You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@ranger.apache.org by "kirby zhou (Jira)" <ji...@apache.org> on 2022/03/25 02:23:00 UTC

[jira] [Created] (RANGER-3682) Unify the ways that rangerkeystore to encapsulate zonekey

kirby zhou created RANGER-3682:
----------------------------------

             Summary: Unify the ways that rangerkeystore to encapsulate zonekey
                 Key: RANGER-3682
                 URL: https://issues.apache.org/jira/browse/RANGER-3682
             Project: Ranger
          Issue Type: Improvement
          Components: kms
    Affects Versions: 3.0.0, 2.3.0
            Reporter: kirby zhou


Unify the ways that rangerkeystore to encapsulate zonekey

Now we have 2 styles of MasterKeyProvider:
 # RangerMasterKey, RangerHSM, RangerSafenetKeySecure
 # RangerAzureKeyVaultKeyGenerator, RangerGoogleCloudHSMProvider, RangerTencentKMSProvider

Style 1 can get out master key string from provider, Style 2 can not.

In old, I add a flag KeyVaultEnabled to distinguish them. KeyVaultEnabled=false means style1, true means style2

RangerKeyStore with  style1 use SecretKeyEntry with SealedObject to store a key and do encryption / decryption by itself.

RangerKeyStore with  style2 use SecretKeyByteEntry to store a key and let MK provider to encryption / decryption.

These are ugly and hard to maintain. I refactor it by removing SecretKeyEntry, and let providers of style1 do encryption / decryption.

Add a  common base class of RangerMasterKey, RangerHSM andd RangerSafenetKeySecure, named AbstractRangerMasterKey. It provides the common logic of encryptZoneKey and decryptZoneKey.

And, there is no unified method to initialize a master key provider. Duplicate code is distributed in RangerKeyStoreProvider and a bunch of CLI classes.

I made a new RangerKMSMKIFactory class to unify it.

 

 



--
This message was sent by Atlassian Jira
(v8.20.1#820001)