a few cleanups: - Remove obsolete sections from setup.cfg - Switch to using sphinx-build - Remove install_command from tox.ini, the default is fine - Update pbr requirement - Fix build problems - Switch to py38 for testing following Victoria testing platforms Change-Id: I1ff3853020d69aeceb8b81c21ce608b269015ece
3.4 KiB
Encrypted Messages in Queue
https://blueprints.launchpad.net/zaqar/+spec/encrypted-messages-in-queue
The queue in Zaqar will support to encrypt messages before storing them into storage backends, also could support to decrypt (or not) messages when those are claimed by consumer. This feature will enhance the security of messaging service.
Problem description
Currently, Zaqar can't encrypt any messages and just store those messages into storage backends. That'll bring some security issues like information leakage or hacker attack.
Proposed change
- Add one new metadata in queue object that will indicate how to encrypt messages:
- "_enable_encrypt_messages=true/false" : this will tell Zaqar whether encrypt messages before storing them into backends or not.
- Support to use algorithms to encrypt messages in transport layer before storing them into backends. In V cycle, Zaqar may just support the global key for encryption and decryption, and it will be held by Zaqar service. Users don't need to encrypt/decypt message by themselves.
- Go a step further, Zaqar also could support to let user upload their public key and hold the private key by themselves. In this case, Zaqar just need to encrypt the message by using public key and return the encrypted messages to user.
- About the algorithms, in V cycle, Zaqar will introduce the AES-256 encryption at first. In next cycles, Zaqar can suppot asymmetric encryption to let user upload public key and keep the private key by their own.
Note
About the option of encryption algorithms and keys, Zaqar would support specify them throught more metadatas of queues, but it will be done in next serveral cycles. In Victoria, we will choose one algorithm (like AES256) to support and support to storage the keys by Zaqar itself or other service like Barbican.
API Impact
Create queue list:
POST: /v2/queues/queue_name
RESPONSE CODE: 200
REQUEST BODY:
{
"_enable_encrypt_messages": true
}
Drawbacks
The ecryption algorithms will impact the performance of storing messages into backends and getting the messages from the queue.
This depends on which kind of encryption algorithms we choose and support.
Alternatives
None
Implementation
Assignee(s)
- Primary assignee:
-
wanghao <sxmatch1986@gmail.com>
- Secondary assignee:
-
None
Milestones
- Target Milestone for completion:
-
victoria M-2
Work Items
- Modify api and transport code.
- Add support for encryption algorithm and key management.
- Add release note for this feature.
- Update API reference.
- Change unit, functional and tempest tests accordingly.
- Add client support.
Dependencies
None
References
None