Add keymaster to fetch root secret from KMIP service
Add a new middleware that can be used to fetch an encryption root secret from a KMIP service. The middleware uses a PyKMIP client to interact with a KMIP endpoint. The middleware is configured with a unique identifier for the key to be fetched and options required for the PyKMIP client.

Co-Authored-By: Tim Burke <tim.burke@gmail.com>
Change-Id: Ib0943fb934b347060fc66c091673a33bcfac0a6d
6 changed files with 449 additions and 9 deletions
@@ -74,3 +74,23 @@
# reauthenticate = changeme
# domain_id = changeme
# domain_name = changeme
[kmip_keymaster]
# The kmip_keymaster section is used to configure a keymaster that fetches an
# encryption root secret from a KMIP service.
# The value of the ``key_id`` option should be the unique identifier for a
# secret that will be retrieved from the KMIP service. The secret should be an
# AES-256 symmetric key.
# key_id = <unique id of secret to be fetched from the KMIP service>
# The remaining options are used to configure a PyKMIP client and are shown
# below for information. The authoritative definition of these options can be
# found at: https://pykmip.readthedocs.io/en/latest/client.html.
# host = <KMIP server host>
# port = <KMIP server port>
# certfile = /path/to/client/cert.pem
# keyfile = /path/to/client/key.pem
# ca_certs = /path/to/server/cert.pem
# username = <KMIP username>
# password = <KMIP password>
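Review bot: the comments on `ca_certs`, `username` and `password` in this section could mislead operators. `ca_certs` is the CA bundle the client uses to verify the KMIP server's certificate, so the example value `# ca_certs = /path/to/server/cert.pem` only works when the server presents a self-signed certificate; suggest `# ca_certs = /path/to/ca/bundle.pem` with a sentence saying it is the trust anchor for the server, not the client credential. Because `password` is stored in cleartext in this file, the section should also say that the file must be readable only by the processes that need the root secret, which is the reason the proxy-server sample gives for having a separate `keymaster_config_path`. Finally, the text says the secret "should be an AES-256 symmetric key" but not what happens when the object behind `key_id` is a different type or length; stating whether the middleware refuses to start in that case would let a misconfiguration fail loudly rather than silently yield an unexpected root secret.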
@@ -1074,6 +1074,25 @@ use = egg:swift#kms_keymaster
# options.
# keymaster_config_path =
# kmip_keymaster middleware may be used to fetch an encryption root secret from
# a KMIP service. It should replace, in the same position, any other keymaster
# middleware in the proxy-server pipeline, so that the middleware order is as
# shown in this example:
# <other middleware> kmip_keymaster encryption proxy-logging proxy-server
[filter:kmip_keymaster]
use = egg:swift#kmip_keymaster
# Sets the path from which the keymaster config options should be read. This
# allows multiple processes which need to be encryption-aware (for example,
# proxy-server and container-sync) to share the same config file, ensuring
# that the encryption keys used are the same. As an added benefit the
# keymaster configuration file can have different permissions than the
# `proxy-server.conf` file. The format expected is similar
# to other config files, with a single [kmip_keymaster] section. See the
# keymaster.conf-sample file for details on the kmip_keymaster configuration
# options.
# keymaster_config_path =
[filter:encryption]
use = egg:swift#encryption
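Review bot: the `keymaster_config_path` comment in the `[filter:kmip_keymaster]` section does not say where `key_id`, `host`, `certfile` and the other options are read from when it is left unset at `# keymaster_config_path =`; the wording is copied from the `kms_keymaster` section above, so a reader cannot tell whether the options may be placed directly in `[filter:kmip_keymaster]` or whether the path is effectively mandatory for this keymaster. Suggest adding one sentence, either "If unset, the options are read from this section." or "This option is required for kmip_keymaster.", whichever the middleware implements. The pipeline comment at `# <other middleware> kmip_keymaster encryption proxy-logging proxy-server` would also be clearer if it said outright that exactly one keymaster filter belongs in the pipeline; "replace, in the same position, any other keymaster middleware" implies it but does not state it.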