Description: kms_keymaster: allow specifying barbican_endpoint
Under a multi-region deployment with a single Keystone server,
specifying the Keystone auth credentials isn't enough. Indeed,
Castellan succeeds when logging in, but may use the wrong
Barbican endpoint (if there are 2 Barbicans deployed). This is
what happened to us when deploying our 2nd region.
.
The way to fix it would be to tell Castellan what region to use,
unfortunately, there's no such option in Castellan. Though we may
specify the barbican_endpoint, which is what this patch allows.
Author: Thomas Goirand <zigo@debian.org>
Date: Thu, 13 Jun 2024 11:27:55 +0200
Change-Id: Ib7f4219ef5fdef65e9cfd5701e28b5288741783e
Forwarded: https://review.opendev.org/c/openstack/swift/+/921927
Last-Update: 2024-06-13
diff --git a/swift/common/middleware/crypto/kms_keymaster.py b/swift/common/middleware/crypto/kms_keymaster.py
index f9a542e..4c0b250 100644
--- a/swift/common/middleware/crypto/kms_keymaster.py
+++ b/swift/common/middleware/crypto/kms_keymaster.py
@@ -34,7 +34,7 @@
'domain_id', 'domain_name', 'project_id',
'project_domain_id', 'reauthenticate',
'auth_endpoint', 'api_class', 'key_id*',
- 'active_root_secret_id')
+ 'barbican_endpoint', 'active_root_secret_id')
keymaster_conf_section = 'kms_keymaster'
def _get_root_secret(self, conf):
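Review bot: the new 'barbican_endpoint' entry in the allowed-option tuple is not accompanied by any documentation or sample-config change in this patch; add it to the kms_keymaster option documentation (sample config and docstring), stating that it is only needed when endpoint discovery through the Keystone catalog would pick the wrong Barbican (the multi-region case from the description) and that the value is expected to be an https URL, since it decides where the root secret is fetched from.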
@@ -65,10 +65,17 @@
project_domain_id=conf.get('project_domain_id'),
reauthenticate=conf.get('reauthenticate'))
oslo_conf = cfg.ConfigOpts()
- options.set_defaults(
- oslo_conf, auth_endpoint=conf.get('auth_endpoint'),
- api_class=conf.get('api_class')
- )
+ if conf.get('barbican_endpoint'):
+ options.set_defaults(
+ oslo_conf, auth_endpoint=conf.get('auth_endpoint'),
+ barbican_endpoint=conf.get('barbican_endpoint'),
+ api_class=conf.get('api_class')
+ )
+ else:
+ options.set_defaults(
+ oslo_conf, auth_endpoint=conf.get('auth_endpoint'),
+ api_class=conf.get('api_class')
+ )
options.enable_logging()
manager = key_manager.API(oslo_conf)
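Review bot: the if/else around `options.set_defaults` duplicates the whole call just to add one keyword; build the kwargs once and add the key only when it is set, e.g. `kwargs = dict(auth_endpoint=conf.get('auth_endpoint'), api_class=conf.get('api_class'))`, then `if conf.get('barbican_endpoint'): kwargs['barbican_endpoint'] = conf.get('barbican_endpoint')`, then `options.set_defaults(oslo_conf, **kwargs)`. The conditional itself should stay, presumably so that an unset option does not pass `barbican_endpoint=None` and override Castellan's default behaviour. Separately, the operator-supplied value is passed through unvalidated; rejecting a non-https scheme, or at least logging the endpoint actually in use when the keymaster starts, would make a mistyped or plaintext endpoint visible instead of silently fetching keys from the wrong place.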