Uploaded image for project: 'Node.js Driver'
  1. Node.js Driver
  2. NODE-5801

CSFLE/QE Support for more than 1 KMS provider per type

XMLWordPrintableJSON

    • Type: Icon: New Feature New Feature
    • Resolution: Fixed
    • Priority: Icon: Major - P3 Major - P3
    • 6.8.0
    • Affects Version/s: None
    • Component/s: Client Side Encryption
    • None
    • 3
    • Hide

      DRIVERS-2731:

      Summary

      Driver Changes

      Some drivers may need API changes to accept an arbitrary string where a KMS provider is accepted: kmsProviders, KMSProvidersTLSOptions, ClientEncryption.createDataKey(), and RewrapManyDataKeyOpts.provider

      Can current drivers accept arbitrary strings for KMS identifier? suggests Node and Rust will need API changes.

      Drivers may need changes to support named KMS providers in the KMSProvidersTLSOptions map.

      Test Changes

      Specification tests are added. This introduces use of the encrypt and decrypt operations in the unified test format.

      The Unified Test Format schema 1.18 is added to allow patternProperties in kmsProviders.

      Tests refer to additional KMS providers: local:name1, aws:name1, gcp:name1, azure:name1, and kmip:name1.

      The name1 KMS providers may be configured exactly as the unnamed KMS providers. I.e. aws:name1 is configured the same as aws.

      To test configuring two KMS providers of the same type referring to distinct credentials, two more test KMS providers are defined: local:name2 and aws:name2.

      Test credentials for aws:name2 are available in AWS Secrets Manager under drivers/csfle. The aws:name2 account credentials are in FLE_AWS_SECRET2 and FLE_AWS_KEY2. See https://wiki.corp.mongodb.com/display/DRIVERS/Using+AWS+Secrets+Manager+to+Store+Testing+Secrets for more background on how the secrets are managed.

      Prose Test 11 (KMS TLS Options Tests) is extended to test named KMS providers.

      References

      https://github.com/mongodb/specifications/pull/1492 includes the specification change and tests.

      https://github.com/mongodb/mongo-c-driver/pull/1509 is a reference implementation in the C driver.

      Show
      DRIVERS-2731 : Summary Driver Changes Some drivers may need API changes to accept an arbitrary string where a KMS provider is accepted: kmsProviders , KMSProvidersTLSOptions , ClientEncryption.createDataKey() , and RewrapManyDataKeyOpts.provider Can current drivers accept arbitrary strings for KMS identifier? suggests Node and Rust will need API changes. Drivers may need changes to support named KMS providers in the KMSProvidersTLSOptions map. Test Changes Specification tests are added. This introduces use of the encrypt and decrypt  operations in the unified test format. The Unified Test Format schema 1.18 is added to allow patternProperties in kmsProviders. Tests refer to additional KMS providers: local:name1 , aws:name1 , gcp:name1 , azure:name1 , and kmip:name1 . The name1 KMS providers may be configured exactly as the unnamed KMS providers. I.e. aws:name1 is configured the same as aws . To test configuring two KMS providers of the same type referring to distinct credentials, two more test KMS providers are defined: local:name2 and aws:name2 . Test credentials for aws:name2 are available in AWS Secrets Manager under drivers/csfle . The aws:name2 account credentials are in FLE_AWS_SECRET2 and FLE_AWS_KEY2 . See https://wiki.corp.mongodb.com/display/DRIVERS/Using+AWS+Secrets+Manager+to+Store+Testing+Secrets for more background on how the secrets are managed. Prose Test 11 ( KMS TLS Options Tests ) is extended to test named KMS providers. References https://github.com/mongodb/specifications/pull/1492 includes the specification change and tests. https://github.com/mongodb/mongo-c-driver/pull/1509 is a reference implementation in the C driver.
    • Not Needed
    • Hide

      Create a copy of the Kickoff Template with the issue key (NODE-XXX) in the filename and share a link to the new doc via this field.

      Show
      Create a copy of the Kickoff Template with the issue key (NODE-XXX) in the filename and share a link to the new doc via this field.
    • Not Needed
    • Hide

      1. What would you like to communicate to the user about this feature?
      2. Would you like the user to see examples of the syntax and/or executable code and its output?
      3. Which versions of the driver/connector does this apply to?

      Show
      1. What would you like to communicate to the user about this feature? 2. Would you like the user to see examples of the syntax and/or executable code and its output? 3. Which versions of the driver/connector does this apply to?

      This ticket was split from DRIVERS-2731, please see that ticket for a detailed description.

            Assignee:
            bailey.pearson@mongodb.com Bailey Pearson
            Reporter:
            dbeng-pm-bot PM Bot
            Neal Beeken
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Created:
              Updated:
              Resolved: