integrate volume encryption with kms

Author: vishesh92

api/src/main/java/com/cloud/event/EventTypes.java

@@ -278,6 +278,7 @@ public class EventTypes {
     public static final String EVENT_KMS_KEK_ROTATE = "KMS.KEK.ROTATE";
     public static final String EVENT_KMS_KEK_DELETE = "KMS.KEK.DELETE";
     public static final String EVENT_KMS_HEALTH_CHECK = "KMS.HEALTH.CHECK";
+    public static final String EVENT_VOLUME_MIGRATE_TO_KMS = "VOLUME.MIGRATE.TO.KMS";
 
     // Account events
     public static final String EVENT_ACCOUNT_ENABLE = "ACCOUNT.ENABLE";

api/src/main/java/com/cloud/storage/Volume.java

@@ -275,6 +275,14 @@ enum Event {
 
     void setPassphraseId(Long id);
 
+    Long getKmsKeyId();
+
+    void setKmsKeyId(Long id);
+
+    Long getKmsWrappedKeyId();
+
+    void setKmsWrappedKeyId(Long id);
+
     String getEncryptFormat();
 
     void setEncryptFormat(String encryptFormat);

api/src/main/java/org/apache/cloudstack/api/command/admin/kms/MigrateVolumesToKMSCmd.java

@@ -0,0 +1,130 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.api.command.admin.kms;
+
+import com.cloud.user.Account;
+import org.apache.cloudstack.acl.RoleType;
+import org.apache.cloudstack.api.APICommand;
+import org.apache.cloudstack.api.ApiCommandResourceType;
+import org.apache.cloudstack.api.ApiConstants;
+import org.apache.cloudstack.api.ApiErrorCode;
+import org.apache.cloudstack.api.BaseAsyncCmd;
+import org.apache.cloudstack.api.Parameter;
+import org.apache.cloudstack.api.ServerApiException;
+import org.apache.cloudstack.api.response.AsyncJobResponse;
+import org.apache.cloudstack.api.response.DomainResponse;
+import org.apache.cloudstack.api.response.ZoneResponse;
+import org.apache.cloudstack.framework.kms.KMSException;
+import org.apache.cloudstack.kms.KMSManager;
+
+import javax.inject.Inject;
+
+@APICommand(name = "migrateVolumesToKMS",
+            description = "Migrates passphrase-based volumes to KMS (admin only)",
+            responseObject = AsyncJobResponse.class,
+            since = "4.23.0",
+            authorized = {RoleType.Admin},
+            requestHasSensitiveInfo = false,
+            responseHasSensitiveInfo = false)
+public class MigrateVolumesToKMSCmd extends BaseAsyncCmd {
+    private static final String s_name = "migratevolumestokmsresponse";
+
+    @Inject
+    private KMSManager kmsManager;
+
+    /////////////////////////////////////////////////////
+    //////////////// API parameters /////////////////////
+    /////////////////////////////////////////////////////
+
+    @Parameter(name = ApiConstants.ZONE_ID,
+               required = true,
+               type = CommandType.UUID,
+               entityType = ZoneResponse.class,
+               description = "Zone ID")
+    private Long zoneId;
+
+    @Parameter(name = ApiConstants.ACCOUNT,
+               type = CommandType.STRING,
+               description = "Migrate volumes for specific account")
+    private String accountName;
+
+    @Parameter(name = ApiConstants.DOMAIN_ID,
+               type = CommandType.UUID,
+               entityType = DomainResponse.class,
+               description = "Domain ID")
+    private Long domainId;
+
+    /////////////////////////////////////////////////////
+    /////////////////// Accessors ///////////////////////
+    /////////////////////////////////////////////////////
+
+    public Long getZoneId() {
+        return zoneId;
+    }
+
+    public String getAccountName() {
+        return accountName;
+    }
+
+    public Long getDomainId() {
+        return domainId;
+    }
+
+    /////////////////////////////////////////////////////
+    /////////////// API Implementation///////////////////
+    /////////////////////////////////////////////////////
+
+    @Override
+    public void execute() {
+        try {
+            kmsManager.migrateVolumesToKMS(this);
+        } catch (KMSException e) {
+            throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR,
+                    "Failed to migrate volumes to KMS: " + e.getMessage());
+        }
+    }
+
+    @Override
+    public String getCommandName() {
+        return s_name;
+    }
+
+    @Override
+    public long getEntityOwnerId() {
+        return Account.ACCOUNT_ID_SYSTEM;
+    }
+
+    @Override
+    public String getEventType() {
+        return com.cloud.event.EventTypes.EVENT_VOLUME_MIGRATE_TO_KMS;
+    }
+
+    @Override
+    public String getEventDescription() {
+        return "Migrating volumes to KMS for zone: " + _uuidMgr.getUuid(ZoneResponse.class, zoneId);
+    }
+
+    @Override
+    public ApiCommandResourceType getApiResourceType() {
+        return ApiCommandResourceType.Zone;
+    }
+
+    @Override
+    public Long getApiResourceId() {
+        return zoneId;
+    }
+}

api/src/main/java/org/apache/cloudstack/api/command/admin/kms/RotateKMSKeyCmd.java

@@ -0,0 +1,119 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.api.command.admin.kms;
+
+import com.cloud.user.Account;
+import org.apache.cloudstack.acl.RoleType;
+import org.apache.cloudstack.api.APICommand;
+import org.apache.cloudstack.api.ApiCommandResourceType;
+import org.apache.cloudstack.api.ApiConstants;
+import org.apache.cloudstack.api.ApiErrorCode;
+import org.apache.cloudstack.api.BaseAsyncCmd;
+import org.apache.cloudstack.api.Parameter;
+import org.apache.cloudstack.api.ServerApiException;
+import org.apache.cloudstack.api.response.AsyncJobResponse;
+import org.apache.cloudstack.api.response.KMSKeyResponse;
+import org.apache.cloudstack.framework.kms.KMSException;
+import org.apache.cloudstack.kms.KMSManager;
+
+import javax.inject.Inject;
+
+@APICommand(name = "rotateKMSKey",
+            description = "Rotates KEK by creating new version and scheduling gradual re-encryption (admin only)",
+            responseObject = AsyncJobResponse.class,
+            since = "4.23.0",
+            authorized = {RoleType.Admin},
+            requestHasSensitiveInfo = false,
+            responseHasSensitiveInfo = false)
+public class RotateKMSKeyCmd extends BaseAsyncCmd {
+    private static final String s_name = "rotatekmskeyresponse";
+
+    @Inject
+    private KMSManager kmsManager;
+
+    /////////////////////////////////////////////////////
+    //////////////// API parameters /////////////////////
+    /////////////////////////////////////////////////////
+
+    @Parameter(name = ApiConstants.ID,
+               required = true,
+               type = CommandType.UUID,
+               entityType = KMSKeyResponse.class,
+               description = "KMS Key UUID to rotate")
+    private Long id;
+
+    @Parameter(name = ApiConstants.KEY_BITS,
+               type = CommandType.INTEGER,
+               description = "Key size for new KEK (default: same as current)")
+    private Integer keyBits;
+
+    /////////////////////////////////////////////////////
+    /////////////////// Accessors ///////////////////////
+    /////////////////////////////////////////////////////
+
+    public Long getId() {
+        return id;
+    }
+
+    public Integer getKeyBits() {
+        return keyBits;
+    }
+
+    /////////////////////////////////////////////////////
+    /////////////// API Implementation///////////////////
+    /////////////////////////////////////////////////////
+
+    @Override
+    public void execute() {
+        try {
+            kmsManager.rotateKMSKey(this);
+        } catch (KMSException e) {
+            throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR,
+                    "Failed to rotate KMS key: " + e.getMessage());
+        }
+    }
+
+    @Override
+    public String getCommandName() {
+        return s_name;
+    }
+
+    @Override
+    public long getEntityOwnerId() {
+        return Account.ACCOUNT_ID_SYSTEM;
+    }
+
+    @Override
+    public String getEventType() {
+        return com.cloud.event.EventTypes.EVENT_KMS_KEK_ROTATE;
+    }
+
+    @Override
+    public String getEventDescription() {
+        return "Rotating KMS key: " + _uuidMgr.getUuid(KMSKeyResponse.class, id);
+    }
+
+    @Override
+    public ApiCommandResourceType getApiResourceType() {
+        return ApiCommandResourceType.KmsKey;
+    }
+
+    @Override
+    public Long getApiResourceId() {
+        return id;
+    }
+}

api/src/main/java/org/apache/cloudstack/api/command/user/kms/CreateKMSKeyCmd.java

@@ -47,7 +47,6 @@
             requestHasSensitiveInfo = false,
             responseHasSensitiveInfo = false)
 public class CreateKMSKeyCmd extends BaseCmd implements UserCmd {
-    private static final String s_name = "createkmskeyresponse";
 
     @Inject
     private KMSManager kmsManager;
@@ -70,7 +69,7 @@ public class CreateKMSKeyCmd extends BaseCmd implements UserCmd {
     @Parameter(name = ApiConstants.PURPOSE,
                required = true,
                type = CommandType.STRING,
-               description = "Purpose of the key: VOLUME_ENCRYPTION, TLS_CERT, CONFIG_SECRET")
+               description = "Purpose of the key: volume, tls")
     private String purpose;
 
     @Parameter(name = ApiConstants.ZONE_ID,
@@ -144,11 +143,6 @@ public void execute() throws ResourceAllocationException {
         }
     }
 
-    @Override
-    public String getCommandName() {
-        return s_name;
-    }
-
     @Override
     public long getEntityOwnerId() {
         Account caller = CallContext.current().getCallingAccount();
@@ -163,4 +157,3 @@ public ApiCommandResourceType getApiResourceType() {
         return ApiCommandResourceType.KmsKey;
     }
 }
-

api/src/main/java/org/apache/cloudstack/api/command/user/kms/DeleteKMSKeyCmd.java

@@ -45,7 +45,6 @@
             requestHasSensitiveInfo = false,
             responseHasSensitiveInfo = false)
 public class DeleteKMSKeyCmd extends BaseAsyncCmd implements UserCmd {
-    private static final String s_name = "deletekmskeyresponse";
 
     @Inject
     private KMSManager kmsManager;
@@ -85,11 +84,6 @@ public void execute() {
         }
     }
 
-    @Override
-    public String getCommandName() {
-        return s_name;
-    }
-
     @Override
     public long getEntityOwnerId() {
         return CallContext.current().getCallingAccount().getId();
@@ -110,4 +104,3 @@ public ApiCommandResourceType getApiResourceType() {
         return ApiCommandResourceType.KmsKey;
     }
 }
-

api/src/main/java/org/apache/cloudstack/api/command/user/kms/ListKMSKeysCmd.java

@@ -59,7 +59,7 @@ public class ListKMSKeysCmd extends BaseListAccountResourcesCmd implements UserC
 
     @Parameter(name = ApiConstants.PURPOSE,
                type = CommandType.STRING,
-               description = "Filter by purpose: VOLUME_ENCRYPTION, TLS_CERT, CONFIG_SECRET")
+               description = "Filter by purpose: volume, tls")
     private String purpose;
 
     @Parameter(name = ApiConstants.ZONE_ID,
@@ -109,4 +109,3 @@ public String getCommandName() {
         return s_name;
     }
 }
-

api/src/main/java/org/apache/cloudstack/api/command/user/kms/UpdateKMSKeyCmd.java

@@ -44,7 +44,6 @@
             requestHasSensitiveInfo = false,
             responseHasSensitiveInfo = false)
 public class UpdateKMSKeyCmd extends BaseAsyncCmd implements UserCmd {
-    private static final String s_name = "updatekmskeyresponse";
 
     @Inject
     private KMSManager kmsManager;
@@ -111,11 +110,6 @@ public void execute() {
         }
     }
 
-    @Override
-    public String getCommandName() {
-        return s_name;
-    }
-
     @Override
     public long getEntityOwnerId() {
         return CallContext.current().getCallingAccount().getId();

api/src/main/java/org/apache/cloudstack/api/command/user/volume/CreateVolumeCmd.java

@@ -30,6 +30,7 @@
 import org.apache.cloudstack.api.command.user.UserCmd;
 import org.apache.cloudstack.api.response.DiskOfferingResponse;
 import org.apache.cloudstack.api.response.DomainResponse;
+import org.apache.cloudstack.api.response.KMSKeyResponse;
 import org.apache.cloudstack.api.response.ProjectResponse;
 import org.apache.cloudstack.api.response.SnapshotResponse;
 import org.apache.cloudstack.api.response.UserVmResponse;
@@ -109,6 +110,13 @@ public class CreateVolumeCmd extends BaseAsyncCreateCustomIdCmd implements UserC
                description = "The ID of the Instance; to be used with snapshot Id, Instance to which the volume gets attached after creation")
     private Long virtualMachineId;
 
+    @Parameter(name = ApiConstants.KMS_KEY_ID,
+               type = CommandType.UUID,
+               entityType = KMSKeyResponse.class,
+               description = "ID of the KMS Key for volume encryption (required if encryption enabled for zone)",
+               since = "4.23.0")
+    private Long kmsKeyId;
+
     /////////////////////////////////////////////////////
     /////////////////// Accessors ///////////////////////
     /////////////////////////////////////////////////////
@@ -169,6 +177,10 @@ public Long getVirtualMachineId() {
         return virtualMachineId;
     }
 
+    public Long getKmsKeyId() {
+        return kmsKeyId;
+    }
+
     /////////////////////////////////////////////////////
     /////////////// API Implementation///////////////////
     /////////////////////////////////////////////////////