You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ranger.apache.org by "kirby zhou (Jira)" <ji...@apache.org> on 2022/03/25 02:23:00 UTC
[jira] [Created] (RANGER-3682) Unify the ways that rangerkeystore to encapsulate zonekey
kirby zhou created RANGER-3682:
----------------------------------
Summary: Unify the ways that rangerkeystore to encapsulate zonekey
Key: RANGER-3682
URL: https://issues.apache.org/jira/browse/RANGER-3682
Project: Ranger
Issue Type: Improvement
Components: kms
Affects Versions: 3.0.0, 2.3.0
Reporter: kirby zhou
Unify the ways that rangerkeystore to encapsulate zonekey
Now we have 2 styles of MasterKeyProvider:
# RangerMasterKey, RangerHSM, RangerSafenetKeySecure
# RangerAzureKeyVaultKeyGenerator, RangerGoogleCloudHSMProvider, RangerTencentKMSProvider
Style 1 can get out master key string from provider, Style 2 can not.
In old, I add a flag KeyVaultEnabled to distinguish them. KeyVaultEnabled=false means style1, true means style2
RangerKeyStore with style1 use SecretKeyEntry with SealedObject to store a key and do encryption / decryption by itself.
RangerKeyStore with style2 use SecretKeyByteEntry to store a key and let MK provider to encryption / decryption.
These are ugly and hard to maintain. I refactor it by removing SecretKeyEntry, and let providers of style1 do encryption / decryption.
Add a common base class of RangerMasterKey, RangerHSM andd RangerSafenetKeySecure, named AbstractRangerMasterKey. It provides the common logic of encryptZoneKey and decryptZoneKey.
And, there is no unified method to initialize a master key provider. Duplicate code is distributed in RangerKeyStoreProvider and a bunch of CLI classes.
I made a new RangerKMSMKIFactory class to unify it.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)