Encrypt keys before saving in OMAP file.

Fixes #960

Signed-off-by: Gil Bregman <gbregman@il.ibm.com>

Author: gbregman

.env

@@ -101,3 +101,5 @@ DHCHAP_KEY6="DHHC-1:01:Bu4tZd7X2oW7XxmVH5tGCdoS30pDX6bZvexHYoudeVlJW9yz:"
 DHCHAP_KEY7="DHHC-1:01:JPJkDQ2po2FfLmKYlTF/sJ2HzVO/FKWxgXKE/H6XfL8ogQ1T:"
 DHCHAP_KEY8="DHHC-1:01:e0B0vDxKleDzYVtG42xqFvoWZfiufkoywmfRKrETzayRdf1j:"
 DHCHAP_KEY9="DHHC-1:01:KD+sfH3/o2bRQoV0ESjBUywQlMnSaYpZISUbVa0k0nsWpNST:"
+DHCHAP_KEY10="DHHC-1:00:rWf0ZFYO7IgWGttM8w6jUrAY4cTQyqyXPdmxHeOSve3w5QU9:"
+DHCHAP_KEY11="DHHC-1:02:j3uUz05r5aQy42vX4tDXqVf9HgUPPdEp3kXTgUWl9EphsG7jwpr9KSIt3bmRLXBijPTIDQ==:"

ceph-nvmeof.conf

@@ -17,6 +17,8 @@ state_update_notify = True
 state_update_timeout_in_msec = 2000
 state_update_interval_sec = 5
 enable_spdk_discovery_controller = False
+enable_key_encryption = True
+encryption_key = ./encryption.key
 #omap_file_lock_duration = 20
 #omap_file_lock_retries = 30
 #omap_file_lock_retry_sleep_interval = 1.0
@@ -29,7 +31,7 @@ enable_spdk_discovery_controller = False
 #verify_nqns = True
 #allowed_consecutive_spdk_ping_failures = 1
 #spdk_ping_interval_in_seconds = 2.0
-#max_hosts_per_namespace = 1
+#max_hosts_per_namespace = 8
 #max_namespaces_with_netmask = 1000
 #max_subsystems = 128
 #max_namespaces = 1024

control/discovery.py

@@ -13,6 +13,7 @@
 from .config import GatewayConfig
 from .state import GatewayState, LocalGatewayState, OmapGatewayState, GatewayStateHandler
 from .utils import GatewayLogger
+from .utils import GatewayUtilsCrypto
 from .proto import gateway_pb2 as pb2
 
 import rados
@@ -1129,8 +1130,10 @@ def start_service(self):
         t.start()
 
         local_state = LocalGatewayState()
+        dummy_crypto = GatewayUtilsCrypto(None)
         gateway_state = GatewayStateHandler(self.config, local_state,
-                                            self.omap_state, self._state_notify_update, f"discovery-{socket.gethostname()}")
+                                            self.omap_state, self._state_notify_update,
+                                            dummy_crypto, f"discovery-{socket.gethostname()}")
         gateway_state.start_update()
 
         try:

control/grpc.py

@@ -324,13 +324,14 @@ def __init__(self, config: GatewayConfig, gateway_state: GatewayStateHandler, rp
             self.host_name = socket.gethostname()
         self.verify_nqns = self.config.getboolean_with_default("gateway", "verify_nqns", True)
         self.gateway_group = self.config.get_with_default("gateway", "group", "")
-        self.max_hosts_per_namespace = self.config.getint_with_default("gateway", "max_hosts_per_namespace", 1)
+        self.max_hosts_per_namespace = self.config.getint_with_default("gateway", "max_hosts_per_namespace", 8)
         self.max_namespaces_with_netmask = self.config.getint_with_default("gateway", "max_namespaces_with_netmask", 1000)
         self.max_subsystems = self.config.getint_with_default("gateway", "max_subsystems", GatewayService.MAX_SUBSYSTEMS_DEFAULT)
         self.max_namespaces = self.config.getint_with_default("gateway", "max_namespaces", GatewayService.MAX_NAMESPACES_DEFAULT)
         self.max_namespaces_per_subsystem = self.config.getint_with_default("gateway", "max_namespaces_per_subsystem", GatewayService.MAX_NAMESPACES_PER_SUBSYSTEM_DEFAULT)
         self.max_hosts_per_subsystem = self.config.getint_with_default("gateway", "max_hosts_per_subsystem", GatewayService.MAX_HOSTS_PER_SUBSYS_DEFAULT)
         self.gateway_pool = self.config.get_with_default("ceph", "pool", "")
+        self.enable_key_encryption = self.config.getboolean_with_default("gateway", "enable_key_encryption", True)
         self.ana_map = defaultdict(dict)
         self.cluster_nonce = {}
         self.bdev_cluster = {}
@@ -672,6 +673,7 @@ def create_bdev(self, anagrp: int, name, uuid, rbd_pool_name, rbd_image_name, bl
                 self.logger.exception(errmsg)
                 return BdevStatus(status=errcode, error_message=f"Failure creating bdev {name}: {errmsg}")
 
+        cluster_name = None
         try:
             cluster_name=self._get_cluster(anagrp)
             bdev_name = rpc_bdev.bdev_rbd_create(
@@ -689,7 +691,8 @@ def create_bdev(self, anagrp: int, name, uuid, rbd_pool_name, rbd_image_name, bl
 
             self.logger.debug(f"bdev_rbd_create: {bdev_name}, cluster_name {cluster_name}")
         except Exception as ex:
-            self._put_cluster(cluster_name)
+            if cluster_name != None:
+                self._put_cluster(cluster_name)
             errmsg = f"bdev_rbd_create {name} failed"
             self.logger.exception(errmsg)
             errmsg = f"{errmsg} with:\n{ex}"
@@ -978,6 +981,10 @@ def create_subsystem_safe(self, request, context):
             if context:
                 # Update gateway state
                 try:
+                    request.encrypted_dhchap_key = b""
+                    if self.enable_key_encryption and request.dhchap_key:
+                        request.encrypted_dhchap_key = self.gateway_state.crypto.encrypt_text(request.dhchap_key)
+                        request.dhchap_key = ""
                     json_req = json_format.MessageToJson(
                         request, preserving_proto_field_name=True, including_default_value_fields=True)
                     self.gateway_state.add_subsystem(request.subsystem_nqn, json_req)
@@ -2547,6 +2554,13 @@ def add_host_safe(self, request, context):
             if context:
                 # Update gateway state
                 try:
+                    if self.enable_key_encryption:
+                        if request.dhchap_key:
+                            request.encrypted_dhchap_key = self.gateway_state.crypto.encrypt_text(request.dhchap_key)
+                            request.dhchap_key = ""
+                        if request.psk:
+                            request.encrypted_psk = self.gateway_state.crypto.encrypt_text(request.psk)
+                            request.psk = ""
                     json_req = json_format.MessageToJson(
                         request, preserving_proto_field_name=True, including_default_value_fields=True)
                     self.gateway_state.add_host(request.subsystem_nqn, request.host_nqn, json_req)
@@ -2793,12 +2807,17 @@ def change_host_key_safe(self, request, context):
             if context:
                 # Update gateway state
                 try:
+                    encrypted_dhchap_key = b""
+                    if self.enable_key_encryption and request.dhchap_key:
+                        encrypted_dhchap_key = self.gateway_state.crypto.encrypt_text(request.dhchap_key)
+                        request.dhchap_key = ""
                     add_req = pb2.add_host_req(subsystem_nqn=request.subsystem_nqn,
                                                host_nqn=request.host_nqn,
                                                psk=host_psk,
-                                               dhchap_key=request.dhchap_key)
+                                               dhchap_key=request.dhchap_key,
+                                               encrypted_dhchap_key=encrypted_dhchap_key)
                     json_req = json_format.MessageToJson(
-                        add_req, preserving_proto_field_name=True, including_default_value_fields=True)
+                                  add_req, preserving_proto_field_name=True, including_default_value_fields=True)
                     self.gateway_state.add_host(request.subsystem_nqn, request.host_nqn, json_req)
                 except Exception as ex:
                     errmsg = f"Error persisting host change key for host {request.host_nqn} in {request.subsystem_nqn}"
@@ -3501,12 +3520,18 @@ def change_subsystem_key_safe(self, request, context):
 
                 assert subsys_entry, f"Can't find entry for subsystem {request.subsystem_nqn}"
                 try:
+                    dhchap_key = request.dhchap_key
+                    encrypted_dhchap_key = b""
+                    if self.enable_key_encryption and request.dhchap_key:
+                        encrypted_dhchap_key = self.gateway_state.crypto.encrypt_text(request.dhchap_key)
+                        dhchap_key = ""
                     create_req = pb2.create_subsystem_req(subsystem_nqn=request.subsystem_nqn,
                                                     serial_number=subsys_entry["serial_number"],
                                                     max_namespaces=subsys_entry["max_namespaces"],
                                                     enable_ha=subsys_entry["enable_ha"],
                                                     no_group_append=subsys_entry["no_group_append"],
-                                                    dhchap_key=request.dhchap_key)
+                                                    dhchap_key=dhchap_key,
+                                                    encrypted_dhchap_key=encrypted_dhchap_key)
                     json_req = json_format.MessageToJson(
                         create_req, preserving_proto_field_name=True, including_default_value_fields=True)
                     self.gateway_state.add_subsystem(request.subsystem_nqn, json_req)
@@ -3532,7 +3557,6 @@ def change_subsystem_key_safe(self, request, context):
             except Excpetion:
                 pass
 
-
         return pb2.req_status(status=0, error_message=os.strerror(0))
 
     def change_subsystem_key(self, request, context=None):

control/proto/gateway.proto

@@ -192,6 +192,7 @@ message create_subsystem_req {
 	bool enable_ha = 4;
 	optional bool no_group_append = 5;
 	optional string dhchap_key = 6;
+	optional bytes encrypted_dhchap_key = 7;
 }
 
 message delete_subsystem_req {
@@ -215,6 +216,8 @@ message add_host_req {
 	string host_nqn = 2;
 	optional string psk = 3;
 	optional string dhchap_key = 4;
+	optional bytes encrypted_psk = 5;
+	optional bytes encrypted_dhchap_key = 6;
 }
 
 message change_host_key_req {

control/server.py

@@ -33,6 +33,7 @@
 from .config import GatewayConfig
 from .utils import GatewayLogger
 from .utils import GatewayUtils
+from .utils import GatewayUtilsCrypto
 from .cephutils import CephUtils
 from .prometheus import start_exporter
 
@@ -114,6 +115,18 @@ def __init__(self, config: GatewayConfig):
         self.monitor_client_log_file_path = None
         self.omap_state = None
         self.omap_lock = None
+        enc_key = None
+        enc_key_file = self.config.get_with_default("gateway", "encryption_key", "")
+        if enc_key_file:
+            try:
+                enc_key = GatewayUtilsCrypto.read_encryption_key(enc_key_file)
+            except Exception:
+                self.logger.exception(f"Got an error trying to read encryption key {enc_key_file}, will use fallback key")
+        if not enc_key:
+            # Use this key as the fallback in case the user didn't set his/her own key
+            self.logger.info(f"No valid key file was set, will use fallback encryption key")
+            enc_key = b"Ubp_Ll9pnyXtluCvqyBrnta2Y7ju9qexc_f0iWYnhWI="
+        self.crypto = GatewayUtilsCrypto(enc_key)
 
         self.name = self.config.get("gateway", "name")
         if not self.name:
@@ -235,7 +248,8 @@ def serve(self):
         self._start_discovery_service()
 
         # Register service implementation with server
-        gateway_state = GatewayStateHandler(self.config, local_state, omap_state, self.gateway_rpc_caller, f"gateway-{self.name}")
+        gateway_state = GatewayStateHandler(self.config, local_state, omap_state,
+                                            self.gateway_rpc_caller, self.crypto, f"gateway-{self.name}")
         self.omap_lock = OmapLock(omap_state, gateway_state, self.rpc_lock)
         self.gateway_rpc = GatewayService(self.config, gateway_state, self.rpc_lock, self.omap_lock, self.group_id, self.spdk_rpc_client, self.spdk_rpc_subsystems_client, self.ceph_utils)
         self.server = self._grpc_server(self._gateway_address())
@@ -764,6 +778,9 @@ def gateway_rpc_caller(self, requests, is_add_req):
             if key.startswith(GatewayState.SUBSYSTEM_PREFIX):
                 if is_add_req:
                     req = json_format.Parse(val, pb2.create_subsystem_req(), ignore_unknown_fields=True)
+                    if req.encrypted_dhchap_key:
+                        req.dhchap_key = self.crypto.decrypt_text(req.encrypted_dhchap_key)
+                        req.encrypted_dhchap_key = b""
                     self.gateway_rpc.create_subsystem(req)
                 else:
                     req = json_format.Parse(val,
@@ -789,6 +806,12 @@ def gateway_rpc_caller(self, requests, is_add_req):
             elif key.startswith(GatewayState.HOST_PREFIX):
                 if is_add_req:
                     req = json_format.Parse(val, pb2.add_host_req(), ignore_unknown_fields=True)
+                    if req.encrypted_dhchap_key:
+                        req.dhchap_key = self.crypto.decrypt_text(req.encrypted_dhchap_key)
+                        req.encrypted_dhchap_key = b""
+                    if req.encrypted_psk:
+                        req.psk = self.crypto.decrypt_text(req.encrypted_psk)
+                        req.encrypted_psk = b""
                     self.gateway_rpc.add_host(req)
                 else:
                     req = json_format.Parse(val, pb2.remove_host_req(), ignore_unknown_fields=True)