-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73807/
-----------------------------------------------------------

(Updated January 19, 2022, 3:30 a.m.)


Review request for ranger, Dhaval Shah, Dineshkumar Yadav, Gautam Borad, 
Jayendra Parab, Kishor Gollapalliwar, Abhay Kulkarni, Mehul Parikh, Pradeep 
Agrawal, VaradreawiZTV VaradreawiZTV, Vishal Suvagia, and Velmurugan Periasamy.


Bugs: RANGER-3580
    https://issues.apache.org/jira/browse/RANGER-3580


Repository: ranger


Description
-------

Ranger KMS integration with TencentKMS
- This task is to integrate the RANGER KMS Service with TencentKMS.
- To configure the RANGER KMS Service with TencentKMS, the configurations below 
need to be added to the install.properties file before running setup.sh:

```
# Do you use Tencent Cloud KMS? 
TENCENT_KMS_ENABLED=true 
# MasterKeyID on Tencent Cloud
TENCENT_MASTERKEY_ID=YourKeyID
# Login ID
TENCENT_CLIENT_ID=YourClientLoginId
# Login password
TENCENT_CLIENT_SECRET=YourClientLoginSecret
# Tencent Cloud area, see Tencent Cloud SDK for details. 
TENCENT_CLIENT_REGION=ap-beijing
```

Run setup.sh; it will add the configs below to dbks-site.xml:
```
    <!--Tencent KMS START-->
    <property>
        <name>ranger.kms.tencentkms.enabled</name>
        <value>false</value>
        <description>Flag for Tencent KMS</description>
    </property>
    <property>
        <name>ranger.kms.tencent.client.id</name>
        <value></value>
        <description>Tencent Client Id</description>
    </property>
    <property>
        <name>ranger.kms.tencent.client.secret</name>
        <value></value>
        <description>Tencent Client Secret</description>
    </property>
    <property>
        <name>ranger.kms.tencent.client.secret.alias</name>
        <value>ranger.ks.tencent.client.secret</value>
        <description>Tencent Client Secret Alias</description>
    </property>
    <property>
        <name>ranger.kms.tencent.client.region</name>
        <value>ap-beijing</value>
        <description>Tencent Client Id</description>
    </property>
    <property>
        <name>ranger.kms.tencent.masterkey.id</name>
        <value></value>
        <description>Tencent master key name</description>
    </property>
    <!--Tencent KMS END-->
```

Generally, we don't want the account bound by KMS to have the right to create a 
key in TencentKMS, so we have to create the Master Key on the TencentKMS web 
console first.
Start the KMS service. On start, the Master Key from TencentKMS should be used.


Diffs
-----

  distro/src/main/assembly/kms.xml 32bbefa44e372f3abb41d60cd35aa0d706ca3100 
  kms/config/kms-webapp/dbks-site.xml 07de4d494b5d72609b47752109fc40a9e016f6ab 
  kms/pom.xml 908e8841a4a8c0627622d35486ffe2dac7bbdc61 
  kms/scripts/install.properties 31143d3426565a338c308dc1a7ea8304f3f4e102 
  kms/scripts/setup.sh 2051df59a8bb0be11ba7a54e547f78cf5a0dca36 
  kms/src/main/java/org/apache/hadoop/crypto/key/AzureKeyVaultClientAuthenticator.java 19335893a4d875743fcf71b12124b1c40a4ee6e1 
  kms/src/main/java/org/apache/hadoop/crypto/key/DBToAzureKeyVault.java bacc928570283708daef7a2573707fddd7ca096e 
  kms/src/main/java/org/apache/hadoop/crypto/key/JKS2RangerUtil.java 4324439ba66f9f0fb68d570f1964ed6caa8c07bd 
  kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStore.java 12d485a36423d1c25a3b59cc8436e0a40863a78f 
  kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStoreProvider.java bd85c0d364ad06691a0f5d8f19b5124189261db3 
  kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyVaultKeyGenerator.java d21d32320bbd32e4efbe83c701d11c94dc804765 
  kms/src/main/java/org/apache/hadoop/crypto/key/RangerTencentKMSProvider.java PRE-CREATION 
  kms/src/main/resources/log4j.properties 5cd037a49c670a3a0eec9e85fdcafeeeabff1405 
  pom.xml c663937eba452321b4e2400cc6d3f528f74596de 


Diff: https://reviews.apache.org/r/73807/diff/2/


Testing (updated)
-------

+ mvn clean compile test verify 
+ Fresh setup


File Attachments
----------------

0001-add-TencentKMS-as-MasterKeyProvider.patch
  
https://reviews.apache.org/media/uploaded/files/2022/01/19/c0ec963d-95f0-4e77-823d-b7de9d5d54e6__0001-add-TencentKMS-as-MasterKeyProvider.patch


Thanks,

Kirby Zhou
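
A pre-flight check for the `TENCENT_*` keys listed in the description, as an added example that is not part of the patch or of the Ranger project. The function names and the `Your*` placeholder test are assumptions based on the sample values shown above; because install.properties holds `TENCENT_CLIENT_SECRET` in clear text, the check also flags group/other file permissions.

```bash
#!/bin/sh
# Added example (not Ranger code): validate the TENCENT_* keys in
# install.properties before setup.sh is run.

# Print the value of key $2 from properties file $1 (last assignment wins,
# surrounding whitespace stripped).
prop() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | tail -n 1 | sed 's/[[:space:]]*$//'
}

# Print one line per problem found in file $1.
# Returns 0 when the file is clean or the integration is disabled.
check_tencent_kms_props() {
    ctk_file=$1
    ctk_problems=0
    if [ "$(prop "$ctk_file" TENCENT_KMS_ENABLED)" != "true" ]; then
        return 0    # integration not enabled, nothing to validate
    fi
    for ctk_key in TENCENT_MASTERKEY_ID TENCENT_CLIENT_ID \
                   TENCENT_CLIENT_SECRET TENCENT_CLIENT_REGION; do
        ctk_val=$(prop "$ctk_file" "$ctk_key")
        case $ctk_val in
            "")    echo "$ctk_key is missing or empty"
                   ctk_problems=$((ctk_problems + 1)) ;;
            Your*) echo "$ctk_key still holds the sample placeholder"
                   ctk_problems=$((ctk_problems + 1)) ;;
        esac
    done
    # The client secret is stored in clear text in this file, so group and
    # other must have no access (GNU stat first, BSD stat as fallback).
    ctk_mode=$(stat -c '%a' "$ctk_file" 2>/dev/null || stat -f '%Lp' "$ctk_file")
    case $ctk_mode in
        *00) ;;
        *)   echo "$ctk_file has mode $ctk_mode: group/other can reach the client secret"
             ctk_problems=$((ctk_problems + 1)) ;;
    esac
    [ "$ctk_problems" -eq 0 ]
}

# Stand-alone use: sh check.sh /path/to/install.properties
[ $# -eq 0 ] || check_tencent_kms_props "$1"
```
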
