smb: add keybridge support and fscrypt configuration#64641
Open
phlogistonjohn wants to merge 16 commits into ceph:main
Contributor comment: jenkins test make check
Author (contributor) comment: Errors include only known flakes. This indicates that #67406 resolves prior issues for our use-case.
fc1d8d1 to
9c01eb6
Compare
14 tasks
|
This pull request can no longer be automatically merged: a rebase is needed and changes have to be manually resolved |
9c01eb6 to
5404095
Compare
Contributor comment: jenkins test make check arm64
The keybridge sidecar is enabled by the keybridge feature flag. This sidecar will be used to help fetch keys over various protocols for the ceph module to use to set up fs encryption. Signed-off-by: John Mulligan <jmulligan@redhat.com>
Signed-off-by: John Mulligan <jmulligan@redhat.com>
The keybridge uses the sambacc configuration but can also be passed CLI options. Since cephadm writes the cert files, cephadm must also pass the file names to use to the container args. Signed-off-by: John Mulligan <jmulligan@redhat.com>
Add special handling for the case where a string is passed instead of a list. Without this fix a string will be converted into a list of single letter items, something pretty much no one ever wants. Raise an exception instead. Signed-off-by: John Mulligan <jmulligan@redhat.com>
Add the set_data/get_data methods to the MemConfigStore so that future test updates will not fail to save tls credential objects. Signed-off-by: John Mulligan <jmulligan@redhat.com>
Add a pair of enum types that will be used for configuring the keybridge. The scope type identifies what kind of scope is being used. The peer policy can be used to allow a dev or other user more access to the keybridge api for development purposes. Signed-off-by: John Mulligan <jmulligan@redhat.com>
Add keybridge service configuration classes and parameters to the resources module. This supports enabling the keybridge, setting up scopes for the keybridge and its access control. A helper class is added that parses and helps validate the scope names. Signed-off-by: John Mulligan <jmulligan@redhat.com>
Add a new field to the cephfs configuration section for shares. This section selects the keybridge scope and key name to use when acquiring the key to use for fscrypt. Signed-off-by: John Mulligan <jmulligan@redhat.com>
Validate that scope names are not re-used, etc. Check on things that can't be done in single object validation. Signed-off-by: John Mulligan <jmulligan@redhat.com>
Add support for generating the sambacc configuration section for keybridge. Add support for configuring smb shares for keybridge access. Signed-off-by: John Mulligan <jmulligan@redhat.com>
Signed-off-by: John Mulligan <jmulligan@redhat.com>
Add docs for the keybridge configuration and cephfs fscrypt options added to the smb mgr module resource definitions. Signed-off-by: John Mulligan <jmulligan@redhat.com>
The unit test was looking for the wrong string (but the right condition). This fixes the string to check. Signed-off-by: John Mulligan <jmulligan@redhat.com>
Signed-off-by: John Mulligan <jmulligan@redhat.com>
This will enable the config watch sidecar to signal processes with a SIGHUP to tell them to reload configuration when config watch has detected a configuration change. Currently only used by keybridge. Signed-off-by: John Mulligan <jmulligan@redhat.com>
Update the authorizer class in fs.py to request all caps (*) for our volume. This is necessary in order to make use of the fscrypt feature from smbd. Signed-off-by: John Mulligan <jmulligan@redhat.com>
Depends on #64372
Depends on #65069
Depends on #61137
Depends on #64743
Depends on #67406
Ceph smb mgr module and cephadm patches to add keybridge (KMIP proxy) and basic fscrypt support.