This is an automated email from the ASF dual-hosted git repository.
laiyingchun pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/kudu.git
The following commit(s) were added to refs/heads/master by this push:
new b341d099a [multi-tenancy] add tenant key generate api
b341d099a is described below
commit b341d099afee51f3ed6dac8a272d46ce975fb3d1
Author: kedeng <[email protected]>
AuthorDate: Thu Jul 6 16:57:50 2023 +0800
[multi-tenancy] add tenant key generate api
In the data at rest encryption scenario, we can
obtain the encryption key from KMS by specifying
the "cluster_key_name_". However, this cannot meet
the needs of multi-tenant scenario.
For multi-tenant scenario, it needs to obtain the
corresponding encryption key based on different
tenant IDs. Therefore, I added this implementation
in this patch.
Change-Id: Ib10fa08afe80e7314a7841ee962d910e2a57ee9b
Reviewed-on: http://gerrit.cloudera.org:8080/20165
Tested-by: Kudu Jenkins
Reviewed-by: Zoltan Martonka <[email protected]>
Reviewed-by: Yingchun Lai <[email protected]>
---
src/kudu/fs/default_key_provider-test.cc | 11 +++++++++++
src/kudu/fs/default_key_provider.h | 8 ++++++++
src/kudu/fs/key_provider.h | 6 ++++++
src/kudu/fs/ranger_kms_key_provider.cc | 22 +++++++++++++++-------
src/kudu/fs/ranger_kms_key_provider.h | 5 +++++
src/kudu/ranger-kms/ranger_kms_client.cc | 22 ++++++++++++++++++----
src/kudu/ranger-kms/ranger_kms_client.h | 10 ++++++++++
7 files changed, 73 insertions(+), 11 deletions(-)
diff --git a/src/kudu/fs/default_key_provider-test.cc
b/src/kudu/fs/default_key_provider-test.cc
index bc98644b2..b19414192 100644
--- a/src/kudu/fs/default_key_provider-test.cc
+++ b/src/kudu/fs/default_key_provider-test.cc
@@ -44,5 +44,16 @@ TEST_F(DefaultKeyProviderTest, TestEncryptAndDecrypt) {
ASSERT_NE(encryption_key, decrypted_key);
}
+TEST_F(DefaultKeyProviderTest, TestEncryptAndDecryptWithTenant) {
+ string encryption_key;
+ string iv;
+ string version;
+ string decrypted_key;
+ const string tenant_id = "00000000000000000000000000000000";
+ ASSERT_OK(key_provider_.GenerateTenantKey(tenant_id, &encryption_key, &iv,
&version));
+ ASSERT_OK(key_provider_.DecryptEncryptionKey(encryption_key, iv, version,
&decrypted_key));
+ ASSERT_NE(encryption_key, decrypted_key);
+}
+
} // namespace security
} // namespace kudu
diff --git a/src/kudu/fs/default_key_provider.h
b/src/kudu/fs/default_key_provider.h
index 928ec6caf..807ede669 100644
--- a/src/kudu/fs/default_key_provider.h
+++ b/src/kudu/fs/default_key_provider.h
@@ -67,6 +67,14 @@ public:
*key_version = "encryptionkey@0";
return Status::OK();
}
+
+ // The tenant id is useless in 'DefaultKeyProvider'.
+ Status GenerateTenantKey(const std::string& /* tenant_id */,
+ std::string* encryption_key,
+ std::string* iv,
+ std::string* key_version) override {
+ return GenerateEncryptionKey(encryption_key, iv, key_version);
+ }
};
} // namespace security
} // namespace kudu
diff --git a/src/kudu/fs/key_provider.h b/src/kudu/fs/key_provider.h
index c2e00a68d..d74e94599 100644
--- a/src/kudu/fs/key_provider.h
+++ b/src/kudu/fs/key_provider.h
@@ -40,6 +40,12 @@ class KeyProvider {
std::string* iv,
std::string* key_version) = 0;
+ // Generates an encryption key with the tenant_id.
+ virtual Status GenerateTenantKey(const std::string& tenant_id,
+ std::string* encryption_key,
+ std::string* iv,
+ std::string* key_version) = 0;
+
};
} // namespace security
} // namespace kudu
diff --git a/src/kudu/fs/ranger_kms_key_provider.cc
b/src/kudu/fs/ranger_kms_key_provider.cc
index 2bdecd7a1..be2eb2c4c 100644
--- a/src/kudu/fs/ranger_kms_key_provider.cc
+++ b/src/kudu/fs/ranger_kms_key_provider.cc
@@ -24,17 +24,25 @@ using std::string;
namespace kudu {
namespace security {
-Status RangerKMSKeyProvider::DecryptEncryptionKey(const std::string&
encryption_key,
- const std::string& iv,
- const std::string&
key_version,
- std::string* decrypted_key) {
+Status RangerKMSKeyProvider::DecryptEncryptionKey(const string& encryption_key,
+ const string& iv,
+ const string& key_version,
+ string* decrypted_key) {
return client_.DecryptEncryptionKey(encryption_key, iv, key_version,
decrypted_key);
}
-Status RangerKMSKeyProvider::GenerateEncryptionKey(std::string* encryption_key,
- std::string* iv,
- std::string* key_version) {
+Status RangerKMSKeyProvider::GenerateEncryptionKey(string* encryption_key,
+ string* iv,
+ string* key_version) {
return client_.GenerateEncryptionKey(encryption_key, iv, key_version);
}
+
+Status RangerKMSKeyProvider::GenerateTenantKey(const string& tenant_id,
+ string* encryption_key,
+ string* iv,
+ string* key_version) {
+ return client_.GenerateTenantKey(tenant_id, encryption_key, iv, key_version);
+}
+
} // namespace security
} // namespace kudu
diff --git a/src/kudu/fs/ranger_kms_key_provider.h
b/src/kudu/fs/ranger_kms_key_provider.h
index d99d2a362..f05968a69 100644
--- a/src/kudu/fs/ranger_kms_key_provider.h
+++ b/src/kudu/fs/ranger_kms_key_provider.h
@@ -44,6 +44,11 @@ class RangerKMSKeyProvider : public KeyProvider {
std::string* iv,
std::string* key_version) override;
+ // Generates an encryption key with the tenant_id.
+ Status GenerateTenantKey(const std::string& tenant_id,
+ std::string* encryption_key,
+ std::string* iv,
+ std::string* key_version) override;
private:
RangerKMSClient client_;
};
diff --git a/src/kudu/ranger-kms/ranger_kms_client.cc
b/src/kudu/ranger-kms/ranger_kms_client.cc
index ad6ab3010..79cd44c17 100644
--- a/src/kudu/ranger-kms/ranger_kms_client.cc
+++ b/src/kudu/ranger-kms/ranger_kms_client.cc
@@ -79,16 +79,17 @@ Status RangerKMSClient::DecryptEncryptionKey(const string&
encryption_key,
return Status::OK();
}
-Status RangerKMSClient::GenerateEncryptionKey(string* encryption_key,
- string* iv,
- string* key_version) {
+Status RangerKMSClient::GenerateEncryptionKeyFromKMS(const string& key_name,
+ string* encryption_key,
+ string* iv,
+ string* key_version) {
EasyCurl curl;
curl.set_auth(CurlAuthType::SPNEGO);
vector<string> urls;
urls.reserve(kms_urls_.size());
for (const auto& url : kms_urls_) {
urls.emplace_back(Substitute("$0/v1/key/$1/_eek?eek_op=generate&num_keys=1",
- url, cluster_key_name_));
+ url, key_name));
}
faststring resp;
RETURN_NOT_OK_PREPEND(curl.FetchURL(urls, &resp), "failed to generate
encryption key");
@@ -118,5 +119,18 @@ Status RangerKMSClient::GenerateEncryptionKey(string*
encryption_key,
return Status::OK();
}
+Status RangerKMSClient::GenerateTenantKey(const string& tenant_id,
+ string* encryption_key,
+ string* iv,
+ string* key_version) {
+ return GenerateEncryptionKeyFromKMS(tenant_id, encryption_key, iv,
key_version);
+}
+
+Status RangerKMSClient::GenerateEncryptionKey(string* encryption_key,
+ string* iv,
+ string* key_version) {
+ return GenerateEncryptionKeyFromKMS(cluster_key_name_, encryption_key, iv,
key_version);
+}
+
} // namespace security
} // namespace kudu
diff --git a/src/kudu/ranger-kms/ranger_kms_client.h
b/src/kudu/ranger-kms/ranger_kms_client.h
index 7180f40f7..28122b871 100644
--- a/src/kudu/ranger-kms/ranger_kms_client.h
+++ b/src/kudu/ranger-kms/ranger_kms_client.h
@@ -41,7 +41,17 @@ class RangerKMSClient {
std::string* iv,
std::string* key_version);
+ Status GenerateTenantKey(const std::string& tenant_id,
+ std::string* encryption_key,
+ std::string* iv,
+ std::string* key_version);
+
private:
+ Status GenerateEncryptionKeyFromKMS(const std::string& key_name,
+ std::string* encryption_key,
+ std::string* iv,
+ std::string* key_version);
+
std::vector<std::string> kms_urls_;
std::string cluster_key_name_;
