Improvement: osis 147 stop osis failure on decryption #141

Merged
merged 2 commits into main
May 22, 2024

Conversation

anurag4DSB
Contributor

@anurag4DSB anurag4DSB commented May 20, 2024

Context: VMware needs secret keys to be available on demand, which is contrary to the AWS standard where secret keys are only shown at creation time. To achieve this, OSIS stores any access keys created via OSIS in Redis, encrypted with AES GCM.

Issue: Due to S3C-7645 not being done, an issue occurs when doing a rolling deployment with new nodes on a cluster where OSIS is already enabled. This issue makes the VMware Cloud Director UI unusable for end users.

The resolution/changes per discussion with product/customer/CS and the Accounts team:

This adds the capability of handling decryption failures for secret key data stored in Redis Sentinel in the method `retrieveSecretKey`, which is used by the get and get credentials APIs.

  • Does not throw any error for any decryption failure
  • Logs all decryption failures
  • Removes the keys from Redis automatically for any decryption failure;
    the keys remain in Vault and can be used by the user if the secret key is
    accessible

Note to reviewers: We are fixing this in RING 9, for RING 8 we have a TSKB for internal CS and for customers as well: https://github.com/scality/tskb/pull/457

Adds the capability of handling decryption failure for secret key data
stored in Redis Sentinel by the method `retrieveSecretKey` used by get
and get credentials APIs.
- Does not throw any error for any decryption failure
- Logs all decryption failures
- Removes the keys from Redis automatically for any decryption failure,
  the keys remain in Vault and can be used by the user if secret key is
  accessible
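The fail-safe behaviour described in the PR description and the commit message above (log, evict the cached entry, return nothing rather than raising), as an added Go example that is not code from the OSIS project: the Redis Sentinel cache is modelled as an in-memory map, AES-GCM comes from Go's standard library, and the fallback to Vault is left to the caller, which sees `false` whenever no usable cached secret exists. The function, type and key names are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"log"
)

// KeyStore stands in for the Redis cache of encrypted secret keys (constructed, in-memory).
type KeyStore map[string][]byte

// NewGCM builds the AES-GCM cipher once; key must be 16, 24 or 32 bytes.
func NewGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a secret key under a fresh random nonce and returns nonce || ciphertext || tag.
func Seal(aead cipher.AEAD, secret []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, secret, nil), nil
}

// RetrieveSecretKey returns the cached secret and true, or "" and false when nothing usable
// is cached, in which case the caller falls back to Vault. A blob that fails GCM
// authentication is logged and evicted from the cache instead of surfacing an error.
func RetrieveSecretKey(store KeyStore, aead cipher.AEAD, accessKey string) (string, bool) {
	blob, ok := store[accessKey]
	if !ok {
		return "", false
	}
	n := aead.NonceSize()
	if len(blob) >= n { // a blob shorter than the nonce is malformed and falls through
		if secret, err := aead.Open(nil, blob[:n], blob[n:], nil); err == nil {
			return string(secret), true
		}
	}
	// Only the access key ID is logged, never key material.
	log.Printf("cannot decrypt cached secret for %s (malformed, tampered or wrong key), evicting", accessKey)
	delete(store, accessKey)
	return "", false
}
```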
@anurag4DSB anurag4DSB requested a review from a team as a code owner May 20, 2024 13:42
@anurag4DSB anurag4DSB requested review from KillianG, BourgoisMickael and fredmnl and removed request for a team May 20, 2024 13:43
@anurag4DSB
Contributor Author

/approve

@anurag4DSB anurag4DSB merged commit 357f00e into main May 22, 2024
9 checks passed
@anurag4DSB anurag4DSB deleted the improvement/OSIS-147-stop-osis-failure-on-decryption branch May 22, 2024 08:33