-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/75272/
-----------------------------------------------------------

Review request for ranger, bhavik patel, Dhaval Shah, Madhan Neethiraj, Pradeep 
Agrawal, and Sailaja Polavarapu.


Repository: ranger


Description
-------

RANGER-3641: New KMS API to generate EDEK and DEK in one request to avoid two 
trips to KMS

Many times a client app creates an EDEK when it needs to encrypt data. At 
that time, it needs to make one call to get the EDEK and a subsequent call to 
decrypt that EDEK to get the plain DEK. So it makes sense to have one API 
that should return both EDEK and DEK together. 

I saw a similar API in the AWS KMS API; it returns both.

The existing generateEncryptionkey is still there and can be used for bulk EDEK 
generation, maybe not for immediate consumption, or to keep in the client cache 
and decrypt when required.


Diffs
-----

  kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMS.java 5bc0e7132 


Diff: https://reviews.apache.org/r/75272/diff/1/


Testing
-------

Testing:

1. KMS build command is successful
2. I patched one of my internal clusters with a dev jar (that contains this code) 
and performed the following operations:

Step1: Create one Zone key, "dektestkey"
Step2: Hit the new API to generate EDEK and corresponding DEK
Request:   

curl -ivk -H "Content-Type: application/json" -X GET \
  'http://apacheprtest.site:9292/kms/v1/key/dektestkey/_dek?user.name=keyadmin'

Response:

{
  "edek" : {
    "encryptedKeyVersion" : {
      "material" : "gsndrW4VzpnTsC3PHC7sjw",
      "name" : "dektestkey",
      "versionName" : "EEK"
    },
    "versionName" : "dektestkey@0",
    "iv" : "S4FpjpscEhf6ELWKRTG8OQ"
  },
  "dek" : {
    "material" : "WiKLo1A79s-cGW5Sbb8pSw",
    "name" : "dektestkey",
    "versionName" : "EK"
  }
}

Step3: To cross-check, I hit the existing decryptkey API with the above EDEK 
material and got the same DEK.

Req: 
curl -ivk -H "Content-Type: application/json" -X POST \
  --data '{"name":"dektestkey","iv":"S4FpjpscEhf6ELWKRTG8OQ","material":"gsndrW4VzpnTsC3PHC7sjw"}' \
  'http://ccycloud-1.dektest.root.comops.site:9292/kms/v1/keyversion/dektestkey@0/_eek?eek_op=decrypt&user.name=keyadmin'


Res:
{
  "material" : "WiKLo1A79s-cGW5Sbb8pSw",
  "name" : "dektestkey",
  "versionName" : "EK"
}


Thanks,

Vikas Kumar
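
A client-side check of the combined response from Step 2 against the decrypt response from Step 3, as an added example (not part of the review request or of Ranger's code). The function names are hypothetical, and it assumes that "material" and "iv" are unpadded URL-safe base64, that the IV is 16 bytes, and that the DEK is an AES-sized key.

```python
import base64
import hmac
import json

# Constructed from the Step 2 and Step 3 responses shown above.
COMBINED = ('{"edek":{"encryptedKeyVersion":{"material":"gsndrW4VzpnTsC3PHC7sjw",'
            '"name":"dektestkey","versionName":"EEK"},"versionName":"dektestkey@0",'
            '"iv":"S4FpjpscEhf6ELWKRTG8OQ"},"dek":{"material":"WiKLo1A79s-cGW5Sbb8pSw",'
            '"name":"dektestkey","versionName":"EK"}}')
DECRYPTED = '{"material":"WiKLo1A79s-cGW5Sbb8pSw","name":"dektestkey","versionName":"EK"}'

def b64url(text):
    """Decode unpadded URL-safe base64 (assumed encoding of material and iv)."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def parse_dek_response(body, key_name):
    """Validate a combined response; return (EDEK record to store, DEK bytes)."""
    doc = json.loads(body)
    edek, dek = doc["edek"], doc["dek"]
    ekv = edek["encryptedKeyVersion"]
    if ekv["name"] != key_name or dek["name"] != key_name:
        raise ValueError("response is for a different key")
    if (ekv["versionName"], dek["versionName"]) != ("EEK", "EK"):
        raise ValueError("unexpected versionName markers")
    if not edek["versionName"].startswith(key_name + "@"):
        raise ValueError("EDEK is not bound to a version of this key")
    iv, wrapped, plain = b64url(edek["iv"]), b64url(ekv["material"]), b64url(dek["material"])
    if len(iv) != 16 or len(plain) not in (16, 24, 32):
        raise ValueError("IV or DEK length is not valid for AES")
    if len(wrapped) != len(plain):  # equal in the sample; treated here as an assumption
        raise ValueError("EDEK and DEK lengths differ")
    # Same fields the Step 3 decrypt request sends; the plain DEK is not part of it.
    record = {"name": key_name, "iv": edek["iv"], "material": ekv["material"],
              "versionName": edek["versionName"]}
    return record, plain

def matches_decrypt(dek_bytes, decrypt_body):
    """Step 3 cross-check: the decrypt response must carry the same DEK."""
    doc = json.loads(decrypt_body)
    return doc["versionName"] == "EK" and hmac.compare_digest(dek_bytes, b64url(doc["material"]))

if __name__ == "__main__":
    record, dek = parse_dek_response(COMBINED, "dektestkey")
    print(record["versionName"], len(dek), matches_decrypt(dek, DECRYPTED))
```

The returned record is what a client would keep beside the encrypted data; the DEK bytes stay in memory only for the encryption itself.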
