d59e41fb3c
A new microversion 3.70 adds the ability to transfer a volume's encryption key when transferring a volume to another project.

When the volume transfer is initiated, the volume's encryption secret is essentially transferred to the cinder service.

- The cinder service creates a new encryption_key_id that contains a copy of the volume's encryption secret.
- The volume (and its snapshots) is updated with the new encryption_key_id (the one owned by the cinder service).
- The volume's original encryption_key_id (owned by the volume's owner) is deleted.

When the transfer is accepted, the secret is transferred to the user accepting the transfer.

- A new encryption_key_id is generated on behalf of the new user that contains a copy of the volume's encryption secret.
- The volume (and its snapshots) is updated with the new encryption_key_id (the one owned by the user).
- The intermediate encryption_key_id owned by the cinder service is deleted.

When a transfer is cancelled (deleted), the same process is used to transfer ownership back to the user that cancelled the transfer.

Implements: blueprint transfer-encrypted-volume
Change-Id: I459f06504e90025c9c0b539981d3d56a2a9394c7
9 lines
377 B
YAML
---
features:
- |
Starting with API microversion 3.70, encrypted volumes can be transferred
to a user in a different project. Prior to microversion 3.70, the transfer
is blocked due to the inability to transfer ownership of the volume's
encryption key. With microverson 3.70, ownership of the encryption key is
transferred when the volume is transferred.
|
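Review bot: "microverson" in the last sentence of the release note ("With microverson 3.70, ownership of the encryption key is") is misspelled and should read "microversion", as it does in the two earlier occurrences in the same note. The note would also be more useful to operators if it mentioned what the commit message spells out: the volume and its snapshots get a new encryption_key_id at each step of the transfer and the previous key ID is deleted, so anything that recorded the old key ID will no longer resolve it.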