
Method createBucketKey


Create a new bucket encryption key. This function is responsible for creating an encryption key for a bucket. If the KMS client supports using a default master encryption key per account and one is configured, the key is managed at the account level by Vault (looked up by the bucket owner) and the callback reports `isAccountEncryptionEnabled: true`. Otherwise the KMS client creates a bucket-level master key. In both cases the returned key id is later stored in the bucket metadata by the caller.

(bucket, log, cb)


185 * @callback called with (err, { masterKeyId: string, masterKeyArn: string, isAccountEncryptionEnabled: boolean })
186 */
/**
 * Create the master encryption key that a bucket will be encrypted under.
 *
 * Two key-management modes exist, chosen at call time:
 *  - account-level: when the current KMS client advertises
 *    `supportsDefaultKeyPerAccount` and `config.defaultEncryptionKeyPerAccount`
 *    is set, the key is retrieved or created in Vault for the bucket owner
 *    (`bucket.getOwner()`), so every bucket of that account shares it;
 *  - bucket-level: otherwise the KMS client creates a key for this bucket.
 *
 * @param {BucketInfo} bucket - bucket the key is created for; only its owner
 *   (account mode) or name (bucket mode) is read
 * @param {werelogs.Logger} log - request logger
 * @param {function} cb - called with (err, keyInfo) where keyInfo is
 *   `{ masterKeyId, masterKeyArn, isAccountEncryptionEnabled }`.
 *   In account mode Vault returns a single identifier, so masterKeyId and
 *   masterKeyArn carry the same value and isAccountEncryptionEnabled is true.
 *   NOTE(review): in bucket mode the flag is not set at all (undefined, falsy)
 *   rather than an explicit `false`; callers that persist or strictly compare
 *   this field should confirm that is what they expect.
 *   Errors from Vault or the KMS backend are passed through unchanged.
 * @return {undefined}
 */
static createBucketKey(bucket, log, cb) {
    // The current client is always used for key creation, even if the
    // backend was switched after older buckets were encrypted.
    log.debug('creating a new bucket key');

    const accountKeyMode = client.supportsDefaultKeyPerAccount
        && config.defaultEncryptionKeyPerAccount;

    if (!accountKeyMode) {
        // Bucket-level key: the backend mints one key per bucket and hands
        // back both its id and its ARN separately.
        const onKmsKey = (err, masterKeyId, masterKeyArn) => {
            if (err) {
                log.debug('error from kms', { implName, error: err });
                return cb(err);
            }
            log.trace('bucket key created in kms');
            return cb(null, { masterKeyId, masterKeyArn });
        };
        return client.createBucketKey(bucket.getName(), log, onKmsKey);
    }

    // Account-level key: Vault is the authority. It either returns the
    // account's existing key or creates one (see `action` in the trace).
    // Only the key identifier is logged, never key material.
    const onVaultKey = (err, data) => {
        if (err) {
            log.debug('error retrieving or creating the default encryption key at the account level from vault',
                { implName, error: err });
            return cb(err);
        }
        const { encryptionKeyId, action } = data;
        log.trace('default encryption key retrieved or created at the account level from vault',
            { implName, encryptionKeyId, action });
        // Vault only exposes one identifier (an ARN), so it serves as both
        // the id and the ARN of the master key.
        return cb(null, {
            masterKeyId: encryptionKeyId,
            masterKeyArn: encryptionKeyId,
            isAccountEncryptionEnabled: true,
        });
    };
    return vault.getOrCreateEncryptionKeyId(bucket.getOwner(), log, onVaultKey);
}
223
224 /**
225 *
