This is an automated email from the ASF dual-hosted git repository. laiyingchun pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/kudu.git
commit 195e1b51b141a78c20e5846273624b825c4d40fb Author: kedeng <[email protected]> AuthorDate: Wed May 17 17:10:26 2023 +0800 KUDU-3413 [multi-tenancy] add some renames for multi-tenancy For the convenience of introducing multi-tenancy feature, I have performed the following renaming operations in this patch: * rename server_key to encryption_key; * rename SetServerKey() to SetEncryptionKey(); * rename GenerateEncryptedServerKey(...) to GenerateEncryptionKey(...); * rename DecryptServerKey(...) to DecryptEncryptionKey(...); * rename DecryptKey(...) to DecryptEncryptionKey(...). Because no logical changes were made, no unit tests were added in this patch. Change-Id: Ic5bf51df9e7b9ebdaeb353049274cb18fa73a43a Reviewed-on: http://gerrit.cloudera.org:8080/19899 Tested-by: Kudu Jenkins Reviewed-by: Alexey Serbin <[email protected]> Reviewed-by: Yingchun Lai <[email protected]> --- src/kudu/consensus/raft_consensus_quorum-test.cc | 17 +++---- src/kudu/fs/default_key_provider-test.cc | 8 ++-- src/kudu/fs/default_key_provider.h | 28 ++++++------ src/kudu/fs/fs_manager.cc | 52 +++++++++++----------- src/kudu/fs/fs_manager.h | 16 +++---- src/kudu/fs/key_provider.h | 20 ++++----- src/kudu/fs/ranger_kms_key_provider.cc | 18 ++++---- src/kudu/fs/ranger_kms_key_provider.h | 26 +++++------ src/kudu/integration-tests/raft_consensus-itest.cc | 15 ++++--- src/kudu/mini-cluster/external_mini_cluster.cc | 14 +++--- src/kudu/mini-cluster/external_mini_cluster.h | 2 +- src/kudu/mini-cluster/internal_mini_cluster.h | 8 ++-- src/kudu/ranger-kms/ranger_kms_client.cc | 22 ++++----- src/kudu/ranger-kms/ranger_kms_client.h | 16 +++---- src/kudu/tools/tool_action_common.cc | 15 ++++--- src/kudu/tools/tool_action_common.h | 4 +- src/kudu/tools/tool_action_fs.cc | 16 +++---- src/kudu/tools/tool_action_pbc.cc | 4 +- src/kudu/tools/tool_action_wal.cc | 2 +- src/kudu/tserver/tablet_copy_client-test.cc | 16 +++---- src/kudu/util/env.h | 2 +- src/kudu/util/env_posix.cc | 44 +++++++++--------- 22 files changed, 184 insertions(+), 181 deletions(-) diff --git a/src/kudu/consensus/raft_consensus_quorum-test.cc b/src/kudu/consensus/raft_consensus_quorum-test.cc index 0a06db858..214d2282b 100644 --- a/src/kudu/consensus/raft_consensus_quorum-test.cc +++ b/src/kudu/consensus/raft_consensus_quorum-test.cc @@ -22,6 +22,7 @@ #include <optional> #include <ostream> #include <string> +#include <type_traits> #include <unordered_map> #include <unordered_set> #include <vector> @@ -134,17 +135,17 @@ class RaftConsensusQuorumTest : public KuduTest { opts.wal_root = test_path; opts.data_roots = { test_path }; unique_ptr<FsManager> fs_manager(new FsManager(env_, opts)); - string server_key; - string server_key_iv; - string server_key_version; - GetEncryptionKey(&server_key, &server_key_iv, &server_key_version); - if (server_key.empty()) { + string encryption_key; + string encryption_key_iv; + string encryption_key_version; + GetEncryptionKey(&encryption_key, &encryption_key_iv, &encryption_key_version); + if (encryption_key.empty()) { RETURN_NOT_OK(fs_manager->CreateInitialFileSystemLayout()); } else { RETURN_NOT_OK(fs_manager->CreateInitialFileSystemLayout(nullopt, - server_key, - server_key_iv, - server_key_version)); + encryption_key, + encryption_key_iv, + encryption_key_version)); } RETURN_NOT_OK(fs_manager->Open()); diff --git a/src/kudu/fs/default_key_provider-test.cc b/src/kudu/fs/default_key_provider-test.cc index fa9700f8f..bc98644b2 100644 --- a/src/kudu/fs/default_key_provider-test.cc +++ b/src/kudu/fs/default_key_provider-test.cc @@ -35,13 +35,13 @@ class DefaultKeyProviderTest : public KuduTest { }; TEST_F(DefaultKeyProviderTest, TestEncryptAndDecrypt) { - string encrypted_key; + string encryption_key; string iv; string version; string decrypted_key; - ASSERT_OK(key_provider_.GenerateEncryptedServerKey(&encrypted_key, &iv, &version)); - ASSERT_OK(key_provider_.DecryptServerKey(encrypted_key, iv, version, &decrypted_key)); - ASSERT_NE(encrypted_key, decrypted_key); + ASSERT_OK(key_provider_.GenerateEncryptionKey(&encryption_key, &iv, &version)); + ASSERT_OK(key_provider_.DecryptEncryptionKey(encryption_key, iv, version, &decrypted_key)); + ASSERT_NE(encryption_key, decrypted_key); } } // namespace security diff --git a/src/kudu/fs/default_key_provider.h b/src/kudu/fs/default_key_provider.h index 35eb4e15a..928ec6caf 100644 --- a/src/kudu/fs/default_key_provider.h +++ b/src/kudu/fs/default_key_provider.h @@ -30,29 +30,29 @@ namespace security { class DefaultKeyProvider : public KeyProvider { public: ~DefaultKeyProvider() override {} - Status DecryptServerKey(const std::string& encrypted_server_key, - const std::string& /*iv*/, - const std::string& /*key_version*/, - std::string* server_key) override { - *server_key = strings::a2b_hex(encrypted_server_key); + Status DecryptEncryptionKey(const std::string& encryption_key, + const std::string& /*iv*/, + const std::string& /*key_version*/, + std::string* decrypted_key) override { + *decrypted_key = strings::a2b_hex(encryption_key); #ifdef __linux__ - memfrob(server_key->data(), server_key->length()); + memfrob(decrypted_key->data(), decrypted_key->length()); #else // On Linux, memfrob() bitwise XORs the data with the magic number that is // the answer to the ultimate question of life, the universe, and // everything. On Mac, we do this manually. const uint8_t kMagic = 42; - for (auto i = 0; i < server_key->length(); ++i) { - server_key->data()[i] ^= kMagic; + for (auto i = 0; i < decrypted_key->length(); ++i) { + decrypted_key->data()[i] ^= kMagic; } #endif - *server_key = strings::b2a_hex(*server_key); + *decrypted_key = strings::b2a_hex(*decrypted_key); return Status::OK(); } - Status GenerateEncryptedServerKey(std::string* server_key, - std::string* iv, - std::string* key_version) override { + Status GenerateEncryptionKey(std::string* encryption_key, + std::string* iv, + std::string* key_version) override { uint8_t key_bytes[32]; uint8_t iv_bytes[32]; int num_bytes = 16; @@ -63,8 +63,8 @@ public: OPENSSL_RET_NOT_OK(RAND_bytes(iv_bytes, num_bytes), "Failed to generate random key"); strings::b2a_hex(iv_bytes, iv, num_bytes); - DecryptServerKey(dek, *iv, *key_version, server_key); - *key_version = "clusterkey@0"; + DecryptEncryptionKey(dek, *iv, *key_version, encryption_key); + *key_version = "encryptionkey@0"; return Status::OK(); } }; diff --git a/src/kudu/fs/fs_manager.cc b/src/kudu/fs/fs_manager.cc index 9f52001f5..c78cda902 100644 --- a/src/kudu/fs/fs_manager.cc +++ b/src/kudu/fs/fs_manager.cc @@ -505,16 +505,16 @@ Status FsManager::Open(FsReport* report, Timer* read_instance_metadata_files, } if (!server_key().empty() && key_provider_) { - string server_key; - RETURN_NOT_OK(key_provider_->DecryptServerKey(this->server_key(), - this->server_key_iv(), - this->server_key_version(), - &server_key)); - // 'server_key' is a hexadecimal string and SetEncryptionKey expects bits + string decrypted_key; + RETURN_NOT_OK(key_provider_->DecryptEncryptionKey(this->server_key(), + this->server_key_iv(), + this->server_key_version(), + &decrypted_key)); + // 'decrypted_key' is a hexadecimal string and SetEncryptionKey expects bits // (hex / 2 = bytes * 8 = bits). env_->SetEncryptionKey(reinterpret_cast<const uint8_t*>( - a2b_hex(server_key).c_str()), - server_key.length() * 4); + a2b_hex(decrypted_key).c_str()), + decrypted_key.length() * 4); } // Open the directory manager if it has not been opened already. @@ -597,9 +597,9 @@ Status FsManager::Open(FsReport* report, Timer* read_instance_metadata_files, } Status FsManager::CreateInitialFileSystemLayout(optional<string> uuid, - optional<string> server_key, - optional<string> server_key_iv, - optional<string> server_key_version) { + optional<string> encryption_key, + optional<string> encryption_key_iv, + optional<string> encryption_key_version) { CHECK(!opts_.read_only); RETURN_NOT_OK(Init()); @@ -624,9 +624,9 @@ Status FsManager::CreateInitialFileSystemLayout(optional<string> uuid, // Files/directories created will NOT be synchronized to disk. InstanceMetadataPB metadata; RETURN_NOT_OK_PREPEND(CreateInstanceMetadata(std::move(uuid), - std::move(server_key), - std::move(server_key_iv), - std::move(server_key_version), + std::move(encryption_key), + std::move(encryption_key_iv), + std::move(encryption_key_version), &metadata), "unable to create instance metadata"); RETURN_NOT_OK_PREPEND(FsManager::CreateFileSystemRoots( @@ -722,9 +722,9 @@ Status FsManager::CreateFileSystemRoots( } Status FsManager::CreateInstanceMetadata(optional<string> uuid, - optional<string> server_key, - optional<string> server_key_iv, - optional<string> server_key_version, + optional<string> encryption_key, + optional<string> encryption_key_iv, + optional<string> encryption_key_version, InstanceMetadataPB* metadata) { if (uuid) { string canonicalized_uuid; @@ -733,20 +733,20 @@ Status FsManager::CreateInstanceMetadata(optional<string> uuid, } else { metadata->set_uuid(oid_generator_.Next()); } - if (server_key && server_key_iv && server_key_version) { - metadata->set_server_key(*server_key); - metadata->set_server_key_iv(*server_key_iv); - metadata->set_server_key_version(*server_key_version); - } else if (server_key || server_key_iv || server_key_version) { + if (encryption_key && encryption_key_iv && encryption_key_version) { + metadata->set_server_key(*encryption_key); + metadata->set_server_key_iv(*encryption_key_iv); + metadata->set_server_key_version(*encryption_key_version); + } else if (encryption_key || encryption_key_iv || encryption_key_version) { return Status::InvalidArgument( - "'server_key', 'server_key_iv', and 'server_key_version' must be specified " + "'encryption_key', 'encryption_key_iv', and 'encryption_key_version' must be specified " "together (either all of them must be specified, or none of them)."); } else if (FLAGS_encrypt_data_at_rest) { string key_version; RETURN_NOT_OK_PREPEND( - key_provider_->GenerateEncryptedServerKey(metadata->mutable_server_key(), - metadata->mutable_server_key_iv(), - &key_version), + key_provider_->GenerateEncryptionKey(metadata->mutable_server_key(), + metadata->mutable_server_key_iv(), + &key_version), "failed to generate encrypted server key"); metadata->set_server_key_version(key_version); } diff --git a/src/kudu/fs/fs_manager.h b/src/kudu/fs/fs_manager.h index 42fa2d840..f38d8a2c3 100644 --- a/src/kudu/fs/fs_manager.h +++ b/src/kudu/fs/fs_manager.h @@ -205,17 +205,17 @@ class FsManager { std::atomic<int>* containers_total = nullptr ); // Create the initial filesystem layout. If 'uuid' is provided, uses it as - // uuid of the filesystem. Otherwise generates one at random. If 'server_key', - // 'server_key_iv', and 'server_key_version' are provided, they are used as + // uuid of the filesystem. Otherwise generates one at random. If 'encryption_key', + // 'encryption_key_iv', and 'encryption_key_version' are provided, they are used as // the server key of the filesystem. Otherwise, if encryption is enabled, // generates one at random. // // Returns an error if the file system is already initialized. Status CreateInitialFileSystemLayout( std::optional<std::string> uuid = std::nullopt, - std::optional<std::string> server_key = std::nullopt, - std::optional<std::string> server_key_iv = std::nullopt, - std::optional<std::string> server_key_version = std::nullopt); + std::optional<std::string> encryption_key = std::nullopt, + std::optional<std::string> encryption_key_iv = std::nullopt, + std::optional<std::string> encryption_key_version = std::nullopt); // ========================================================================== // Error handling helpers @@ -372,9 +372,9 @@ class FsManager { // Create a new InstanceMetadataPB. Status CreateInstanceMetadata(std::optional<std::string> uuid, - std::optional<std::string> server_key, - std::optional<std::string> server_key_iv, - std::optional<std::string> server_key_version, + std::optional<std::string> encryption_key, + std::optional<std::string> encryption_key_iv, + std::optional<std::string> encryption_key_version, InstanceMetadataPB* metadata); // Save a InstanceMetadataPB to the filesystem. diff --git a/src/kudu/fs/key_provider.h b/src/kudu/fs/key_provider.h index b5a558402..c2e00a68d 100644 --- a/src/kudu/fs/key_provider.h +++ b/src/kudu/fs/key_provider.h @@ -24,21 +24,21 @@ namespace kudu { namespace security { -// An interface for encrypting and decrypting Kudu's server keys. +// An interface for encrypting and decrypting Kudu's encryption keys. class KeyProvider { public: virtual ~KeyProvider() = default; - // Decrypts the server key. - virtual Status DecryptServerKey(const std::string& encrypted_server_key, - const std::string& iv, - const std::string& key_version, - std::string* server_key) = 0; + // Decrypts the encryption key. + virtual Status DecryptEncryptionKey(const std::string& encryption_key, + const std::string& iv, + const std::string& key_version, + std::string* decrypted_key) = 0; - // Generates an encrypted server key. - virtual Status GenerateEncryptedServerKey(std::string* encrypted_server_key, - std::string* iv, - std::string* key_version) = 0; + // Generates an encryption key (the generated key is encrypted). + virtual Status GenerateEncryptionKey(std::string* encryption_key, + std::string* iv, + std::string* key_version) = 0; }; } // namespace security diff --git a/src/kudu/fs/ranger_kms_key_provider.cc b/src/kudu/fs/ranger_kms_key_provider.cc index d0beb493f..2bdecd7a1 100644 --- a/src/kudu/fs/ranger_kms_key_provider.cc +++ b/src/kudu/fs/ranger_kms_key_provider.cc @@ -24,17 +24,17 @@ using std::string; namespace kudu { namespace security { -Status RangerKMSKeyProvider::DecryptServerKey(const std::string& encrypted_server_key, - const std::string& iv, - const std::string& key_version, - std::string* server_key) { - return client_.DecryptKey(encrypted_server_key, iv, key_version, server_key); +Status RangerKMSKeyProvider::DecryptEncryptionKey(const std::string& encryption_key, + const std::string& iv, + const std::string& key_version, + std::string* decrypted_key) { + return client_.DecryptEncryptionKey(encryption_key, iv, key_version, decrypted_key); } -Status RangerKMSKeyProvider::GenerateEncryptedServerKey(std::string* encrypted_server_key, - std::string* iv, - std::string* key_version) { - return client_.GenerateEncryptedServerKey(encrypted_server_key, iv, key_version); +Status RangerKMSKeyProvider::GenerateEncryptionKey(std::string* encryption_key, + std::string* iv, + std::string* key_version) { + return client_.GenerateEncryptionKey(encryption_key, iv, key_version); } } // namespace security } // namespace kudu diff --git a/src/kudu/fs/ranger_kms_key_provider.h b/src/kudu/fs/ranger_kms_key_provider.h index eef22b3c2..d99d2a362 100644 --- a/src/kudu/fs/ranger_kms_key_provider.h +++ b/src/kudu/fs/ranger_kms_key_provider.h @@ -30,19 +30,19 @@ class RangerKMSKeyProvider : public KeyProvider { public: ~RangerKMSKeyProvider() override {} - RangerKMSKeyProvider(std::string kms_url, std::string cluster_key_name) - : client_(std::move(kms_url), std::move(cluster_key_name)) {} - - // Decrypts the server key. - Status DecryptServerKey(const std::string& encrypted_server_key, - const std::string& iv, - const std::string& key_version, - std::string* server_key) override; - - // Generates an encrypted server key. - Status GenerateEncryptedServerKey(std::string* encrypted_server_key, - std::string* iv, - std::string* key_version) override; + RangerKMSKeyProvider(const std::string& kms_url, std::string cluster_key_name) + : client_(kms_url, std::move(cluster_key_name)) {} + + // Decrypts the encryption key. + Status DecryptEncryptionKey(const std::string& encryption_key, + const std::string& iv, + const std::string& key_version, + std::string* decrypted_key) override; + + // Generates an encryption key (the generated key is encrypted). + Status GenerateEncryptionKey(std::string* encryption_key, + std::string* iv, + std::string* key_version) override; private: RangerKMSClient client_; diff --git a/src/kudu/integration-tests/raft_consensus-itest.cc b/src/kudu/integration-tests/raft_consensus-itest.cc index bfefe1abd..ee1055710 100644 --- a/src/kudu/integration-tests/raft_consensus-itest.cc +++ b/src/kudu/integration-tests/raft_consensus-itest.cc @@ -22,6 +22,7 @@ #include <ostream> #include <string> #include <thread> +#include <type_traits> #include <unordered_map> #include <utility> #include <vector> @@ -828,13 +829,13 @@ TEST_P(RaftConsensusParamEncryptionITest, TestCatchupAfterOpsEvicted) { // process, as both of them access encrypted files. SetEncryptionFlags(true); kTsFlags.emplace_back("--encrypt_data_at_rest=true"); - string server_key; - string server_key_iv; - string server_key_version; - GetEncryptionKey(&server_key, &server_key_iv, &server_key_version); - kTsFlags.emplace_back("--test_server_key=" + server_key); - kTsFlags.emplace_back("--test_server_key_iv=" + server_key_iv); - kTsFlags.emplace_back("--test_server_key_version=" + server_key_version); + string encryption_key; + string encryption_key_iv; + string encryption_key_version; + GetEncryptionKey(&encryption_key, &encryption_key_iv, &encryption_key_version); + kTsFlags.emplace_back("--test_server_key=" + encryption_key); + kTsFlags.emplace_back("--test_server_key_iv=" + encryption_key_iv); + kTsFlags.emplace_back("--test_server_key_version=" + encryption_key_version); } NO_FATALS(BuildAndStart(kTsFlags)); diff --git a/src/kudu/mini-cluster/external_mini_cluster.cc b/src/kudu/mini-cluster/external_mini_cluster.cc index 66bc8d2da..079857852 100644 --- a/src/kudu/mini-cluster/external_mini_cluster.cc +++ b/src/kudu/mini-cluster/external_mini_cluster.cc @@ -603,7 +603,7 @@ Status ExternalMiniCluster::StartMasters() { scoped_refptr<ExternalMaster> peer; RETURN_NOT_OK(CreateMaster(master_rpc_addrs, i, &peer)); RETURN_NOT_OK_PREPEND(peer->Start(), Substitute("Unable to start Master at index $0", i)); - RETURN_NOT_OK(peer->SetServerKey()); + RETURN_NOT_OK(peer->SetEncryptionKey()); masters_.emplace_back(std::move(peer)); } return Status::OK(); @@ -680,7 +680,7 @@ Status ExternalMiniCluster::AddTabletServer() { } RETURN_NOT_OK(ts->Start()); - RETURN_NOT_OK(ts->SetServerKey()); + RETURN_NOT_OK(ts->SetEncryptionKey()); tablet_servers_.push_back(ts); return Status::OK(); } @@ -1370,17 +1370,17 @@ Env* ExternalDaemon::env() const { return Env::Default(); } -Status ExternalDaemon::SetServerKey() { +Status ExternalDaemon::SetEncryptionKey() { string path = JoinPathSegments(this->wal_dir(), "instance");; LOG(INFO) << "Reading " << path; InstanceMetadataPB instance; RETURN_NOT_OK(pb_util::ReadPBContainerFromPath(env(), path, &instance, pb_util::NOT_SENSITIVE)); if (!instance.server_key().empty()) { string key; - RETURN_NOT_OK(key_provider_->DecryptServerKey(instance.server_key(), - instance.server_key_iv(), - instance.server_key_version(), - &key)); + RETURN_NOT_OK(key_provider_->DecryptEncryptionKey(instance.server_key(), + instance.server_key_iv(), + instance.server_key_version(), + &key)); LOG(INFO) << "Setting key " << key; env()->SetEncryptionKey(reinterpret_cast<const uint8_t*>(a2b_hex(key).c_str()), key.size() * 4); } diff --git a/src/kudu/mini-cluster/external_mini_cluster.h b/src/kudu/mini-cluster/external_mini_cluster.h index 5cf7abe69..41dd7076d 100644 --- a/src/kudu/mini-cluster/external_mini_cluster.h +++ b/src/kudu/mini-cluster/external_mini_cluster.h @@ -716,7 +716,7 @@ class ExternalDaemon : public RefCountedThreadSafe<ExternalDaemon> { const std::string& principal_base, const std::string& bind_host); - Status SetServerKey(); + Status SetEncryptionKey(); // Sends a SIGSTOP signal to the daemon. Status Pause() WARN_UNUSED_RESULT; diff --git a/src/kudu/mini-cluster/internal_mini_cluster.h b/src/kudu/mini-cluster/internal_mini_cluster.h index 185bb91ce..422078378 100644 --- a/src/kudu/mini-cluster/internal_mini_cluster.h +++ b/src/kudu/mini-cluster/internal_mini_cluster.h @@ -165,16 +165,16 @@ class InternalMiniCluster : public MiniCluster { } // Returns the default environment. As the servers in an internal mini-cluster - // share the same Env, each tablet server uses the same server key, so the + // share the same Env, each tablet server uses the same encryption key, so the // default Env can be used here. - Env* ts_env(int ts_idx) const override { + Env* ts_env(int /* ts_idx */) const override { return env_; } // Returns the default environment. As the servers in an internal mini-cluster - // share the same Env, each master uses the same server key, so the default + // share the same Env, each master uses the same encryption key, so the default // Env can be used here. - Env* master_env(int master_idx) const override { + Env* master_env(int /* master_idx */) const override { return env_; } diff --git a/src/kudu/ranger-kms/ranger_kms_client.cc b/src/kudu/ranger-kms/ranger_kms_client.cc index d2e380432..279735c31 100644 --- a/src/kudu/ranger-kms/ranger_kms_client.cc +++ b/src/kudu/ranger-kms/ranger_kms_client.cc @@ -42,17 +42,17 @@ using strings::WebSafeBase64Unescape; namespace kudu { namespace security { -Status RangerKMSClient::DecryptKey(const string& encrypted_key, - const string& iv, - const string& key_version, - string* decrypted_key) { +Status RangerKMSClient::DecryptEncryptionKey(const string& encryption_key, + const string& iv, + const string& key_version, + string* decrypted_key) { EasyJson payload; payload.Set("name", cluster_key_name_); string iv_plain = a2b_hex(iv); string iv_b64; WebSafeBase64Escape(iv_plain, &iv_b64); payload.Set("iv", iv_b64); - string eek_plain = a2b_hex(encrypted_key); + string eek_plain = a2b_hex(encryption_key); string eek_b64; WebSafeBase64Escape(eek_plain, &eek_b64); payload.Set("material", eek_b64); @@ -67,7 +67,7 @@ Status RangerKMSClient::DecryptKey(const string& encrypted_key, faststring resp; RETURN_NOT_OK_PREPEND( curl.PostToURL(urls, payload.ToString(), &resp, {"Content-Type: application/json"}), - "failed to decrypt server key"); + "failed to decrypt encryption key"); JsonReader r(resp.ToString()); RETURN_NOT_OK(r.Init()); string dek_b64; @@ -78,9 +78,9 @@ Status RangerKMSClient::DecryptKey(const string& encrypted_key, return Status::OK(); } -Status RangerKMSClient::GenerateEncryptedServerKey(string* encrypted_key, - string* iv, - string* key_version) { +Status RangerKMSClient::GenerateEncryptionKey(string* encryption_key, + string* iv, + string* key_version) { EasyCurl curl; curl.set_auth(CurlAuthType::SPNEGO); vector<string> urls; @@ -90,7 +90,7 @@ Status RangerKMSClient::GenerateEncryptedServerKey(string* encrypted_key, url, cluster_key_name_)); } faststring resp; - RETURN_NOT_OK_PREPEND(curl.FetchURL(urls, &resp), "failed to generate server key"); + RETURN_NOT_OK_PREPEND(curl.FetchURL(urls, &resp), "failed to generate encryption key"); JsonReader r(resp.ToString()); RETURN_NOT_OK(r.Init()); vector<const Value*> keys; @@ -113,7 +113,7 @@ Status RangerKMSClient::GenerateEncryptedServerKey(string* encrypted_key, if (!WebSafeBase64Unescape(key_b64, &key_plain)) { return Status::Corruption("Invalid encryption key received"); } - *encrypted_key = b2a_hex(key_plain); + *encryption_key = b2a_hex(key_plain); return Status::OK(); } diff --git a/src/kudu/ranger-kms/ranger_kms_client.h b/src/kudu/ranger-kms/ranger_kms_client.h index df144ffca..7180f40f7 100644 --- a/src/kudu/ranger-kms/ranger_kms_client.h +++ b/src/kudu/ranger-kms/ranger_kms_client.h @@ -32,14 +32,14 @@ class RangerKMSClient { : kms_urls_(strings::Split(kms_url, ",", strings::SkipEmpty())), cluster_key_name_(std::move(cluster_key_name)) {} - Status DecryptKey(const std::string& encrypted_key, - const std::string& iv, - const std::string& key_version, - std::string* decrypted_key); - - Status GenerateEncryptedServerKey(std::string* encrypted_key, - std::string* iv, - std::string* key_version); + Status DecryptEncryptionKey(const std::string& encryption_key, + const std::string& iv, + const std::string& key_version, + std::string* decrypted_key); + + Status GenerateEncryptionKey(std::string* encryption_key, + std::string* iv, + std::string* key_version); private: std::vector<std::string> kms_urls_; diff --git a/src/kudu/tools/tool_action_common.cc b/src/kudu/tools/tool_action_common.cc index f8413ee7f..e39b506b7 100644 --- a/src/kudu/tools/tool_action_common.cc +++ b/src/kudu/tools/tool_action_common.cc @@ -951,7 +951,7 @@ Status GetKuduToolAbsolutePathSafe(string* path) { return Status::OK(); } -Status SetServerKey() { +Status SetEncryptionKey() { if (FLAGS_instance_file.empty()) { return Status::OK(); } @@ -972,12 +972,13 @@ Status SetServerKey() { key_provider.reset(new DefaultKeyProvider()); } - string server_key; - RETURN_NOT_OK(key_provider->DecryptServerKey(instance.server_key(), - instance.server_key_iv(), - instance.server_key_version(), - &server_key)); - Env::Default()->SetEncryptionKey(reinterpret_cast<const uint8_t*>(a2b_hex(server_key).c_str()), + string decrypted_key; + RETURN_NOT_OK(key_provider->DecryptEncryptionKey(instance.server_key(), + instance.server_key_iv(), + instance.server_key_version(), + &decrypted_key)); + Env::Default()->SetEncryptionKey(reinterpret_cast<const uint8_t*>( + a2b_hex(decrypted_key).c_str()), key.length() * 4); } diff --git a/src/kudu/tools/tool_action_common.h b/src/kudu/tools/tool_action_common.h index 157c4aa86..061b4c677 100644 --- a/src/kudu/tools/tool_action_common.h +++ b/src/kudu/tools/tool_action_common.h @@ -246,8 +246,8 @@ Status MasterAddressesToSet( Status VerifyMasterAddressList(const std::vector<std::string>& master_addresses); // Parses the instance file set by the 'instance_file' flag, and sets the -// server key on the default Env. -Status SetServerKey(); +// encryption key on the default Env. +Status SetEncryptionKey(); // A table of data to present to the user. // diff --git a/src/kudu/tools/tool_action_fs.cc b/src/kudu/tools/tool_action_fs.cc index 98de4c9ff..505e0da13 100644 --- a/src/kudu/tools/tool_action_fs.cc +++ b/src/kudu/tools/tool_action_fs.cc @@ -247,21 +247,21 @@ Status Check(const RunnerContext& /*context*/) { Status Format(const RunnerContext& /*context*/) { FsManager fs_manager(Env::Default()); optional<string> uuid; - optional<string> server_key; - optional<string> server_key_iv; - optional<string> server_key_version; + optional<string> encryption_key; + optional<string> encryption_key_iv; + optional<string> encryption_key_version; if (!FLAGS_uuid.empty()) { uuid = FLAGS_uuid; } if (!FLAGS_server_key.empty() && !FLAGS_server_key_iv.empty() && !FLAGS_server_key_version.empty()) { - server_key = FLAGS_server_key; - server_key_iv = FLAGS_server_key_iv; - server_key_version = FLAGS_server_key_version; + encryption_key = FLAGS_server_key; + encryption_key_iv = FLAGS_server_key_iv; + encryption_key_version = FLAGS_server_key_version; } - return fs_manager.CreateInitialFileSystemLayout(uuid, server_key, - server_key_iv, server_key_version); + return fs_manager.CreateInitialFileSystemLayout(uuid, encryption_key, + encryption_key_iv, encryption_key_version); } Status DumpUuid(const RunnerContext& /*context*/) { diff --git a/src/kudu/tools/tool_action_pbc.cc b/src/kudu/tools/tool_action_pbc.cc index 37ce9f37a..88dc49672 100644 --- a/src/kudu/tools/tool_action_pbc.cc +++ b/src/kudu/tools/tool_action_pbc.cc @@ -127,7 +127,7 @@ Status DumpPBContainerFile(const RunnerContext& context) { format = ReadablePBContainerFile::Format::DEBUG; } - RETURN_NOT_OK(SetServerKey()); + RETURN_NOT_OK(SetEncryptionKey()); Env* env = Env::Default(); unique_ptr<RandomAccessFile> reader; RandomAccessFileOptions opts; @@ -160,7 +160,7 @@ Status RunEditor(const string& path) { } Status EditFile(const RunnerContext& context) { - RETURN_NOT_OK(SetServerKey()); + RETURN_NOT_OK(SetEncryptionKey()); Env* env = Env::Default(); const string& path = FindOrDie(context.required_args, kPathArg); const string& dir = DirName(path); diff --git a/src/kudu/tools/tool_action_wal.cc b/src/kudu/tools/tool_action_wal.cc index 11128ce42..6489a1455 100644 --- a/src/kudu/tools/tool_action_wal.cc +++ b/src/kudu/tools/tool_action_wal.cc @@ -41,7 +41,7 @@ namespace { const char* const kPathArg = "path"; Status Dump(const RunnerContext& context) { - RETURN_NOT_OK(SetServerKey()); + RETURN_NOT_OK(SetEncryptionKey()); const string& segment_path = FindOrDie(context.required_args, kPathArg); scoped_refptr<ReadableLogSegment> segment; diff --git a/src/kudu/tserver/tablet_copy_client-test.cc b/src/kudu/tserver/tablet_copy_client-test.cc index 6fff5dbe3..ed1f87380 100644 --- a/src/kudu/tserver/tablet_copy_client-test.cc +++ b/src/kudu/tserver/tablet_copy_client-test.cc @@ -124,17 +124,17 @@ class TabletCopyClientTest : public TabletCopyTest { metric_entity_ = METRIC_ENTITY_server.Instantiate(&metric_registry_, "test"); opts.metric_entity = metric_entity_; fs_manager_.reset(new FsManager(Env::Default(), opts)); - string server_key; - string server_key_iv; - string server_key_version; - GetEncryptionKey(&server_key, &server_key_iv, &server_key_version); - if (server_key.empty()) { + string encryption_key; + string encryption_key_iv; + string encryption_key_version; + GetEncryptionKey(&encryption_key, &encryption_key_iv, &encryption_key_version); + if (encryption_key.empty()) { ASSERT_OK(fs_manager_->CreateInitialFileSystemLayout()); } else { ASSERT_OK(fs_manager_->CreateInitialFileSystemLayout(std::nullopt, - server_key, - server_key_iv, - server_key_version)); + encryption_key, + encryption_key_iv, + encryption_key_version)); } ASSERT_OK(fs_manager_->Open()); ASSERT_OK(ResetTabletCopyClient()); diff --git a/src/kudu/util/env.h b/src/kudu/util/env.h index b4674b34b..15d1c13dc 100644 --- a/src/kudu/util/env.h +++ b/src/kudu/util/env.h @@ -426,7 +426,7 @@ class Fifo : public File { // Initializes the default environment with encryption enabled using the // given AES key. - static Status InitializeEncryptedEnv(int key_size, uint8_t* server_key); + static Status InitializeEncryptedEnv(int key_size, uint8_t* encryption_key); // Returns the write fd, set when opened for writes. The fifo must have been // opened for writes before calling. diff --git a/src/kudu/util/env_posix.cc b/src/kudu/util/env_posix.cc index 82b4d9398..3f8302971 100644 --- a/src/kudu/util/env_posix.cc +++ b/src/kudu/util/env_posix.cc @@ -751,7 +751,7 @@ Status GenerateHeader(EncryptionHeader* eh) { return Status::OK(); } -Status WriteEncryptionHeader(int fd, const string& filename, const EncryptionHeader& server_key, +Status WriteEncryptionHeader(int fd, const string& filename, const EncryptionHeader& encryption_key, const EncryptionHeader& eh) { vector<Slice> headerv = { kEncryptionHeaderMagic }; uint32_t key_size; @@ -781,7 +781,7 @@ Status WriteEncryptionHeader(int fd, const string& filename, const EncryptionHea Slice efk(encrypted_file_key, key_size); vector<Slice> clear = {file_key}; vector<Slice> cipher = {efk}; - RETURN_NOT_OK(DoEncryptV(&server_key, 0, clear, cipher)); + RETURN_NOT_OK(DoEncryptV(&encryption_key, 0, clear, cipher)); // Add the encrypted file key and trailing zeros to the header. headerv.emplace_back(efk); @@ -810,10 +810,10 @@ Status DoIsOnXfsFilesystem(const string& path, bool* result) { return Status::OK(); } -Status ReadEncryptionHeader(int fd, const string& filename, const EncryptionHeader& server_key, +Status ReadEncryptionHeader(int fd, const string& filename, const EncryptionHeader& encryption_key, EncryptionHeader* eh) { char magic[7]; - uint8_t algorithm[1]; + uint8_t algorithm[1] = {0}; char file_key[32]; vector<Slice> headerv({ Slice(magic, 7), Slice(algorithm, 1), Slice(file_key, 32) }); RETURN_NOT_OK(DoReadV(fd, filename, 0, headerv, nullptr)); @@ -839,7 +839,7 @@ Status ReadEncryptionHeader(int fd, const string& filename, const EncryptionHead // the file. The actual key size can be used when storing the key in memory. // See WriteEncryptionHeader for more info. vector<Slice> v = {Slice(file_key, (key_size + 15) & -16)}; - RETURN_NOT_OK(DoDecryptV(&server_key, 0, v)); + RETURN_NOT_OK(DoDecryptV(&encryption_key, 0, v)); memcpy(&eh->key, file_key, key_size); return Status::OK(); } @@ -1531,10 +1531,10 @@ class PosixEnv : public Env { bool encrypted = opts.is_sensitive && IsEncryptionEnabled(); EncryptionHeader header; if (encrypted) { - DCHECK(server_key_); + DCHECK(encryption_key_); int fd; RETURN_NOT_OK(DoOpen(fname, OpenMode::MUST_EXIST, &fd)); - RETURN_NOT_OK(ReadEncryptionHeader(fd, fname, *server_key_, &header)); + RETURN_NOT_OK(ReadEncryptionHeader(fd, fname, *encryption_key_, &header)); if (fseek(f, kEncryptionHeaderSize, SEEK_CUR)) { return IOError(fname, errno); } @@ -1562,8 +1562,8 @@ class PosixEnv : public Env { EncryptionHeader header; bool encrypted = opts.is_sensitive && IsEncryptionEnabled(); if (encrypted) { - DCHECK(server_key_); - RETURN_NOT_OK(ReadEncryptionHeader(fd, fname, *server_key_, &header)); + DCHECK(encryption_key_); + RETURN_NOT_OK(ReadEncryptionHeader(fd, fname, *encryption_key_, &header)); } result->reset(new PosixRandomAccessFile(fname, fd, encrypted, header)); @@ -1606,7 +1606,7 @@ class PosixEnv : public Env { const string& fname, unique_ptr<RWFile>* result) OVERRIDE { TRACE_EVENT1("io", "PosixEnv::NewRWFile", "path", fname); - int fd; + int fd = 0; bool encrypt = opts.is_sensitive && IsEncryptionEnabled(); uint64_t size = 0; if (opts.mode == MUST_EXIST) { @@ -1618,12 +1618,12 @@ class PosixEnv : public Env { RETURN_NOT_OK(DoOpen(fname, opts.mode, &fd)); EncryptionHeader eh; if (encrypt) { - DCHECK(server_key_); + DCHECK(encryption_key_); if (size >= kEncryptionHeaderSize) { - RETURN_NOT_OK(ReadEncryptionHeader(fd, fname, *server_key_, &eh)); + RETURN_NOT_OK(ReadEncryptionHeader(fd, fname, *encryption_key_, &eh)); } else { RETURN_NOT_OK(GenerateHeader(&eh)); - RETURN_NOT_OK(WriteEncryptionHeader(fd, fname, *server_key_, eh)); + RETURN_NOT_OK(WriteEncryptionHeader(fd, fname, *encryption_key_, eh)); } } result->reset(new PosixRWFile(fname, fd, opts.sync_on_close, @@ -1639,9 +1639,9 @@ class PosixEnv : public Env { bool encrypt = opts.is_sensitive && IsEncryptionEnabled(); EncryptionHeader eh; if (encrypt) { - DCHECK(server_key_); + DCHECK(encryption_key_); RETURN_NOT_OK(GenerateHeader(&eh)); - RETURN_NOT_OK(WriteEncryptionHeader(fd, *created_filename, *server_key_, eh)); + RETURN_NOT_OK(WriteEncryptionHeader(fd, *created_filename, *encryption_key_, eh)); } res->reset(new PosixRWFile(*created_filename, fd, opts.sync_on_close, encrypt, eh)); @@ -2262,7 +2262,7 @@ class PosixEnv : public Env { bool IsEncryptionEnabled() const override { return FLAGS_encrypt_data_at_rest; } - void SetEncryptionKey(const uint8_t* server_key, size_t key_size) override { + void SetEncryptionKey(const uint8_t* encryption_key, size_t key_size) override { EncryptionHeader eh; switch (key_size) { case 128: @@ -2277,8 +2277,8 @@ class PosixEnv : public Env { default: LOG(FATAL) << "Illegal key size: " << key_size; } - memcpy(eh.key, server_key, key_size / 8); - server_key_ = eh; + memcpy(eh.key, encryption_key, key_size / 8); + encryption_key_ = eh; } private: @@ -2329,13 +2329,13 @@ class PosixEnv : public Env { bool encrypt = opts.is_sensitive && IsEncryptionEnabled(); EncryptionHeader eh; if (encrypt) { - DCHECK(server_key_); + DCHECK(encryption_key_); if (file_size < kEncryptionHeaderSize) { RETURN_NOT_OK(GenerateHeader(&eh)); - RETURN_NOT_OK(WriteEncryptionHeader(fd, fname, *server_key_, eh)); + RETURN_NOT_OK(WriteEncryptionHeader(fd, fname, *encryption_key_, eh)); file_size = kEncryptionHeaderSize; } else { - RETURN_NOT_OK(ReadEncryptionHeader(fd, fname, *server_key_, &eh)); + RETURN_NOT_OK(ReadEncryptionHeader(fd, fname, *encryption_key_, &eh)); } } result->reset(new PosixWritableFile(fname, fd, file_size, opts.sync_on_close, @@ -2387,7 +2387,7 @@ class PosixEnv : public Env { return Status::OK(); } - std::optional<EncryptionHeader> server_key_; + std::optional<EncryptionHeader> encryption_key_; }; } // namespace
