[DRIVERS-1353] CSFLE 1.0 KMIP Support Created: 03/Aug/20  Updated: 29/Sep/22  Resolved: 09/Sep/22

Status: Closed
Project: Drivers
Component/s: Client Side Encryption
Fix Version/s: None

Type: Epic Priority: Major - P3
Reporter: Kevin Albertson Assignee: Rachelle Palmer
Resolution: Done Votes: 0
Labels: big-rock, phase1, rp-track
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Issue split
split to CDRIVER-4100 CSFLE 1.0 KMIP Support Closed
split to CSHARP-3758 CSFLE 1.0 KMIP Support Closed
split to GODRIVER-2102 CSFLE 1.0 KMIP Support Closed
split to JAVA-4255 CSFLE 1.0 KMIP Support Closed
split to MOTOR-793 CSFLE 1.0 KMIP Support Closed
split to NODE-3471 CSFLE 1.0 KMIP Support Closed
split to PHPC-1912 CSFLE 1.0 KMIP Support Closed
split to PYTHON-2835 CSFLE 1.0 KMIP Support Closed
split to RUBY-2749 CSFLE 1.0 Wrap Up Closed
split to RUST-936 CSFLE 1.0 KMIP Support Closed
split to CXX-2410 Support KMIP provider Closed
Related
related to DRIVERS-1844 CSFLE 2.0 Work Closed
related to DRIVERS-1986 Consolidate "KMS TLS Tests" and "KMS ... Backlog
Driver Changes: Needed
Quarter: FY22Q4
Downstream Changes Summary:

Upgrade the libmongocrypt dependency to 1.3.0 and wrap the new mongocrypt_kms_ctx_get_kms_provider function in the bindings.

Implement changes from mongodb/specifications#1082 and mongodb/specifications#1096 to test KMIP and add TLS options:

  • Resync the new specification test kmipKMS.json.
  • Update the CSFLE prose tests: Corpus Test, Custom Endpoint Test, and Data key and double encryption.
  • Add TLS options for KMS providers.
  • Add the prose test KMS TLS Options Tests.

Drivers should sync with mongodb/specifications@11df644.

Detailed Project Statuses:

Lead: Kevin

Summary: A wrap up project for CSFLE 1.0 until we are able to deliver a new FLE experience to users.

2021-11-02: Updating target date to 2021-11-05

Status update:

  • libmongocrypt changes are merged.
  • Spec change is in review. C#, Java, and Go are working on implementations.
  • C PoC passes all tests.

Rationale for delays:

  • Spec review added a request to add default ports in libmongocrypt

Risks:

  • Delays push driver support of KMIP beyond 5.1 timeline.

2021-10-19: Updating target date to 2021-10-22

Status update:

  • libmongocrypt changes are in final review.
  • PoC of KMIP and tests working in C driver.
  • Working on getting C driver tests in Evergreen and updating spec.
  • Goal is to get spec change in review 2021-10-20.

Rationale for delays:

  • No surprises came up in implementation. Delays are due to poor estimation and time management.

Risks:

  • Further delays risk missing driver support of KMIP in the 5.1 timeline.

2021-10-05: No update to target date.

Status update:

  • PoC of KMIP working in libmongocrypt.
  • Preliminary refactoring in review.

Rationale for delays:

  • No delays.

Risks:

  • If libmongocrypt 1.3.0 is not released by 10/15, this risks missing driver support of KMIP in the 5.1 timeline.

2021-09-21:

  • Scope approved
  • Kevin implementing changes in libmongocrypt. Current target end date is 10/15

2021-08-24:

  • Scope is in review. Target date for libmongocrypt and C implementation is 9/27, to give sufficient time for other drivers to complete in time for 5.1 release.

Driver Compliance:

Key            Status/Resolution   FixVersion
CDRIVER-4100   Fixed               1.20.0
CSHARP-3758    Fixed               2.14.0
GODRIVER-2102  Done                1.8.0
JAVA-4255      Fixed               4.4.0
NODE-3471      Fixed               mongodb-client-encryption-2.0.0
MOTOR-793      Duplicate
PYTHON-2835    Fixed               4.0
PHPC-1912      Fixed               1.12.0
RUBY-2749      Done                2.18.0
RUST-936       Duplicate
SWIFT-1280     Duplicate
CXX-2410       Fixed               3.7.0

Description

Summary

Support KMIP as a KMS provider.

Motivation

  • Supporting KMIP enables HashiCorp Vault to be used as a KMS provider through HashiCorp Vault's KMIP Secrets Engine.

Who is the affected end user?

Users who are already using our client-side field level encryption.

How does this affect the end user?

It enables existing users to use KMIP supporting services as a KMS provider in CSFLE.

Is this issue urgent?

No.

Is this ticket required by a downstream team?

It is probably a prerequisite for the MongoDB shell and mongosh to support KMIP.

Cast of Characters

Engineering Lead: Kevin Albertson
Document Author: Rachelle Palmer, Kevin Albertson
POCers: Kevin Albertson, Jeff Yemin
Product Owner: Rachelle Palmer
Program Manager: Esha Bharghava
Stakeholders: Mark Benvenuto

Channels & Docs

Slack Channel: drivers-1353-csfle-kmip

KMIP Scope Document

Comments
Comment by Githook User [ 09/Nov/21 ]

Author:

{'name': 'Kevin Albertson', 'email': 'kevin.albertson@mongodb.com', 'username': 'kevinAlbs'}

Message: DRIVERS-1353 clarify defaults of OCSP options (#1099)
Branch: master
https://github.com/mongodb/specifications/commit/11df6444a1c9db56153a7cda0525d5c857894fcf

Comment by Githook User [ 09/Nov/21 ]

Author:

{'name': 'Kevin Albertson', 'email': 'kevin.albertson@mongodb.com', 'username': 'kevinAlbs'}

Message: DRIVERS-1353 fix AWS cases KMS TLS Options Tests (#1096)
Branch: master
https://github.com/mongodb/specifications/commit/f679da74caadf103ab372fcf8b4aa70d2d54fcd1

Comment by Githook User [ 08/Nov/21 ]

Author:

{'name': 'Kevin Albertson', 'email': 'kevin.albertson@mongodb.com', 'username': 'kevinAlbs'}

Message: DRIVERS-1353 client_encryption_no_tls => client_encryption_no_client_cert (#1097)
Branch: master
https://github.com/mongodb/specifications/commit/676a4623379b211d2e29a81c73ab5bf5d47ab708

Comment by Githook User [ 04/Nov/21 ]

Author:

{'name': 'Kevin Albertson', 'email': 'kevin.albertson@mongodb.com', 'username': 'kevinAlbs'}

Message: DRIVERS-1353 add "kmip" KMS provider (#1082)
Branch: master
https://github.com/mongodb/specifications/commit/5964c134a85707dcfa3c54b7f9f88d3451f4a175

Comment by Githook User [ 04/Nov/21 ]

Author:

{'name': 'Kevin Albertson', 'email': 'kevin.albertson@mongodb.com', 'username': 'kevinAlbs'}

Message: DRIVERS-1353 add kms_kmip_server.py (#171)
Branch: master
https://github.com/mongodb-labs/drivers-evergreen-tools/commit/62f34e8fb7f2f50a2d709deb8aa66d7fb1bcf799

Generated at Thu Feb 08 08:23:15 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.