Encrypt keys before saving in OMAP file

Fixes ceph#960 Signed-off-by: Gil Bregman <[email protected]>
gbregman · Jan 26, 2025 · 4ddbb04 · 4ddbb04
1 parent 4e45b8e
commit 4ddbb04
Show file tree

Hide file tree

Showing 17 changed files with 1,415 additions and 459 deletions.
diff --git a/ceph-nvmeof.conf b/ceph-nvmeof.conf
@@ -17,6 +17,7 @@ state_update_notify = True
 state_update_timeout_in_msec = 2000
 state_update_interval_sec = 5
 enable_spdk_discovery_controller = False
+encryption_key = /etc/ceph/encryption.key
 rebalance_period_sec = 7
 max_gws_in_grp = 16
 max_ns_to_change_lb_grp = 8

diff --git a/control/cli.py b/control/cli.py
@@ -890,6 +890,11 @@ def subsystem_list(self, args):
         if args.format == "text" or args.format == "plain":
             if subsystems.status == 0:
                 subsys_list = []
+                created_without_key = False
+                for s in subsystems.subsystems:
+                    if s.created_without_key:
+                        created_without_key = True
+                        break
                 for s in subsystems.subsystems:
                     if args.subsystem and args.subsystem != s.nqn:
                         err_func(f"Failure listing subsystem {args.subsystem}: "
@@ -911,21 +916,21 @@ def subsystem_list(self, args):
                                   s.max_namespaces,
                                   allow_any,
                                   has_dhchap]
+                    if created_without_key:
+                        one_subsys.append("Yes" if s.created_without_key else "No")
                     subsys_list.append(one_subsys)
                 if len(subsys_list) > 0:
                     if args.format == "text":
                         table_format = "fancy_grid"
                     else:
                         table_format = "plain"
+                    headers_list = ["Subtype", "NQN", "Serial\nNumber", "Controller IDs",
+                                    "Namespace\nCount", "Max\nNamespaces", "Allow\nAny Host",
+                                    "DHCHAP\nKey"]
+                    if created_without_key:
+                        headers_list.append("Created\nWithout Key")
                     subsys_out = tabulate(subsys_list,
-                                          headers=["Subtype",
-                                                   "NQN",
-                                                   "Serial\nNumber",
-                                                   "Controller IDs",
-                                                   "Namespace\nCount",
-                                                   "Max\nNamespaces",
-                                                   "Allow\nAny Host",
-                                                   "DHCHAP\nKey"],
+                                          headers=headers_list,
                                           tablefmt=table_format)
                     prefix = "Subsystems"
                     if args.subsystem:
@@ -1357,6 +1362,12 @@ def host_add(self, args):
             if len(args.host_nqn) > 1:
                 self.cli.parser.error("Can't have more than one host NQN when PSK keys are used")
 
+        if args.dhchap_key == "":
+            self.cli.parser.error("DH-HMAC-CHAP key can't be empty")
+
+        if args.psk == "":
+            self.cli.parser.error("PSK key can't be empty")
+
         if args.dhchap_key:
             if len(args.host_nqn) > 1:
                 self.cli.parser.error("Can't have more than one host NQN when "
@@ -1472,6 +1483,9 @@ def host_change_key(self, args):
         if args.host_nqn == "*":
             self.cli.parser.error("Can't change keys for host NQN '*', please use a real NQN")
 
+        if args.dhchap_key == "":
+            self.cli.parser.error("DH-HMAC-CHAP key can't be empty")
+
         req = pb2.change_host_key_req(subsystem_nqn=args.subsystem, host_nqn=args.host_nqn,
                                       dhchap_key=args.dhchap_key)
         try:
@@ -1522,14 +1536,16 @@ def host_list(self, args):
                 for h in hosts_info.hosts:
                     use_psk = "Yes" if h.use_psk else "No"
                     use_dhchap = "Yes" if h.use_dhchap else "No"
-                    hosts_list.append([h.nqn, use_psk, use_dhchap])
+                    one_host = [h.nqn, use_psk, use_dhchap]
+                    hosts_list.append(one_host)
                 if len(hosts_list) > 0:
                     if args.format == "text":
                         table_format = "fancy_grid"
                     else:
                         table_format = "plain"
+                    headers_list = ["Host NQN", "Uses PSK", "Uses DHCHAP"]
                     hosts_out = tabulate(hosts_list,
-                                         headers=["Host NQN", "Uses PSK", "Uses DHCHAP"],
+                                         headers=headers_list,
                                          tablefmt=table_format, stralign="center")
                     out_func(f"Hosts allowed to access {args.subsystem}:\n{hosts_out}")
                 else:

diff --git a/control/discovery.py b/control/discovery.py
@@ -12,6 +12,7 @@
 from .config import GatewayConfig
 from .state import GatewayState, LocalGatewayState, OmapGatewayState, GatewayStateHandler
 from .utils import GatewayLogger
+from .utils import GatewayUtilsCrypto
 
 from typing import Dict
 
@@ -1152,10 +1153,11 @@ def start_service(self):
         t.start()
 
         local_state = LocalGatewayState()
+        dummy_crypto = GatewayUtilsCrypto(None)
         gateway_state = GatewayStateHandler(self.config, local_state,
                                             self.omap_state,
                                             self._state_notify_update,
-                                            f"discovery-{socket.gethostname()}")
+                                            dummy_crypto, f"discovery-{socket.gethostname()}")
         gateway_state.start_update()
 
         try: