(self, mock_notify):
svc = self.start_service('volume', host='test_host') svc = self.start_service('volume', host='test_host')

View File

@ -120,6 +120,9 @@ class API(base.Base):
volume_ref = self.db.volume_get(context, volume_id) volume_ref = self.db.volume_get(context, volume_id)
if volume_ref['status'] != "available": if volume_ref['status'] != "available":
raise exception.InvalidVolume(reason=_("status must be available")) raise exception.InvalidVolume(reason=_("status must be available"))
if volume_ref['encryption_key_id'] is not None:
raise exception.InvalidVolume(
reason=_("transferring encrypted volume is not supported"))
volume_utils.notify_about_volume_usage(context, volume_ref, volume_utils.notify_about_volume_usage(context, volume_ref,
"transfer.create.start") "transfer.create.start")