Commit 8b15b3e6 authored by Thomas Goirand's avatar Thomas Goirand

Add API to set encryption key for Swift.

parent 59b1f077
......@@ -118,8 +118,14 @@ _ocicli() {
COMPREPLY=( $(compgen -W "${cluster_list}" -- ${cur}) )
return 0
;;
3|5)
COMPREPLY=( $(compgen -W "--time-server-host --swift-part-power" -- ${cur}) )
3|5|7|9)
COMPREPLY=( $(compgen -W "--time-server-host --swift-part-power --swift-encryption-key-id --swift-disable-encryption" -- ${cur}) )
return 0
;;
4|6|8|10)
if [ "${prev}" = "--swift-disable-encryption" ] ; then
COMPREPLY=( $(compgen -W "yes no" -- ${cur}) )
fi
return 0
;;
*)
......
......@@ -52,7 +52,7 @@ usage (){
echo " cluster-create <cluster-name> <domaine-name.com>"
echo " cluster-delete <cluster-name>"
echo " cluster-show <cluster-name>"
echo " cluster-set <cluster-name> [--swift-part-power <int>] [--time-server-host <hostname>]"
echo " cluster-set <cluster-name> [--swift-part-power <int>] [--time-server-host <hostname>] [--swift-encryption-key-id <UUID>] [--swift-disable-encryption yes/no]"
echo " cluster-show-networks <cluster-name>"
echo " cluster-show-machines <cluster-name>"
echo " cluster-show-ips <cluster-name>"
......@@ -243,6 +243,7 @@ ocicli_cluster_show (){
OCICLI_CLUSTER_SHOW_SWIFT_MIN_PART_HOURS=$(cat ${API_RESPONSE_FILE} | jq -r '.["data"]| "\(.swift_min_part_hours)"')
OCICLI_CLUSTER_SHOW_SWIFT_PROXY_HOSTNAME=$(cat ${API_RESPONSE_FILE} | jq -r '.["data"]| "\(.swift_proxy_hostname)"')
OCICLI_CLUSTER_SHOW_SWIFT_ENCRYPTION_KEY=$(cat ${API_RESPONSE_FILE} | jq -r '.["data"]| "\(.swift_encryption_key_id)"')
OCICLI_CLUSTER_SHOW_SWIFT_DISABLE_ENCRYPTION=$(cat ${API_RESPONSE_FILE} | jq -r '.["data"]| "\(.swift_disable_encryption)"')
OCICLI_CLUSTER_SHOW_HAPROXY_CUSTOM_URL=$(cat ${API_RESPONSE_FILE} | jq -r '.["data"]| "\(.haproxy_custom_url)"')
OCICLI_CLUSTER_SHOW_STATSD_HOSTNAME=$(cat ${API_RESPONSE_FILE} | jq -r '.["data"]| "\(.statsd_hostname)"')
OCICLI_CLUSTER_SHOW_TIME_SERVER_HOST=$(cat ${API_RESPONSE_FILE} | jq -r '.["data"]| "\(.time_server_host)"')
......@@ -254,6 +255,7 @@ ocicli_cluster_show (){
echo "Swift min part hours:,${OCICLI_CLUSTER_SHOW_SWIFT_MIN_PART_HOURS}"
echo "Swift proxy hostname:,${OCICLI_CLUSTER_SHOW_SWIFT_PROXY_HOSTNAME}"
echo "Swift encryption key uuid:,${OCICLI_CLUSTER_SHOW_SWIFT_ENCRYPTION_KEY}"
echo "Swift disable encryption:,${OCICLI_CLUSTER_SHOW_SWIFT_DISABLE_ENCRYPTION}"
echo "Haproxy custom url:,${OCICLI_CLUSTER_SHOW_HAPROXY_CUSTOM_URL}"
echo "Statsd hostname:,${OCICLI_CLUSTER_SHOW_STATSD_HOSTNAME}"
echo "Time server host:,${OCICLI_CLUSTER_SHOW_TIME_SERVER_HOST}"
......@@ -468,6 +470,31 @@ case "${ACTION}" in
shift
shift
;;
"--swift-encryption-key-id")
if [ -z "${2}" ] ; then
echo "No parameter for --swift-encryption-key-id"
usage
exit 1
fi
CALL="${CALL}&swift_encryption_key_id=${2}"
shift
shift
;;
"--swift-disable-encryption")
if [ -z "${2}" ] ; then
echo "No parameter for --swift-disable-encryption"
usage
exit 1
fi
if [ "${2}" != "yes" ] && [ "${2}" != "no" ] ; then
echo "Wrong parameter for --swift-disable-encryption"
usage
exit 1
fi
CALL="${CALL}&swift_disable_encryption=${2}"
shift
shift
;;
*)
;;
esac
......
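Review bot: The `--swift-encryption-key-id` branch at L53-L62 appends `${2}` to `CALL` with no client-side check, unlike the `--swift-disable-encryption` branch directly below it, which rejects anything other than `yes`/`no`; a value containing `&` or `=` would change the query string before the server-side UUID check ever sees it. A cheap sanity check before the append keeps the two branches consistent and gives the operator an immediate error instead of a round trip: `case "${2}" in *[!0-9a-fA-F-]*) echo "Wrong parameter for --swift-encryption-key-id"; usage; exit 1;; esac`. The enclosing `case "${ACTION}"` block starts and ends outside this hunk, so how `CALL` is quoted when it is finally sent is not visible here.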
......@@ -25,6 +25,7 @@ class oci::swiftproxy(
$max_containers_per_account = 0,
$max_containers_whitelist = undef,
$use_ssl = true,
$swift_disable_encryption = undef,
){
if $use_ssl {
......@@ -167,15 +168,16 @@ class oci::swiftproxy(
# Because there's no ca_file option in castellan, we must
# allow swiftproxy to run without encryption in case we're
# running on a PoC without a real certificate for the API
if($swift_disable_encryption =='yes' or $swift_encryption_key_id == ''){
$disable_encryption = true
}
$pipeline_start = [ 'catch_errors', 'healthcheck', 'proxy-logging', 'cache', 'container_sync', 'bulk', 'ratelimit', 's3api', 's3token', 'authtoken', 'keystone', 'copy', 'container-quotas', 'account-quotas', 'slo', 'dlo', 'versioned_writes' ]
if $swift_encryption_key_id == "" {
$disable_encryption = true
$pipeline_kms = $pipeline_start
} else {
$disable_encryption = false
$pipeline_kms = concat($pipeline_start, [ 'kms_keymaster', 'encryption' ])
}
$pipeline = concat($pipeline_kms, [ 'proxy-server' ])
$pipeline = concat($pipeline_kms, [ 'proxy-logging', 'proxy-server' ])
package { 'barbicanclient':
name => 'python-barbicanclient',
......@@ -201,18 +203,14 @@ class oci::swiftproxy(
}
include ::swift::proxy::catch_errors
include ::swift::proxy::healthcheck
if $swift_encryption_key_id != "" {
include ::swift::proxy::kms_keymaster
class { '::swift::proxy::encryption':
disable_encryption => $disable_encryption,
}
include ::swift::proxy::kms_keymaster
class { '::swift::proxy::encryption':
disable_encryption => $disable_encryption,
}
class { '::swift::proxy::cache':
memcache_servers => ["${::fqdn}:11211"],
}
if $swift_encryption_key_id != "" {
include ::swift::proxy::encryption
}
include ::swift::proxy::encryption
include ::swift::proxy::proxy_logging
include ::swift::proxy::container_sync
include ::swift::proxy::bulk
......@@ -246,13 +244,11 @@ class oci::swiftproxy(
}
}
if $swift_encryption_key_id != "" {
class { '::swift::keymaster':
api_class => 'barbican',
key_id => $swift_encryption_key_id,
password => $pass_swift_authtoken,
auth_endpoint => "${keystone_auth_uri}/v3",
project_name => 'services',
}
class { '::swift::keymaster':
api_class => 'barbican',
key_id => $swift_encryption_key_id,
password => $pass_swift_authtoken,
auth_endpoint => "${keystone_auth_uri}/v3",
project_name => 'services',
}
}
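Review bot: If I read the new side correctly (this rendered page lost the +/- markers), the `if($swift_disable_encryption =='yes' or $swift_encryption_key_id == '')` block at L93-L95 only ever assigns `$disable_encryption = true`, and the `= true`/`= false` assignments inside the `$swift_encryption_key_id == ""` branch at L97-L103 are the removed lines, so when a key id is set and encryption is not disabled `$disable_encryption` is never assigned and `disable_encryption => $disable_encryption` at L119 passes undef. That only keeps encryption on as long as `::swift::proxy::encryption`'s own default does; an explicit `} else { $disable_encryption = false }` after L95 makes the intent visible and survives `strict_variables`. The new `$swift_disable_encryption = undef` parameter at L86 is compared only against the string `'yes'`, so a caller passing a Boolean would silently leave encryption enabled; a comment above L86 such as `# 'yes' or 'no' (string); 'yes' forces encryption off even when a key id is set` would document that contract. The class `oci::swiftproxy` begins before and continues past these hunks.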
......@@ -882,6 +882,8 @@ function api_actions($con,$conf){
$enc_file .= " swiftproxy_hostname: " . $cluster["swift_proxy_hostname"] ."\n";
}
$enc_file .= " swift_disable_encryption: " . $cluster["swift_disable_encryption"] ."\n";
$q = "SELECT swiftregions.id AS region_id FROM machines,locations,swiftregions WHERE locations.swiftregion=swiftregions.name AND locations.id=machines.location_id AND machines.id='$machine_id'";
$r = mysqli_query($con, $q);
if($r === FALSE){
......@@ -1318,6 +1320,32 @@ function api_actions($con,$conf){
$update .= "swift_part_power='$safe_swift_part_power'";
}
// Swift encryption key ID
if(isset($_REQUEST["swift_encryption_key_id"])){
$safe_swift_encryption_key_id = safe_uuid("swift_encryption_key_id");
if($safe_swift_encryption_key_id === FALSE){
$json["status"] = "error";
$json["message"] = "Error: swift_encryption_key_id is not an UUID.";
}
if($update != ""){
$update .= ", ";
}
$update .= "swift_encryption_key_id='$safe_swift_encryption_key_id'";
}
// Swift disable encryption
if(isset($_REQUEST["swift_disable_encryption"])){
if($_REQUEST["swift_disable_encryption"] == "yes"){
$safe_swift_disable_encryption = "yes";
}else{
$safe_swift_disable_encryption = "no";
}
if($update != ""){
$update .= ", ";
}
$update .= "swift_disable_encryption='$safe_swift_disable_encryption'";
}
// Time server host
if(isset($_REQUEST["time_server_host"])){
$safe_time_server_host = safe_fqdn("time_server_host");
......
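Review bot: When `safe_uuid("swift_encryption_key_id")` returns FALSE at L163 the error is recorded in `$json`, but execution falls through to L167-L170 and `swift_encryption_key_id=''` is still appended to `$update`; if the UPDATE is still executed after an error status (not visible here, `api_actions` continues outside the hunk) a malformed value would silently clear the configured key id. Wrap the append in the else branch of that check: change L166 to `}else{` and close the branch after L170. The `swift_disable_encryption` block at L173-L183 maps everything other than the exact string `yes` to `no`, which is the safe direction (encryption stays on), but a comment such as `// anything other than "yes" keeps encryption enabled` would stop a later maintainer from turning it into an error path.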
......@@ -25,6 +25,7 @@ $database = array(
"swift_min_part_hours" => "int(11) NOT NULL default '1'",
"swift_proxy_hostname" => "varchar(255) NOT NULL default ''",
"swift_encryption_key_id" => "varchar(255) NOT NULL default ''",
"swift_disable_encryption" => "enum('yes','no') NOT NULL default 'yes'",
"haproxy_custom_url" => "varchar(255) NOT NULL default ''",
"statsd_hostname" => "varchar(255) NOT NULL default ''",
"time_server_host" => "varchar(255) NOT NULL default '0.debian.pool.ntp.org'",
......
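Review bot: The new `swift_disable_encryption` column at L192 defaults to `'yes'`, so every newly created cluster row (and presumably every existing row once the column is added) has at-rest encryption switched off until an operator explicitly runs `cluster-set ... --swift-disable-encryption no`, even when `swift_encryption_key_id` is already populated. Because the puppet side treats `'yes'` as an unconditional off switch, a key id alone no longer enables encryption, which is a quiet regression for existing deployments; defaulting to `'no'` keeps the previous behaviour and makes disabling the deliberate act. If `'yes'` is intentional for PoC installs without a real certificate, a comment on the column such as `// default 'yes' means at-rest encryption is OFF unless explicitly enabled` documents the trade-off where the schema is read.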