Re: [openstack-dev] [glance] Unable to set metadata_encryption_key

2016-05-25 Thread Djimeli Konrad 
Hello Nikhil,

Looking at how my proposed solution ( https://review.openstack.org/319659)
was inefficient. Instead of using a dummy string to identify encrypted
data, I have been thinking about handling the exceptions that are generated
when you try to decrypt unencrypted data, since it would either cause a
"TypeError" or "ValueError" as seen  here


https://github.com/openstack/glance/blob/24fae90c179d306c3f6763e9b4412a3e7ebd67e9/glance/db/sqlalchemy/migrate_repo/versions/017_quote_encrypted_swift_credentials.py#L125
.

But I am still waiting a review and proposed solution.

Thanks
Konrad
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [glance] Unable to set metadata_encryption_key

2016-05-22 Thread Nikhil Komawar 
Thanks!

On 5/22/16 8:46 AM, Djimeli Konrad wrote:
> Hello Nikhil,
>
> I have submitted a prototype solution to the problem
> https://review.openstack.org/319659 . I know it is not very exhaustive
> or efficient, but I would like to get your review and option on the issue.
>
> Thanks
> Konrad
>

-- 

Thanks,
Nikhil

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [glance] Unable to set metadata_encryption_key

2016-05-22 Thread Djimeli Konrad 
Hello Nikhil,

I have submitted a prototype solution to the problem
https://review.openstack.org/319659 . I know it is not very exhaustive or
efficient, but I would like to get your review and option on the issue.

Thanks
Konrad
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [glance] Unable to set metadata_encryption_key

2016-05-19 Thread Nikhil Komawar 
Hi Djimeli,

Thanks for working through this issues. It's a problem indeed with the
existing metadata not being set.

I think the solution you propose sounds fair -- let's see if existing
non-encrypted metadata can be encrypted whenever the key has been set. I
do however, want us to ensure that it does not break the API call and
hopefully doesn't make it any slower.

You can go ahead with prototyping a solution, we may need to discuss
this over a lite-spec (I will explain later) and on your review when
it's up.

Thanks again.

On 5/19/16 7:29 PM, Djimeli Konrad wrote:
> Hello Nikhil,
>
> On 19 May 2016 at 04:11, Nikhil Komawar  > wrote:
>
>
> Here's something to get started:
>
> * Change your tests here glance/tests/functional/__init__.py to
> metadata_encryption_key to the value you want to set.
>
> * See if they pass or fail.
>
>
> I made the change to the test as you suggested and the test still passes.
>
> I have just found out that "ValueError: Input strings must be a
> multiple of 16 in length" and "TypeError: Incorrect padding" are
> caused by calling crypt.urlsafe_decrypt(...) on a data that was not
> previously encrypted. For example when the metadata_encryption_key is
> set, and there is existing data which had not been encrypted, "glance
> image-list" would invoke the decrypt function on the data which was
> not previously encrypted leading to errors.
>
> A solution to this may be to encrypt existing data when
> metadata_encryption_key is set and decrypt the data if it is reset. I
> would like get some more ideas/opinions in this issue.
>
> Thanks
> Konrad

-- 

Thanks,
Nikhil

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [glance] Unable to set metadata_encryption_key

2016-05-19 Thread Djimeli Konrad 
Hello Nikhil,

On 19 May 2016 at 04:11, Nikhil Komawar  wrote:

>
> Here's something to get started:
>
> * Change your tests here glance/tests/functional/__init__.py to
> metadata_encryption_key to the value you want to set.
>
> * See if they pass or fail.
>

I made the change to the test as you suggested and the test still passes.

I have just found out that "ValueError: Input strings must be a multiple of
16 in length" and "TypeError: Incorrect padding" are caused by calling
crypt.urlsafe_decrypt(...) on a data that was not previously encrypted. For
example when the metadata_encryption_key is set, and there is existing data
which had not been encrypted, "glance image-list" would invoke the decrypt
function on the data which was not previously encrypted leading to errors.

A solution to this may be to encrypt existing data when
metadata_encryption_key is set and decrypt the data if it is reset. I would
like get some more ideas/opinions in this issue.

Thanks
Konrad
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

[openstack-dev] [glance] Unable to set metadata_encryption_key

2016-05-17 Thread Djimeli Konrad 
Hello,

Please I am working on a bug
(https://bugs.launchpad.net/glance/+bug/1569937), but when trying to
replicate the bug by setting

metadata_encryption_key = AoAMaVuEEJVYRvWgWrfHJoThUPmvniTi

I get the following error from glance-api

ValueError: Input strings must be a multiple of 16 in length

but the string above is actualy  32 characters. I would like to know
if there is something I am doing wrong.


Thanks
Konrad

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev