Uploaded image for project: 'Drivers'
  1. Drivers
  2. DRIVERS-1353

CSFLE 1.0 KMIP Support

XMLWordPrintableJSON

    • Needed
    • Hide

      Upgrade libmongocrypt dependency to 1.3.0. Wrap the new mongocrypt_kms_ctx_get_kms_provider function in bindings.

      Implement changes from mongodb/specifications#1082 and mongodb/specifications#1096 to test KMIP and add TLS options:

      • Resync the new specification test kmipKMS.json
      • Update the CSFLE prose tests Corpus Test, Custom Endpoint Test, Data key and double encryption.
      • Add TLS options for KMS providers.
      • Add prose test KMS TLS Options Tests

      Drivers should sync with mongodb/specifications@11df644.

      Show
      Upgrade libmongocrypt dependency to 1.3.0. Wrap the new mongocrypt_kms_ctx_get_kms_provider function in bindings. Implement changes from mongodb/specifications#1082 and mongodb/specifications#1096 to test KMIP and add TLS options: Resync the new specification test kmipKMS.json Update the CSFLE prose tests Corpus Test , Custom Endpoint Test , Data key and double encryption . Add TLS options for KMS providers. Add prose test KMS TLS Options Tests Drivers should sync with mongodb/specifications@11df644 .
    • Hide

      Lead: Kevin

      Summary: A wrap up project for CSFLE 1.0 until we are able to deliver a new FLE experience to users.

      2021-11-02: Updating target date to 2021-11-05

      Status update:

      • libmongocrypt changes are merged.
      • Spec change is in review. C#, Java, and Go are working on implementations.
      • C PoC passes all tests.

      Rationale for delays:

      • Spec review added a request to add default ports in libmongocrypt

      Risks:

      • Delays push driver support of KMIP beyond 5.1 timeline.

      2021-10-19: Updating target date to 2021-10-22

      Status update:

      • libmongocrypt changes are in final review.
      • PoC of KMIP and tests working in C driver.
      • Working on getting C driver tests in Evergreen and updating spec.
      • Goal is to get spec change in review 2021-10-20.

      Rationale for delays:

      • No surprises came up in implementation. Delays are due to poor estimation and time management.

      Risks:

      • Further delays risk missing driver support of KMIP in the 5.1 timeline.

      2021-10-05: No update to target date.

      Status update:

      • PoC of KMIP working in libmongocrypt.
      • Preliminary refactoring in review.

      Rationale for delays:

      • No delays.

      Risks:

      • If libmongocrypt 1.3.0 is not released by 10/15, this risks missing driver support of KMIP in the 5.1 timeline.

      2021-09-21:

      • Scope approved
      • Kevin implementing changes in libmongocrypt. Current target end date is 10/15

      2021-08-24:

      • Scope is in review. Target date for libmongocrypt and C implementation is 9/27, to give sufficient time for other drivers to complete in time for 5.1 release.
      Show
      Lead: Kevin Summary: A wrap up project for CSFLE 1.0 until we are able to deliver a new FLE experience to users. 2021-11-02: Updating target date to 2021-11-05 Status update: libmongocrypt changes are merged. Spec change is in review. C#, Java, and Go are working on implementations. C PoC passes all tests. Rationale for delays: Spec review added a request to add default ports in libmongocrypt Risks: Delays push driver support of KMIP beyond 5.1 timeline. 2021-10-19: Updating target date to 2021-10-22 Status update: libmongocrypt changes are in final review. PoC of KMIP and tests working in C driver. Working on getting C driver tests in Evergreen and updating spec. Goal is to get spec change in review 2021-10-20. Rationale for delays: No surprises came up in implementation. Delays are due to poor estimation and time management. Risks: Further delays risk missing driver support of KMIP in the 5.1 timeline. 2021-10-05: No update to target date. Status update: PoC of KMIP working in libmongocrypt. Preliminary refactoring in review. Rationale for delays: No delays. Risks: If libmongocrypt 1.3.0 is not released by 10/15, this risks missing driver support of KMIP in the 5.1 timeline. 2021-09-21: Scope approved Kevin implementing changes in libmongocrypt. Current target end date is 10/15 2021-08-24: Scope is in review. Target date for libmongocrypt and C implementation is 9/27, to give sufficient time for other drivers to complete in time for 5.1 release.
    • $i18n.getText("admin.common.words.hide")
      Key Status/Resolution FixVersion
      CDRIVER-4100 Fixed 1.20.0
      CSHARP-3758 Fixed 2.14.0
      GODRIVER-2102 Done 1.8.0
      JAVA-4255 Fixed 4.4.0
      NODE-3471 Fixed mongodb-client-encryption-2.0.0
      MOTOR-793 Duplicate
      PYTHON-2835 Fixed 4.0
      PHPC-1912 Fixed 1.12.0
      RUBY-2749 Done 2.18.0
      RUST-936 Duplicate
      SWIFT-1280 Duplicate
      CXX-2410 Fixed 3.7.0
      $i18n.getText("admin.common.words.show")
      #scriptField, #scriptField *{ border: 1px solid black; } #scriptField{ border-collapse: collapse; } #scriptField td { text-align: center; /* Center-align text in table cells */ } #scriptField td.key { text-align: left; /* Left-align text in the Key column */ } #scriptField a { text-decoration: none; /* Remove underlines from links */ border: none; /* Remove border from links */ } /* Add green background color to cells with FixVersion */ #scriptField td.hasFixVersion { background-color: #00FF00; /* Green color code */ } /* Center-align the first row headers */ #scriptField th { text-align: center; } Key Status/Resolution FixVersion CDRIVER-4100 Fixed 1.20.0 CSHARP-3758 Fixed 2.14.0 GODRIVER-2102 Done 1.8.0 JAVA-4255 Fixed 4.4.0 NODE-3471 Fixed mongodb-client-encryption-2.0.0 MOTOR-793 Duplicate PYTHON-2835 Fixed 4.0 PHPC-1912 Fixed 1.12.0 RUBY-2749 Done 2.18.0 RUST-936 Duplicate SWIFT-1280 Duplicate CXX-2410 Fixed 3.7.0

      Summary

      Support KMIP as a KMS provider.

      Motivation

      • Supporting KMIP enables Hashicorp Vault as a KMS provider with Hashicorp Vault's KMIP Secrets Engine.

      Who is the affected end user?

      Users who are already using our client side field level encryption

      How does this affect the end user?

      It enables existing users to use KMIP supporting services as a KMS provider in CSFLE.

      Is this issue urgent?

      No.

      Is this ticket required by a downstream team?

      It is probably a prerequisite for the MongoDB shell and mongosh to support KMIP.

      Cast of Characters

      Engineering Lead: Kevin Albertson
      Document Author: Rachelle Palmer, Kevin Albertson
      POCers: Kevin Albertson, Jeff Yemin
      Product Owner: Rachelle Palmer
      Program Manager: Esha Bharghava
      Stakeholders: Mark Benvenuto

      Channels & Docs

      Slack Channel: drivers-1353-csfle-kmip

      KMIP Scope Document

            Assignee:
            rachelle.palmer@mongodb.com Rachelle Palmer
            Reporter:
            kevin.albertson@mongodb.com Kevin Albertson
            Votes:
            0 Vote for this issue
            Watchers:
            10 Start watching this issue

              Created:
              Updated:
              Resolved: