librbd/migration: optionally pull S3 keys from MON config store

This allows the S3 keys to be better protected since the MON can
be configured to restrict access to keys by user and the results
can be encrypted in transit.

Signed-off-by: Jason Dillaman <dillaman@redhat.com>

diff --git a/src/librbd/migration/S3Stream.cc b/src/librbd/migration/S3Stream.cc
index f812ef0294ad17bcab555b00883ebc53fa9766fe..222a08ee3fe969987cf10b59b786e25f47489043 100644 (file)
--- a/src/librbd/migration/S3Stream.cc
+++ b/src/librbd/migration/S3Stream.cc
@@ -89,8 +89,31 @@ void S3Stream<I>::open(Context* on_finish) {
   }
 
   m_url = url_value.get_str();
+
+  librados::Rados rados(m_image_ctx->md_ctx);
+  int r = 0;
   m_access_key = access_key.get_str();
+  if (util::is_config_key_uri(m_access_key)) {
+    r = util::get_config_key(rados, m_access_key, &m_access_key);
+    if (r < 0) {
+      lderr(m_cct) << "failed to retrieve access key from config: "
+                   << cpp_strerror(r) << dendl;
+      on_finish->complete(r);
+      return;
+    }
+  }
+
   m_secret_key = secret_key.get_str();
+  if (util::is_config_key_uri(m_secret_key)) {
+    r = util::get_config_key(rados, m_secret_key, &m_secret_key);
+    if (r < 0) {
+      lderr(m_cct) << "failed to retrieve secret key from config: "
+                   << cpp_strerror(r) << dendl;
+      on_finish->complete(r);
+      return;
+    }
+  }
+
   ldout(m_cct, 10) << "url=" << m_url << ", "
                    << "access_key=" << m_access_key << dendl;