Update patch set 5

Patch Set 5: Code-Review-1

(29 comments)

Patch-set: 5
Reviewer: Gerrit User 16643 <16643@4a232e18-c5a9-48ee-94c0-e04e7cca6543>
Label: Code-Review=-1, 2052d3e2ed164062b0236c7a864af4104b79782d
Attention: {"person_ident":"Gerrit User 18816 \u003c18816@4a232e18-c5a9-48ee-94c0-e04e7cca6543\u003e","operation":"ADD","reason":"\u003cGERRIT_ACCOUNT_16643\u003e replied on the change"}
Attention: {"person_ident":"Gerrit User 16643 \u003c16643@4a232e18-c5a9-48ee-94c0-e04e7cca6543\u003e","operation":"REMOVE","reason":"\u003cGERRIT_ACCOUNT_16643\u003e replied on the change"}
This commit is contained in:
Gerrit User 16643 2024-01-18 01:01:42 +00:00 committed by Gerrit Code Review
parent e98d005ee7
commit ce20c78e71
2 changed files with 642 additions and 0 deletions


@ -34,6 +34,23 @@
"revId": "7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
},
{
"unresolved": false,
"key": {
"uuid": "eeafb32f_a082e67d",
"filename": "/PATCHSET_LEVEL",
"patchSetId": 5
},
"lineNbr": 0,
"author": {
"id": 16643
},
"writtenOn": "2024-01-18T01:01:42Z",
"side": 1,
"message": "Thanks for your work on this Kiran; please take a look at my comments inline",
"revId": "7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
},
{
"unresolved": true,
"key": {
@ -115,6 +132,52 @@
"revId": "7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
},
{
"unresolved": true,
"key": {
"uuid": "6a5cb950_fa4874bc",
"filename": "specs/caracal/share_encryption.rst",
"patchSetId": 5
},
"lineNbr": 16,
"author": {
"id": 16643
},
"writtenOn": "2024-01-18T01:01:42Z",
"side": 1,
"message": "imho, the introduction needs to suggest what is being done about the problem that exists in a succinct way. Would this be a good statement?\n\n\n\u0027\u0027\u0027\nEncrypting OpenStack Manila shares is crucial for ensuring the security and confidentiality of users\u0027 data. There are broadly two levels of encryption: \"front-end\" (data in-transit) and \"back-end\" (data at-rest). Currently, users can request back-end data encryption via share types that have custom extra-specs. These custom-extra specs direct the back end driver to encrypt the share data at rest, however, there is no mechanism for the user to control much else regarding the encryption process. Ideally, users must be allowed to create and manage their own encryption keys. This specification proposes an approach that enables Manila to coordinate user defined encryption keys for \"back-end\" (at rest) encryption of share data.\n\u0027\u0027\u0027",
"range": {
"startLine": 13,
"startChar": 0,
"endLine": 16,
"endChar": 36
},
"revId": "7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
},
{
"unresolved": true,
"key": {
"uuid": "8ed377f9_e50a12d6",
"filename": "specs/caracal/share_encryption.rst",
"patchSetId": 5
},
"lineNbr": 21,
"author": {
"id": 16643
},
"writtenOn": "2024-01-18T01:01:42Z",
"side": 1,
"message": "This is incorrect; \n\nWhat you mean to say is that the encryption workflow implemented today is sub-optimal.\n\nPerhaps replace with this\n\n\"\"\"\nWhile manila users can create encrypted shares with some storage back ends, they cannot create or control their encryption keys via OpenStack. Encryption keys are made up by the storage back end or the Manila driver, and any one with access to the keys could access the data if they gain access to the back end storage. So the main problem that this specification is addressing is user control of encryption keys.\n\"\"\"\n\n\nI\u0027d also, for the sake of completeness, mention why we should even care about encryption. Your write up for that is good; here\u0027s a blurb Chat GPT generated when i asked it a question.. maybe it can help:\n\n\n```\n\nHere are some reasons why you should consider encrypting OpenStack Manila shares:\n\n1. **Data Confidentiality:** Encryption protects the confidentiality of your data by converting it into unreadable ciphertext. If unauthorized users gain access to the storage, they won\u0027t be able to make sense of the encrypted data without the appropriate decryption key.\n\n2. **Compliance Requirements:** Many industries and regulatory standards require the encryption of sensitive data. Encrypting OpenStack Manila shares helps you comply with data protection regulations and industry standards, ensuring that your organization meets legal requirements.\n\n3. **Protection Against Unauthorized Access:** Encrypting shares adds an extra layer of security against unauthorized access. Even if someone gains access to the underlying storage, they won\u0027t be able to access the data without the encryption key.\n\n4. **Secure Data Transfer:** When data is transferred between different components of your OpenStack environment or across the network, encryption ensures that the data remains secure during transit. 
This is especially important in multi-tenant environments where multiple users or projects may share the same infrastructure.\n\n5. **Mitigation of Insider Threats:** Encryption can help mitigate the risk of insider threats. Even if an authorized user with access to the storage attempts to misuse the data, encryption prevents them from reading or tampering with sensitive information without the proper decryption key.\n\n6. **Protection Against Data Breaches:** In the event of a security breach or data leak, encrypted data is much more difficult for attackers to exploit. This can significantly reduce the impact of a data breach, as the stolen information remains unreadable without the encryption key.\n\n7. **Risk Management:** Encryption is a fundamental component of a comprehensive risk management strategy. By implementing encryption for OpenStack Manila shares, you enhance your overall security posture and reduce the potential impact of security incidents.\n\n```\n\nIf you decide to use any of this, we should omit the 4th point, we\u0027re not solving \"in-transit\" data encryption with this effort...",
"range": {
"startLine": 21,
"startChar": 0,
"endLine": 21,
"endChar": 54
},
"revId": "7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
},
{
"unresolved": true,
"key": {
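Review bot: In the lineNbr 21 message, item 5 of the pasted blurb ("Mitigation of Insider Threats") says encryption stops an authorized user with access to the storage from reading or tampering with the data. Back-end at-rest encryption does not do that for anyone who is served the share in plaintext. The closing sentence already drops item 4 as out of scope; item 5 needs the same treatment, or a rewording limited to people who reach the raw storage without the key.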
@ -161,6 +224,29 @@
"revId": "7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
},
{
"unresolved": true,
"key": {
"uuid": "45a35b2f_eed787a3",
"filename": "specs/caracal/share_encryption.rst",
"patchSetId": 5
},
"lineNbr": 36,
"author": {
"id": 16643
},
"writtenOn": "2024-01-18T01:01:42Z",
"side": 1,
"message": "by virtue of default RBAC, a user cannot create a share type in Manila; an administrator can..",
"range": {
"startLine": 35,
"startChar": 37,
"endLine": 36,
"endChar": 45
},
"revId": "7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
},
{
"unresolved": true,
"key": {
@ -184,6 +270,52 @@
"revId": "7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
},
{
"unresolved": true,
"key": {
"uuid": "4b283625_064a77c7",
"filename": "specs/caracal/share_encryption.rst",
"patchSetId": 5
},
"lineNbr": 47,
"author": {
"id": 16643
},
"writtenOn": "2024-01-18T01:01:42Z",
"side": 1,
"message": "I didn\u0027t understand this: \n\nHow can a user provide their own key? Is this done when creating a share? Also, how is the key provided? Will they give us the ID of the secret from barbican?\n\n\nYour examples below don\u0027t clarify this",
"range": {
"startLine": 42,
"startChar": 0,
"endLine": 47,
"endChar": 27
},
"revId": "7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
},
{
"unresolved": true,
"key": {
"uuid": "8d8c8425_435a75fc",
"filename": "specs/caracal/share_encryption.rst",
"patchSetId": 5
},
"lineNbr": 49,
"author": {
"id": 16643
},
"writtenOn": "2024-01-18T01:01:42Z",
"side": 1,
"message": "the storage back end via the storage back end driver",
"range": {
"startLine": 49,
"startChar": 67,
"endLine": 49,
"endChar": 74
},
"revId": "7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
},
{
"unresolved": true,
"key": {
@ -207,6 +339,98 @@
"revId": "7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
},
{
"unresolved": true,
"key": {
"uuid": "b9791f32_6cde283d",
"filename": "specs/caracal/share_encryption.rst",
"patchSetId": 5
},
"lineNbr": 50,
"author": {
"id": 16643
},
"writtenOn": "2024-01-18T01:01:42Z",
"side": 1,
"message": "storage back end",
"range": {
"startLine": 50,
"startChar": 4,
"endLine": 50,
"endChar": 11
},
"revId": "7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
},
{
"unresolved": true,
"key": {
"uuid": "9f7a46fd_13280d94",
"filename": "specs/caracal/share_encryption.rst",
"patchSetId": 5
},
"lineNbr": 51,
"author": {
"id": 16643
},
"writtenOn": "2024-01-18T01:01:42Z",
"side": 1,
"message": "nit: retrieves",
"range": {
"startLine": 51,
"startChar": 31,
"endLine": 51,
"endChar": 44
},
"revId": "7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
},
{
"unresolved": true,
"key": {
"uuid": "53c9e54a_2a96b4e3",
"filename": "specs/caracal/share_encryption.rst",
"patchSetId": 5
},
"lineNbr": 52,
"author": {
"id": 16643
},
"writtenOn": "2024-01-18T01:01:42Z",
"side": 1,
"message": "nit: \"share\u0027s data within the storage back end.\"",
"range": {
"startLine": 52,
"startChar": 25,
"endLine": 52,
"endChar": 41
},
"revId": "7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
},
{
"unresolved": true,
"key": {
"uuid": "d9f44492_5a2edaee",
"filename": "specs/caracal/share_encryption.rst",
"patchSetId": 5
},
"lineNbr": 53,
"author": {
"id": 16643
},
"writtenOn": "2024-01-18T01:01:42Z",
"side": 1,
"message": "\"proprietary\" is inappropriate... \n\nperhaps replace with:\n\n\n\"\"\"\nThe actual encryption of the data at-rest is performed by the back end storage system. The scope of Manila\u0027s involvement ends with coordinating the user\u0027s secret with the Key Store.\n\"\"\"",
"range": {
"startLine": 53,
"startChar": 65,
"endLine": 53,
"endChar": 76
},
"revId": "7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
},
{
"unresolved": true,
"key": {
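Review bot: The lineNbr 50 message ("storage back end") is a bare phrase, while the lineNbr 51 and 52 messages in the same hunk mark their replacement text with "nit:". Add the same marker or quote the phrase so the author can tell it is proposed wording for chars 4-11 of that line and not a question.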
@ -230,6 +454,144 @@
"revId": "7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
},
{
"unresolved": true,
"key": {
"uuid": "37385415_5633a7ef",
"filename": "specs/caracal/share_encryption.rst",
"patchSetId": 5
},
"lineNbr": 57,
"author": {
"id": 16643
},
"writtenOn": "2024-01-18T01:01:42Z",
"side": 1,
"message": "What does this mean?\n\nI see two workflows:\n\n \n\u003d\u003d\u003d\u003d\u003d\n\n1) Manila generates encryption key and stores it on the keystore:\n\na) Admin configures Manila with key manager\nb) Admin creates a share type, and an encryption type\nc) User uses encryption-enabled share type to create a share\nd) Internally manila creates an encryption secret and stores it on the keystore; and provides all data to the storage system via its driver\ne) storage system reaches out to key store, and encrypts share data at rest with the key\n\n\u003d\u003d\u003d\u003d\u003d\n\n2) User provides key stored on the keystore\n\na) Admin configures Manila with key manager\nb) DOES Admin need to a share type, and an encryption type anymore?\nc) User specifies key reference when creating a share\nd) Internally manila ensures the encryption secret exists, and provides data to the storage system via its driver\ne) storage system reaches out to key store, and encrypts share data at rest with the key\n\n\n\u003d\u003d\u003d\u003d\u003d\n\n\nam i understanding this correctly?\nwhat does this note mean?",
"range": {
"startLine": 56,
"startChar": 0,
"endLine": 57,
"endChar": 72
},
"revId": "7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
},
{
"unresolved": true,
"key": {
"uuid": "3853aae6_38a2327c",
"filename": "specs/caracal/share_encryption.rst",
"patchSetId": 5
},
"lineNbr": 64,
"author": {
"id": 16643
},
"writtenOn": "2024-01-18T01:01:42Z",
"side": 1,
"message": "creating \"encryption specs\"",
"range": {
"startLine": 64,
"startChar": 25,
"endLine": 64,
"endChar": 35
},
"revId": "7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
},
{
"unresolved": true,
"key": {
"uuid": "ddddbaa6_feffbc0b",
"filename": "specs/caracal/share_encryption.rst",
"patchSetId": 5
},
"lineNbr": 66,
"author": {
"id": 16643
},
"writtenOn": "2024-01-18T01:01:42Z",
"side": 1,
"message": "please drop \"basic\"",
"range": {
"startLine": 66,
"startChar": 72,
"endLine": 66,
"endChar": 77
},
"revId": "7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
},
{
"unresolved": true,
"key": {
"uuid": "927baaa9_549ddd1b",
"filename": "specs/caracal/share_encryption.rst",
"patchSetId": 5
},
"lineNbr": 67,
"author": {
"id": 16643
},
"writtenOn": "2024-01-18T01:01:42Z",
"side": 1,
"message": "encryption specs associated with a share type.",
"range": {
"startLine": 67,
"startChar": 44,
"endLine": 67,
"endChar": 59
},
"revId": "7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
},
{
"unresolved": true,
"key": {
"uuid": "01d9ac1b_9ee99d9b",
"filename": "specs/caracal/share_encryption.rst",
"patchSetId": 5
},
"lineNbr": 74,
"author": {
"id": 16643
},
"writtenOn": "2024-01-18T01:01:42Z",
"side": 1,
"message": "everything specified here is a change in manila... \n\nDo you mean:\n\n \"Manila API service changes\"",
"range": {
"startLine": 74,
"startChar": 2,
"endLine": 74,
"endChar": 18
},
"revId": "7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
},
{
"unresolved": true,
"key": {
"uuid": "f0992cd8_ea28959c",
"filename": "specs/caracal/share_encryption.rst",
"patchSetId": 5
},
"lineNbr": 76,
"author": {
"id": 16643
},
"writtenOn": "2024-01-18T01:01:42Z",
"side": 1,
"message": "\"allow configuration of a key manager. We will introduce an interface for the Manila API service to communicate with an external key manager (e.g. Castellan), which internally works with a key store (e.g. Barbican).\"",
"range": {
"startLine": 76,
"startChar": 27,
"endLine": 76,
"endChar": 69
},
"revId": "7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
},
{
"unresolved": true,
"key": {
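Review bot: In the lineNbr 57 message, workflow 2 step d only has Manila confirm that the user's secret "exists", and step e has the storage system reach out to the key store, so neither step says which identity is authorised to read the secret. Ask the spec to state that explicitly for the user-provided key case. Step b also reads "DOES Admin need to a share type", which is missing a verb such as "create".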
@ -253,6 +615,109 @@
"revId": "7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
},
{
"unresolved": true,
"key": {
"uuid": "2c4b33a0_df0ee1d6",
"filename": "specs/caracal/share_encryption.rst",
"patchSetId": 5
},
"lineNbr": 79,
"author": {
"id": 16643
},
"writtenOn": "2024-01-18T01:01:42Z",
"side": 1,
"message": "you mentioned that if an encryption key is not specified during creation, manila will need to create an encryption key.. is that correct? if yes, please add that detail here",
"revId": "7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
},
{
"unresolved": true,
"key": {
"uuid": "d8f6de16_cb584521",
"filename": "specs/caracal/share_encryption.rst",
"patchSetId": 5
},
"lineNbr": 83,
"author": {
"id": 16643
},
"writtenOn": "2024-01-18T01:01:42Z",
"side": 1,
"message": "which is it? \"encryption key data\" or \"key ref\"?",
"range": {
"startLine": 82,
"startChar": 0,
"endLine": 83,
"endChar": 48
},
"revId": "7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
},
{
"unresolved": true,
"key": {
"uuid": "6ee965b5_5f006277",
"filename": "specs/caracal/share_encryption.rst",
"patchSetId": 5
},
"lineNbr": 91,
"author": {
"id": 16643
},
"writtenOn": "2024-01-18T01:01:42Z",
"side": 1,
"message": "nit: provide",
"range": {
"startLine": 91,
"startChar": 60,
"endLine": 91,
"endChar": 68
},
"revId": "7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
},
{
"unresolved": true,
"key": {
"uuid": "2cda8415_3cf9c406",
"filename": "specs/caracal/share_encryption.rst",
"patchSetId": 5
},
"lineNbr": 97,
"author": {
"id": 16643
},
"writtenOn": "2024-01-18T01:01:42Z",
"side": 1,
"message": "This section should answer the question:\n\n\"What are my alternatives if OpenStack Manila doesn\u0027t provide a way for users to use their own encryption keys?\"\n\n\n\nPerhaps:\n\n\n\n\"\"\"\n\nIf OpenStack Manila doesn\u0027t provide a way for users to manage their own encryption keys, the cloud may need an out-of-band solution, such as:\n\n- External or third party key management services that support integration with OpenStack Manila\n- Client-Side Encryption: forego data encryption at-rest. Users must encrypt their data locally on their clients before storing it in Manila shares\n- File-Level Encryption: encrypting individual files or directories within the clients using tools or libraries instead of encrypting the share data as a whole.\n- Custom Scripts or Tools: Deployment-local scripts that enable users to manage their encryption keys outside of OpenStack Manila. This may involve creating a user interface or command-line tool that interacts with OpenStack Manila and external key management systems.\n- OpenStack Manila Extensions: unofficial API extensions that can enhance the functionality of Manila to deal with encryption metadata.\n\nIn all, these alternatives are inferior to the convenience that we would provide by implementing the proposal in this specification.\n\n\"\"\"",
"revId": "7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
},
{
"unresolved": true,
"key": {
"uuid": "a1dfb262_a9893fcd",
"filename": "specs/caracal/share_encryption.rst",
"patchSetId": 5
},
"lineNbr": 124,
"author": {
"id": 16643
},
"writtenOn": "2024-01-18T01:01:42Z",
"side": 1,
"message": "\"back-end\" ?",
"range": {
"startLine": 124,
"startChar": 56,
"endLine": 124,
"endChar": 60
},
"revId": "7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
},
{
"unresolved": true,
"key": {
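Review bot: The proposed text in the lineNbr 97 message ends by calling all the alternatives "inferior to the convenience" of the proposal, yet the list includes client-side and file-level encryption, which differ from back-end at-rest encryption in where the key and plaintext live and not only in convenience. Suggest ending with "less convenient" so the Alternatives section does not read as a security ranking.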
@ -276,6 +741,30 @@
"revId": "7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
},
{
"unresolved": true,
"key": {
"uuid": "96615198_52a2edb8",
"filename": "specs/caracal/share_encryption.rst",
"patchSetId": 5
},
"lineNbr": 128,
"author": {
"id": 16643
},
"writtenOn": "2024-01-18T01:01:42Z",
"side": 1,
"message": "I do think its relevant to snapshots... \n\nbackups and replicas less so... I expect that all replicas of the share would have the same encryption key",
"parentUuid": "aea3954e_41d55424",
"range": {
"startLine": 128,
"startChar": 0,
"endLine": 128,
"endChar": 27
},
"revId": "7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
},
{
"unresolved": true,
"key": {
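Review bot: The lineNbr 128 reply says encryption is relevant to snapshots but states an expectation only for replicas (same key as the share). Add what is expected for snapshots, and say whether backups are in or out of scope, so the author knows what to write in the spec.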
@ -299,6 +788,30 @@
"revId": "7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
},
{
"unresolved": true,
"key": {
"uuid": "2211c54f_88812c59",
"filename": "specs/caracal/share_encryption.rst",
"patchSetId": 5
},
"lineNbr": 150,
"author": {
"id": 16643
},
"writtenOn": "2024-01-18T01:01:42Z",
"side": 1,
"message": "then you\u0027ll also need a \"resource_type\"",
"parentUuid": "1d93b7a7_15c15229",
"range": {
"startLine": 150,
"startChar": 4,
"endLine": 150,
"endChar": 12
},
"revId": "7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
},
{
"unresolved": true,
"key": {
@ -322,6 +835,52 @@
"revId": "7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
},
{
"unresolved": true,
"key": {
"uuid": "55b138ed_ed2b1409",
"filename": "specs/caracal/share_encryption.rst",
"patchSetId": 5
},
"lineNbr": 310,
"author": {
"id": 16643
},
"writtenOn": "2024-01-18T01:01:42Z",
"side": 1,
"message": "Does the driver need to do this?",
"range": {
"startLine": 310,
"startChar": 3,
"endLine": 310,
"endChar": 54
},
"revId": "7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
},
{
"unresolved": true,
"key": {
"uuid": "34716572_e803fe46",
"filename": "specs/caracal/share_encryption.rst",
"patchSetId": 5
},
"lineNbr": 312,
"author": {
"id": 16643
},
"writtenOn": "2024-01-18T01:01:42Z",
"side": 1,
"message": "Instruct the back end storage system to Encrypt the share with key data sent from key-store e.g. Barbican",
"range": {
"startLine": 312,
"startChar": 0,
"endLine": 312,
"endChar": 68
},
"revId": "7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
},
{
"unresolved": true,
"key": {
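Review bot: The replacement wording in the lineNbr 312 message, "key data sent from key-store", does not say who moves the key: the key store, the Manila driver, or the storage system fetching it. Since the lineNbr 310 message just above questions whether the driver needs to do that step at all, the suggested sentence should name the component that retrieves the key and say whether the driver handles key material or only a reference.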
@ -344,6 +903,29 @@
},
"revId": "7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
},
{
"unresolved": true,
"key": {
"uuid": "f6e001df_e7b3e4a6",
"filename": "specs/caracal/share_encryption.rst",
"patchSetId": 5
},
"lineNbr": 316,
"author": {
"id": 16643
},
"writtenOn": "2024-01-18T01:01:42Z",
"side": 1,
"message": "I think this is confusing.. \n\n\nFirstly, a \"share server\" always exists, whether DHSS\u003dTrue or False; with DHSS\u003dTrue, drivers can create share servers on the fly, with DHSS\u003dFalse, it is assumed there is one share server for all the shares. \n\nSecond, I think you need to clarify that this specification does not target encryption at the share server level. If a share server has any sort of encryption settings, the expectation on the back end storage system and its driver is that the per-share encryption settings from Manila will override the encryption settings of the share server for the given share.",
"range": {
"startLine": 314,
"startChar": 2,
"endLine": 316,
"endChar": 15
},
"revId": "7073bfe6e2eb52a56586b4e46ad0506d84f9e6fc",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
}
]
}
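Review bot: The second paragraph of the lineNbr 316 message says per-share encryption settings "will override" the share server's settings, but not what is expected when a back end cannot apply a per-share key on a share server that already has encryption settings. Suggest asking the spec to state the required driver behaviour for that case, for example failing the share creation.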


@ -52,6 +52,24 @@
"revId": "7e375d234c48fb3e6c33584ea12452ec0e29ee60",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
},
{
"unresolved": false,
"key": {
"uuid": "97586e3d_5c9c3304",
"filename": "specs/caracal/share_encryption.rst",
"patchSetId": 4
},
"lineNbr": 53,
"author": {
"id": 16643
},
"writtenOn": "2024-01-18T01:01:42Z",
"side": 1,
"message": "please \"resolve\" comments when you address them...",
"parentUuid": "25dbe89b_465c2231",
"revId": "7e375d234c48fb3e6c33584ea12452ec0e29ee60",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
},
{
"unresolved": true,
"key": {
@ -462,6 +480,24 @@
"revId": "7e375d234c48fb3e6c33584ea12452ec0e29ee60",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
},
{
"unresolved": false,
"key": {
"uuid": "9f373e5a_ec1e8651",
"filename": "specs/caracal/share_encryption.rst",
"patchSetId": 4
},
"lineNbr": 306,
"author": {
"id": 16643
},
"writtenOn": "2024-01-18T01:01:42Z",
"side": 1,
"message": "I agree with beginning with per-share-encryption. \n\nIn the \"driver impact\" section, there\u0027s a call out to \"share server encryption\" that can be removed; or moved to a different section rather than \"Driver Impact\". I\u0027ll leave a comment there.",
"parentUuid": "0f8baeae_8d0b17fb",
"revId": "7e375d234c48fb3e6c33584ea12452ec0e29ee60",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
},
{
"unresolved": true,
"key": {
@ -508,6 +544,30 @@
},
"revId": "7e375d234c48fb3e6c33584ea12452ec0e29ee60",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
},
{
"unresolved": true,
"key": {
"uuid": "c0f96cc2_abecd8bd",
"filename": "specs/caracal/share_encryption.rst",
"patchSetId": 4
},
"lineNbr": 330,
"author": {
"id": 16643
},
"writtenOn": "2024-01-18T01:01:42Z",
"side": 1,
"message": "+1",
"parentUuid": "d2fb1fa0_f9890dd7",
"range": {
"startLine": 330,
"startChar": 3,
"endLine": 330,
"endChar": 35
},
"revId": "7e375d234c48fb3e6c33584ea12452ec0e29ee60",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
}
]
}
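Review bot: The "+1" reply on lineNbr 330 is recorded with "unresolved": true, while the two other replies this commit adds against patch set 4 (lineNbr 53 and 306) are "unresolved": false. If the "+1" only signals agreement with the parent comment, say what still has to change so the open thread is actionable.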