Delete unused key when rekeying volume

The new volume's encryption key that was cloned earlier in the volume creation process should be delete after rekey succeeds, because it is no longer used. Change-Id: I243d1b47f3996ccdda977ef21b979fd3fc49a2f9 Closes-Bug: #1844556
2019-09-18 12:24:25 -04:00 · 2019-09-18 12:24:25 -04:00 · 5f05d8e18a
commit 5f05d8e18a
parent 2222ae6f75
2 changed files with 12 additions and 3 deletions
--- a/cinder/tests/unit/volume/test_volume.py
+++ b/cinder/tests/unit/volume/test_volume.py
@ -1655,8 +1655,6 @@ class VolumeTestCase(base.BaseVolumeTestCase):
        db.volume_destroy(self.context, src_vol_id)
        db.volume_destroy(self.context, dst_vol['id'])

-        mock_del_enc_key.assert_not_called()
-
        if rekey_supported:
            mock_setup_enc_keys.assert_called_once_with(
                mock.ANY,
@ -1681,9 +1679,13 @@ class VolumeTestCase(base.BaseVolumeTestCase):
                    '--key-file=-', '/some/device/thing',
                    process_input='asdfg',
                    run_as_root=True)
+            mock_del_enc_key.assert_called_once_with(mock.ANY,  # context
+                                                     mock.ANY,  # keymgr
+                                                     fake.ENCRYPTION_KEY2_ID)
        else:
            mock_setup_enc_keys.assert_not_called()
            mock_execute.assert_not_called()
+            mock_del_enc_key.assert_not_called()
        mock_at.assert_called()
        mock_det.assert_called()

--- a/cinder/volume/flows/manager/create_volume.py
+++ b/cinder/volume/flows/manager/create_volume.py
@ -516,6 +516,8 @@ class CreateVolumeFromSpecTask(flow_utils.CinderTask):
        attach_info = None
        model_update = {}
        new_key_id = None
+        original_key_id = volume.encryption_key_id
+        key_mgr = key_manager.API(CONF)

        try:
            attach_info, volume = self.driver._attach_volume(context,
@ -591,6 +593,11 @@ class CreateVolumeFromSpecTask(flow_utils.CinderTask):
                del new_pass
                model_update = {'encryption_key_id': new_key_id}

+            # delete the original key that was cloned for this volume
+            # earlier
+            volume_utils.delete_encryption_key(context,
+                                               key_mgr,
+                                               original_key_id)
        except exception.RekeyNotSupported:
            pass
        except Exception:
@ -599,7 +606,7 @@ class CreateVolumeFromSpecTask(flow_utils.CinderTask):
                    # Remove newly cloned key since it will not be used.
                    volume_utils.delete_encryption_key(
                        context,
-                        key_manager.API(CONF),
+                        key_mgr,
                        new_key_id)
        finally:
            if attach_info: