From e6918187568dbd01842d8d1d2c808ce16a894239 Mon Sep 17 00:00:00 2001
From: Daniel Baumann
Date: Sun, 21 Apr 2024 13:54:28 +0200
Subject: Adding upstream version 18.2.2.
Signed-off-by: Daniel Baumann
---
 src/rgw/rgw_kms.h | 64 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 64 insertions(+)
 create mode 100644 src/rgw/rgw_kms.h
(limited to 'src/rgw/rgw_kms.h')
diff --git a/src/rgw/rgw_kms.h b/src/rgw/rgw_kms.h
new file mode 100644
index 000000000..f8e8655f2
--- /dev/null
+++ b/src/rgw/rgw_kms.h
@@ -0,0 +1,64 @@
+// -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
+// vim: ts=8 sw=2 smarttab
+
+/**
+ * Server-side encryption integrations with Key Management Systems (SSE-KMS)
+ */
+
+#pragma once
+
+#include 
+
+static const std::string RGW_SSE_KMS_BACKEND_TESTING = "testing";
+static const std::string RGW_SSE_KMS_BACKEND_BARBICAN = "barbican";
+static const std::string RGW_SSE_KMS_BACKEND_VAULT = "vault";
+static const std::string RGW_SSE_KMS_BACKEND_KMIP = "kmip";
+
+static const std::string RGW_SSE_KMS_VAULT_AUTH_TOKEN = "token";
+static const std::string RGW_SSE_KMS_VAULT_AUTH_AGENT = "agent";
+
+static const std::string RGW_SSE_KMS_VAULT_SE_TRANSIT = "transit";
+static const std::string RGW_SSE_KMS_VAULT_SE_KV = "kv";
+
+static const std::string RGW_SSE_KMS_KMIP_SE_KV = "kv";
+
+/**
+ * Retrieves the actual server-side encryption key from a KMS system given a
+ * key ID. Currently supported KMS systems are OpenStack Barbican and HashiCorp
+ * Vault, but keys can also be retrieved from Ceph configuration file (if
+ * kms is set to 'local').
+ *
+ * \params
+ * TODO
+ * \return
+ */
+int make_actual_key_from_kms(const DoutPrefixProvider *dpp, CephContext *cct,
+ std::map& attrs,
+ std::string& actual_key);
+int reconstitute_actual_key_from_kms(const DoutPrefixProvider *dpp, CephContext *cct,
+ std::map& attrs,
+ std::string& actual_key);
+int make_actual_key_from_sse_s3(const DoutPrefixProvider *dpp, CephContext *cct,
+ std::map& attrs,
+ std::string& actual_key);
+int reconstitute_actual_key_from_sse_s3(const DoutPrefixProvider *dpp, CephContext *cct,
+ std::map& attrs,
+ std::string& actual_key);
+
+int create_sse_s3_bucket_key(const DoutPrefixProvider *dpp, CephContext *cct,
+ const std::string& actual_key);
+
+int remove_sse_s3_bucket_key(const DoutPrefixProvider *dpp, CephContext *cct,
+ const std::string& actual_key);
+
+/**
+ * SecretEngine Interface
+ * Defining interface here such that we can use both a real implementation
+ * of this interface, and a mock implementation in tests.
+**/
+class SecretEngine {
+
+public:
+ virtual int get_key(const DoutPrefixProvider *dpp, std::string_view key_id, std::string& actual_key) = 0;
+ virtual ~SecretEngine(){};
+};
-- cgit v1.2.3
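Review bot: The doc block above make_actual_key_from_kms still carries the `\params` / `TODO` / empty `\return` placeholder, and its prose says keys can also come from the Ceph configuration file when kms is set to 'local', while the backend constants declared just above name only testing, barbican, vault and kmip, so the comment and the constant set disagree. I would replace the placeholder with what `attrs` must contain on input, a statement that `actual_key` receives the raw encryption key on success (the comment's own first sentence implies this, so callers should know they are holding key material), and the meaning of the int return value, which the header does not state; the 'local' mention should either be dropped or backed by a matching constant. The same placeholder covers the three sibling declarations below it, and create_sse_s3_bucket_key / remove_sse_s3_bucket_key have no comment at all. Separately, the `static const std::string` definitions give every translation unit that includes this header its own dynamically initialised copy; `inline const std::string` (C++17) or `constexpr std::string_view` would keep a single definition. Minor: `virtual ~SecretEngine(){};` has a stray semicolon and reads better as `virtual ~SecretEngine() = default;`.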