
Commit 691377b

author
zhong.zhou
committed
<fix>[kvm]: define secret on migrate destination
Resolves: ZSV-11729 Change-Id: I616a776e78666179637976616c776162626c6533
1 parent 78c679d commit 691377b

9 files changed

Lines changed: 307 additions & 90 deletions


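--- a/compute/src/main/java/org/zstack/compute/vm/devices/DummyEncryptedResourceKeyManager.java
+++ b/compute/src/main/java/org/zstack/compute/vm/devices/DummyEncryptedResourceKeyManager.java
@@ -19,6 +19,14 @@ public void getOrCreateKey(GetOrCreateResourceKeyContext ctx,
 completion.fail(operr("crypto module is not installed, cannot manage resource encryption keys"));
 }
 
+@Override
+public void getKey(GetOrCreateResourceKeyContext ctx,
+ReturnValueCompletion<ResourceKeyResult> completion) {
+logger.warn(String.format("crypto module not installed, cannot get resource key for %s[uuid:%s]",
+ctx.getResourceType(), ctx.getResourceUuid()));
+completion.fail(operr("crypto module is not installed, cannot manage resource encryption keys"));
+}
+
 @Override
 public void rollbackCreatedKey(ResourceKeyResult result, Completion completion) {
 completion.success();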
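Review bot: getKey's failure text `"crypto module is not installed, cannot manage resource encryption keys"` duplicates the literal that getOrCreateKey already passes to operr on the first context line of the hunk, while the new warn log uses a third phrasing ("crypto module not installed"), so the two methods will drift the next time someone edits one of them. A single constant, e.g. `private static final String CRYPTO_MODULE_MISSING = "crypto module is not installed, cannot manage resource encryption keys";`, used by both operr calls and referenced from the log message would keep the reported error consistent. The enclosing class and the beginning of getOrCreateKey lie outside the hunk.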

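--- a/header/src/main/java/org/zstack/header/keyprovider/EncryptedResourceKeyManager.java
+++ b/header/src/main/java/org/zstack/header/keyprovider/EncryptedResourceKeyManager.java
@@ -26,11 +26,30 @@ public interface EncryptedResourceKeyManager {
 void getOrCreateKey(GetOrCreateResourceKeyContext ctx,
 ReturnValueCompletion<ResourceKeyResult> completion);
 
+/**
+* Load the existing resource encryption key material only.
+* <p>
+* Requires an {@code EncryptedResourceKeyRef} row and a usable secret reference already stored
+* for the resource. Does <strong>not</strong> insert a ref row and does <strong>not</strong> call
+* key-tool/KMS <em>create</em> APIs.
+* <p>
+* The implementation may still call key-tool/KMS <em>get/unwrap</em> for the <strong>existing</strong>
+* secret ref in order to return the plaintext DEK (for example defining the secret on the destination
+* host during hot migration). That RPC is read-side materialization, not secret creation.
+*
+* @param ctx same fields as {@link #getOrCreateKey}; identifies resource and provider
+* @param completion returns {@link ResourceKeyResult} with {@code createdNewKey == false} on success
+*/
+void getKey(GetOrCreateResourceKeyContext ctx,
+ReturnValueCompletion<ResourceKeyResult> completion);
+
 /**
 * Roll back a newly created resource key during upper-layer workflow rollback.
 * <p>
-* If the key record already existed before creation, implementation should restore it
-* to its previous empty-placeholder state instead of deleting the relationship.
+* When {@link ResourceKeyResult#isCreatedNewKey()} is true, the implementation deletes the
+* key-tool secret if one was materialized, then removes the {@code EncryptedResourceKeyRef} row
+* for the resource (same storage effect as detaching the key provider from the resource).
+* When {@code createdNewKey} is false (existing secret was reused), this is a no-op.
 */
 void rollbackCreatedKey(ResourceKeyResult result, Completion completion);
 
@@ -91,7 +110,6 @@ class ResourceKeyResult {
 private String dekBase64;
 private String secretRef;
 private boolean createdNewKey;
-private boolean refExistedBeforeCreate;
 
 public String getResourceUuid() {
 return resourceUuid;
@@ -156,13 +174,5 @@ public boolean isCreatedNewKey() {
 public void setCreatedNewKey(boolean createdNewKey) {
 this.createdNewKey = createdNewKey;
 }
-
-public boolean isRefExistedBeforeCreate() {
-return refExistedBeforeCreate;
-}
-
-public void setRefExistedBeforeCreate(boolean refExistedBeforeCreate) {
-this.refExistedBeforeCreate = refExistedBeforeCreate;
-}
 }
 }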

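--- a/header/src/main/java/org/zstack/header/secret/SecretHostDefineMsg.java
+++ b/header/src/main/java/org/zstack/header/secret/SecretHostDefineMsg.java
@@ -16,6 +16,8 @@ public class SecretHostDefineMsg extends NeedReplyMessage implements HostMessage
 private String vmUuid;
 private String purpose;
 private Integer keyVersion;
+private String usageInstance;
+private String secretUuid;
 private String description;
 
 @Override
@@ -59,6 +61,22 @@ public void setKeyVersion(Integer keyVersion) {
 this.keyVersion = keyVersion;
 }
 
+public String getUsageInstance() {
+return usageInstance;
+}
+
+public void setUsageInstance(String usageInstance) {
+this.usageInstance = usageInstance;
+}
+
+public String getSecretUuid() {
+return secretUuid;
+}
+
+public void setSecretUuid(String secretUuid) {
+this.secretUuid = secretUuid;
+}
+
 public String getDescription() {
 return description;
 }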
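Review bot: `usageInstance` and `secretUuid` are added to SecretHostDefineMsg without any documentation of what they identify or whether they are mandatory, and the same undocumented `usageInstance` field is added to SecretHostDeleteMsg and SecretHostGetMsg in this commit. Presumably they qualify which host-side secret is meant alongside `vmUuid`, `purpose` and `keyVersion`; a field comment such as `// identifies the consuming instance of the secret on the host; must match the value sent in the define message — confirm whether null is accepted` would let a reader check that the define/get/delete messages address the same secret. Only the define message carries `secretUuid`; if that value becomes part of the secret's identity on the host, the get and delete messages may need it too — this is inferred, not visible in the hunk. The class bodies continue outside the hunks.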

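--- a/header/src/main/java/org/zstack/header/secret/SecretHostDeleteMsg.java
+++ b/header/src/main/java/org/zstack/header/secret/SecretHostDeleteMsg.java
@@ -8,6 +8,7 @@ public class SecretHostDeleteMsg extends NeedReplyMessage implements HostMessage
 private String vmUuid;
 private String purpose;
 private Integer keyVersion;
+private String usageInstance;
 
 @Override
 public String getHostUuid() {
@@ -41,4 +42,12 @@ public Integer getKeyVersion() {
 public void setKeyVersion(Integer keyVersion) {
 this.keyVersion = keyVersion;
 }
+
+public String getUsageInstance() {
+return usageInstance;
+}
+
+public void setUsageInstance(String usageInstance) {
+this.usageInstance = usageInstance;
+}
 }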

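--- a/header/src/main/java/org/zstack/header/secret/SecretHostGetMsg.java
+++ b/header/src/main/java/org/zstack/header/secret/SecretHostGetMsg.java
@@ -11,6 +11,7 @@ public class SecretHostGetMsg extends NeedReplyMessage implements HostMessage {
 private String vmUuid;
 private String purpose;
 private Integer keyVersion;
+private String usageInstance;
 
 @Override
 public String getHostUuid() {
@@ -44,4 +45,12 @@ public Integer getKeyVersion() {
 public void setKeyVersion(Integer keyVersion) {
 this.keyVersion = keyVersion;
 }
+
+public String getUsageInstance() {
+return usageInstance;
+}
+
+public void setUsageInstance(String usageInstance) {
+this.usageInstance = usageInstance;
+}
 }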

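--- a/plugin/kvm/src/main/java/org/zstack/kvm/KVMAgentCommands.java
+++ b/plugin/kvm/src/main/java/org/zstack/kvm/KVMAgentCommands.java
@@ -411,8 +411,9 @@ public static class SecretHostDefineCmd extends AgentCommand {
 private String vmUuid;
 private String purpose;
 private Integer keyVersion;
-private String description;
 private String usageInstance;
+private String secretUuid;
+private String description;
 
 public String getEncryptedDek() {
 return encryptedDek;
@@ -446,21 +447,29 @@ public void setKeyVersion(Integer keyVersion) {
 this.keyVersion = keyVersion;
 }
 
-public String getDescription() {
-return description;
-}
-
-public void setDescription(String description) {
-this.description = description;
-}
-
 public String getUsageInstance() {
 return usageInstance;
 }
 
 public void setUsageInstance(String usageInstance) {
 this.usageInstance = usageInstance;
 }
+
+public String getSecretUuid() {
+return secretUuid;
+}
+
+public void setSecretUuid(String secretUuid) {
+this.secretUuid = secretUuid;
+}
+
+public String getDescription() {
+return description;
+}
+
+public void setDescription(String description) {
+this.description = description;
+}
 }
 
 public static class SecretHostDefineResponse extends AgentResponse {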
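Review bot: Both hunks move the unchanged `description` field and its `getDescription`/`setDescription` pair below the new `secretUuid` members, which turns a one-field addition into nine deleted lines and hides the substantive change; inserting only `private String secretUuid;` after `usageInstance` plus its getter and setter, and leaving the description members where they were, yields the same class with a diff that reviews in a glance. If AgentCommand is serialized field-by-name to the agent, declaration order is presumably irrelevant to the wire format, so the move buys nothing — confirm. SecretHostDefineCmd's header and the `encryptedDek` field it carries begin outside the hunks.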
