Uploaded image for project: 'Ruby Driver'
  1. Ruby Driver
  2. RUBY-3363

CSFLE/QE Support for more than 1 KMS provider per type

    • Type: Icon: New Feature New Feature
    • Resolution: Unresolved
    • Priority: Icon: Major - P3 Major - P3
    • None
    • Affects Version/s: None
    • None
    • Hide

      DRIVERS-2731:

      Summary

      Driver Changes

      Some drivers may need API changes to accept an arbitrary string where a KMS provider is accepted: kmsProviders, KMSProvidersTLSOptions, ClientEncryption.createDataKey(), and RewrapManyDataKeyOpts.provider

      Can current drivers accept arbitrary strings for KMS identifier? suggests Node and Rust will need API changes.

      Drivers may need changes to support named KMS providers in the KMSProvidersTLSOptions map.

      Test Changes

      Specification tests are added. This introduces use of the encrypt and decrypt operations in the unified test format.

      The Unified Test Format schema 1.18 is added to allow patternProperties in kmsProviders.

      Tests refer to additional KMS providers: local:name1, aws:name1, gcp:name1, azure:name1, and kmip:name1.

      The name1 KMS providers may be configured exactly as the unnamed KMS providers. I.e. aws:name1 is configured the same as aws.

      To test configuring two KMS providers of the same type referring to distinct credentials, two more test KMS providers are defined: local:name2 and aws:name2.

      Test credentials for aws:name2 are available in AWS Secrets Manager under drivers/csfle. The aws:name2 account credentials are in FLE_AWS_SECRET2 and FLE_AWS_KEY2. See https://wiki.corp.mongodb.com/display/DRIVERS/Using+AWS+Secrets+Manager+to+Store+Testing+Secrets for more background on how the secrets are managed.

      Prose Test 11 (KMS TLS Options Tests) is extended to test named KMS providers.

      References

      https://github.com/mongodb/specifications/pull/1492 includes the specification change and tests.

      https://github.com/mongodb/mongo-c-driver/pull/1509 is a reference implementation in the C driver.

      Show
      DRIVERS-2731 : Summary Driver Changes Some drivers may need API changes to accept an arbitrary string where a KMS provider is accepted: kmsProviders , KMSProvidersTLSOptions , ClientEncryption.createDataKey() , and RewrapManyDataKeyOpts.provider Can current drivers accept arbitrary strings for KMS identifier? suggests Node and Rust will need API changes. Drivers may need changes to support named KMS providers in the KMSProvidersTLSOptions map. Test Changes Specification tests are added. This introduces use of the encrypt and decrypt  operations in the unified test format. The Unified Test Format schema 1.18 is added to allow patternProperties in kmsProviders. Tests refer to additional KMS providers: local:name1 , aws:name1 , gcp:name1 , azure:name1 , and kmip:name1 . The name1 KMS providers may be configured exactly as the unnamed KMS providers. I.e. aws:name1 is configured the same as aws . To test configuring two KMS providers of the same type referring to distinct credentials, two more test KMS providers are defined: local:name2 and aws:name2 . Test credentials for aws:name2 are available in AWS Secrets Manager under drivers/csfle . The aws:name2 account credentials are in FLE_AWS_SECRET2 and FLE_AWS_KEY2 . See https://wiki.corp.mongodb.com/display/DRIVERS/Using+AWS+Secrets+Manager+to+Store+Testing+Secrets for more background on how the secrets are managed. Prose Test 11 ( KMS TLS Options Tests ) is extended to test named KMS providers. References https://github.com/mongodb/specifications/pull/1492 includes the specification change and tests. https://github.com/mongodb/mongo-c-driver/pull/1509 is a reference implementation in the C driver.

      This ticket was split from DRIVERS-2731, please see that ticket for a detailed description.

            Assignee:
            Unassigned Unassigned
            Reporter:
            dbeng-pm-bot PM Bot
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Created:
              Updated:

                Estimated:
                Original Estimate - Not Specified
                Not Specified
                Remaining:
                Remaining Estimate - 2 weeks
                2w
                Logged:
                Time Spent - Not Specified
                Not Specified