From 5f05d8e18acd25442bb8ece10d70f5a0e277240b Mon Sep 17 00:00:00 2001
From: Eric Harney
Date: Wed, 18 Sep 2019 12:24:25 -0400
Subject: [PATCH] Delete unused key when rekeying volume

The new volume's encryption key that was cloned earlier in the volume creation process should be delete after rekey succeeds, because it is no longer used.

Change-Id: I243d1b47f3996ccdda977ef21b979fd3fc49a2f9
Closes-Bug: #1844556
---
 cinder/tests/unit/volume/test_volume.py | 6 ++++--
 cinder/volume/flows/manager/create_volume.py | 9 ++++++++-
 2 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/cinder/tests/unit/volume/test_volume.py b/cinder/tests/unit/volume/test_volume.py
index da52cd23b01..3b2f2f5d389 100644
--- a/cinder/tests/unit/volume/test_volume.py
+++ b/cinder/tests/unit/volume/test_volume.py
@@ -1655,8 +1655,6 @@ class VolumeTestCase(base.BaseVolumeTestCase):
 db.volume_destroy(self.context, src_vol_id)
 db.volume_destroy(self.context, dst_vol['id'])
- mock_del_enc_key.assert_not_called()
-
 if rekey_supported:
 mock_setup_enc_keys.assert_called_once_with(
 mock.ANY,
@@ -1681,9 +1679,13 @@ class VolumeTestCase(base.BaseVolumeTestCase):
 '--key-file=-', '/some/device/thing', process_input='asdfg', run_as_root=True)
+ mock_del_enc_key.assert_called_once_with(mock.ANY, # context
+ mock.ANY, # keymgr
+ fake.ENCRYPTION_KEY2_ID)
 else:
 mock_setup_enc_keys.assert_not_called()
 mock_execute.assert_not_called()
+ mock_del_enc_key.assert_not_called()
 mock_at.assert_called()
 mock_det.assert_called()
diff --git a/cinder/volume/flows/manager/create_volume.py b/cinder/volume/flows/manager/create_volume.py
index 0efd9611c3e..01fc5d78849 100644
--- a/cinder/volume/flows/manager/create_volume.py
+++ b/cinder/volume/flows/manager/create_volume.py
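Review bot: The `rekey_supported` branch of the second test hunk asserts only the happy path (`mock_del_enc_key.assert_called_once_with(..., fake.ENCRYPTION_KEY2_ID)`); nothing visible covers the key-manager delete failing after the volume has already been rekeyed. A case that makes the first `mock_del_enc_key` call raise, then asserts the newly created key is not deleted afterwards, would pin the behaviour that matters most for keeping the volume readable. The test method starts and ends outside these hunks, so coverage elsewhere in it cannot be ruled out.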
@@ -516,6 +516,8 @@ class CreateVolumeFromSpecTask(flow_utils.CinderTask):
 attach_info = None
 model_update = {}
 new_key_id = None
+ original_key_id = volume.encryption_key_id
+ key_mgr = key_manager.API(CONF)
 try:
 attach_info, volume = self.driver._attach_volume(context,
@@ -591,6 +593,11 @@ class CreateVolumeFromSpecTask(flow_utils.CinderTask):
 del new_pass
 model_update = {'encryption_key_id': new_key_id}
+ # delete the original key that was cloned for this volume
+ # earlier
+ volume_utils.delete_encryption_key(context,
+ key_mgr,
+ original_key_id)
 except exception.RekeyNotSupported:
 pass
 except Exception:
@@ -599,7 +606,7 @@ class CreateVolumeFromSpecTask(flow_utils.CinderTask):
 # Remove newly cloned key since it will not be used.
 volume_utils.delete_encryption_key(
 context,
- key_manager.API(CONF),
+ key_mgr,
 new_key_id)
 finally:
 if attach_info:
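Review bot: `original_key_id` is captured in the first hunk and deleted from the key manager later in the function, which is only safe if `volume.encryption_key_id` is a key cloned for this volume alone and never the source volume's key; the hunk neither states nor checks that. I would document the invariant where the value is read, e.g. `# Key cloned for this volume during creation; must not be shared with the source volume.`, and a name such as `cloned_key_id` would make the intent harder to misread. The enclosing method starts and ends outside the hunk, so a guard may already exist earlier.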
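Review bot: The new `volume_utils.delete_encryption_key(context, key_mgr, original_key_id)` call in the second hunk sits inside the same `try` as the rekey, so if it raises, control reaches `except Exception:`, whose cleanup (third hunk) deletes `new_key_id`, which by then appears to be the only key that opens the volume. Whether the helper can raise is not visible here, and two lines between the second and third hunks are not shown, so this is inferred; even so, removing the superseded key should be best-effort and isolated from the rollback path. The old key is also removed before the caller has persisted `model_update`, so a later failure could leave the volume record pointing at a deleted key. A sketch of the isolation follows; `LOG` is assumed to be the module logger.

```python
model_update = {'encryption_key_id': new_key_id}
# The volume is already rekeyed; failing to remove the superseded key
# must not fall through to the handler that deletes new_key_id.
try:
    volume_utils.delete_encryption_key(context,
                                       key_mgr,
                                       original_key_id)
except Exception:
    LOG.warning("Volume %s was rekeyed, but its previous encryption "
                "key could not be deleted.", volume.id)
# … unchanged: except exception.RekeyNotSupported / except Exception handlers …
```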