Libmongocrypt: MONGOCRYPT-382

Support on-demand credentials

    • Type: New Feature
    • Resolution: Fixed
    • Priority: Major - P3
    • Fix Version/s: 1.4.0-alpha0
    • Affects Version/s: None
    • Component/s: C library
    • Labels: None

Background & Motivation

KMS credentials are set on a mongocrypt_t with mongocrypt_setopt_kms_providers.

Once set, the KMS credentials cannot be changed for the lifetime of the mongocrypt_t.

This poses a problem for users wanting to use temporary credentials that may expire: there is no way to update the credentials on a mongocrypt_t.

Here is an example of getting AWS temporary credentials and using them with the Go driver for CSFLE.

Scope

• Add a new state, MONGOCRYPT_CTX_NEED_CREDENTIALS.
  • Rationale: Refreshing credentials may require I/O from the wrapping driver. For async drivers, a mongocrypt_ctx_t entering a new state allows the async driver to schedule an async routine.
• Add a new function on mongocrypt_ctx_t to provide credentials.
  • If a mongocrypt_ctx_t enters the state MONGOCRYPT_CTX_NEED_CREDENTIALS, the driver may call a new function on the mongocrypt_ctx_t to provide credentials.
  • This can override credentials set in the mongocrypt_t.
• Add a new function on mongocrypt_t to opt in to the new behavior.
  • Rationale: The new state requires updates to the driver bindings. Making this opt-in will not break existing drivers.
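The driver-side loop that the Scope above describes, as an added Go model; this is not libmongocrypt or driver code. The ticket names the state but not the functions, so the Crypt, Ctx and CredentialCache types, the ProvideCredentials and Drive functions, the opt-in field and the credential values are all assumptions standing in for the real API. It contrasts a mongocrypt_t whose static credentials have expired (every later ctx fails, and nothing can update it) with one that opted in to the new state, where the driver supplies temporary credentials on demand, caches them, and refreshes them before they expire.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// CtxState models the mongocrypt_ctx_t states used here.
type CtxState int

const (
	CtxNeedCredentials CtxState = iota // the proposed MONGOCRYPT_CTX_NEED_CREDENTIALS
	CtxReady
	CtxError
)

// KMSCredentials is a cut-down stand-in for the "aws" provider document: key id plus expiry.
type KMSCredentials struct {
	AccessKeyID string
	Expiration  time.Time
}

// Usable reports whether the credentials are present and not yet expired.
func (k KMSCredentials) Usable(now time.Time) bool {
	return k.AccessKeyID != "" && now.Before(k.Expiration)
}

// Crypt models mongocrypt_t: Static is fixed for its lifetime, OnDemand is the ticket's opt-in.
type Crypt struct {
	Static   KMSCredentials
	OnDemand bool
}
type Ctx struct{ State CtxState } // models mongocrypt_ctx_t, reduced to its state

// NewCtx enters NEED_CREDENTIALS when opted in; otherwise only the static credentials exist.
func (c *Crypt) NewCtx(now time.Time) *Ctx {
	if c.OnDemand {
		return &Ctx{State: CtxNeedCredentials}
	}
	if c.Static.Usable(now) {
		return &Ctx{State: CtxReady}
	}
	return &Ctx{State: CtxError} // expired static credentials: nothing can refresh them
}

// ProvideCredentials models the proposed ctx function; valid only in NEED_CREDENTIALS.
func (x *Ctx) ProvideCredentials(k KMSCredentials, now time.Time) error {
	if x.State != CtxNeedCredentials {
		return fmt.Errorf("credentials provided in state %d", x.State)
	}
	if !k.Usable(now) {
		x.State = CtxError
		return errors.New("provided KMS credentials are empty or already expired")
	}
	x.State = CtxReady
	return nil
}

// CredentialCache is the driver side: a constructed issuer standing in for STS or the
// instance metadata endpoint, whose credentials are refreshed Margin before they expire.
type CredentialCache struct {
	TTL, Margin time.Duration
	Fetches     int
	cached      KMSCredentials
}
func (s *CredentialCache) Get(now time.Time) KMSCredentials {
	if !s.cached.Usable(now.Add(s.Margin)) {
		s.Fetches++
		s.cached = KMSCredentials{fmt.Sprintf("ASIAEXAMPLE%03d", s.Fetches), now.Add(s.TTL)} // constructed
	}
	return s.cached
}

// Drive runs one ctx as a driver state loop would; an async driver would schedule the
// fetch when it sees NEED_CREDENTIALS instead of calling Get inline.
func Drive(x *Ctx, cache *CredentialCache, now time.Time) error {
	for x.State == CtxNeedCredentials {
		if err := x.ProvideCredentials(cache.Get(now), now); err != nil {
			return err
		}
	}
	if x.State == CtxError {
		return errors.New("ctx has no usable KMS credentials and cannot be updated")
	}
	return nil
}

// Scenario builds a mongocrypt_t at t0 with one-hour credentials, opens ctxs at t0+90,
// +100 and +146 minutes, and returns each ctx's final state plus the driver's fetch count.
func Scenario(optIn bool) (states []CtxState, fetches int) {
	t0 := time.Date(2023, 1, 1, 0, 0, 0, 0, time.UTC)
	crypt := &Crypt{Static: KMSCredentials{"ASIASTATIC", t0.Add(time.Hour)}, OnDemand: optIn}
	cache := &CredentialCache{TTL: time.Hour, Margin: 5 * time.Minute}
	for _, m := range []time.Duration{90, 100, 146} {
		now := t0.Add(m * time.Minute)
		x := crypt.NewCtx(now)
		_ = Drive(x, cache, now) // failure is also visible as x.State == CtxError
		states = append(states, x.State)
	}
	return states, cache.Fetches
}

func main() {
	fmt.Println(Scenario(false)) // [2 2 2] 0: every ctx fails and no fetch can help
	fmt.Println(Scenario(true))  // [1 1 1] 2: one fetch serves two ctxs, the third refreshes
}
```

Two checks in the model are worth carrying into a real binding: a ctx should reject credentials offered outside the NEED_CREDENTIALS state, and it should reject credentials that are already expired at the time they are provided, so that a stale credential fails at the ctx boundary rather than later inside the KMS request.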

Assignee: Kevin Albertson (kevin.albertson@mongodb.com)
Reporter: Kevin Albertson (kevin.albertson@mongodb.com)
Votes: 0
Watchers: 4
