Re: Disabling RGW Encryption support in Luminous

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

My idea was the setting, which disables encryption on rgw, so rgw anounces, it doesn't support it (I don't know how client and server are comunicating this now, so maybe I am oversimplyfing it). 
Anyway, workaround with rgw_crypt_s3_kms_encryption_keys looks great.
Thank you!


Arvydas Opulskis
IT Systems Engineer
Email: Arvydas.Opulskis@xxxxxxxxxx
Mobile: +370 614 19604
Rotušės a. 17, LT-44279 Kaunas, Lithuania
Adform Insider News
Disclaimer: The information contained in this message and attachments is intended solely for the attention and use of the named addressee and may be confidential. If you are not the intended recipient, you are reminded that the information remains the property of the sender. You must not use, disclose, distribute, copy, print or rely on this e-mail. If you have received this message in error, please contact the sender immediately and irrevocably delete this message and any copies.
On Tue, 2018-10-16 at 09:10 -0400, Casey Bodley wrote:
That's not currently possible, no. And I don't think it's a good idea to 
add such a feature; if the client requests that something be encrypted, 
the server should either encrypt it or reject the request.

There is a config called rgw_crypt_s3_kms_encryption_keys that we use 
for testing, though, which allows you to specify a mapping of kms keyids 
to actual keys. If your client is using a limited number of kms keyids, 
you can provide keys for them and get limited sse-kms support without 
setting up an actual kms.

For example, this is our test configuration for use with s3tests:

rgw crypt s3 kms encryption keys = 
testkey-1=YmluCmJvb3N0CmJvb3N0LWJ1aWxkCmNlcGguY29uZgo= 
testkey-2=aWIKTWFrZWZpbGUKbWFuCm91dApzcmMKVGVzdGluZwo=

Where s3tests is sending requests with header 
x-amz-server-side-encryption-aws-kms-key-id: testkey1 or testkey2.

I hope that helps!
Casey

On 10/16/18 8:43 AM, Arvydas Opulskis wrote:
Hi,

got no success on IRC, maybe someone will help me here.

After RGW upgrade from Jewel to Luminous, one S3 user started to 
receive errors from his postgre wal-e solution. Error is like this: 
"Server Side Encryption with KMS managed key requires HTTP header 
x-amz-server-side-encryption : aws:kms".
After some reading, seems, like this client is forcing Server side 
encryption (SSE) on RGW and it is not configured. Because user can't 
disable encryption in his solution for now (it will be possible in 
future release), can I somehow disable Encryption support on Luminous 
RGW?

Thank you for your insights.



_______________________________________________
ceph-users mailing list
ceph-users@xxxxxxxxxxxxxx
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com


_______________________________________________


ceph-users mailing list


ceph-users@xxxxxxxxxxxxxx


http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com









_______________________________________________
ceph-users mailing list
ceph-users@xxxxxxxxxxxxxx
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com





















[Index of Archives]
 
 
[Information on CEPH]
 
 
[Linux Filesystem Development]
 
 
[Ceph Development]
 
 
[Ceph Large]
 
 
[Ceph Dev]
 
 
[Linux USB Development]
 
 
[Video for Linux]
 
 
[Linux Audio Users]
 
 
[Yosemite News]
 
 
[Linux Kernel]
 
 
[Linux SCSI]
 
 
[xfs]

















 
Powered by Linux