[JAVA-5275] CSFLE/QE Support for more than 1 KMS provider per type Created: 20/Dec/23 Updated: 05/Feb/24 |
|
| Status: | Backlog |
| Project: | Java Driver |
| Component/s: | Client Side Encryption |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | New Feature | Priority: | Major - P3 |
| Reporter: | PM Bot | Assignee: | Unassigned |
| Resolution: | Unresolved | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Issue Links: |
|
| Quarter: | FY25Q2 | ||||||||
| Upstream Changes Summary: |
Summary

Driver Changes: Some drivers may need API changes to accept an arbitrary string where a KMS provider is accepted: kmsProviders, KMSProvidersTLSOptions, ClientEncryption.createDataKey(), and RewrapManyDataKeyOpts.provider. "Can current drivers accept arbitrary strings for KMS identifier?" suggests Node and Rust will need API changes. Drivers may need changes to support named KMS providers in the KMSProvidersTLSOptions map.

Test Changes: Specification tests are added. This introduces use of the encrypt and decrypt operations in the unified test format. The Unified Test Format schema 1.18 is added to allow patternProperties in kmsProviders. Tests refer to additional KMS providers: local:name1, aws:name1, gcp:name1, azure:name1, and kmip:name1. The name1 KMS providers may be configured exactly as the unnamed KMS providers, i.e. aws:name1 is configured the same as aws. To test configuring two KMS providers of the same type referring to distinct credentials, two more test KMS providers are defined: local:name2 and aws:name2. Test credentials for aws:name2 are available in AWS Secrets Manager under drivers/csfle. The aws:name2 account credentials are in FLE_AWS_SECRET2 and FLE_AWS_KEY2. See https://wiki.corp.mongodb.com/display/DRIVERS/Using+AWS+Secrets+Manager+to+Store+Testing+Secrets for more background on how the secrets are managed. Prose Test 11 (KMS TLS Options Tests) is extended to test named KMS providers.

References: https://github.com/mongodb/specifications/pull/1492 includes the specification change and tests. https://github.com/mongodb/mongo-c-driver/pull/1509 is a reference implementation in the C driver.
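The following is an added illustration, not code from this ticket, the specification PR, or the Java driver itself. It assumes the named-provider support described above is implemented in the Java driver, so that a kmsProviders key such as "aws:name2" is accepted alongside the unnamed "aws" entry and can be passed to ClientEncryption.createDataKey(). It shows two AWS providers of the same type backed by distinct credentials, and a data key created under the named one. The connection string, key vault namespace, region, key ARN and the FLE_AWS_KEY / FLE_AWS_SECRET variable names for the unnamed provider are placeholders or assumptions; only FLE_AWS_KEY2 / FLE_AWS_SECRET2 come from the ticket.

```java
import com.mongodb.ClientEncryptionSettings;
import com.mongodb.ConnectionString;
import com.mongodb.MongoClientSettings;
import com.mongodb.client.model.vault.DataKeyOptions;
import com.mongodb.client.vault.ClientEncryption;
import com.mongodb.client.vault.ClientEncryptions;
import org.bson.BsonBinary;
import org.bson.BsonDocument;
import org.bson.BsonString;

import java.util.HashMap;
import java.util.Map;

public class NamedKmsProvidersExample {

    // Builds the kmsProviders map. Keys are KMS provider identifiers; with the
    // feature this ticket tracks, a provider of a given type may carry a name after
    // a colon ("aws:name2") and each entry holds its own credentials. Having two
    // entries of the same type lets one client reach CMKs in two AWS accounts.
    static Map<String, Map<String, Object>> buildKmsProviders(
            String key1, String secret1, String key2, String secret2) {
        Map<String, Object> aws = new HashMap<>();
        aws.put("accessKeyId", key1);
        aws.put("secretAccessKey", secret1);

        Map<String, Object> awsName2 = new HashMap<>();
        awsName2.put("accessKeyId", key2);
        awsName2.put("secretAccessKey", secret2);

        Map<String, Map<String, Object>> kmsProviders = new HashMap<>();
        kmsProviders.put("aws", aws);            // unnamed provider (existing behaviour)
        kmsProviders.put("aws:name2", awsName2); // named provider, same type, distinct credentials
        return kmsProviders;
    }

    public static void main(String[] args) {
        // Credentials come from the environment. FLE_AWS_KEY2 / FLE_AWS_SECRET2 are the
        // variables the ticket names for the aws:name2 test account; FLE_AWS_KEY /
        // FLE_AWS_SECRET for the unnamed provider are an assumption of this example.
        Map<String, Map<String, Object>> kmsProviders = buildKmsProviders(
                System.getenv("FLE_AWS_KEY"), System.getenv("FLE_AWS_SECRET"),
                System.getenv("FLE_AWS_KEY2"), System.getenv("FLE_AWS_SECRET2"));

        // Placeholder key vault location; use the deployment's real values.
        ClientEncryptionSettings settings = ClientEncryptionSettings.builder()
                .keyVaultMongoClientSettings(MongoClientSettings.builder()
                        .applyConnectionString(new ConnectionString("mongodb://localhost:27017"))
                        .build())
                .keyVaultNamespace("encryption.__keyVault")
                .kmsProviders(kmsProviders)
                .build();

        try (ClientEncryption clientEncryption = ClientEncryptions.create(settings)) {
            // masterKey identifies the CMK in the second account; region and ARN are placeholders.
            BsonDocument masterKey = new BsonDocument("region", new BsonString("us-east-1"))
                    .append("key", new BsonString(
                            "arn:aws:kms:us-east-1:000000000000:key/PLACEHOLDER-KEY-ID"));

            // The provider string selects which credential set the driver uses to wrap
            // the new data key; "aws" would use the first account, "aws:name2" the second.
            BsonBinary dataKeyId = clientEncryption.createDataKey("aws:name2",
                    new DataKeyOptions().masterKey(masterKey));
            System.out.println("created data key id: " + dataKeyId.asUuid());
        }
    }
}
```

The resulting key document in the key vault records "aws:name2" as its provider, so later decryption resolves credentials through that named entry; keeping the two credential sets in separate map entries rather than reusing "aws" is what makes it possible to rotate or revoke one account's access without touching the other.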
| Documentation Changes Summary: | 1. What would you like to communicate to the user about this feature? |
| Description |
|
This ticket was split from DRIVERS-2731, please see that ticket for a detailed description. |