NSAmelchev commented on a change in pull request #7941:
URL: https://github.com/apache/ignite/pull/7941#discussion_r472854600
##########
File path:
modules/core/src/main/java/org/apache/ignite/internal/managers/encryption/GridEncryptionManager.java
##########
@@ -503,58 +549,96 @@ else if (newKeys != null) {
/** {@inheritDoc} */
@Override public void onGridDataReceived(GridDiscoveryData data) {
+ assert !writeToMetaStoreEnabled;
+
if (ctx.clientNode())
return;
- Map<Integer, byte[]> encKeysFromCluster = (Map<Integer,
byte[]>)data.commonData();
+ Map<Integer, Object> encKeysFromCluster = (Map<Integer,
Object>)data.commonData();
if (F.isEmpty(encKeysFromCluster))
return;
- for (Map.Entry<Integer, byte[]> entry : encKeysFromCluster.entrySet())
{
- if (groupKey(entry.getKey()) == null) {
- U.quietAndInfo(log, "Store group key received from coordinator
[grp=" + entry.getKey() + "]");
+ for (Map.Entry<Integer, Object> entry : encKeysFromCluster.entrySet())
{
+ int grpId = entry.getKey();
- groupKey(entry.getKey(), entry.getValue());
- }
- else {
+ GroupKeyEncrypted rmtKey;
+
+ if (entry.getValue() instanceof GroupKeyEncrypted)
+ rmtKey = (GroupKeyEncrypted)entry.getValue();
+ else
+ rmtKey = new GroupKeyEncrypted(INITIAL_KEY_ID,
(byte[])entry.getValue());
+
+ GroupKey locGrpKey = groupKey(grpId);
+
+ if (locGrpKey != null && locGrpKey.unsignedId() == rmtKey.id()) {
U.quietAndInfo(log, "Skip group key received from coordinator.
Already exists. [grp=" +
- entry.getKey() + "]");
+ grpId + ", keyId=" + rmtKey.id() + "]");
+
+ continue;
}
+
+ U.quietAndInfo(log, "Store group key received from coordinator
[grp=" + grpId +
+ ", keyId=" + rmtKey.id() + "]");
+
+ //changeActiveKey
+ GroupKey prevKey = grpKeys.changeActiveKey(grpId, rmtKey);
+
+ if (prevKey == null)
+ continue;
+
+ grpKeys.reserveWalKey(grpId, prevKey.unsignedId(),
ctx.cache().context().wal().currentSegment());
+
+ reencryptGroupsForced.put(grpId, rmtKey.id());
}
}
/**
* Returns group encryption key.
*
- * @param grpId Group id.
- * @return Group encryption key.
+ * @param grpId Cache group ID.
+ * @return Group encryption key with identifier, that was set for writing.
*/
- @Nullable public Serializable groupKey(int grpId) {
- if (grpEncKeys.isEmpty())
- return null;
-
- return grpEncKeys.get(grpId);
+ @Nullable public GroupKey groupKey(int grpId) {
+ return grpKeys.getActiveKey(grpId);
}
/**
- * Store group encryption key.
+ * Returns group encryption key with specified identifier.
*
- * @param grpId Group id.
- * @param encGrpKey Encrypted group key.
+ * @param grpId Cache group ID.
+ * @param keyId Encryption key ID.
+ * @return Group encryption key.
*/
- public void groupKey(int grpId, byte[] encGrpKey) {
- assert !grpEncKeys.containsKey(grpId);
-
- Serializable encKey = withMasterKeyChangeReadLock(() ->
getSpi().decryptKey(encGrpKey));
+ @Nullable public GroupKey groupKey(int grpId, int keyId) {
+ return grpKeys.getKey(grpId, keyId);
+ }
- synchronized (metaStorageMux) {
- if (log.isDebugEnabled())
- log.debug("Key added. [grp=" + grpId + "]");
+ /**
+ * Gets the existing encryption key IDs for the specified cache group.
+ *
+ * @param grpId Cache group ID.
+ * @return List of the key identifiers.
+ */
+ @Nullable public List<Integer> groupKeyIds(int grpId) {
+ return grpKeys.keyIds(grpId);
+ }
- grpEncKeys.put(grpId, encKey);
+ /**
+ * Adds new cache group encryption key.
+ *
+ * @param grpId Cache group ID.
+ * @param key Encryption key.
+ */
+ private void addGroupKey(int grpId, GroupKeyEncrypted key) {
+ try {
+ synchronized (metaStorageMux) {
+ withMasterKeyChangeReadLock(() ->
grpKeys.changeActiveKey(grpId, key));
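Review bot: In onGridDataReceived the call `grpKeys.changeActiveKey(grpId, rmtKey)` runs without withMasterKeyChangeReadLock, whereas the removed groupKey(int, byte[]) setter decrypted the incoming key under that read lock and the new addGroupKey wraps the same changeActiveKey call in it; if changeActiveKey still decrypts with the current master key, a concurrent master key change could produce a key decrypted with the wrong master key unless discovery data exchange is guaranteed never to overlap one. If the lock is needed, `GroupKey prevKey = withMasterKeyChangeReadLock(() -> grpKeys.changeActiveKey(grpId, rmtKey));` keeps the two paths consistent; if it is deliberately unnecessary here, a comment saying why would stop the next reader from re-adding it. The `//changeActiveKey` comment above that line only restates the call; a why-comment such as `// Make the coordinator's key active; the previous key stays reserved for WAL segments written with it.` would carry real information. The body of addGroupKey continues outside the hunk.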
Review comment:
There is a possible deadlock with the `doChangeMasterKey` method because of the order in which the locks are acquired.