-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73783/#review223936
-----------------------------------------------------------

kms/src/main/java/org/apache/hadoop/crypto/key/MigrateDBMKeyToGCP.java
Lines 35 (patched)
<https://reviews.apache.org/r/73783/#comment312978>

    Hi Mateen,

    It seems you aren't taking any inputs from the user while executing the migration utility. So probably your approach might be updating the conf and restarting the Ranger KMS service and then executing the migration utility.

    The migration utility is decrypting the EZ keys with the master key present in the DB and encrypting them again with the master key created on GCP. During this process, if some concurrent request is made, then the KEY might go into an inconsistent state and the Ranger KMS Product will be responsible for any loss to the HDFS encryption zone.

    The migration utility is always recommended to be executed by keeping Ranger KMS down.


- Dhaval Shah


On Jan. 4, 2022, 11:20 a.m., Mateen Mansoori wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73783/
> -----------------------------------------------------------
>
> (Updated Jan. 4, 2022, 11:20 a.m.)
>
>
> Review request for ranger, Dhaval Shah, Dineshkumar Yadav, Gautam Borad,
> Jayendra Parab, Kishor Gollapalliwar, Abhay Kulkarni, Mehul Parikh, Pradeep
> Agrawal, VaradreawiZTV VaradreawiZTV, Vishal Suvagia, and Velmurugan
> Periasamy.
>
>
> Bugs: RANGER-3569
>     https://issues.apache.org/jira/browse/RANGER-3569
>
>
> Repository: ranger
>
>
> Description
> -------
>
> Ranger KMS integration with Google cloud HSM
> - This task is to integrate the RANGER KMS Service with Google Cloud HSM.
> - To configure the RANGER KMS Service with Google Cloud HSM, the below configurations
>   need to be added in the install.properties file before running the setup.sh
>
>     IS_GCP_ENABLED=true
>     GCP_KEYRING_ID=YourKeyRingId
>     GCP_CRED_JSON_FILE=/full/path/to/downloadedCredfile.json
>     GCP_PROJECT_ID=YourProjectId
>     GCP_LOCATION_ID=LocationId
>     GCP_MASTER_KEY_NAME=MyMasterKeyNameChangeIt
>
> - Run the setup.sh. It will add the below configs in dbks-site.xml
>
>     <property>
>         <name>ranger.kms.gcp.enabled</name>
>         <value>false</value>
>         <description></description>
>     </property>
>     <property>
>         <name>ranger.kms.gcp.keyring.id</name>
>         <value></value>
>         <description></description>
>     </property>
>     <property>
>         <name>ranger.kms.gcp.cred.file</name>
>         <value></value>
>         <description></description>
>     </property>
>     <property>
>         <name>ranger.kms.gcp.project.id</name>
>         <value></value>
>         <description></description>
>     </property>
>     <property>
>         <name>ranger.kms.gcp.location.id</name>
>         <value></value>
>         <description></description>
>     </property>
>     <property>
>         <name>ranger.kms.gcp.masterkey.name</name>
>         <value></value>
>         <description></description>
>     </property>
>
> - Start the kms service. On start, the Master Key should be created in Google
>   Cloud HSM.
>
>
> Diffs
> -----
>
>   distro/src/main/assembly/kms.xml aacdcf103
>   kms/config/kms-webapp/dbks-site.xml 75f21c80e
>   kms/pom.xml b940e75c0
>   kms/scripts/MigrateMKeyStorageDbToGCP.sh PRE-CREATION
>   kms/scripts/install.properties 4cf79080f
>   kms/scripts/setup.sh 60c026b80
>   kms/src/main/java/org/apache/hadoop/crypto/key/MigrateDBMKeyToGCP.java PRE-CREATION
>   kms/src/main/java/org/apache/hadoop/crypto/key/RangerGoogleCloudHSMProvider.java PRE-CREATION
>   kms/src/main/java/org/apache/hadoop/crypto/key/RangerKMSMKI.java 75e70fffa
>   kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStore.java b9e7cb2fd
>   kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStoreProvider.java db8fa69e0
>   kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyVaultKeyGenerator.java 854d7f0b6
>   kms/src/main/resources/META-INF/context.xml PRE-CREATION
>   pom.xml 5c621a5b4
>
>
> Diff: https://reviews.apache.org/r/73783/diff/2/
>
>
> Testing
> -------
>
> Build Succeeded - mvn clean compile test verify install
> Testing : Verified fresh and upgrade scenarios.
>
>
> Thanks,
>
> Mateen Mansoori
>
>