[jira] [Comment Edited] (RANGER-3641) Add API to enhance KMS capabilities

Wed, 27 Nov 2024 10:11:06 -0800 


    [ 
https://issues.apache.org/jira/browse/RANGER-3641?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17901553#comment-17901553
 ] 

Vikas Kumar edited comment on RANGER-3641 at 11/27/24 6:09 PM:
---------------------------------------------------------------

Code has been tested, reviewed and merged. Hence marking it resolved.

Thanks to [~bpatel] and [~dhavalshah9131] for the code review.

Following is the API and the response taken for reference from test cluster:
*Request:*

curl -ivk -H "Content-Type: application/json" -H -X GET 
'[http://apacheprtest.site:9292/kms/v1/key/dektestkey/_dek?user.name=keyadmin]'

*Response:*

 
{code:java}
{
  "edek": {
    "encryptedKeyVersion": {
      "material": "gsndrW4VzpnTsC3PHC7sjw",
      "name": "dektestkey",
      "versionName": "EEK"
    },
    "versionName": "dektestkey@0",
    "iv": "S4FpjpscEhf6ELWKRTG8OQ"
  },
  "dek": {
    "material": "WiKLo1A79s-cGW5Sbb8pSw",
    "name": "dektestkey",
    "versionName": "EK"
  }
} {code}
 

 

 To cross check, I hit the existing decryptkey API with above EDEK material and 
got the same DEK.

*Req:* 
curl -ivk -H "Content-Type: application/json" -H -X POST --data 
'\{"name":"dektestkey","iv":"S4FpjpscEhf6ELWKRTG8OQ","material":"gsndrW4VzpnTsC3PHC7sjw"}'
 
'http://apacheprtest.site:9292/kms/v1/keyversion/dektestkey@0/_eek?eek_op=decrypt&user.name=keyadmin|http://ccycloud-1.dektest.root.comops.site:9292/kms/v1/keyversion/dektestkey@0/_eek?eek_op=decrypt&user.name=keyadmin'

 

*Response:*
{code:java}
{
  "material": "WiKLo1A79s-cGW5Sbb8pSw",
  "name": "dektestkey",
  "versionName": "EK"
}{code}


was (Author: JIRAUSER295683):
Code has been tested, reviewed and merged. Hence marking it resolved.

Thanks to [~bpatel] and [~dhavalshah9131] for the code review.

Following is the API and the response taken for reference from test cluster:
Request:   

curl -ivk  -H "Content-Type: application/json" -H  -X GET 
'[http://apacheprtest.site:9292/kms/v1/key/dektestkey/_dek?user.name=keyadmin]'

Response:

{
  "edek" : \{
    "encryptedKeyVersion" : {
      "material" : "gsndrW4VzpnTsC3PHC7sjw",
      "name" : "dektestkey",
      "versionName" : "EEK"
    },
    "versionName" : "dektestkey@0",
    "iv" : "S4FpjpscEhf6ELWKRTG8OQ"
  },
  "dek" : \{
    "material" : "WiKLo1A79s-cGW5Sbb8pSw",
    "name" : "dektestkey",
    "versionName" : "EK"
  }
}

Step3: To cross check, I hit the existing decryptkey API with above EDEK 
material and got the same DEK.

Req: 
curl -ivk  -H "Content-Type: application/json" -H  -X POST --data 
'\{"name":"dektestkey","iv":"S4FpjpscEhf6ELWKRTG8OQ","material":"gsndrW4VzpnTsC3PHC7sjw"}'
 
'http://apacheprtest.site:9292[/kms/v1/keyversion/dektestkey@0/_eek?eek_op=decrypt&user.name=keyadmin|http://ccycloud-1.dektest.root.comops.site:9292/kms/v1/keyversion/dektestkey@0/_eek?eek_op=decrypt&user.name=keyadmin]'

 

Res:
{
  "material" : "WiKLo1A79s-cGW5Sbb8pSw",
  "name" : "dektestkey",
  "versionName" : "EK"

}

> Add API to enhance KMS capabilities
> -----------------------------------
>
>                 Key: RANGER-3641
>                 URL: https://issues.apache.org/jira/browse/RANGER-3641
>             Project: Ranger
>          Issue Type: Improvement
>          Components: kms
>    Affects Versions: 3.0.0, 2.3.0
>            Reporter: kirby zhou
>            Assignee: Vikas Kumar
>            Priority: Major
>
> Some APIs are very useful.
>  
>  * GenerateEEK with decrypted EEK returned together
> Like:
> {EEK, EK} = GenerateEEK2(KeyVersion)
> This helps Program which request a EEK to encrypt something itself such like 
> KUDU or MySQL.
> It now takes 2 RPC calls to complete encryption. If a API can return EEK and 
> EK together, we can save 1 RPC call.
>  
>  * Simple Encryption and Decryption API
> Like:
> {EncryptedData} = Encrypt(KeyVersion, PlainData)
> {PlainData} = Decrypt(KeyVersion, EncryptedData)
> This helps Ranger KMS works for some simple situation such as encrypting 
> password.
>  
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to