[openstack-dev] [glance] Unable to set metadata_encryption_key

Nikhil Komawar nik.komawar at gmail.com
Thu May 19 23:38:17 UTC 2016

Hi Djimeli,

Thanks for working through this issue. It's a problem indeed with the
existing metadata not being set.

I think the solution you propose sounds fair -- let's see if existing
non-encrypted metadata can be encrypted whenever the key has been set. I
do, however, want us to ensure that it does not break the API call and
hopefully doesn't make it any slower.

You can go ahead with prototyping a solution, we may need to discuss
this over a lite-spec (I will explain later) and on your review when
it's up.

Thanks again.

On 5/19/16 7:29 PM, Djimeli Konrad wrote:
> Hello Nikhil,
> On 19 May 2016 at 04:11, Nikhil Komawar <nik.komawar at gmail.com> wrote:
>     Here's something to get started:
>     * Change your tests here glance/tests/functional/__init__.py to
>     set metadata_encryption_key to the value you want to set.
>     * See if they pass or fail.
> I made the change to the test as you suggested and the test still passes.
> I have just found out that "ValueError: Input strings must be a
> multiple of 16 in length" and "TypeError: Incorrect padding" are
> caused by calling crypt.urlsafe_decrypt(...) on data that was not
> previously encrypted. For example when the metadata_encryption_key is
> set, and there is existing data which had not been encrypted, "glance
> image-list" would invoke the decrypt function on the data which was
> not previously encrypted leading to errors.
> A solution to this may be to encrypt existing data when
> metadata_encryption_key is set and decrypt the data if it is reset. I
> would like to get some more ideas/opinions on this issue.
> Thanks
> Konrad
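
The failure mode discussed in this thread, as an added example that is not part of the original messages and is not Glance code: a key-free pre-flight check that flags stored values which cannot be ciphertext and would therefore break reads once metadata_encryption_key is set. It assumes the stored format is URL-safe base64 of a 16-byte IV followed by whole AES blocks; `classify`, `preflight` and the sample rows are hypothetical.

```python
import base64

AES_BLOCK = 16  # bytes; assumed layout: urlsafe_b64(IV || whole AES blocks)


def classify(stored):
    """Classify one stored metadata value without needing the key."""
    try:
        raw = base64.b64decode(stored.encode("ascii"), altchars=b"-_", validate=True)
    except ValueError:  # binascii.Error and UnicodeEncodeError both subclass it
        return "not_base64"   # decrypt would fail while base64-decoding
    if len(raw) < 2 * AES_BLOCK or len(raw) % AES_BLOCK:
        return "bad_length"   # decrypt would fail on the AES block-size check
    return "ambiguous"        # well-formed: real ciphertext or look-alike plaintext


def preflight(rows):
    """Return ids of rows that cannot be ciphertext and would break reads
    once a key is configured; 'ambiguous' rows need an explicit marker."""
    return sorted(rid for rid, value in rows.items() if classify(value) != "ambiguous")


# Constructed sample rows (not real Glance data).
SAMPLE_ROWS = {
    "img-1": "file:///var/lib/glance/images/img-1",                 # plain URL
    "img-2": "abcde",                                               # bad base64 padding
    "img-3": base64.urlsafe_b64encode(b"x" * 20).decode(),          # decodes to 20 bytes
    "img-4": base64.urlsafe_b64encode(bytes(range(48))).decode(),   # IV + 2 blocks shape
    "img-5": "deadbeef" * 8,                                        # plaintext, well-formed
}

if __name__ == "__main__":
    for rid, value in SAMPLE_ROWS.items():
        print(rid, classify(value))
    print("would break:", preflight(SAMPLE_ROWS))
```

The `img-5` row shows why a structural check alone cannot decide whether a value was encrypted: a migration needs an explicit per-row marker or a one-time re-encryption pass rather than trial decryption.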


