On 11/20/2015 01:19 PM, Daniel P. Berrange wrote:
On Fri, Nov 20, 2015 at 02:45:15PM +0200, Duncan Thomas wrote:
Brick does not have to take over the decisions in order to be a useful
repository for the code. The motivation for this work is to avoid having
the dm setup code copied wholesale into cinder, where it becomes difficult
to keep in sync with the code in nova.
Cinder needs a copy of this code since it is on the data path for certain
operations (create from image, copy to image, backup/restore, migrate).
A core goal of using volume encryption in Nova to provide protection for
tenant data, from a malicious storage service. ie if the decryption key
is only ever used by Nova on the compute node, then cinder only ever sees
ciphertext, never plaintext. Thus if cinder is compromised, then it can
not compromise any data stored in any encrypted volumes.
There is a difference between the cinder service and the storage
controller (or software system) that cinder manages. You can give the
decryption keys to the cinder service without allowing the storage
controller to see any plaintext.
As Walt says in the relevant patch [1], expecting cinder to do data
management without ever performing I/O is unrealistic. The scenario
where the compute admin doesn't trust the storage admin is
understandable (although less important than other potential types of
attacks IMO) but the scenario where the guy managing nova doesn't trust
the guy managing cinder makes no sense at all.
I support moving the code into a common place, and doing responsible key
management, and letting the cinder guys make sure that storage
controllers never see plaintext in the cases when they're not supposed to.
-Ben
[1] https://review.openstack.org/#/c/247372/
If cinder is looking to get access to the dm-seutp code, this seems to
imply that cinder will be getting access to the plaintext data, which
feels to me like it de-values the volume encryption feature somewhat.
I'm fuzzy on the details of just what code paths cinder needs to be
able to convert from plaintext to ciphertext or vica-verca, but in
general I think it is desirable if we can avoid any such operation
in cinder, and keep it so that only Nova compute nodes ever see the
decrypted data.
Regards,
Daniel
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
