[ https://issues.apache.org/jira/browse/IGNITE-13520?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Pavel Pereslegin updated IGNITE-13520:
--------------------------------------
    Description: 
Currently, when a client node joins a cluster with a static encrypted cache 
configuration, it generates an encryption key for that cache and sends it to 
the cluster (just like the server node does).

_SpringEncryptedCacheRestartClientTest_ reproduces this behavior and it is 
unexpected; it happens due to IGNITE-13567 (see 
_GridEncryptionManager#collectJoiningNodeData_).
The client node should not generate encryption keys and should be able to start 
without configuring EncryptionSPI.

After doing some research on possible solutions, we decided to reject node 
joining in such a situation, because there is no clean and simple way to 
distribute the same encryption key between server nodes that are already in the 
cluster (we have to either add discovery overhead, block the exchange, or add 
an additional exchange to be able to distribute keys between server nodes that 
are already in the cluster).

  was:
Currently, when a client node joins a cluster with a static encrypted cache 
configuration, it generates an encryption key for that cache and sends it to 
the cluster (just like the server node does).

This is unexpected behavior; it happens due to IGNITE-13567 (see 
GridEncryptionManager#collectJoiningNodeData). The client node should not 
generate encryption keys and should be able to start without configuring 
EncryptionSPI.

After doing some research on possible solutions, we decided to reject node 
joining in such a situation, because there is no clean and simple way to 
distribute the same encryption key between server nodes that are already in the 
cluster (we have to either add discovery overhead, block the exchange, or add 
an additional exchange to be able to distribute keys between server nodes that 
are already in the cluster).


> Client node with a static encrypted cache configuration cannot join a cluster 
> without EncryptionSPI configured.
> ---------------------------------------------------------------------------------------------------------------
>
>                 Key: IGNITE-13520
>                 URL: https://issues.apache.org/jira/browse/IGNITE-13520
>             Project: Ignite
>          Issue Type: Bug
>    Affects Versions: 2.9
>            Reporter: Pavel Pereslegin
>            Assignee: Pavel Pereslegin
>            Priority: Major
>              Labels: encryption
>             Fix For: 2.10
>
>          Time Spent: 40m
>  Remaining Estimate: 0h
>
> Currently, when a client node joins a cluster with a static encrypted cache 
> configuration, it generates an encryption key for that cache and sends it to 
> the cluster (just like the server node does).
> _SpringEncryptedCacheRestartClientTest_ reproduces this behavior and it is 
> unexpected; it happens due to IGNITE-13567 (see 
> _GridEncryptionManager#collectJoiningNodeData_).
> The client node should not generate encryption keys and should be able to 
> start without configuring EncryptionSPI.
> After doing some research on possible solutions, we decided to reject node 
> joining in such a situation, because there is no clean and simple way to 
> distribute the same encryption key between server nodes that are already in 
> the cluster (we have to either add discovery overhead, block the exchange, or 
> add an additional exchange to be able to distribute keys between server nodes 
> that are already in the cluster).



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
