Enhance cta-readtp to handle encryption

https://gitlab.cern.ch/cta/operations/-/issues/913

Enhance cta-readtp to handle encryption.

added Operator Tools workflowin progress labels

assigned to @lwardena

created branch 211-enhance-cta-readtp-to-handle-encryption to address this issue

mentioned in merge request !103 (merged)

There was a similar issue to this one: #39 (closed) I will close it to avoid duplicates.

mentioned in issue #39 (closed)

closed with merge request !103 (merged)

changed milestone to %Release 4.8.0

reopened

Reopening the issue as there are still several issues with the version in production:

1. The list of all options is still printed.

2. When using cta-readtp on a tape that does not have encryption enabled, the command should simply not do anything with the encryption.

3. If the encryption is enabled, it should first check that the user has all necessary access and only then continue.

Example of bad handling of a tape that does not have an encryption:

Jan  5 14:04:50.873752 tpsrv404.cern.ch cta-readtp: LVL="ERROR" PID="5457" TID="5457" MSG="Failed to read file from tape" userName="mducruet" tapeVid="L86019" destinationFile="file:///dev/null" tapeDrive="S1L91013" logicalLibrary="SPC1L9" useLbp="true" driveSupportLbp="true" fSeq="50" tapeReadError="In EncryptionControl::enableEncryption: failed to enable encryption: script returned: 1 called='/usr/local/bin/cta-get-encryption-key --vid L86019' stdout={'response': {'code': 1, 'description': 'ERROR'}, 'message': 'Could not open the file /etc/cta/tape-encryption-keys.json. Permission denied', 'key_id': '', 'encryption_key': ''}  stderr="

The command tries to enable it, but it fails because it can not read the configuration file. Then it continues to the next file.

All this should be properly handled.

My two cents:

2. To know that the tape is not encrypted, the command should still run cta-get-encryption-key and get "-".

Encryption in readtp works in the same way as in the tapeserver, but the difference is that the latter runs as cta user and has access to

-r--------. 1 cta     tape  783 Jul  6  2022 tape-encryption-keys.json

Maybe it would be easier just to add group read permissions to this file?

We should have discussed this at at the today's operations meeting. I will try to remember this for next week.

No need to discuss this: everything that is tape handling/writing/device related is managed using the standard tape system group.

This json must be readable by tape group members and the encryption scripts executable by tape group members.

Same for all our log files: owned by cta:tape and rw for cta user and tape group.

This rule must be written and enforced for operations and dev aspects.

created branch 211-enhance-cta-readtp-to-handle-encryption to address this issue

mentioned in merge request !144 (merged)

As just discussed, there are 3 isues to resolve:

1. Check that the tape has encryption. If it does not, do not bother reading the configuration files and executing external script.

2. If the tape has encryption enabled, check that you can execute the external script = you have access to all relevant information.

3. If the command to configure encryption fails on one file, STOP, there is no point to continue.

closed with merge request !144 (merged)

reopened

created branch 211-enhance-cta-readtp-to-handle-encryption to address this issue

mentioned in merge request !148 (merged)

closed with merge request !148 (merged)

changed milestone to %Release 4.8.5