rgw: support full object encryption stack on compression #46188
@Zhiwei-Dai thanks for the contribution, this is a great feature! i'm seeing some test failures though, could you please take a look? this is with a vstart cluster with rgw compression enabled:
and running the ceph-master branch of ceph's s3-tests for sse encryption:
in addition to those 3 test failures, i also found that GET requests hung if i configured rgw with |
for automated test coverage, we'll want to enable compression in rgw's encryption suite: diff --git a/qa/suites/rgw/crypt/3-rgw/rgw.yaml b/qa/suites/rgw/crypt/3-rgw/rgw.yaml
index ee8d62af05c..764d216aade 100644
--- a/qa/suites/rgw/crypt/3-rgw/rgw.yaml
+++ b/qa/suites/rgw/crypt/3-rgw/rgw.yaml
@@ -6,6 +6,8 @@ overrides:
setgroup: ceph
rgw crypt require ssl: false
debug rgw: 20
+ rgw:
+ compression type: random
tasks:
- rgw: can you please add this to the PR? |
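Review bot: the new `rgw:` / `compression type: random` entry sits in the shared `overrides:` block of qa/suites/rgw/crypt/3-rgw/rgw.yaml, so every job that includes this file would run with compression on and the suite would stop exercising encryption with compression disabled. Consider putting the override in a separate facet so both combinations are covered. Because the value is `random` rather than a named compressor, a failing run may also be hard to reproduce unless the job records which type was selected.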
thanks for your testing, i'll recheck it. |
ok, of course |
add implementation for full object encryption stack on compression. Compressing first and then encrypting. Fixed: https://tracker.ceph.com/issues/19988 Signed-off-by: Dai Zhiwei <daizhiwei3@huawei.com> Signed-off-by: luo rixin <luorixin@huawei.com>
@cbodley I have updated the implementation and ceph's s3-tests for sse encryption have all passed. |
@cbodley would you mind reviewing the PR again? Thanks |
thanks @Zhiwei-Dai! |
adds release notes for the feature added in ceph#46188 Signed-off-by: Casey Bodley <cbodley@redhat.com>
i've opened #48609 to document this new feature in PendingReleaseNotes |
Nice work |
replace #36539
add implementation for full object encryption stack on compression. Compressing first and then encrypting.
The security and trustworthiness framework of Ceph is important for data storage. Now, cephx and HTTPS based on OpenSSL enhance the security of the transport layer, and the rgw encryption implementation supports data protection for the object store.
Nevertheless, as issue 19988 says, space usage and data security are exclusive.
New compression and encryption filters do not stack, but logically could do so. Users must choose between at rest data reduction and data security.
This PR solves this problem. As for why compress first and then encrypt, the discussion about data encryption and compression has the answer:
https://crypto.stackexchange.com/questions/33737/is-it-better-to-encrypt-before-compression-or-vice-versa
Fixed: https://tracker.ceph.com/issues/19988
Signed-off-by: Dai Zhiwei <daizhiwei3@huawei.com>
Signed-off-by: luo rixin <luorixin@huawei.com>
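The ordering argument in the description above, as an added example that is not code from this PR or from Ceph: it stores the same object with both filter orders and compares the stored sizes. The SHA-256 counter-mode keystream is a stand-in cipher assumed here so the example needs only the standard library, and the key, nonce and object body are constructed sample values.

```python
import hashlib
import zlib

KEY = b"constructed-demo-key"      # constructed sample value
NONCE = b"constructed-nonce"       # constructed sample value
# Constructed, highly repetitive object body (typical of logs or JSON).
SAMPLE = b'{"bucket":"demo","op":"PUT","status":200}\n' * 2000


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher (assumption): XOR with a SHA-256 counter keystream.

    It is not the cipher rgw uses; it only needs to make output look random.
    """
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + (i // 32).to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)


def compress_then_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    # Write path in the order the PR describes: compress, then encrypt.
    return keystream_xor(key, nonce, zlib.compress(plaintext))


def encrypt_then_compress(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    # Reverse order: the compressor only ever sees random-looking ciphertext.
    return zlib.compress(keystream_xor(key, nonce, plaintext))


def read_back(key: bytes, nonce: bytes, stored: bytes) -> bytes:
    # Read path for compress-then-encrypt: decrypt first, then decompress.
    return zlib.decompress(keystream_xor(key, nonce, stored))


def compare(plaintext: bytes, key: bytes = KEY, nonce: bytes = NONCE) -> dict:
    """Return stored sizes in bytes for each ordering."""
    return {
        "plaintext": len(plaintext),
        "compress_then_encrypt": len(compress_then_encrypt(key, nonce, plaintext)),
        "encrypt_then_compress": len(encrypt_then_compress(key, nonce, plaintext)),
    }


if __name__ == "__main__":
    print(compare(SAMPLE))
```

Encrypting first leaves the compressor nothing to remove, so the stored object ends up no smaller than the plaintext, while compressing first keeps the full size reduction under encryption.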