kirby zhou created RANGER-3682:
----------------------------------
Summary: Unify the ways that rangerkeystore to encapsulate zonekey
Key: RANGER-3682
URL: https://issues.apache.org/jira/browse/RANGER-3682
Project: Ranger
Issue Type: Improvement
Components: kms
Affects Versions: 3.0.0, 2.3.0
Reporter: kirby zhou
Unify the ways that rangerkeystore to encapsulate zonekey
Now we have 2 styles of MasterKeyProvider:
# RangerMasterKey, RangerHSM, RangerSafenetKeySecure
# RangerAzureKeyVaultKeyGenerator, RangerGoogleCloudHSMProvider,
RangerTencentKMSProvider
Style 1 can get out master key string from provider, Style 2 can not.
In old, I add a flag KeyVaultEnabled to distinguish them. KeyVaultEnabled=false
means style1, true means style2
RangerKeyStore with style1 use SecretKeyEntry with SealedObject to store a key
and do encryption / decryption by itself.
RangerKeyStore with style2 use SecretKeyByteEntry to store a key and let MK
provider to encryption / decryption.
These are ugly and hard to maintain. I refactor it by removing SecretKeyEntry,
and let providers of style1 do encryption / decryption.
Add a common base class of RangerMasterKey, RangerHSM andd
RangerSafenetKeySecure, named AbstractRangerMasterKey. It provides the common
logic of encryptZoneKey and decryptZoneKey.
And, there is no unified method to initialize a master key provider. Duplicate
code is distributed in RangerKeyStoreProvider and a bunch of CLI classes.
I made a new RangerKMSMKIFactory class to unify it.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
