Posted to dev@ranger.apache.org by "kirby zhou (Jira)" <ji...@apache.org> on 2022/04/07 06:14:00 UTC

[jira] [Created] (RANGER-3701) Establish plug-in system for KMS MasterKeyProvider

kirby zhou created RANGER-3701:
----------------------------------

             Summary: Establish plug-in system for KMS MasterKeyProvider
                 Key: RANGER-3701
                 URL: https://issues.apache.org/jira/browse/RANGER-3701
             Project: Ranger
          Issue Type: Improvement
          Components: kms
    Affects Versions: 3.0.0, 2.3.0
            Reporter: kirby zhou


At present, RangerKMS has six different MasterKey Providers. Among them, three types can access the MK, and KMS can complete the encryption and decryption of the ZoneKey by itself, and three types can only entrust the encryption and decryption of the ZoneKey to the MasterKey Provider.

Except for the built-in JDBC-based RangerMasterKey class, the other providers have more or less introduced a large number of dependencies. This makes the dependencies of KMS quite complicated and confusing. In the future, these dependencies may conflict. Therefore, it is necessary to refine the MasterKey Provider into a plug-in mechanism, similar to the plugin shim of Ranger Admin.

 

A preliminary idea: we can define a MKProviderFactory interface which can create an instance of RangerKMSMKI from a URL. Then we use ServiceLoader<MKProviderFactory> to create the MK Provider at runtime. The dependencies of the actual MK Provider are hidden by the plugin class loader.

 

The URL schema can be like "mkp-azure://conffile/keyprefix", "mkp-jdbc://connectionstring", ...

 

At last, we can unify the key import / export / migration CLI utilities.

 

Task Blocked on: https://issues.apache.org/jira/browse/RANGER-3682

 



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
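
A sketch of the URL-to-provider lookup proposed in the issue, added here as an example; it is not Ranger code. `MkProviderLookup`, the `scheme()` method and the `MasterKeyProvider` stand-in for `RangerKMSMKI` are assumptions, and the factory in `main` is constructed so the demo runs without a plug-in jar. The lookup fails closed when no factory, or more than one, claims a scheme.

```java
import java.net.URI;
import java.util.ArrayList;
import java.util.List;
import java.util.ServiceLoader;
public class MkProviderLookup {
    /** Hypothetical stand-in for Ranger's RangerKMSMKI; its real methods are omitted. */
    public interface MasterKeyProvider { String describe(); }
    /** Hypothetical SPI from the proposal: one factory per "mkp-*" URL scheme. */
    public interface MKProviderFactory {
        String scheme();                                   // e.g. "mkp-jdbc"
        MasterKeyProvider create(URI url) throws Exception;
    }

    /** Resolve a provider URL against the given factories; any doubt is an error. */
    public static MasterKeyProvider open(String url, Iterable<MKProviderFactory> factories) throws Exception {
        URI uri = URI.create(url);                         // throws on malformed input
        String scheme = uri.getScheme();
        if (scheme == null || !scheme.startsWith("mkp-")) {
            throw new IllegalArgumentException("not a master key provider URL");
        }
        List<MKProviderFactory> matches = new ArrayList<>();
        for (MKProviderFactory f : factories) {
            if (scheme.equalsIgnoreCase(f.scheme())) matches.add(f);
        }
        // Zero or several factories for one scheme are both errors: never guess
        // which plug-in gets to handle the master key.
        if (matches.size() != 1) {
            // Report the scheme only; the rest of the URL may hold a connection string.
            throw new IllegalStateException(matches.size() + " factories for scheme " + scheme);
        }
        return matches.get(0).create(uri);
    }

    /** Runtime entry point: discover factories through ServiceLoader in the plug-in class loader. */
    public static MasterKeyProvider open(String url, ClassLoader pluginLoader) throws Exception {
        return open(url, ServiceLoader.load(MKProviderFactory.class, pluginLoader));
    }

    public static void main(String[] args) throws Exception {
        // Constructed in-memory factory standing in for a plug-in on the class path.
        MKProviderFactory jdbc = new MKProviderFactory() {
            public String scheme() { return "mkp-jdbc"; }
            public MasterKeyProvider create(URI u) { return () -> "jdbc-backed provider"; }
        };
        System.out.println(open("mkp-jdbc://connectionstring", List.of(jdbc)).describe());
        try { open("mkp-azure://conffile/keyprefix", List.of(jdbc)); }
        catch (IllegalStateException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```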