[ https://issues.apache.org/jira/browse/RANGER-723?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14992718#comment-14992718 ]

Varun Rao commented on RANGER-723:
----------------------------------

We can add the following properties:

ranger.ks.master.key.password.type=CloudHSM
ranger.ks.cloudhsm.partition.credential.path=<path to the encrypted cloudHSM partition password file>
ranger.ks.cloudhsm.partition.credential.alias=ranger.ks.cloudhsm.partition.password
ranger.ks.cloudhsm.masterkey.name=RangerKMSMasterKey
ranger.ks.cloudhsm.partition.password=_

ranger.ks.master.key.password.type - can be used to indicate if the CloudHSM 
will be used to encrypt the Master key. If this value is set to "TEXT" or not 
set at all, it will use the default setup.

NOTE: we should be allowed to switch between the default and cloudHSM encryption

When the value is set back to "TEXT", it should decrypt the master key using 
CloudHSM, encrypt it using the TEXT master key password, and update the database. 
The reverse should hold true as well.
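
The switch between the two types described above, as an added Python sketch that is not Ranger's code: the TEXT password and the CloudHSM partition key are both modelled as key-encryption keys, and the stored master-key record is only overwritten after the existing wrap verifies. The HMAC-based wrap, the in-memory `db` and `hsm` dicts, and the property names beyond those in the comment are constructed stand-ins, not the project's API.

```python
import hmac, hashlib, secrets

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy HMAC-based stream cipher; a constructed stand-in for the real key wrap."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def wrap(kek: bytes, plain: bytes) -> bytes:
    """nonce || ciphertext || HMAC tag, so a wrong KEK is detected instead of yielding garbage."""
    nonce = secrets.token_bytes(16)
    ct = _keystream_xor(kek, nonce, plain)
    tag = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap(kek: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(kek, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("master key integrity check failed: wrong password or HSM key")
    return _keystream_xor(kek, nonce, ct)

def kek_for(props: dict, hsm: dict) -> bytes:
    """Select the key-encryption key from ranger.ks.master.key.password.type (default TEXT)."""
    ptype = props.get("ranger.ks.master.key.password.type", "TEXT")
    if ptype == "CloudHSM":
        # hsm stands in for the partition: the key is referenced by name, never exported
        return hsm[props["ranger.ks.cloudhsm.masterkey.name"]]
    # TEXT (or unset): derive the KEK from KMS_MASTER_KEY_PASSWD (constructed salt/iterations)
    return hashlib.pbkdf2_hmac("sha256", props["KMS_MASTER_KEY_PASSWD"].encode(),
                               b"ranger-kms-master-key", 100_000)

def switch_master_key_type(db: dict, props: dict, new_type: str, hsm: dict) -> str:
    """Decrypt with the current type, re-encrypt with the new one, then update the record."""
    master = unwrap(kek_for(props, hsm), db["ranger_masterkey"])  # raises before any write
    new_props = dict(props, **{"ranger.ks.master.key.password.type": new_type})
    db["ranger_masterkey"] = wrap(kek_for(new_props, hsm), master)
    props["ranger.ks.master.key.password.type"] = new_type
    return new_type
```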


> Ranger-KMS – CloudHSM Integration
> ---------------------------------
>
>                 Key: RANGER-723
>                 URL: https://issues.apache.org/jira/browse/RANGER-723
>             Project: Ranger
>          Issue Type: New Feature
>          Components: kms, Ranger
>    Affects Versions: 0.5.0
>            Reporter: Varun Rao
>            Assignee: Varun Rao
>            Priority: Minor
>         Attachments: Hadoop KMS.png, Ranger KMS - CloudHSM integration.png
>
>
> Integrate Ranger KMS with CloudHSM to manage master keys.
> Currently Ranger KMS uses the database (rangerkms.ranger_masterkey) to store 
> the master key. 
> This Master key is encrypted using a property "KMS_MASTER_KEY_PASSWD". 
> It would be nice if we can use CloudHSM instead of using 
> "KMS_MASTER_KEY_PASSWD" to encrypt the master key. 
> This will add an extra layer in the Key Hierarchy.
> Attached is the high level architecture of the current Hadoop KMS and the 
> proposed change to integrate with CloudHSM.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)