Posted to dev@ranger.apache.org by "kirby zhou (Jira)" <ji...@apache.org> on 2022/04/07 06:14:00 UTC
[jira] [Created] (RANGER-3701) Establish plug-in system for KMS MasterKeyProvider
kirby zhou created RANGER-3701:
----------------------------------
Summary: Establish plug-in system for KMS MasterKeyProvider
Key: RANGER-3701
URL: https://issues.apache.org/jira/browse/RANGER-3701
Project: Ranger
Issue Type: Improvement
Components: kms
Affects Versions: 3.0.0, 2.3.0
Reporter: kirby zhou
At present, RangerKMS has six different MasterKey Providers. Among them, three types can access the MK, and KMS can complete the encryption and decryption of the ZoneKey by itself, and three types can only entrust the encryption and decryption of the ZoneKey to the MasterKey Provider.
Except for the built-in JDBC-based RangerMasterKey class, the other providers have more or less introduced a large number of dependencies. This makes the dependencies of KMS quite complicated and confusing. In the future, these dependencies may conflict. Therefore, it is necessary to refine the MasterKey Provider into a plug-in mechanism, similar to the plugin shim of Ranger Admin.
As a preliminary idea, we can define an MKProviderFactory interface which can create an instance of RangerKMSMKI from a URL. Then we use ServiceLoader<MKProviderFactory> to create the MK Provider at runtime. The dependencies of the actual MK Provider are hidden by the plugin class loader.
The URL schema can be like "mkp-azure://conffile/keyprefix", "mkp-jdbc://connectionstring", ...
Finally, we can unify the key import / export / migration CLI utilities.
Task Blocked on: https://issues.apache.org/jira/browse/RANGER-3682
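A sketch of the lookup the issue proposes, added here as an example; it is not part of the original message and is not Ranger code. The names MKProviderFactory and the "mkp-" URLs come from the issue, while the scheme() and create() methods, the MasterKeyProvider stand-in for RangerKMSMKI, and the MKProviderLoader class are assumptions. It fails closed when no factory, or more than one, claims a scheme.

```java
import java.net.URI;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.ServiceLoader;

public class MKProviderLoader {
    /** Stand-in for Ranger KMS's master key interface; its method set is assumed. */
    public interface MasterKeyProvider {
        String describe();
    }

    /** Hypothetical SPI: one implementation per plug-in jar, listed in META-INF/services. */
    public interface MKProviderFactory {
        String scheme();                                   // e.g. "mkp-jdbc"
        MasterKeyProvider create(URI uri) throws Exception;
    }

    /** Resolve a provider URL to exactly one factory, failing closed otherwise. */
    public static MasterKeyProvider load(String url, ClassLoader pluginLoader) throws Exception {
        URI uri = URI.create(url);
        String scheme = uri.getScheme() == null ? "" : uri.getScheme().toLowerCase(Locale.ROOT);
        if (!scheme.startsWith("mkp-")) {
            // Never echo the full URL: a connection string may carry credentials.
            throw new IllegalArgumentException("not a master key provider scheme: " + scheme);
        }
        List<MKProviderFactory> matches = new ArrayList<>();
        for (MKProviderFactory f : ServiceLoader.load(MKProviderFactory.class, pluginLoader)) {
            if (scheme.equals(f.scheme())) {
                matches.add(f);
            }
        }
        if (matches.size() != 1) {
            // Zero: plug-in missing. More than one: ambiguous, e.g. a stray jar on the path.
            throw new IllegalStateException(matches.size() + " factories registered for " + scheme);
        }
        return matches.get(0).create(uri);
    }

    public static void main(String[] args) throws Exception {
        // Constructed URL from the issue text; with no plug-in jars installed this is refused.
        try {
            load("mkp-jdbc://connectionstring", MKProviderLoader.class.getClassLoader());
        } catch (IllegalStateException e) {
            System.out.println("refused: " + e.getMessage());
        }
    }
}
```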