From 0c51b58f67176304515bb1f3d7b460b9a3722572 Mon Sep 17 00:00:00 2001
From: Jason Dillaman
Date: Tue, 22 Dec 2020 13:36:57 -0500
Subject: [PATCH] librbd/migration: optionally pull S3 keys from MON config store

This allows the S3 keys to be better protected since the MON can be configured to restrict access to keys by user and the results can be encrypted in transit.

Signed-off-by: Jason Dillaman
---
 src/librbd/migration/S3Stream.cc | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/src/librbd/migration/S3Stream.cc b/src/librbd/migration/S3Stream.cc
index f812ef0294ad1..222a08ee3fe96 100644
--- a/src/librbd/migration/S3Stream.cc
+++ b/src/librbd/migration/S3Stream.cc
@@ -89,8 +89,31 @@ void S3Stream::open(Context* on_finish) {
 }
 m_url = url_value.get_str();
+
+ librados::Rados rados(m_image_ctx->md_ctx);
+ int r = 0;
 m_access_key = access_key.get_str();
+ if (util::is_config_key_uri(m_access_key)) {
+ r = util::get_config_key(rados, m_access_key, &m_access_key);
+ if (r < 0) {
+ lderr(m_cct) << "failed to retrieve access key from config: "
+ << cpp_strerror(r) << dendl;
+ on_finish->complete(r);
+ return;
+ }
+ }
+
 m_secret_key = secret_key.get_str();
+ if (util::is_config_key_uri(m_secret_key)) {
+ r = util::get_config_key(rados, m_secret_key, &m_secret_key);
+ if (r < 0) {
+ lderr(m_cct) << "failed to retrieve secret key from config: "
+ << cpp_strerror(r) << dendl;
+ on_finish->complete(r);
+ return;
+ }
+ }
+
 ldout(m_cct, 10) << "url=" << m_url << ", " << "access_key=" << m_access_key << dendl;
--
2.39.5
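Review bot: The unchanged `ldout(m_cct, 10)` statement at the end of the hunk now prints `m_access_key` after it may have been replaced by the value fetched from the MON config store, so the resolved key ends up in the debug log even though the commit's stated aim is to keep the keys behind MON access control. Consider dropping it from the message, e.g. `ldout(m_cct, 10) << "url=" << m_url << dendl;`, or logging the config-key URI before it is resolved. Separately, `util::get_config_key(rados, m_access_key, &m_access_key)` and the matching `m_secret_key` call pass the same string as both input and output; `get_config_key` is not visible here, so if it takes the URI by reference and writes the output before it has finished reading the URI, resolving into a local and assigning on success would be safer. `S3Stream::open` starts before this hunk and continues after it.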