Uploaded image for project: 'Drivers'
  1. Drivers
  2. DRIVERS-2781

Add option to configure DEK cache lifetime

    • Needed
    • Hide

      Summary of necessary driver changes

      •  

      Commits for syncing spec/prose tests
      (and/or refer to an existing language POC if needed)

      •  

      Context for other referenced/linked tickets

      •  
      Show
      Summary of necessary driver changes   Commits for syncing spec/prose tests (and/or refer to an existing language POC if needed)   Context for other referenced/linked tickets  
    • $i18n.getText("admin.common.words.hide")
      Key Status/Resolution FixVersion
      CDRIVER-5644 Blocked
      CXX-3080 Blocked
      CSHARP-5205 Blocked
      GODRIVER-3289 Blocked
      JAVA-5547 Blocked
      NODE-6294 Blocked
      MOTOR-1348 Blocked
      PYTHON-4580 Blocked
      PHPLIB-1496 Blocked
      RUBY-3524 Blocked
      RUST-2006 Blocked
      $i18n.getText("admin.common.words.show")
      #scriptField, #scriptField *{ border: 1px solid black; } #scriptField{ border-collapse: collapse; } #scriptField td { text-align: center; /* Center-align text in table cells */ } #scriptField td.key { text-align: left; /* Left-align text in the Key column */ } #scriptField a { text-decoration: none; /* Remove underlines from links */ border: none; /* Remove border from links */ } /* Add green background color to cells with FixVersion */ #scriptField td.hasFixVersion { background-color: #00FF00; /* Green color code */ } /* Center-align the first row headers */ #scriptField th { text-align: center; } Key Status/Resolution FixVersion CDRIVER-5644 Blocked CXX-3080 Blocked CSHARP-5205 Blocked GODRIVER-3289 Blocked JAVA-5547 Blocked NODE-6294 Blocked MOTOR-1348 Blocked PYTHON-4580 Blocked PHPLIB-1496 Blocked RUBY-3524 Blocked RUST-2006 Blocked

      Summary

      Add option to configure DEK cache lifetime.

      Motivation

      At present, libmongocrypt caches the decrypted DEK for a fixed lifetime of 1 minute. There is a report of observed errors decrypting DEKs with KMS on heavy load. This may be due to the high rate of KMS requests. Adding an option to increase the lifetime may help these use cases reduce the rate of KMS requests.

      Who is the affected end user?

      Users of In-Use Encryption (CSFLE and/or QE) with heavy workloads requiring many KMS requests.

      How does this affect the end user?

      May result in more KMS requests than desired on heavy load. There is a report of observed errors decrypting DEKs with KMS on heavy load.

      How likely is it that this problem or use case will occur?

      Likely. There is a report of observed errors decrypting DEKs with KMS on heavy load. The high rate of KMS requests is the presumed cause.

      JAVA-5297 notes errors observed for Azure KMS requests that may benefit from a configurable DEK cache timeout.

      If the problem does occur, what are the consequences and how severe are they?

      Application errors.

      Is this issue urgent?

      Not sure.

      Is this ticket required by a downstream team?

      No?

      Is this ticket only for tests?

      No.

      Acceptance Criteria

      Update libmongocrypt to enable configuring the DEK cache lifetime.
      Add API to drivers to enable configuring the DEK cache lifetime.

            Assignee:
            adrian.dole@mongodb.com Adrian Dole
            Reporter:
            kevin.albertson@mongodb.com Kevin Albertson
            Kevin Albertson Kevin Albertson
            Esha Bhargava Esha Bhargava
            Esha Bhargava Esha Bhargava
            Votes:
            9 Vote for this issue
            Watchers:
            9 Start watching this issue

              Created:
              Updated: