Add keymaster to fetch root secret from KMIP service
Add a new middleware that can be used to fetch an encryption root secret from a KMIP service. The middleware uses a PyKMIP client to interact with a KMIP endpoint. The middleware is configured with a unique identifier for the key to be fetched and options required for the PyKMIP client.

Co-Authored-By: Tim Burke <tim.burke@gmail.com>
Change-Id: Ib0943fb934b347060fc66c091673a33bcfac0a6d
@@ -74,3 +74,23 @@
# reauthenticate = changeme
# domain_id = changeme
# domain_name = changeme

[kmip_keymaster]
# The kmip_keymaster section is used to configure a keymaster that fetches an
# encryption root secret from a KMIP service.

# The value of the ``key_id`` option should be the unique identifier for a
# secret that will be retrieved from the KMIP service. The secret should be an
# AES-256 symmetric key.
# key_id = <unique id of secret to be fetched from the KMIP service>

# The remaining options are used to configure a PyKMIP client and are shown
# below for information. The authoritative definition of these options can be
# found at: https://pykmip.readthedocs.io/en/latest/client.html.
# host = <KMIP server host>
# port = <KMIP server port>
# certfile = /path/to/client/cert.pem
# keyfile = /path/to/client/key.pem
# ca_certs = /path/to/server/cert.pem
# username = <KMIP username>
# password = <KMIP password>
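Review bot: the `ca_certs = /path/to/server/cert.pem` placeholder reads as if the KMIP server's own certificate should be configured here, but `ca_certs` is the CA bundle the PyKMIP client uses to verify the server's TLS certificate; a placeholder such as `/path/to/ca/cert.pem` and a sentence saying that this file is what authenticates the KMIP server would stop operators from pinning a leaf certificate that breaks on rotation. Since `username` and `password` put a KMIP credential in plaintext in this section, the comment block should also point readers at `keymaster_config_path` and restrictive permissions on the file that holds it, and the "should be an AES-256 symmetric key" sentence should say what the middleware does when the object retrieved for `key_id` is not a 256-bit symmetric key (fail at startup or accept it), because that is the check an operator will want to rely on. Finally, "The remaining options ... are shown below for information" leaves it unclear whether only the listed options are forwarded to the PyKMIP client or any option in this section is passed through; state which.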
@@ -1074,6 +1074,25 @@ use = egg:swift#kms_keymaster
# options.
# keymaster_config_path =

# kmip_keymaster middleware may be used to fetch an encryption root secret from
# a KMIP service. It should replace, in the same position, any other keymaster
# middleware in the proxy-server pipeline, so that the middleware order is as
# shown in this example:
# <other middleware> kmip_keymaster encryption proxy-logging proxy-server
[filter:kmip_keymaster]
use = egg:swift#kmip_keymaster

# Sets the path from which the keymaster config options should be read. This
# allows multiple processes which need to be encryption-aware (for example,
# proxy-server and container-sync) to share the same config file, ensuring
# that the encryption keys used are the same. As an added benefit the
# keymaster configuration file can have different permissions than the
# `proxy-server.conf` file. The format expected is similar
# to other config files, with a single [kmip_keymaster] section. See the
# keymaster.conf-sample file for details on the kmip_keymaster configuration
# options.
# keymaster_config_path =

[filter:encryption]
use = egg:swift#encryption

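Review bot: the `keymaster_config_path` description from `# Sets the path from which the keymaster config options should be read.` through `# options.` is the same text as the kms_keymaster block this hunk sits under (see the `use = egg:swift#kms_keymaster` hunk header context), with only the section name swapped; either shorten this copy to a cross-reference so the two cannot drift, or make it earn its place by saying explicitly that the KMIP username, password and client key path belong in that separately permissioned file rather than in `proxy-server.conf`, which is the reason the option exists. The sample also leaves `# keymaster_config_path =` empty without saying whether `key_id`, `host` and the other `[kmip_keymaster]` options may instead be set inline under `[filter:kmip_keymaster]`; if inline configuration is supported, say so, and if it is not, an empty default is a misleading sample and the comment should say the path is required.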