[ceph-users] Disabling RGW Encryption support in Luminous

Arvydas Opulskis Arvydas.Opulskis at adform.com
Wed Oct 17 02:10:30 PDT 2018


My idea was a setting which disables encryption on rgw, so rgw announces that it doesn't support it (I don't know how client and server are communicating this now, so maybe I am oversimplifying it).
Anyway, the workaround with rgw_crypt_s3_kms_encryption_keys looks great.
Thank you!


Arvydas Opulskis
IT Systems Engineer
On Tue, 2018-10-16 at 09:10 -0400, Casey Bodley wrote:

That's not currently possible, no. And I don't think it's a good idea to add such a feature; if the client requests that something be encrypted, the server should either encrypt it or reject the request.

There is a config called rgw_crypt_s3_kms_encryption_keys that we use for testing, though, which allows you to specify a mapping of kms keyids to actual keys. If your client is using a limited number of kms keyids, you can provide keys for them and get limited sse-kms support without setting up an actual kms.

For example, this is our test configuration for use with s3tests:

rgw crypt s3 kms encryption keys = testkey-1=YmluCmJvb3N0CmJvb3N0LWJ1aWxkCmNlcGguY29uZgo= testkey-2=aWIKTWFrZWZpbGUKbWFuCm91dApzcmMKVGVzdGluZwo=

Where s3tests is sending requests with header x-amz-server-side-encryption-aws-kms-key-id: testkey1 or testkey2.

I hope that helps!
Casey


On 10/16/18 8:43 AM, Arvydas Opulskis wrote:

Hi,

Got no success on IRC, maybe someone will help me here.

After the RGW upgrade from Jewel to Luminous, one S3 user started to receive errors from his PostgreSQL WAL-E solution. The error is like this:
"Server Side Encryption with KMS managed key requires HTTP header x-amz-server-side-encryption : aws:kms".

After some reading, it seems like this client is forcing server-side encryption (SSE) on RGW, and it is not configured. Because the user can't disable encryption in his solution for now (it will be possible in a future release), can I somehow disable encryption support on Luminous RGW?

Thank you for your insights.


_______________________________________________
ceph-users mailing list
ceph-users at lists.ceph.com
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
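
An added example, not part of the thread or of Ceph's code: a Python check of an rgw_crypt_s3_kms_encryption_keys value such as the test configuration quoted above, run against the key ids a client sends in x-amz-server-side-encryption-aws-kms-key-id. It assumes 32-byte (AES-256) keys, which is what both test keys in the thread decode to; the function names are hypothetical.

```python
import base64
import binascii

KEY_LEN = 32  # assumption: AES-256 key; both keys in the thread decode to 32 bytes


def parse_kms_keys(value):
    """Parse 'keyid=base64 keyid=base64 ...' into {keyid: raw key bytes}."""
    keys = {}
    for item in value.split():
        keyid, sep, b64 = item.partition("=")  # split on the first '=' only
        if not sep or not keyid:
            raise ValueError(f"malformed entry: {item!r}")
        try:
            raw = base64.b64decode(b64, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"{keyid}: invalid base64") from exc
        if len(raw) != KEY_LEN:
            raise ValueError(f"{keyid}: key is {len(raw)} bytes, expected {KEY_LEN}")
        keys[keyid] = raw
    return keys


def looks_like_text(raw):
    """True when every byte is printable ASCII or whitespace, i.e. not random."""
    return all(32 <= b < 127 or b in (9, 10, 13) for b in raw)


def audit(value, requested_ids):
    """Return findings for the static mapping and for key ids clients send."""
    keys = parse_kms_keys(value)
    findings = [f"{k}: key is plain text, use for testing only"
                for k, raw in keys.items() if looks_like_text(raw)]
    findings += [f"{r}: requested key id has no configured key"
                 for r in requested_ids if r not in keys]
    return findings


# Value from the thread's test configuration, joined onto one line.
THREAD_VALUE = ("testkey-1=YmluCmJvb3N0CmJvb3N0LWJ1aWxkCmNlcGguY29uZgo= "
                "testkey-2=aWIKTWFrZWZpbGUKbWFuCm91dApzcmMKVGVzdGluZwo=")

if __name__ == "__main__":
    # Constructed request key ids: one without a hyphen, one matching the mapping.
    for line in audit(THREAD_VALUE, ["testkey1", "testkey-1"]):
        print(line)
```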
