Create key manager interface

This interface provides a thin wrapper around an underlying key management
implementation such as Barbican or a KMIP server. The key manager interface is
used by the volume encryption code to retrieve keys for volumes.

Implements: blueprint encrypt-cinder-volumes
Change-Id: I9b0dcb7d648ee6809185c71ba457c8a8a6c90d50
SecurityImpact

nova/keymgr/__init__.py

@@ -0,0 +1,37 @@
+# vim: tabstop=4 shiftwidth=4 softtabstop=4
+# Copyright (c) 2013 The Johns Hopkins University/Applied Physics Laboratory
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from oslo.config import cfg
+
+from nova.openstack.common import importutils
+from nova.openstack.common import log as logging
+
+keymgr_opts = [
+    cfg.StrOpt('keymgr_api_class',
+               default='nova.keymgr.key_mgr.KeyManager',
+               help='The full class name of the key manager API class'),
+]
+
+CONF = cfg.CONF
+CONF.register_opts(keymgr_opts)
+
+LOG = logging.getLogger(__name__)
+
+
+def API():
+    keymgr_api_class = CONF.keymgr_api_class
+    cls = importutils.import_class(keymgr_api_class)
+    return cls()

nova/keymgr/key.py

@@ -0,0 +1,76 @@
+# vim: tabstop=4 shiftwidth=4 softtabstop=4
+
+# Copyright (c) 2013 The Johns Hopkins University/Applied Physics Laboratory
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+"""
+Base Key and SymmetricKey Classes
+
+This module defines the Key and SymmetricKey classes. The Key class is the base
+class to represent all encryption keys. The basis for this class was copied
+from Java.
+"""
+
+import abc
+
+
+class Key(object):
+    """Base class to represent all keys."""
+
+    __metaclass__ = abc.ABCMeta
+
+    @abc.abstractmethod
+    def get_algorithm(self):
+        """Returns this key's algorithm. For example, "DSA" would indicate
+        that this key is a DSA key.
+        """
+        pass
+
+    @abc.abstractmethod
+    def get_format(self):
+        """Returns the encoding format of this key or None if this key is not
+        encoded.
+        """
+        pass
+
+    @abc.abstractmethod
+    def get_encoded(self):
+        """Returns the key in the format specified by its encoding."""
+        pass
+
+
+class SymmetricKey(Key):
+    """
+    This class represents symmetric keys
+    """
+
+    def __init__(self, alg, key):
+        """Create a new SymmetricKey object. This specifies the algorithm for
+        the symmetric encryption and the bytes for the key.
+        """
+        self.alg = alg
+        self.key = key
+
+    def get_algorithm(self):
+        """Returns the algorithm for symmetric encryption."""
+        return self.alg
+
+    def get_format(self):
+        """This returns 'RAW'."""
+        return "RAW"
+
+    def get_encoded(self):
+        """Returns the key in its encoded format."""
+        return self.key

nova/keymgr/key_mgr.py

@@ -0,0 +1,85 @@
+# vim: tabstop=4 shiftwidth=4 softtabstop=4
+# Copyright (c) 2013 The Johns Hopkins University/Applied Physics Laboratory
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+"""
+Key manager API
+"""
+
+import abc
+
+
+class KeyManager(object):
+    """Base Key Manager Interface
+
+    A Key Manager is responsible for managing encryption keys for volumes. A
+    Key Manager is responsible for creating, reading, and deleting keys.
+    """
+
+    __metaclass__ = abc.ABCMeta
+
+    @abc.abstractmethod
+    def create_key(self, ctxt, algorithm='AES', length=256, expiration=None,
+                   **kwargs):
+        """Creates a key.
+
+        This method creates a key and returns the key's UUID. If the specified
+        context does not permit the creation of keys, then a NotAuthorized
+        exception should be raised.
+        """
+        pass
+
+    @abc.abstractmethod
+    def store_key(self, ctxt, key, expiration=None, **kwargs):
+        """Stores (i.e., registers) a key with the key manager.
+
+        This method stores the specified key and returns its UUID that
+        identifies it within the key manager. If the specified context does
+        not permit the creation of keys, then a NotAuthorized exception should
+        be raised.
+        """
+        pass
+
+    @abc.abstractmethod
+    def get_key(self, ctxt, key_id, **kwargs):
+        """Retrieves the specified key.
+
+        Implementations should verify that the caller has permissions to
+        retrieve the key by checking the context object passed in as ctxt. If
+        the user lacks permission then a NotAuthorized exception is raised.
+
+        If the specified key does not exist, then a KeyError should be raised.
+        Implementations should preclude users from discerning the UUIDs of
+        keys that belong to other users by repeatedly calling this method.
+        That is, keys that belong to other users should be considered "non-
+        existent" and completely invisible.
+        """
+        pass
+
+    @abc.abstractmethod
+    def delete_key(self, ctxt, key_id, **kwargs):
+        """Deletes the specified key.
+
+        Implementations should verify that the caller has permission to delete
+        the key by checking the context object (ctxt). A NotAuthorized
+        exception should be raised if the caller lacks permission.
+
+        If the specified key does not exist, then a KeyError should be raised.
+        Implementations should preclude users from discerning the UUIDs of
+        keys that belong to other users by repeatedly calling this method.
+        That is, keys that belong to other users should be considered "non-
+        existent" and completely invisible.
+        """
+        pass