rgw/sse-s3: remove make_kek_s3/generate_kek_sse_s3

author Marcus Watts <mwatts@redhat.com>

Sat, 18 Dec 2021 09:27:51 +0000 (04:27 -0500)

committer Marcus Watts <mwatts@redhat.com>

Thu, 12 May 2022 07:33:51 +0000 (03:33 -0400)
author Marcus Watts <mwatts@redhat.com>
Sat, 18 Dec 2021 09:27:51 +0000 (04:27 -0500)
committer Marcus Watts <mwatts@redhat.com>
Thu, 12 May 2022 07:33:51 +0000 (03:33 -0400)
diff --git a/src/rgw/rgw_kms.cc b/src/rgw/rgw_kms.cc

index afe83b29392ebb4cb1e65f9513ed1194fdaf0e1e..bfea30989b536c4ac752a56fbf36d5d4e4f39e92 100644 (file)
--- a/src/rgw/rgw_kms.cc
+++ b/src/rgw/rgw_kms.cc
@@ -700,16 +700,6 @@ public:
      }
      return 0;
    }
-
-  int make_kek_s3(std::string key_id)
-  {
-    bufferlist secret_bl;
-    int res = send_request("POST", "/keys/", key_id,
-       string{}, secret_bl);
-
-    ldout(cct, 20) << "Generate KEK Response: " << res << dendl;
-    return res;
-  }
  };
  
  class KvSecretEngine: public VaultSecretEngine {
@@ -1142,7 +1132,7 @@ public:
      return cct->_conf->rgw_crypt_sse_s3_vault_prefix;
    };
    const std::string & secret_engine() override {
-    return sse_s3_secret_engine;
+    return cct->_conf->rgw_crypt_sse_s3_vault_secret_engine;
    };
    const std::string & ssl_cacert() override {
      return cct->_conf->rgw_crypt_sse_s3_vault_ssl_cacert;
@@ -1160,7 +1150,6 @@ public:
      return cct->_conf->rgw_crypt_sse_s3_vault_verify_ssl;
    };
  };
-const std::string SseS3Context::sse_s3_secret_engine = "transit";
  
  int reconstitute_actual_key_from_kms(const DoutPrefixProvider *dpp, CephContext *cct,
                              map<string, bufferlist>& attrs,
@@ -1240,7 +1229,7 @@ int make_actual_key_from_sse_s3(const DoutPrefixProvider *dpp,
  }
  
  
-int create_ss3_s3_bucket_key(const DoutPrefixProvider *dpp,
+int create_sse_s3_bucket_key(const DoutPrefixProvider *dpp,
                                       CephContext *cct,
                                       const std::string& bucket_key)
  {
@@ -1255,7 +1244,7 @@ int create_ss3_s3_bucket_key(const DoutPrefixProvider *dpp,
    std::string secret_engine_str = kctx.secret_engine();
    EngineParmMap secret_engine_parms;
    auto secret_engine { config_to_engine_and_parms(
-    cct, "rgw_crypt_vault_secret_engine",      // XXX wrong, but...
+    cct, "rgw_crypt_sse_s3_vault_secret_engine",
      secret_engine_str, secret_engine_parms) };
    if (RGW_SSE_KMS_VAULT_SE_TRANSIT == secret_engine){
      TransitSecretEngine engine(cct, kctx, std::move(secret_engine_parms));
@@ -1267,7 +1256,7 @@ int create_ss3_s3_bucket_key(const DoutPrefixProvider *dpp,
    }
  }
  
-int remove_ss3_s3_bucket_key(const DoutPrefixProvider *dpp,
+int remove_sse_s3_bucket_key(const DoutPrefixProvider *dpp,
                                       CephContext *cct,
                                       const std::string& bucket_key)
  {
@@ -1275,7 +1264,7 @@ int remove_ss3_s3_bucket_key(const DoutPrefixProvider *dpp,
    std::string secret_engine_str = kctx.secret_engine();
    EngineParmMap secret_engine_parms;
    auto secret_engine { config_to_engine_and_parms(
-    cct, "rgw_crypt_vault_secret_engine",      // XXX wrong, but...
+    cct, "rgw_crypt_sse_s3_vault_secret_engine",
      secret_engine_str, secret_engine_parms) };
    if (RGW_SSE_KMS_VAULT_SE_TRANSIT == secret_engine){
      TransitSecretEngine engine(cct, kctx, std::move(secret_engine_parms));
@@ -1286,30 +1275,3 @@ int remove_ss3_s3_bucket_key(const DoutPrefixProvider *dpp,
      return -EINVAL;
    }
  }
-
-int generate_kek_sse_s3(CephContext *cct, string kek_id)
-{
-  SseS3Context kctx { cct };
-  std::string kms_backend { kctx.backend() };
-  if (RGW_SSE_KMS_BACKEND_VAULT != kms_backend) {
-    ldout(cct, 0) << "ERROR: Unsupported rgw_crypt_s3_backend: " << kms_backend << dendl;
-    return -EINVAL;
-  }
-
-  std::string secret_engine_str = kctx.secret_engine();
-  EngineParmMap secret_engine_parms;
-  auto secret_engine { config_to_engine_and_parms(
-    cct, "rgw_crypt_vault_secret_engine",
-    secret_engine_str, secret_engine_parms) };
-  ldout(cct, 20) << "Vault authentication method: " << kctx.auth() << dendl;
-  ldout(cct, 20) << "Vault Secrets Engine: " << secret_engine << dendl;
-
-  if (RGW_SSE_KMS_VAULT_SE_TRANSIT == secret_engine){
-    TransitSecretEngine engine(cct, kctx, std::move(secret_engine_parms));
-    return engine.make_kek_s3(kek_id);
-  } else {
-    ldout(cct, 0) << "Missing or invalid/unsupported secret engine" << dendl;
-    return -EINVAL;
-  }
-
-}
diff --git a/src/rgw/rgw_kms.h b/src/rgw/rgw_kms.h

index 1ae574d39609f2f9a16595e5e7ba96bf31411eb9..a5b83fa99f65f9d89bb987aa1e780eb4268dd2c8 100644 (file)
--- a/src/rgw/rgw_kms.h
+++ b/src/rgw/rgw_kms.h
@@ -45,7 +45,6 @@ int make_actual_key_from_sse_s3(const DoutPrefixProvider *dpp, CephContext *cct,
  int reconstitute_actual_key_from_sse_s3(const DoutPrefixProvider *dpp, CephContext *cct,
                              std::map<std::string, bufferlist>& attrs,
                              std::string& actual_key);
-int generate_kek_sse_s3(CephContext *cct, string kek_id);
  
  int create_sse_s3_bucket_key(const DoutPrefixProvider *dpp, CephContext *cct,
                              const std::string& actual_key);
author	Marcus Watts <mwatts@redhat.com>
	Sat, 18 Dec 2021 09:27:51 +0000 (04:27 -0500)
committer	Marcus Watts <mwatts@redhat.com>
	Thu, 12 May 2022 07:33:51 +0000 (03:33 -0400)
src/rgw/rgw_kms.cc		patch \| blob \| history
src/rgw/rgw_kms.h		patch \| blob \| history