[ https://issues.apache.org/jira/browse/RANGER-3998?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17834769#comment-17834769 ]

kirby zhou commented on RANGER-3998:
------------------------------------

This patch is just a simple imitation of RangerGoogleCloudHSMProvider.

This work enables using a key stored in AWS KMS as the master key of
Ranger KMS.
 
The class RangerAWSKMSProvider just implements the RangerKMSMKI interface.
 
The generateMasterKey method does not actually create a master key; it calls
AWSKMS.listAliases and AWSKMS.getKeyMetadata to verify whether the master key
exists.
 
The encryptZoneKey method calls AWSKMS.encrypt to encrypt the zone key, and
decryptZoneKey calls AWSKMS.decrypt to decrypt it.
 
RangerKeyStoreProvider.java is modified to load and activate
RangerAWSKMSProvider according to the configuration.
 
I added 5 lines to install.properties; their meaning is:

#------------------------- Ranger AWS KMS ------------------------------
AWS_KMS_ENABLED=false
AWS_KMS_MASTERKEY_ID=#The id of the master key in AWS KMS
AWS_CLIENT_ACCESSKEY=#The access key to the AWS service
AWS_CLIENT_SECRETKEY=#The secret key to the AWS service
AWS_CLIENT_REGION=#The region of the AWS service
 
The modification of setup.sh will map the 5 properties into dbks-site.xml as:
 * AWS_KMS_ENABLED = "ranger.kms.awskms.enabled";
 * AWSKMS_MASTER_KEY_ID = "ranger.kms.awskms.masterkey.id";
 * AWS_CLIENT_ACCESSKEY = "ranger.kms.aws.client.accesskey";
 * AWS_CLIENT_SECRETKEY = "ranger.kms.aws.client.secretkey";
 * AWS_CLIENT_REGION = "ranger.kms.aws.client.region";
 

And the patch makes some minor changes to prevent conflicts with Tencent KMS.

 

BTW: the AWS KMS API is documented here:
https://docs.aws.amazon.com/kms/latest/developerguide/programming-top.html

 

 

> Support Ranger KMS integration with AWS KMS
> -------------------------------------------
>
>                 Key: RANGER-3998
>                 URL: https://issues.apache.org/jira/browse/RANGER-3998
>             Project: Ranger
>          Issue Type: Improvement
>          Components: kms
>    Affects Versions: 3.0.0, 2.4.0
>            Reporter: kirby zhou
>            Assignee: kirby zhou
>            Priority: Major
>
> AWS KMS is widely used by many customers.
> Therefore, RangerKMS should support hosting MasterKey to AWS KMS.
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
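The following is an added illustration of the design described in the comment above (verify the configured master key instead of creating it, then wrap and unwrap the zone key with KMS Encrypt/Decrypt). It is example code written for this page, not the RANGER-3998 patch and not Ranger's RangerAWSKMSProvider. It assumes the AWS SDK for Java v1 (`com.amazonaws.services.kms`), uses the dbks-site.xml property names from the comment, and adds two things the comment does not mention, both labelled as assumptions: a fixed KMS encryption context, and a fallback to the SDK's default credential chain when no static access key is configured. The method names mirror the RangerKMSMKI methods named in the comment but are not claimed to match that interface's exact signatures.

```java
import java.nio.ByteBuffer;
import java.security.Key;
import java.util.Collections;
import java.util.Map;

import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.services.kms.AWSKMS;
import com.amazonaws.services.kms.AWSKMSClientBuilder;
import com.amazonaws.services.kms.model.AliasListEntry;
import com.amazonaws.services.kms.model.DecryptRequest;
import com.amazonaws.services.kms.model.DescribeKeyRequest;
import com.amazonaws.services.kms.model.EncryptRequest;
import com.amazonaws.services.kms.model.KeyMetadata;
import com.amazonaws.services.kms.model.ListAliasesRequest;
import com.amazonaws.services.kms.model.ListAliasesResult;

/**
 * Hypothetical AWS KMS master-key wrapper (illustration only, not the patch's
 * RangerAWSKMSProvider). The zone key is only ever in this JVM; the master key
 * never leaves AWS KMS.
 */
public class AwsKmsMasterKeyExample {
    // dbks-site.xml property names as listed in the Jira comment.
    static final String PROP_MASTERKEY_ID = "ranger.kms.awskms.masterkey.id";
    static final String PROP_ACCESSKEY    = "ranger.kms.aws.client.accesskey";
    static final String PROP_SECRETKEY    = "ranger.kms.aws.client.secretkey";
    static final String PROP_REGION       = "ranger.kms.aws.client.region";

    // Assumption: a fixed encryption context. KMS binds it to the ciphertext
    // as AAD, so a blob wrapped under this label cannot be unwrapped without it.
    private static final Map<String, String> CONTEXT =
            Collections.singletonMap("purpose", "ranger-kms-zone-key");

    private final AWSKMS kms;
    private final String masterKeyId;

    AwsKmsMasterKeyExample(AWSKMS kms, String masterKeyId) {
        this.kms = kms;
        this.masterKeyId = masterKeyId;
    }

    /** Build the client; static keys are used only when actually configured. */
    static AwsKmsMasterKeyExample fromProperties(Map<String, String> props) {
        AWSKMSClientBuilder builder = AWSKMSClientBuilder.standard()
                .withRegion(props.get(PROP_REGION));
        String accessKey = props.get(PROP_ACCESSKEY);
        String secretKey = props.get(PROP_SECRETKEY);
        if (accessKey != null && !accessKey.isEmpty()) {
            builder.withCredentials(new AWSStaticCredentialsProvider(
                    new BasicAWSCredentials(accessKey, secretKey)));
        }
        // Assumption: otherwise the SDK default chain (instance profile, env
        // vars, ...) applies, which keeps long-lived secrets out of dbks-site.xml.
        return new AwsKmsMasterKeyExample(builder.build(), props.get(PROP_MASTERKEY_ID));
    }

    /**
     * Counterpart of generateMasterKey: nothing is created. An alias is resolved
     * via ListAliases, then DescribeKey must report an enabled ENCRYPT_DECRYPT key.
     */
    boolean verifyMasterKey() {
        String keyId = masterKeyId;
        if (keyId.startsWith("alias/")) {
            keyId = resolveAlias(keyId);
            if (keyId == null) {
                return false; // alias not present in this account/region
            }
        }
        KeyMetadata md = kms.describeKey(new DescribeKeyRequest().withKeyId(keyId))
                .getKeyMetadata();
        return "Enabled".equals(md.getKeyState())
                && "ENCRYPT_DECRYPT".equals(md.getKeyUsage());
    }

    /** Walk the paginated ListAliases result until the alias is found. */
    private String resolveAlias(String aliasName) {
        String marker = null;
        while (true) {
            ListAliasesResult page = kms.listAliases(new ListAliasesRequest().withMarker(marker));
            for (AliasListEntry e : page.getAliases()) {
                if (aliasName.equals(e.getAliasName())) {
                    return e.getTargetKeyId();
                }
            }
            if (!Boolean.TRUE.equals(page.getTruncated())) {
                return null;
            }
            marker = page.getNextMarker();
        }
    }

    /** encryptZoneKey: wrap the zone key material under the KMS master key. */
    byte[] encryptZoneKey(Key zoneKey) {
        ByteBuffer blob = kms.encrypt(new EncryptRequest()
                .withKeyId(masterKeyId)
                .withPlaintext(ByteBuffer.wrap(zoneKey.getEncoded()))
                .withEncryptionContext(CONTEXT)).getCiphertextBlob();
        return toArray(blob);
    }

    /** decryptZoneKey: the blob identifies the key, only the context is needed. */
    byte[] decryptZoneKey(byte[] encrypted) {
        ByteBuffer plain = kms.decrypt(new DecryptRequest()
                .withCiphertextBlob(ByteBuffer.wrap(encrypted))
                .withEncryptionContext(CONTEXT)).getPlaintext();
        return toArray(plain);
    }

    private static byte[] toArray(ByteBuffer buf) {
        byte[] out = new byte[buf.remaining()];
        buf.get(out);
        return out;
    }
}
```

Two practical notes on this sketch. KMS Encrypt and DescribeKey accept `alias/...` names directly, so the ListAliases walk is only needed to follow the comment's design of checking that the alias exists; it also makes the failure mode explicit when the alias is missing. And an access key and secret key stored in dbks-site.xml are a long-lived credential that grants Decrypt on the master key, so an instance role or other short-lived credential source is the safer default where the deployment allows it.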