DRIVERS-1353

CSFLE 1.0 KMIP Support


Details

    • Needed

      Upgrade libmongocrypt dependency to 1.3.0. Wrap the new mongocrypt_kms_ctx_get_kms_provider function in bindings.

      Implement changes from mongodb/specifications#1082 and mongodb/specifications#1096 to test KMIP and add TLS options:

      • Resync the new specification test kmipKMS.json.
      • Update the CSFLE prose tests: Corpus Test, Custom Endpoint Test, and Data key and double encryption.
      • Add TLS options for KMS providers.
      • Add the prose test KMS TLS Options Tests.

      Drivers should sync with mongodb/specifications@11df644.


      Lead: Kevin

      Summary: A wrap-up project for CSFLE 1.0 until we are able to deliver a new FLE experience to users.

      2021-11-02: Updating target date to 2021-11-05

      Status update:

      • libmongocrypt changes are merged.
      • Spec change is in review. C#, Java, and Go are working on implementations.
      • C PoC passes all tests.

      Rationale for delays:

      • Spec review added a request to add default ports in libmongocrypt.

      Risks:

      • Delays push driver support of KMIP beyond 5.1 timeline.

      2021-10-19: Updating target date to 2021-10-22

      Status update:

      • libmongocrypt changes are in final review.
      • PoC of KMIP and tests working in C driver.
      • Working on getting C driver tests in Evergreen and updating spec.
      • Goal is to get spec change in review 2021-10-20.

      Rationale for delays:

      • No surprises came up in implementation. Delays are due to poor estimation and time management.

      Risks:

      • Further delays risk missing driver support of KMIP in the 5.1 timeline.

      2021-10-05: No update to target date.

      Status update:

      • PoC of KMIP working in libmongocrypt.
      • Preliminary refactoring in review.

      Rationale for delays:

      • No delays.

      Risks:

      • If libmongocrypt 1.3.0 is not released by 10/15, this risks missing driver support of KMIP in the 5.1 timeline.

      2021-09-21:

      • Scope approved
      • Kevin implementing changes in libmongocrypt. Current target end date is 10/15.

      2021-08-24:

      • Scope is in review. Target date for libmongocrypt and C implementation is 9/27, to give sufficient time for other drivers to complete in time for 5.1 release.

    Description

      Summary

      Support KMIP as a KMS provider.

      Motivation

      • Supporting KMIP enables HashiCorp Vault as a KMS provider with HashiCorp Vault's KMIP Secrets Engine.

      Who is the affected end user?

      Users who are already using our client-side field level encryption.

      How does this affect the end user?

      It enables existing users to use KMIP-supporting services as a KMS provider in CSFLE.

      Is this issue urgent?

      No.

      Is this ticket required by a downstream team?

      It is probably a prerequisite for the MongoDB shell and mongosh to support KMIP.

      Cast of Characters

      Engineering Lead: Kevin Albertson
      Document Author: Rachelle Palmer, Kevin Albertson
      POCers: Kevin Albertson, Jeff Yemin
      Product Owner: Rachelle Palmer
      Program Manager: Esha Bharghava
      Stakeholders: Mark Benvenuto

      Channels & Docs

      Slack Channel: drivers-1353-csfle-kmip

      KMIP Scope Document

            People

              rachelle.palmer@mongodb.com Rachelle Palmer
              kevin.albertson@mongodb.com Kevin Albertson