Feature #41062

Extend SSE-KMS in Rados Gateway to support HashiCorp Vault

Added by Sergio de Carvalho 20 days ago. Updated about 19 hours ago.

Status: In Progress
Priority: Normal
Assignee: -
Start date: 08/02/2019
% Done: 0%

Description

Extend SSE-KMS functionality (server-side encryption with a Key Management System) in Rados Gateway to support HashiCorp Vault, in addition to existing OpenStack Barbican support. The proposed solution is to extend the SSE-KMS code in Rados Gateway, introducing an abstraction to plug in other KMS systems, and adding support for HashiCorp Vault.

While Vault supports many authentication methods, the initial implementation will be restricted to the following methods:
- Token - if set, the token is used to call Vault (useful for development and simple use-cases).
- Vault Agent - the Vault agent automatically authenticates to Vault and manages the token renewal process for locally-retrieved dynamic secrets.

More details: https://pad.ceph.com/p/rgw_sse-kms

History

#1 Updated by Casey Bodley 14 days ago

  • Tracker changed from Bug to Feature
  • Status changed from New to In Progress
