author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-21 11:54:28 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-21 11:54:28 +0000 |
commit | e6918187568dbd01842d8d1d2c808ce16a894239 (patch) | |
tree | 64f88b554b444a49f656b6c656111a145cbbaa28 /src/rgw/rgw_kms.h | |
parent | Initial commit. (diff) | |
download | ceph-e6918187568dbd01842d8d1d2c808ce16a894239.tar.xz ceph-e6918187568dbd01842d8d1d2c808ce16a894239.zip |
Adding upstream version 18.2.2.upstream/18.2.2
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'src/rgw/rgw_kms.h')
-rw-r--r-- | src/rgw/rgw_kms.h | 64 |
1 files changed, 64 insertions, 0 deletions
diff --git a/src/rgw/rgw_kms.h b/src/rgw/rgw_kms.h
new file mode 100644
index 000000000..f8e8655f2
--- /dev/null
+++ b/src/rgw/rgw_kms.h
@@ -0,0 +1,64 @@
+// -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
+// vim: ts=8 sw=2 smarttab
+
+/**
+ * Server-side encryption integrations with Key Management Systems (SSE-KMS)
+ */
+
+#pragma once
+
+#include <string>
+
+static const std::string RGW_SSE_KMS_BACKEND_TESTING = "testing";
+static const std::string RGW_SSE_KMS_BACKEND_BARBICAN = "barbican";
+static const std::string RGW_SSE_KMS_BACKEND_VAULT = "vault";
+static const std::string RGW_SSE_KMS_BACKEND_KMIP = "kmip";
+
+static const std::string RGW_SSE_KMS_VAULT_AUTH_TOKEN = "token";
+static const std::string RGW_SSE_KMS_VAULT_AUTH_AGENT = "agent";
+
+static const std::string RGW_SSE_KMS_VAULT_SE_TRANSIT = "transit";
+static const std::string RGW_SSE_KMS_VAULT_SE_KV = "kv";
+
+static const std::string RGW_SSE_KMS_KMIP_SE_KV = "kv";
+
+/**
+ * Retrieves the actual server-side encryption key from a KMS system given a
+ * key ID. Currently supported KMS systems are OpenStack Barbican and HashiCorp
+ * Vault, but keys can also be retrieved from Ceph configuration file (if
+ * kms is set to 'local').
+ *
+ * \params
+ * TODO
+ * \return
+ */
+int make_actual_key_from_kms(const DoutPrefixProvider *dpp, CephContext *cct,
+ std::map<std::string, bufferlist>& attrs,
+ std::string& actual_key);
+int reconstitute_actual_key_from_kms(const DoutPrefixProvider *dpp, CephContext *cct,
+ std::map<std::string, bufferlist>& attrs,
+ std::string& actual_key);
+int make_actual_key_from_sse_s3(const DoutPrefixProvider *dpp, CephContext *cct,
+ std::map<std::string, bufferlist>& attrs,
+ std::string& actual_key);
+int reconstitute_actual_key_from_sse_s3(const DoutPrefixProvider *dpp, CephContext *cct,
+ std::map<std::string, bufferlist>& attrs,
+ std::string& actual_key);
+
+int create_sse_s3_bucket_key(const DoutPrefixProvider *dpp, CephContext *cct,
+ const std::string& actual_key);
+
+int remove_sse_s3_bucket_key(const DoutPrefixProvider *dpp, CephContext *cct,
+ const std::string& actual_key);
+
+/**
+ * SecretEngine Interface
+ * Defining interface here such that we can use both a real implementation
+ * of this interface, and a mock implementation in tests.
+**/
+class SecretEngine {
+
+public:
+ virtual int get_key(const DoutPrefixProvider *dpp, std::string_view key_id, std::string& actual_key) = 0;
+ virtual ~SecretEngine(){};
+};
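Review bot: The `\params TODO` block leaves make_actual_key_from_kms and its three siblings undocumented, and since `actual_key` receives the plaintext data-encryption key a caller needs to be told that it is secret material to be kept out of logs and cleared after use. I would replace the TODO with `\param attrs object attributes carrying the SSE key id and context`, `\param actual_key receives the plaintext key — secret, never log it`, and `\return 0 on success, negative error code otherwise` (the error-code convention is inferred from surrounding RGW code; confirm before writing it). The same comment says keys can come from the config file when kms is set to 'local', but the constants above declare only testing, barbican, vault and kmip backends, so that sentence looks stale and should name the backend that actually reads the config file. Separately, the header uses std::map, std::string_view, bufferlist, CephContext and DoutPrefixProvider while including only `<string>`; adding `#include <map>`, `#include <string_view>` and the Ceph headers or forward declarations for those types would make it self-contained. `virtual ~SecretEngine(){};` carries a stray semicolon and reads better as `virtual ~SecretEngine() = default;`.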