git.apps.os.sepia.ceph.com Git - ceph-ci.git/commit

author	Sergio de Carvalho <scarvalhojr@gmail.com>
	Mon, 14 Oct 2019 10:39:45 +0000 (11:39 +0100)
committer	Sergio de Carvalho <scarvalhojr@gmail.com>
	Tue, 12 Nov 2019 13:51:25 +0000 (13:51 +0000)
commit	2650ebe8afa2c9a4e72789fc877995edb91e1a6c
tree	279b031aa6c3d3d67afb8e00e48042d32b699a15	tree \| snapshot
parent	72c63fe228b5b7114dd679e8de922df8d9f14a2f	commit \| diff

rgw: improvements to SSE-KMS with Vault

* add 'rgw crypt vault prefix' config setting to allow restricting
  secret space in Vault where RGW can retrieve keys from
* refuse Vault token file if permissions are too open
* improve concatenation of URL paths to avoid constructing an invalid
  URL (missing or double '/')
* doc: clarify SSE-KMS keys must be 256-bit long and base64 encoded,
  document Vault policies and tokens, plus other minor doc improvements
* qa: check SHA256 signature of Vault zip download
* qa: fix teuthology tests broken by previous PR which made SSE-KMS
  backend default to Barbican

Signed-off-by: Andrea Baglioni <andrea.baglioni@workday.com>
Signed-off-by: Sergio de Carvalho <sergio.carvalho@workday.com>

doc/radosgw/barbican.rst		diff \| blob \| history
doc/radosgw/config-ref.rst		diff \| blob \| history
doc/radosgw/encryption.rst		diff \| blob \| history
doc/radosgw/vault.rst		diff \| blob \| history
qa/suites/rgw/crypt/2-kms/vault.yaml		diff \| blob \| history
qa/suites/rgw/crypt/4-tests/s3tests.yaml		diff \| blob \| history
qa/suites/smoke/basic/tasks/rgw_ec_s3tests.yaml		diff \| blob \| history
qa/suites/smoke/basic/tasks/rgw_s3tests.yaml		diff \| blob \| history
qa/tasks/rgw.py		diff \| blob \| history
qa/tasks/vault.py		diff \| blob \| history
src/common/legacy_config_opts.h		diff \| blob \| history
src/common/options.cc		diff \| blob \| history
src/rgw/rgw_kms.cc		diff \| blob \| history
src/test/rgw/test_rgw_kms.cc		diff \| blob \| history
src/vstart.sh		diff \| blob \| history