* Revert "Revert "Refactor GetEncryptCipherKeys (#9600)" (#9708)"
This commit is contained in:
Nim Wijetunga
GitHub
parent
6b37163473
commit
6e4e6ab2f4
|
|
@ -26,7 +26,7 @@
|
|||
#include "fdbclient/CommitProxyInterface.h"
|
||||
#include "fdbclient/CommitTransaction.h"
|
||||
#include "fdbclient/FDBTypes.h"
|
||||
#include "fdbclient/GetEncryptCipherKeys.actor.h"
|
||||
#include "fdbclient/GetEncryptCipherKeys.h"
|
||||
#include "fdbclient/DatabaseContext.h"
|
||||
#include "fdbclient/ManagementAPI.actor.h"
|
||||
#include "fdbclient/MetaclusterRegistration.h"
|
||||
|
|
@ -372,12 +372,14 @@ ACTOR static Future<Void> decodeBackupLogValue(Arena* arena,
|
|||
Reference<AsyncVar<ClientDBInfo> const> dbInfo = cx->clientInfo;
|
||||
try {
|
||||
if (CLIENT_KNOBS->ENABLE_CONFIGURABLE_ENCRYPTION) {
|
||||
TextAndHeaderCipherKeys cipherKeys = wait(getEncryptCipherKeys(
|
||||
dbInfo, logValue.configurableEncryptionHeader(), BlobCipherMetrics::RESTORE));
|
||||
TextAndHeaderCipherKeys cipherKeys =
|
||||
wait(GetEncryptCipherKeys<ClientDBInfo>::getEncryptCipherKeys(
|
||||
dbInfo, logValue.configurableEncryptionHeader(), BlobCipherMetrics::RESTORE));
|
||||
logValue = logValue.decrypt(cipherKeys, tempArena, BlobCipherMetrics::RESTORE);
|
||||
} else {
|
||||
TextAndHeaderCipherKeys cipherKeys = wait(
|
||||
getEncryptCipherKeys(dbInfo, *logValue.encryptionHeader(), BlobCipherMetrics::RESTORE));
|
||||
TextAndHeaderCipherKeys cipherKeys =
|
||||
wait(GetEncryptCipherKeys<ClientDBInfo>::getEncryptCipherKeys(
|
||||
dbInfo, *logValue.encryptionHeader(), BlobCipherMetrics::RESTORE));
|
||||
logValue = logValue.decrypt(cipherKeys, tempArena, BlobCipherMetrics::RESTORE);
|
||||
}
|
||||
} catch (Error& e) {
|
||||
|
|
|
|||
|
|
@ -1,9 +1,11 @@
|
|||
#include "fdbclient/CommitProxyInterface.h"
|
||||
#include "fdbclient/CoordinationInterface.h"
|
||||
#include "fdbclient/GetEncryptCipherKeys_impl.actor.h"
|
||||
|
||||
// Instantiate ClientDBInfo related tempates
|
||||
template class ReplyPromise<struct ClientDBInfo>;
|
||||
template class ReplyPromise<CachedSerialization<ClientDBInfo>>;
|
||||
template class GetEncryptCipherKeys<ClientDBInfo>;
|
||||
|
||||
// Instantiate OpenDatabaseCoordRequest related templates
|
||||
template struct NetNotifiedQueue<OpenDatabaseCoordRequest, true>;
|
||||
|
|
|
|||
|
|
@ -18,6 +18,7 @@
|
|||
* limitations under the License.
|
||||
*/
|
||||
|
||||
#include "fdbclient/CommitProxyInterface.h"
|
||||
#include "fdbclient/DatabaseConfiguration.h"
|
||||
#include "fdbclient/TenantEntryCache.actor.h"
|
||||
#include "fdbclient/TenantManagement.actor.h"
|
||||
|
|
@ -32,7 +33,7 @@
|
|||
#include "fdbclient/ClientBooleanParams.h"
|
||||
#include "fdbclient/DatabaseContext.h"
|
||||
#include "fdbclient/FDBTypes.h"
|
||||
#include "fdbclient/GetEncryptCipherKeys.actor.h"
|
||||
#include "fdbclient/GetEncryptCipherKeys.h"
|
||||
#include "fdbclient/JsonBuilder.h"
|
||||
#include "fdbclient/KeyBackedTypes.h"
|
||||
#include "fdbclient/KeyRangeMap.h"
|
||||
|
|
@ -581,8 +582,8 @@ struct EncryptedRangeFileWriter : public IRangeFileWriter {
|
|||
Reference<AsyncVar<ClientDBInfo> const> dbInfo = cx->clientInfo;
|
||||
if (std::holds_alternative<BlobCipherEncryptHeaderRef>(headerVariant)) { // configurable encryption
|
||||
state BlobCipherEncryptHeaderRef headerRef = std::get<BlobCipherEncryptHeaderRef>(headerVariant);
|
||||
TextAndHeaderCipherKeys cipherKeys =
|
||||
wait(getEncryptCipherKeys(dbInfo, headerRef, BlobCipherMetrics::RESTORE));
|
||||
TextAndHeaderCipherKeys cipherKeys = wait(GetEncryptCipherKeys<ClientDBInfo>::getEncryptCipherKeys(
|
||||
dbInfo, headerRef, BlobCipherMetrics::RESTORE));
|
||||
EncryptHeaderCipherDetails cipherDetails = headerRef.getCipherDetails();
|
||||
cipherDetails.textCipherDetails.validateCipherDetailsWithCipherKey(cipherKeys.cipherTextKey);
|
||||
if (cipherDetails.headerCipherDetails.present()) {
|
||||
|
|
@ -593,7 +594,8 @@ struct EncryptedRangeFileWriter : public IRangeFileWriter {
|
|||
return decryptor.decrypt(dataP, dataLen, headerRef, *arena);
|
||||
} else {
|
||||
state BlobCipherEncryptHeader header = std::get<BlobCipherEncryptHeader>(headerVariant);
|
||||
TextAndHeaderCipherKeys cipherKeys = wait(getEncryptCipherKeys(dbInfo, header, BlobCipherMetrics::RESTORE));
|
||||
TextAndHeaderCipherKeys cipherKeys = wait(
|
||||
GetEncryptCipherKeys<ClientDBInfo>::getEncryptCipherKeys(dbInfo, header, BlobCipherMetrics::RESTORE));
|
||||
header.cipherTextDetails.validateCipherDetailsWithCipherKey(cipherKeys.cipherTextKey);
|
||||
if (header.cipherHeaderDetails.isValid()) {
|
||||
header.cipherHeaderDetails.validateCipherDetailsWithCipherKey(cipherKeys.cipherHeaderKey);
|
||||
|
|
@ -616,7 +618,8 @@ struct EncryptedRangeFileWriter : public IRangeFileWriter {
|
|||
EncryptCipherDomainId domainId) {
|
||||
Reference<AsyncVar<ClientDBInfo> const> dbInfo = self->cx->clientInfo;
|
||||
TextAndHeaderCipherKeys cipherKeys =
|
||||
wait(getLatestEncryptCipherKeysForDomain(dbInfo, domainId, BlobCipherMetrics::BACKUP));
|
||||
wait(GetEncryptCipherKeys<ClientDBInfo>::getLatestEncryptCipherKeysForDomain(
|
||||
dbInfo, domainId, BlobCipherMetrics::BACKUP));
|
||||
return cipherKeys.cipherTextKey;
|
||||
}
|
||||
|
||||
|
|
@ -674,7 +677,8 @@ struct EncryptedRangeFileWriter : public IRangeFileWriter {
|
|||
|
||||
// Get text and header cipher key
|
||||
TextAndHeaderCipherKeys textAndHeaderCipherKeys =
|
||||
wait(getLatestEncryptCipherKeysForDomain(dbInfo, curDomainId, BlobCipherMetrics::BACKUP));
|
||||
wait(GetEncryptCipherKeys<ClientDBInfo>::getLatestEncryptCipherKeysForDomain(
|
||||
dbInfo, curDomainId, BlobCipherMetrics::BACKUP));
|
||||
self->cipherKeys.textCipherKey = textAndHeaderCipherKeys.cipherTextKey;
|
||||
self->cipherKeys.headerCipherKey = textAndHeaderCipherKeys.cipherHeaderKey;
|
||||
|
||||
|
|
|
|||
|
|
@ -29,6 +29,7 @@
|
|||
#include "fdbclient/CommitTransaction.h"
|
||||
#include "fdbclient/EncryptKeyProxyInterface.h"
|
||||
#include "fdbclient/FDBTypes.h"
|
||||
#include "fdbclient/GetEncryptCipherKeys.h"
|
||||
#include "fdbclient/GlobalConfig.h"
|
||||
#include "fdbclient/GrvProxyInterface.h"
|
||||
#include "fdbclient/IdempotencyId.actor.h"
|
||||
|
|
@ -749,4 +750,7 @@ struct GlobalConfigRefreshRequest {
|
|||
}
|
||||
};
|
||||
|
||||
// Instantiated in CommitProxyInterface.cpp
|
||||
extern template class GetEncryptCipherKeys<ClientDBInfo>;
|
||||
|
||||
#endif
|
||||
|
|
|
|||
|
|
@ -24,7 +24,7 @@
|
|||
|
||||
#include "fdbclient/BlobCipher.h"
|
||||
#include "fdbclient/FDBTypes.h"
|
||||
#include "fdbclient/GetEncryptCipherKeys.actor.h"
|
||||
#include "fdbclient/GetEncryptCipherKeys.h"
|
||||
#include "fdbclient/Knobs.h"
|
||||
#include "fdbclient/Tracing.h"
|
||||
#include "flow/EncryptUtils.h"
|
||||
|
|
|
|||
|
|
@ -0,0 +1,88 @@
|
|||
/*
|
||||
* GetEncryptCipherKeys.h
|
||||
*
|
||||
* This source file is part of the FoundationDB open source project
|
||||
*
|
||||
* Copyright 2013-2022 Apple Inc. and the FoundationDB project authors
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
#ifndef FDBCLIENT_GETCIPHERKEYS_H
|
||||
#define FDBCLIENT_GETCIPHERKEYS_H
|
||||
#pragma once
|
||||
|
||||
#include "flow/EncryptUtils.h"
|
||||
#include "flow/genericactors.actor.h"
|
||||
#include "fdbclient/BlobCipher.h"
|
||||
#include "fdbclient/EncryptKeyProxyInterface.h"
|
||||
#include "fdbclient/Knobs.h"
|
||||
#include "fdbrpc/Stats.h"
|
||||
#include "fdbrpc/TenantInfo.h"
|
||||
#include "flow/Knobs.h"
|
||||
#include "flow/IRandom.h"
|
||||
|
||||
#include <algorithm>
|
||||
#include <unordered_map>
|
||||
#include <unordered_set>
|
||||
|
||||
using BaseCipherIndex = std::pair<EncryptCipherDomainId, EncryptCipherBaseKeyId>;
|
||||
|
||||
struct TextAndHeaderCipherKeys {
|
||||
Reference<BlobCipherKey> cipherTextKey;
|
||||
Reference<BlobCipherKey> cipherHeaderKey;
|
||||
};
|
||||
|
||||
template <class T>
|
||||
class GetEncryptCipherKeys {
|
||||
public:
|
||||
// Get latest cipher keys for given encryption domains. It tries to get the cipher keys from local cache.
|
||||
// In case of cache miss, it fetches the cipher keys from EncryptKeyProxy and put the result in the local cache
|
||||
// before return.
|
||||
static Future<std::unordered_map<EncryptCipherDomainId, Reference<BlobCipherKey>>> getLatestEncryptCipherKeys(
|
||||
Reference<AsyncVar<T> const> db,
|
||||
std::unordered_set<EncryptCipherDomainId> domainIds,
|
||||
BlobCipherMetrics::UsageType usageType);
|
||||
|
||||
// Get latest cipher key for given a encryption domain. It tries to get the cipher key from the local cache.
|
||||
// In case of cache miss, it fetches the cipher key from EncryptKeyProxy and put the result in the local cache
|
||||
// before return.
|
||||
static Future<Reference<BlobCipherKey>> getLatestEncryptCipherKey(Reference<AsyncVar<T> const> db,
|
||||
EncryptCipherDomainId domainId,
|
||||
BlobCipherMetrics::UsageType usageType);
|
||||
|
||||
// Get cipher keys specified by the list of cipher details. It tries to get the cipher keys from local cache.
|
||||
// In case of cache miss, it fetches the cipher keys from EncryptKeyProxy and put the result in the local cache
|
||||
// before return.
|
||||
static Future<std::unordered_map<BlobCipherDetails, Reference<BlobCipherKey>>> getEncryptCipherKeys(
|
||||
Reference<AsyncVar<T> const> db,
|
||||
std::unordered_set<BlobCipherDetails> cipherDetails,
|
||||
BlobCipherMetrics::UsageType usageType);
|
||||
|
||||
static Future<TextAndHeaderCipherKeys> getLatestEncryptCipherKeysForDomain(Reference<AsyncVar<T> const> db,
|
||||
EncryptCipherDomainId domainId,
|
||||
BlobCipherMetrics::UsageType usageType);
|
||||
|
||||
static Future<TextAndHeaderCipherKeys> getLatestSystemEncryptCipherKeys(const Reference<AsyncVar<T> const>& db,
|
||||
BlobCipherMetrics::UsageType usageType);
|
||||
|
||||
static Future<TextAndHeaderCipherKeys> getEncryptCipherKeys(Reference<AsyncVar<T> const> db,
|
||||
BlobCipherEncryptHeader header,
|
||||
BlobCipherMetrics::UsageType usageType);
|
||||
|
||||
static Future<TextAndHeaderCipherKeys> getEncryptCipherKeys(Reference<AsyncVar<T> const> db,
|
||||
BlobCipherEncryptHeaderRef header,
|
||||
BlobCipherMetrics::UsageType usageType);
|
||||
};
|
||||
|
||||
#endif
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* GetEncryptCipherKeys.actor.h
|
||||
* GetEncryptCipherKeys_impl.actor.h
|
||||
*
|
||||
* This source file is part of the FoundationDB open source project
|
||||
*
|
||||
|
|
@ -17,26 +17,23 @@
|
|||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
#pragma once
|
||||
#include "flow/EncryptUtils.h"
|
||||
#include "flow/genericactors.actor.h"
|
||||
#if defined(NO_INTELLISENSE) && !defined(FDBCLIENT_GETCIPHERKEYS_ACTOR_G_H)
|
||||
#define FDBCLIENT_GETCIPHERKEYS_ACTOR_G_H
|
||||
#include "fdbclient/GetEncryptCipherKeys.actor.g.h"
|
||||
#elif !defined(FDBCLIENT_GETCIPHERKEYS_ACTOR_H)
|
||||
#define FDBCLIENT_GETCIPHERKEYS_ACTOR_H
|
||||
#if defined(NO_INTELLISENSE) && !defined(FDBCLIENT_GETCIPHERKEYS_IMPL_ACTOR_G_H)
|
||||
#define FDBCLIENT_GETCIPHERKEYS_IMPL_ACTOR_G_H
|
||||
#include "fdbclient/GetEncryptCipherKeys_impl.actor.g.h"
|
||||
#elif !defined(FDBCLIENT_GETCIPHERKEYS_IMPL_ACTOR_H)
|
||||
#define FDBCLIENT_GETCIPHERKEYS_IMPL_ACTOR_H
|
||||
|
||||
#include "fdbclient/BlobCipher.h"
|
||||
#include "fdbclient/EncryptKeyProxyInterface.h"
|
||||
#include "fdbclient/Knobs.h"
|
||||
#include "fdbrpc/Stats.h"
|
||||
#include "fdbrpc/TenantInfo.h"
|
||||
#include "flow/Knobs.h"
|
||||
#include "flow/IRandom.h"
|
||||
|
||||
#include <algorithm>
|
||||
#include <unordered_map>
|
||||
#include <unordered_set>
|
||||
#include "fdbclient/CommitProxyInterface.h"
|
||||
#include "fdbclient/GlobalConfig.actor.h"
|
||||
#include "fdbclient/SpecialKeySpace.actor.h"
|
||||
#include "fdbclient/SystemData.h"
|
||||
#include "fdbclient/Tuple.h"
|
||||
#include "flow/flow.h"
|
||||
#include "flow/genericactors.actor.h"
|
||||
|
||||
#include "flow/actorcompiler.h" // This must be the last #include.
|
||||
|
||||
|
|
@ -46,7 +43,7 @@ Optional<UID> getEncryptKeyProxyId(const Reference<AsyncVar<T> const>& db) {
|
|||
}
|
||||
|
||||
ACTOR template <class T>
|
||||
Future<Void> onEncryptKeyProxyChange(Reference<AsyncVar<T> const> db) {
|
||||
Future<Void> _onEncryptKeyProxyChange(Reference<AsyncVar<T> const> db) {
|
||||
state Optional<UID> previousProxyId = getEncryptKeyProxyId(db);
|
||||
state Optional<UID> currentProxyId;
|
||||
loop {
|
||||
|
|
@ -63,9 +60,9 @@ Future<Void> onEncryptKeyProxyChange(Reference<AsyncVar<T> const> db) {
|
|||
}
|
||||
|
||||
ACTOR template <class T>
|
||||
Future<EKPGetLatestBaseCipherKeysReply> getUncachedLatestEncryptCipherKeys(Reference<AsyncVar<T> const> db,
|
||||
EKPGetLatestBaseCipherKeysRequest request,
|
||||
BlobCipherMetrics::UsageType usageType) {
|
||||
Future<EKPGetLatestBaseCipherKeysReply> _getUncachedLatestEncryptCipherKeys(Reference<AsyncVar<T> const> db,
|
||||
EKPGetLatestBaseCipherKeysRequest request,
|
||||
BlobCipherMetrics::UsageType usageType) {
|
||||
Optional<EncryptKeyProxyInterface> proxy = db->get().encryptKeyProxy;
|
||||
if (!proxy.present()) {
|
||||
// Wait for onEncryptKeyProxyChange.
|
||||
|
|
@ -90,11 +87,8 @@ Future<EKPGetLatestBaseCipherKeysReply> getUncachedLatestEncryptCipherKeys(Refer
|
|||
}
|
||||
}
|
||||
|
||||
// Get latest cipher keys for given encryption domains. It tries to get the cipher keys from local cache.
|
||||
// In case of cache miss, it fetches the cipher keys from EncryptKeyProxy and put the result in the local cache
|
||||
// before return.
|
||||
ACTOR template <class T>
|
||||
Future<std::unordered_map<EncryptCipherDomainId, Reference<BlobCipherKey>>> getLatestEncryptCipherKeys(
|
||||
Future<std::unordered_map<EncryptCipherDomainId, Reference<BlobCipherKey>>> _getLatestEncryptCipherKeys(
|
||||
Reference<AsyncVar<T> const> db,
|
||||
std::unordered_set<EncryptCipherDomainId> domainIds,
|
||||
BlobCipherMetrics::UsageType usageType) {
|
||||
|
|
@ -122,7 +116,8 @@ Future<std::unordered_map<EncryptCipherDomainId, Reference<BlobCipherKey>>> getL
|
|||
// Fetch any uncached cipher keys.
|
||||
state double startTime = now();
|
||||
loop choose {
|
||||
when(EKPGetLatestBaseCipherKeysReply reply = wait(getUncachedLatestEncryptCipherKeys(db, request, usageType))) {
|
||||
when(EKPGetLatestBaseCipherKeysReply reply =
|
||||
wait(_getUncachedLatestEncryptCipherKeys(db, request, usageType))) {
|
||||
// Insert base cipher keys into cache and construct result.
|
||||
for (const EKPBaseCipherDetails& details : reply.baseCipherDetails) {
|
||||
EncryptCipherDomainId domainId = details.encryptDomainId;
|
||||
|
|
@ -147,7 +142,7 @@ Future<std::unordered_map<EncryptCipherDomainId, Reference<BlobCipherKey>>> getL
|
|||
break;
|
||||
}
|
||||
// In case encryptKeyProxy has changed, retry the request.
|
||||
when(wait(onEncryptKeyProxyChange(db))) {}
|
||||
when(wait(_onEncryptKeyProxyChange(db))) {}
|
||||
}
|
||||
double elapsed = now() - startTime;
|
||||
BlobCipherMetrics::getInstance()->getLatestCipherKeysLatency.addMeasurement(elapsed);
|
||||
|
|
@ -155,24 +150,21 @@ Future<std::unordered_map<EncryptCipherDomainId, Reference<BlobCipherKey>>> getL
|
|||
return cipherKeys;
|
||||
}
|
||||
|
||||
// Get latest cipher key for given a encryption domain. It tries to get the cipher key from the local cache.
|
||||
// In case of cache miss, it fetches the cipher key from EncryptKeyProxy and put the result in the local cache
|
||||
// before return.
|
||||
ACTOR template <class T>
|
||||
Future<Reference<BlobCipherKey>> getLatestEncryptCipherKey(Reference<AsyncVar<T> const> db,
|
||||
EncryptCipherDomainId domainId,
|
||||
BlobCipherMetrics::UsageType usageType) {
|
||||
Future<Reference<BlobCipherKey>> _getLatestEncryptCipherKey(Reference<AsyncVar<T> const> db,
|
||||
EncryptCipherDomainId domainId,
|
||||
BlobCipherMetrics::UsageType usageType) {
|
||||
std::unordered_set<EncryptCipherDomainId> domainIds{ domainId };
|
||||
std::unordered_map<EncryptCipherDomainId, Reference<BlobCipherKey>> cipherKey =
|
||||
wait(getLatestEncryptCipherKeys(db, domainIds, usageType));
|
||||
wait(_getLatestEncryptCipherKeys(db, domainIds, usageType));
|
||||
|
||||
return cipherKey.at(domainId);
|
||||
}
|
||||
|
||||
ACTOR template <class T>
|
||||
Future<EKPGetBaseCipherKeysByIdsReply> getUncachedEncryptCipherKeys(Reference<AsyncVar<T> const> db,
|
||||
EKPGetBaseCipherKeysByIdsRequest request,
|
||||
BlobCipherMetrics::UsageType usageType) {
|
||||
Future<EKPGetBaseCipherKeysByIdsReply> _getUncachedEncryptCipherKeys(Reference<AsyncVar<T> const> db,
|
||||
EKPGetBaseCipherKeysByIdsRequest request,
|
||||
BlobCipherMetrics::UsageType usageType) {
|
||||
Optional<EncryptKeyProxyInterface> proxy = db->get().encryptKeyProxy;
|
||||
if (!proxy.present()) {
|
||||
// Wait for onEncryptKeyProxyChange.
|
||||
|
|
@ -209,13 +201,11 @@ Future<EKPGetBaseCipherKeysByIdsReply> getUncachedEncryptCipherKeys(Reference<As
|
|||
}
|
||||
}
|
||||
|
||||
using BaseCipherIndex = std::pair<EncryptCipherDomainId, EncryptCipherBaseKeyId>;
|
||||
|
||||
// Get cipher keys specified by the list of cipher details. It tries to get the cipher keys from local cache.
|
||||
// In case of cache miss, it fetches the cipher keys from EncryptKeyProxy and put the result in the local cache
|
||||
// before return.
|
||||
ACTOR template <class T>
|
||||
Future<std::unordered_map<BlobCipherDetails, Reference<BlobCipherKey>>> getEncryptCipherKeys(
|
||||
Future<std::unordered_map<BlobCipherDetails, Reference<BlobCipherKey>>> _getEncryptCipherKeys(
|
||||
Reference<AsyncVar<T> const> db,
|
||||
std::unordered_set<BlobCipherDetails> cipherDetails,
|
||||
BlobCipherMetrics::UsageType usageType) {
|
||||
|
|
@ -248,7 +238,7 @@ Future<std::unordered_map<BlobCipherDetails, Reference<BlobCipherKey>>> getEncry
|
|||
// Fetch any uncached cipher keys.
|
||||
state double startTime = now();
|
||||
loop choose {
|
||||
when(EKPGetBaseCipherKeysByIdsReply reply = wait(getUncachedEncryptCipherKeys(db, request, usageType))) {
|
||||
when(EKPGetBaseCipherKeysByIdsReply reply = wait(_getUncachedEncryptCipherKeys(db, request, usageType))) {
|
||||
std::unordered_map<BaseCipherIndex, EKPBaseCipherDetails, boost::hash<BaseCipherIndex>> baseCipherKeys;
|
||||
for (const EKPBaseCipherDetails& baseDetails : reply.baseCipherDetails) {
|
||||
BaseCipherIndex baseIdx = std::make_pair(baseDetails.encryptDomainId, baseDetails.baseCipherId);
|
||||
|
|
@ -280,7 +270,7 @@ Future<std::unordered_map<BlobCipherDetails, Reference<BlobCipherKey>>> getEncry
|
|||
break;
|
||||
}
|
||||
// In case encryptKeyProxy has changed, retry the request.
|
||||
when(wait(onEncryptKeyProxyChange(db))) {}
|
||||
when(wait(_onEncryptKeyProxyChange(db))) {}
|
||||
}
|
||||
double elapsed = now() - startTime;
|
||||
BlobCipherMetrics::getInstance()->getCipherKeysLatency.addMeasurement(elapsed);
|
||||
|
|
@ -288,19 +278,14 @@ Future<std::unordered_map<BlobCipherDetails, Reference<BlobCipherKey>>> getEncry
|
|||
return cipherKeys;
|
||||
}
|
||||
|
||||
struct TextAndHeaderCipherKeys {
|
||||
Reference<BlobCipherKey> cipherTextKey;
|
||||
Reference<BlobCipherKey> cipherHeaderKey;
|
||||
};
|
||||
|
||||
ACTOR template <class T>
|
||||
Future<TextAndHeaderCipherKeys> getLatestEncryptCipherKeysForDomain(Reference<AsyncVar<T> const> db,
|
||||
EncryptCipherDomainId domainId,
|
||||
BlobCipherMetrics::UsageType usageType) {
|
||||
Future<TextAndHeaderCipherKeys> _getLatestEncryptCipherKeysForDomain(Reference<AsyncVar<T> const> db,
|
||||
EncryptCipherDomainId domainId,
|
||||
BlobCipherMetrics::UsageType usageType) {
|
||||
// TODO: Do not fetch header cipher key if authentication is diabled.
|
||||
std::unordered_set<EncryptCipherDomainId> domainIds = { domainId, ENCRYPT_HEADER_DOMAIN_ID };
|
||||
std::unordered_map<EncryptCipherDomainId, Reference<BlobCipherKey>> cipherKeys =
|
||||
wait(getLatestEncryptCipherKeys(db, domainIds, usageType));
|
||||
wait(_getLatestEncryptCipherKeys(db, domainIds, usageType));
|
||||
ASSERT(cipherKeys.count(domainId) > 0);
|
||||
ASSERT(cipherKeys.count(ENCRYPT_HEADER_DOMAIN_ID) > 0);
|
||||
TextAndHeaderCipherKeys result{ cipherKeys.at(domainId), cipherKeys.at(ENCRYPT_HEADER_DOMAIN_ID) };
|
||||
|
|
@ -310,15 +295,15 @@ Future<TextAndHeaderCipherKeys> getLatestEncryptCipherKeysForDomain(Reference<As
|
|||
}
|
||||
|
||||
template <class T>
|
||||
Future<TextAndHeaderCipherKeys> getLatestSystemEncryptCipherKeys(const Reference<AsyncVar<T> const>& db,
|
||||
BlobCipherMetrics::UsageType usageType) {
|
||||
return getLatestEncryptCipherKeysForDomain(db, SYSTEM_KEYSPACE_ENCRYPT_DOMAIN_ID, usageType);
|
||||
Future<TextAndHeaderCipherKeys> _getLatestSystemEncryptCipherKeys(const Reference<AsyncVar<T> const>& db,
|
||||
BlobCipherMetrics::UsageType usageType) {
|
||||
return _getLatestEncryptCipherKeysForDomain(db, SYSTEM_KEYSPACE_ENCRYPT_DOMAIN_ID, usageType);
|
||||
}
|
||||
|
||||
ACTOR template <class T>
|
||||
Future<TextAndHeaderCipherKeys> getEncryptCipherKeys(Reference<AsyncVar<T> const> db,
|
||||
BlobCipherEncryptHeader header,
|
||||
BlobCipherMetrics::UsageType usageType) {
|
||||
Future<TextAndHeaderCipherKeys> _getEncryptCipherKeys(Reference<AsyncVar<T> const> db,
|
||||
BlobCipherEncryptHeader header,
|
||||
BlobCipherMetrics::UsageType usageType) {
|
||||
state bool authenticatedEncryption = header.flags.authTokenMode != ENCRYPT_HEADER_AUTH_TOKEN_MODE_NONE;
|
||||
|
||||
ASSERT(header.cipherTextDetails.isValid());
|
||||
|
|
@ -330,7 +315,7 @@ Future<TextAndHeaderCipherKeys> getEncryptCipherKeys(Reference<AsyncVar<T> const
|
|||
}
|
||||
|
||||
std::unordered_map<BlobCipherDetails, Reference<BlobCipherKey>> cipherKeys =
|
||||
wait(getEncryptCipherKeys(db, cipherDetails, usageType));
|
||||
wait(_getEncryptCipherKeys(db, cipherDetails, usageType));
|
||||
|
||||
TextAndHeaderCipherKeys result;
|
||||
auto setCipherKey = [&](const BlobCipherDetails& details, TextAndHeaderCipherKeys& result) {
|
||||
|
|
@ -350,9 +335,9 @@ Future<TextAndHeaderCipherKeys> getEncryptCipherKeys(Reference<AsyncVar<T> const
|
|||
}
|
||||
|
||||
ACTOR template <class T>
|
||||
Future<TextAndHeaderCipherKeys> getEncryptCipherKeys(Reference<AsyncVar<T> const> db,
|
||||
BlobCipherEncryptHeaderRef header,
|
||||
BlobCipherMetrics::UsageType usageType) {
|
||||
Future<TextAndHeaderCipherKeys> _getEncryptCipherKeys(Reference<AsyncVar<T> const> db,
|
||||
BlobCipherEncryptHeaderRef header,
|
||||
BlobCipherMetrics::UsageType usageType) {
|
||||
ASSERT(CLIENT_KNOBS->ENABLE_CONFIGURABLE_ENCRYPTION);
|
||||
|
||||
state bool authenticatedEncryption = header.getAuthTokenMode() != ENCRYPT_HEADER_AUTH_TOKEN_MODE_NONE;
|
||||
|
|
@ -368,7 +353,7 @@ Future<TextAndHeaderCipherKeys> getEncryptCipherKeys(Reference<AsyncVar<T> const
|
|||
}
|
||||
|
||||
std::unordered_map<BlobCipherDetails, Reference<BlobCipherKey>> cipherKeys =
|
||||
wait(getEncryptCipherKeys(db, cipherDetails, usageType));
|
||||
wait(_getEncryptCipherKeys(db, cipherDetails, usageType));
|
||||
TextAndHeaderCipherKeys result;
|
||||
|
||||
auto setCipherKey = [&](const BlobCipherDetails& details, TextAndHeaderCipherKeys& result) {
|
||||
|
|
@ -387,5 +372,58 @@ Future<TextAndHeaderCipherKeys> getEncryptCipherKeys(Reference<AsyncVar<T> const
|
|||
return result;
|
||||
}
|
||||
|
||||
template <class T>
|
||||
Future<std::unordered_map<EncryptCipherDomainId, Reference<BlobCipherKey>>>
|
||||
GetEncryptCipherKeys<T>::getLatestEncryptCipherKeys(Reference<AsyncVar<T> const> db,
|
||||
std::unordered_set<EncryptCipherDomainId> domainIds,
|
||||
BlobCipherMetrics::UsageType usageType) {
|
||||
return _getLatestEncryptCipherKeys(db, domainIds, usageType);
|
||||
}
|
||||
|
||||
template <class T>
|
||||
Future<Reference<BlobCipherKey>> GetEncryptCipherKeys<T>::getLatestEncryptCipherKey(
|
||||
Reference<AsyncVar<T> const> db,
|
||||
EncryptCipherDomainId domainId,
|
||||
BlobCipherMetrics::UsageType usageType) {
|
||||
return _getLatestEncryptCipherKey(db, domainId, usageType);
|
||||
}
|
||||
|
||||
template <class T>
|
||||
Future<std::unordered_map<BlobCipherDetails, Reference<BlobCipherKey>>> GetEncryptCipherKeys<T>::getEncryptCipherKeys(
|
||||
Reference<AsyncVar<T> const> db,
|
||||
std::unordered_set<BlobCipherDetails> cipherDetails,
|
||||
BlobCipherMetrics::UsageType usageType) {
|
||||
return _getEncryptCipherKeys(db, cipherDetails, usageType);
|
||||
}
|
||||
|
||||
template <class T>
|
||||
Future<TextAndHeaderCipherKeys> GetEncryptCipherKeys<T>::getLatestEncryptCipherKeysForDomain(
|
||||
Reference<AsyncVar<T> const> db,
|
||||
EncryptCipherDomainId domainId,
|
||||
BlobCipherMetrics::UsageType usageType) {
|
||||
return _getLatestEncryptCipherKeysForDomain(db, domainId, usageType);
|
||||
}
|
||||
|
||||
template <class T>
|
||||
Future<TextAndHeaderCipherKeys> GetEncryptCipherKeys<T>::getLatestSystemEncryptCipherKeys(
|
||||
const Reference<AsyncVar<T> const>& db,
|
||||
BlobCipherMetrics::UsageType usageType) {
|
||||
return _getLatestSystemEncryptCipherKeys(db, usageType);
|
||||
}
|
||||
|
||||
template <class T>
|
||||
Future<TextAndHeaderCipherKeys> GetEncryptCipherKeys<T>::getEncryptCipherKeys(Reference<AsyncVar<T> const> db,
|
||||
BlobCipherEncryptHeader header,
|
||||
BlobCipherMetrics::UsageType usageType) {
|
||||
return _getEncryptCipherKeys(db, header, usageType);
|
||||
}
|
||||
|
||||
template <class T>
|
||||
Future<TextAndHeaderCipherKeys> GetEncryptCipherKeys<T>::getEncryptCipherKeys(Reference<AsyncVar<T> const> db,
|
||||
BlobCipherEncryptHeaderRef header,
|
||||
BlobCipherMetrics::UsageType usageType) {
|
||||
return _getEncryptCipherKeys(db, header, usageType);
|
||||
}
|
||||
|
||||
#include "flow/unactorcompiler.h"
|
||||
#endif
|
||||
|
|
@ -26,10 +26,11 @@
|
|||
#include "fdbclient/SystemData.h"
|
||||
#include "fdbserver/BackupInterface.h"
|
||||
#include "fdbserver/BackupProgress.actor.h"
|
||||
#include "fdbclient/GetEncryptCipherKeys.actor.h"
|
||||
#include "fdbclient/GetEncryptCipherKeys.h"
|
||||
#include "fdbserver/Knobs.h"
|
||||
#include "fdbserver/LogProtocolMessage.h"
|
||||
#include "fdbserver/LogSystem.h"
|
||||
#include "fdbserver/ServerDBInfo.actor.h"
|
||||
#include "fdbserver/ServerDBInfo.h"
|
||||
#include "fdbserver/WaitFailure.h"
|
||||
#include "fdbserver/WorkerInterface.actor.h"
|
||||
|
|
@ -793,7 +794,8 @@ ACTOR Future<Void> saveMutationsToFile(BackupData* self,
|
|||
// Fetch cipher keys if any of the messages are encrypted.
|
||||
if (!cipherDetails.empty()) {
|
||||
std::unordered_map<BlobCipherDetails, Reference<BlobCipherKey>> getCipherKeysResult =
|
||||
wait(getEncryptCipherKeys(self->db, cipherDetails, BlobCipherMetrics::BLOB_GRANULE));
|
||||
wait(GetEncryptCipherKeys<ServerDBInfo>::getEncryptCipherKeys(
|
||||
self->db, cipherDetails, BlobCipherMetrics::BLOB_GRANULE));
|
||||
cipherKeys = getCipherKeysResult;
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -22,7 +22,7 @@
|
|||
#include "fdbclient/BlobCipher.h"
|
||||
#include "fdbclient/BlobGranuleFiles.h"
|
||||
#include "fdbclient/FDBTypes.h"
|
||||
#include "fdbclient/GetEncryptCipherKeys.actor.h"
|
||||
#include "fdbclient/GetEncryptCipherKeys.h"
|
||||
#include "fdbclient/KeyRangeMap.h"
|
||||
#include "fdbclient/SystemData.h"
|
||||
#include "fdbclient/BackupContainerFileSystem.h"
|
||||
|
|
@ -39,9 +39,10 @@
|
|||
|
||||
#include "fdbserver/BlobWorker.h"
|
||||
#include "fdbserver/BlobGranuleServerCommon.actor.h"
|
||||
#include "fdbclient/GetEncryptCipherKeys.actor.h"
|
||||
#include "fdbclient/GetEncryptCipherKeys.h"
|
||||
#include "fdbserver/Knobs.h"
|
||||
#include "fdbserver/MutationTracking.h"
|
||||
#include "fdbserver/ServerDBInfo.actor.h"
|
||||
#include "fdbserver/ServerDBInfo.h"
|
||||
#include "fdbserver/WaitFailure.h"
|
||||
#include "fdbserver/IKeyValueStore.h"
|
||||
|
|
@ -332,14 +333,16 @@ ACTOR Future<BlobGranuleCipherKeysCtx> getLatestGranuleCipherKeys(Reference<Blob
|
|||
std::unordered_set<EncryptCipherDomainId> domainIds;
|
||||
domainIds.emplace(domainId);
|
||||
std::unordered_map<EncryptCipherDomainId, Reference<BlobCipherKey>> domainKeyMap =
|
||||
wait(getLatestEncryptCipherKeys(bwData->dbInfo, domainIds, BlobCipherMetrics::BLOB_GRANULE));
|
||||
wait(GetEncryptCipherKeys<ServerDBInfo>::getLatestEncryptCipherKeys(
|
||||
bwData->dbInfo, domainIds, BlobCipherMetrics::BLOB_GRANULE));
|
||||
|
||||
auto domainKeyItr = domainKeyMap.find(domainId);
|
||||
ASSERT(domainKeyItr != domainKeyMap.end());
|
||||
cipherKeysCtx.textCipherKey = BlobGranuleCipherKey::fromBlobCipherKey(domainKeyItr->second, *arena);
|
||||
|
||||
TextAndHeaderCipherKeys systemCipherKeys =
|
||||
wait(getLatestSystemEncryptCipherKeys(bwData->dbInfo, BlobCipherMetrics::BLOB_GRANULE));
|
||||
wait(GetEncryptCipherKeys<ServerDBInfo>::getLatestSystemEncryptCipherKeys(bwData->dbInfo,
|
||||
BlobCipherMetrics::BLOB_GRANULE));
|
||||
ASSERT(systemCipherKeys.cipherHeaderKey.isValid());
|
||||
cipherKeysCtx.headerCipherKey = BlobGranuleCipherKey::fromBlobCipherKey(systemCipherKeys.cipherHeaderKey, *arena);
|
||||
|
||||
|
|
@ -366,7 +369,8 @@ ACTOR Future<BlobGranuleCipherKey> lookupCipherKey(Reference<BlobWorkerData> bwD
|
|||
std::unordered_set<BlobCipherDetails> cipherDetailsSet;
|
||||
cipherDetailsSet.emplace(cipherDetails);
|
||||
state std::unordered_map<BlobCipherDetails, Reference<BlobCipherKey>> cipherKeyMap =
|
||||
wait(getEncryptCipherKeys(bwData->dbInfo, cipherDetailsSet, BlobCipherMetrics::BLOB_GRANULE));
|
||||
wait(GetEncryptCipherKeys<ServerDBInfo>::getEncryptCipherKeys(
|
||||
bwData->dbInfo, cipherDetailsSet, BlobCipherMetrics::BLOB_GRANULE));
|
||||
|
||||
ASSERT(cipherKeyMap.size() == 1);
|
||||
|
||||
|
|
|
|||
|
|
@ -43,7 +43,7 @@
|
|||
#include "fdbserver/ConflictSet.h"
|
||||
#include "fdbserver/DataDistributorInterface.h"
|
||||
#include "fdbserver/FDBExecHelper.actor.h"
|
||||
#include "fdbclient/GetEncryptCipherKeys.actor.h"
|
||||
#include "fdbclient/GetEncryptCipherKeys.h"
|
||||
#include "fdbserver/IKeyValueStore.h"
|
||||
#include "fdbserver/Knobs.h"
|
||||
#include "fdbserver/LogSystem.h"
|
||||
|
|
@ -1014,7 +1014,8 @@ ACTOR Future<Void> getResolution(CommitBatchContext* self) {
|
|||
}
|
||||
}
|
||||
}
|
||||
getCipherKeys = getLatestEncryptCipherKeys(pProxyCommitData->db, encryptDomainIds, BlobCipherMetrics::TLOG);
|
||||
getCipherKeys = GetEncryptCipherKeys<ServerDBInfo>::getLatestEncryptCipherKeys(
|
||||
pProxyCommitData->db, encryptDomainIds, BlobCipherMetrics::TLOG);
|
||||
}
|
||||
|
||||
self->releaseFuture = releaseResolvingAfter(pProxyCommitData, self->releaseDelay, self->localBatchNumber);
|
||||
|
|
@ -1677,7 +1678,7 @@ ACTOR Future<Void> applyMetadataToCommittedTransactions(CommitBatchContext* self
|
|||
}
|
||||
if (!extraDomainIds.empty()) {
|
||||
std::unordered_map<EncryptCipherDomainId, Reference<BlobCipherKey>> extraCipherKeys =
|
||||
wait(getLatestEncryptCipherKeys(
|
||||
wait(GetEncryptCipherKeys<ServerDBInfo>::getLatestEncryptCipherKeys(
|
||||
pProxyCommitData->db, extraDomainIds, BlobCipherMetrics::TLOG_POST_RESOLUTION));
|
||||
self->cipherKeys.insert(extraCipherKeys.begin(), extraCipherKeys.end());
|
||||
}
|
||||
|
|
@ -1704,11 +1705,13 @@ ACTOR Future<WriteMutationRefVar> writeMutationEncryptedMutation(CommitBatchCont
|
|||
Reference<AsyncVar<ServerDBInfo> const> dbInfo = self->pProxyCommitData->db;
|
||||
if (CLIENT_KNOBS->ENABLE_CONFIGURABLE_ENCRYPTION) {
|
||||
headerRef = encryptedMutation.configurableEncryptionHeader();
|
||||
TextAndHeaderCipherKeys cipherKeys = wait(getEncryptCipherKeys(dbInfo, headerRef, BlobCipherMetrics::TLOG));
|
||||
TextAndHeaderCipherKeys cipherKeys =
|
||||
wait(GetEncryptCipherKeys<ServerDBInfo>::getEncryptCipherKeys(dbInfo, headerRef, BlobCipherMetrics::TLOG));
|
||||
decryptedMutation = encryptedMutation.decrypt(cipherKeys, *arena, BlobCipherMetrics::TLOG);
|
||||
} else {
|
||||
header = encryptedMutation.encryptionHeader();
|
||||
TextAndHeaderCipherKeys cipherKeys = wait(getEncryptCipherKeys(dbInfo, *header, BlobCipherMetrics::TLOG));
|
||||
TextAndHeaderCipherKeys cipherKeys =
|
||||
wait(GetEncryptCipherKeys<ServerDBInfo>::getEncryptCipherKeys(dbInfo, *header, BlobCipherMetrics::TLOG));
|
||||
decryptedMutation = encryptedMutation.decrypt(cipherKeys, *arena, BlobCipherMetrics::TLOG);
|
||||
}
|
||||
|
||||
|
|
@ -3394,8 +3397,9 @@ ACTOR Future<Void> processCompleteTransactionStateRequest(TransactionStateResolv
|
|||
|
||||
state std::unordered_map<EncryptCipherDomainId, Reference<BlobCipherKey>> systemCipherKeys;
|
||||
if (pContext->pCommitData->encryptMode.isEncryptionEnabled()) {
|
||||
std::unordered_map<EncryptCipherDomainId, Reference<BlobCipherKey>> cks = wait(getLatestEncryptCipherKeys(
|
||||
pContext->pCommitData->db, ENCRYPT_CIPHER_SYSTEM_DOMAINS, BlobCipherMetrics::TLOG));
|
||||
std::unordered_map<EncryptCipherDomainId, Reference<BlobCipherKey>> cks =
|
||||
wait(GetEncryptCipherKeys<ServerDBInfo>::getLatestEncryptCipherKeys(
|
||||
pContext->pCommitData->db, ENCRYPT_CIPHER_SYSTEM_DOMAINS, BlobCipherMetrics::TLOG));
|
||||
systemCipherKeys = cks;
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -24,7 +24,7 @@
|
|||
#include "fdbclient/Notified.h"
|
||||
#include "fdbclient/SystemData.h"
|
||||
#include "fdbserver/DeltaTree.h"
|
||||
#include "fdbclient/GetEncryptCipherKeys.actor.h"
|
||||
#include "fdbclient/GetEncryptCipherKeys.h"
|
||||
#include "fdbserver/IDiskQueue.h"
|
||||
#include "fdbserver/IKeyValueContainer.h"
|
||||
#include "fdbserver/IKeyValueStore.h"
|
||||
|
|
@ -599,8 +599,8 @@ private:
|
|||
if (CLIENT_KNOBS->ENABLE_CONFIGURABLE_ENCRYPTION) {
|
||||
state BlobCipherEncryptHeaderRef cipherHeaderRef =
|
||||
BlobCipherEncryptHeaderRef::fromStringRef(StringRef(data.begin(), encryptHeaderSize));
|
||||
TextAndHeaderCipherKeys cipherKeys =
|
||||
wait(getEncryptCipherKeys(self->db, cipherHeaderRef, BlobCipherMetrics::KV_MEMORY));
|
||||
TextAndHeaderCipherKeys cipherKeys = wait(GetEncryptCipherKeys<ServerDBInfo>::getEncryptCipherKeys(
|
||||
self->db, cipherHeaderRef, BlobCipherMetrics::KV_MEMORY));
|
||||
DecryptBlobCipherAes256Ctr cipher(cipherKeys.cipherTextKey,
|
||||
cipherKeys.cipherHeaderKey,
|
||||
cipherHeaderRef.getIV(),
|
||||
|
|
@ -608,8 +608,8 @@ private:
|
|||
plaintext = cipher.decrypt(data.begin() + encryptHeaderSize, h.len1 + h.len2, cipherHeaderRef, arena);
|
||||
} else {
|
||||
state BlobCipherEncryptHeader cipherHeader = *(BlobCipherEncryptHeader*)data.begin();
|
||||
TextAndHeaderCipherKeys cipherKeys =
|
||||
wait(getEncryptCipherKeys(self->db, cipherHeader, BlobCipherMetrics::KV_MEMORY));
|
||||
TextAndHeaderCipherKeys cipherKeys = wait(GetEncryptCipherKeys<ServerDBInfo>::getEncryptCipherKeys(
|
||||
self->db, cipherHeader, BlobCipherMetrics::KV_MEMORY));
|
||||
DecryptBlobCipherAes256Ctr cipher(
|
||||
cipherKeys.cipherTextKey, cipherKeys.cipherHeaderKey, cipherHeader.iv, BlobCipherMetrics::KV_MEMORY);
|
||||
plaintext =
|
||||
|
|
@ -1051,8 +1051,8 @@ private:
|
|||
}
|
||||
|
||||
ACTOR static Future<Void> updateCipherKeys(KeyValueStoreMemory* self) {
|
||||
TextAndHeaderCipherKeys cipherKeys =
|
||||
wait(getLatestSystemEncryptCipherKeys(self->db, BlobCipherMetrics::KV_MEMORY));
|
||||
TextAndHeaderCipherKeys cipherKeys = wait(GetEncryptCipherKeys<ServerDBInfo>::getLatestSystemEncryptCipherKeys(
|
||||
self->db, BlobCipherMetrics::KV_MEMORY));
|
||||
self->cipherKeys = cipherKeys;
|
||||
return Void();
|
||||
}
|
||||
|
|
|
|||
|
|
@ -257,7 +257,8 @@ ACTOR Future<Void> resolveBatch(Reference<Resolver> self,
|
|||
static const std::unordered_set<EncryptCipherDomainId> metadataDomainIds = { SYSTEM_KEYSPACE_ENCRYPT_DOMAIN_ID,
|
||||
ENCRYPT_HEADER_DOMAIN_ID };
|
||||
std::unordered_map<EncryptCipherDomainId, Reference<BlobCipherKey>> cks =
|
||||
wait(getLatestEncryptCipherKeys(db, metadataDomainIds, BlobCipherMetrics::TLOG));
|
||||
wait(GetEncryptCipherKeys<ServerDBInfo>::getLatestEncryptCipherKeys(
|
||||
db, metadataDomainIds, BlobCipherMetrics::TLOG));
|
||||
cipherKeys = cks;
|
||||
}
|
||||
|
||||
|
|
@ -693,7 +694,8 @@ ACTOR Future<Void> processTransactionStateRequestPart(Reference<Resolver> self,
|
|||
SYSTEM_KEYSPACE_ENCRYPT_DOMAIN_ID, ENCRYPT_HEADER_DOMAIN_ID
|
||||
};
|
||||
std::unordered_map<EncryptCipherDomainId, Reference<BlobCipherKey>> cks =
|
||||
wait(getLatestEncryptCipherKeys(db, metadataDomainIds, BlobCipherMetrics::TLOG));
|
||||
wait(GetEncryptCipherKeys<ServerDBInfo>::getLatestEncryptCipherKeys(
|
||||
db, metadataDomainIds, BlobCipherMetrics::TLOG));
|
||||
cipherKeys = cks;
|
||||
}
|
||||
wait(processCompleteTransactionStateRequest(
|
||||
|
|
|
|||
|
|
@ -22,10 +22,11 @@
|
|||
// The RestoreLoader role starts with the restoreLoaderCore actor
|
||||
|
||||
#include "fdbclient/BlobCipher.h"
|
||||
#include "fdbclient/CommitProxyInterface.h"
|
||||
#include "flow/UnitTest.h"
|
||||
#include "fdbclient/BackupContainer.h"
|
||||
#include "fdbclient/BackupAgent.actor.h"
|
||||
#include "fdbclient/GetEncryptCipherKeys.actor.h"
|
||||
#include "fdbclient/GetEncryptCipherKeys.h"
|
||||
#include "fdbclient/DatabaseContext.h"
|
||||
#include "fdbserver/RestoreLoader.actor.h"
|
||||
#include "fdbserver/RestoreRoleCommon.actor.h"
|
||||
|
|
@ -376,8 +377,8 @@ ACTOR static Future<MutationRef> _decryptMutation(MutationRef mutation, Database
|
|||
Reference<AsyncVar<ClientDBInfo> const> dbInfo = cx->clientInfo;
|
||||
std::unordered_set<BlobCipherDetails> cipherDetails;
|
||||
mutation.updateEncryptCipherDetails(cipherDetails);
|
||||
std::unordered_map<BlobCipherDetails, Reference<BlobCipherKey>> getCipherKeysResult =
|
||||
wait(getEncryptCipherKeys(dbInfo, cipherDetails, BlobCipherMetrics::BACKUP));
|
||||
std::unordered_map<BlobCipherDetails, Reference<BlobCipherKey>> getCipherKeysResult = wait(
|
||||
GetEncryptCipherKeys<ClientDBInfo>::getEncryptCipherKeys(dbInfo, cipherDetails, BlobCipherMetrics::BACKUP));
|
||||
return mutation.decrypt(getCipherKeysResult, *arena, BlobCipherMetrics::BACKUP);
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -25,7 +25,7 @@
|
|||
#include "fdbclient/FDBOptions.g.h"
|
||||
#include "fdbclient/NativeAPI.actor.h"
|
||||
#include "fdbclient/SystemData.h"
|
||||
#include "fdbclient/GetEncryptCipherKeys.actor.h"
|
||||
#include "fdbclient/GetEncryptCipherKeys.h"
|
||||
#include "fdbserver/Knobs.h"
|
||||
#include "fdbserver/ServerDBInfo.h"
|
||||
#include "fdbclient/StorageServerInterface.h"
|
||||
|
|
@ -1949,7 +1949,8 @@ ACTOR Future<Void> pullAsyncData(StorageCacheData* data) {
|
|||
|
||||
if (collectingCipherKeys) {
|
||||
std::unordered_map<BlobCipherDetails, Reference<BlobCipherKey>> result =
|
||||
wait(getEncryptCipherKeys(data->db, cipherDetails, BlobCipherMetrics::TLOG));
|
||||
wait(GetEncryptCipherKeys<ServerDBInfo>::getEncryptCipherKeys(
|
||||
data->db, cipherDetails, BlobCipherMetrics::TLOG));
|
||||
cipherKeys = result;
|
||||
collectingCipherKeys = false;
|
||||
} else {
|
||||
|
|
|
|||
|
|
@ -28,7 +28,7 @@
|
|||
#define FDBSERVER_IPAGEENCRYPTIONKEYPROVIDER_ACTOR_H
|
||||
|
||||
#include "fdbclient/BlobCipher.h"
|
||||
#include "fdbclient/GetEncryptCipherKeys.actor.h"
|
||||
#include "fdbclient/GetEncryptCipherKeys.h"
|
||||
#include "fdbclient/SystemData.h"
|
||||
#include "fdbclient/Tenant.h"
|
||||
|
||||
|
|
@ -337,12 +337,13 @@ public:
|
|||
state TextAndHeaderCipherKeys cipherKeys;
|
||||
if (CLIENT_KNOBS->ENABLE_CONFIGURABLE_ENCRYPTION) {
|
||||
BlobCipherEncryptHeaderRef headerRef = Encoder::getEncryptionHeaderRef(encodingHeader);
|
||||
TextAndHeaderCipherKeys cks =
|
||||
wait(getEncryptCipherKeys(self->db, headerRef, BlobCipherMetrics::KV_REDWOOD));
|
||||
TextAndHeaderCipherKeys cks = wait(GetEncryptCipherKeys<ServerDBInfo>::getEncryptCipherKeys(
|
||||
self->db, headerRef, BlobCipherMetrics::KV_REDWOOD));
|
||||
cipherKeys = cks;
|
||||
} else {
|
||||
const BlobCipherEncryptHeader& header = reinterpret_cast<const EncodingHeader*>(encodingHeader)->encryption;
|
||||
TextAndHeaderCipherKeys cks = wait(getEncryptCipherKeys(self->db, header, BlobCipherMetrics::KV_REDWOOD));
|
||||
TextAndHeaderCipherKeys cks = wait(GetEncryptCipherKeys<ServerDBInfo>::getEncryptCipherKeys(
|
||||
self->db, header, BlobCipherMetrics::KV_REDWOOD));
|
||||
cipherKeys = cks;
|
||||
}
|
||||
EncryptionKey encryptionKey;
|
||||
|
|
@ -361,7 +362,8 @@ public:
|
|||
ACTOR static Future<EncryptionKey> getLatestEncryptionKey(AESEncryptionKeyProvider* self, int64_t domainId) {
|
||||
ASSERT(self->encryptionMode == EncryptionAtRestMode::DOMAIN_AWARE || domainId < 0);
|
||||
TextAndHeaderCipherKeys cipherKeys =
|
||||
wait(getLatestEncryptCipherKeysForDomain(self->db, domainId, BlobCipherMetrics::KV_REDWOOD));
|
||||
wait(GetEncryptCipherKeys<ServerDBInfo>::getLatestEncryptCipherKeysForDomain(
|
||||
self->db, domainId, BlobCipherMetrics::KV_REDWOOD));
|
||||
EncryptionKey encryptionKey;
|
||||
encryptionKey.aesKey = cipherKeys;
|
||||
return encryptionKey;
|
||||
|
|
|
|||
|
|
@ -25,7 +25,7 @@
|
|||
|
||||
#include "fdbclient/BlobCipher.h"
|
||||
#include "fdbclient/FDBTypes.h"
|
||||
#include "fdbclient/GetEncryptCipherKeys.actor.h"
|
||||
#include "fdbclient/GetEncryptCipherKeys.h"
|
||||
#include "fdbclient/Tenant.h"
|
||||
#include "fdbserver/IClosable.h"
|
||||
#include "flow/EncryptUtils.h"
|
||||
|
|
|
|||
|
|
@ -126,6 +126,7 @@ struct GetServerDBInfoRequest {
|
|||
// Instantiated in worker.actor.cpp
|
||||
extern template class RequestStream<GetServerDBInfoRequest, false>;
|
||||
extern template struct NetNotifiedQueue<GetServerDBInfoRequest, false>;
|
||||
extern template class GetEncryptCipherKeys<ServerDBInfo>;
|
||||
|
||||
ACTOR Future<Void> broadcastTxnRequest(TxnStateRequest req, int sendAmount, bool sendReply);
|
||||
|
||||
|
|
|
|||
|
|
@ -38,6 +38,9 @@
|
|||
template class ReplyPromise<MasterInterface>;
|
||||
template struct NetSAV<MasterInterface>;
|
||||
|
||||
// Instantiate ServerDBInfo related tempates
|
||||
template class GetEncryptCipherKeys<struct ServerDBInfo>;
|
||||
|
||||
struct MasterData : NonCopyable, ReferenceCounted<MasterData> {
|
||||
UID dbgid;
|
||||
|
||||
|
|
|
|||
|
|
@ -71,7 +71,7 @@
|
|||
#include "fdbrpc/Smoother.h"
|
||||
#include "fdbrpc/Stats.h"
|
||||
#include "fdbserver/FDBExecHelper.actor.h"
|
||||
#include "fdbclient/GetEncryptCipherKeys.actor.h"
|
||||
#include "fdbclient/GetEncryptCipherKeys.h"
|
||||
#include "fdbserver/IKeyValueStore.h"
|
||||
#include "fdbserver/Knobs.h"
|
||||
#include "fdbserver/LatencyBandConfig.h"
|
||||
|
|
@ -3058,7 +3058,8 @@ ACTOR Future<std::pair<ChangeFeedStreamReply, bool>> getChangeFeedMutations(Stor
|
|||
state std::unordered_map<BlobCipherDetails, Reference<BlobCipherKey>> cipherMap;
|
||||
if (cipherDetails.size()) {
|
||||
std::unordered_map<BlobCipherDetails, Reference<BlobCipherKey>> getCipherKeysResult =
|
||||
wait(getEncryptCipherKeys(data->db, cipherDetails, BlobCipherMetrics::TLOG));
|
||||
wait(GetEncryptCipherKeys<ServerDBInfo>::getEncryptCipherKeys(
|
||||
data->db, cipherDetails, BlobCipherMetrics::TLOG));
|
||||
cipherMap = getCipherKeysResult;
|
||||
}
|
||||
|
||||
|
|
@ -9324,7 +9325,8 @@ ACTOR Future<Void> update(StorageServer* data, bool* pReceivedUpdate) {
|
|||
|
||||
if (collectingCipherKeys) {
|
||||
std::unordered_map<BlobCipherDetails, Reference<BlobCipherKey>> getCipherKeysResult =
|
||||
wait(getEncryptCipherKeys(data->db, cipherDetails, BlobCipherMetrics::TLOG));
|
||||
wait(GetEncryptCipherKeys<ServerDBInfo>::getEncryptCipherKeys(
|
||||
data->db, cipherDetails, BlobCipherMetrics::TLOG));
|
||||
cipherKeys = getCipherKeysResult;
|
||||
collectingCipherKeys = false;
|
||||
eager = UpdateEagerReadInfo(enableClearRangeEagerReads);
|
||||
|
|
|
|||
|
|
@ -27,6 +27,7 @@
|
|||
#include "flow/ApiVersion.h"
|
||||
#include "flow/IAsyncFile.h"
|
||||
#include "fdbrpc/Locality.h"
|
||||
#include "fdbclient/GetEncryptCipherKeys_impl.actor.h"
|
||||
#include "fdbclient/GlobalConfig.actor.h"
|
||||
#include "fdbclient/ProcessInterface.h"
|
||||
#include "fdbclient/StorageServerInterface.h"
|
||||
|
|
@ -114,6 +115,7 @@ template struct NetNotifiedQueue<InitializeGrvProxyRequest, false>;
|
|||
|
||||
template class RequestStream<GetServerDBInfoRequest, false>;
|
||||
template struct NetNotifiedQueue<GetServerDBInfoRequest, false>;
|
||||
template class GetEncryptCipherKeys<ServerDBInfo>;
|
||||
|
||||
namespace {
|
||||
RoleLineageCollector roleLineageCollector;
|
||||
|
|
|
|||
|
|
@ -20,7 +20,7 @@
|
|||
|
||||
#include "fdbclient/BlobCipher.h"
|
||||
#include "fdbclient/EncryptKeyProxyInterface.h"
|
||||
#include "fdbclient/GetEncryptCipherKeys.actor.h"
|
||||
#include "fdbclient/GetEncryptCipherKeys.h"
|
||||
|
||||
#include "fdbrpc/Locality.h"
|
||||
|
||||
|
|
@ -79,7 +79,8 @@ struct EncryptKeyProxyTestWorkload : TestWorkload {
|
|||
domainIds.emplace(domainId);
|
||||
}
|
||||
std::unordered_map<EncryptCipherDomainId, Reference<BlobCipherKey>> latestCiphers =
|
||||
wait(getLatestEncryptCipherKeys(self->dbInfo, domainIds, BlobCipherMetrics::UsageType::TEST));
|
||||
wait(GetEncryptCipherKeys<ServerDBInfo>::getLatestEncryptCipherKeys(
|
||||
self->dbInfo, domainIds, BlobCipherMetrics::UsageType::TEST));
|
||||
|
||||
ASSERT_EQ(latestCiphers.size(), domainIds.size());
|
||||
|
||||
|
|
@ -105,7 +106,8 @@ struct EncryptKeyProxyTestWorkload : TestWorkload {
|
|||
domainIds.emplace(domainId);
|
||||
}
|
||||
std::unordered_map<EncryptCipherDomainId, Reference<BlobCipherKey>> latestCiphers =
|
||||
wait(getLatestEncryptCipherKeys(self->dbInfo, domainIds, BlobCipherMetrics::UsageType::TEST));
|
||||
wait(GetEncryptCipherKeys<ServerDBInfo>::getLatestEncryptCipherKeys(
|
||||
self->dbInfo, domainIds, BlobCipherMetrics::UsageType::TEST));
|
||||
|
||||
TraceEvent("SimPartialDomainIdCacheEnd");
|
||||
return Void();
|
||||
|
|
@ -122,7 +124,8 @@ struct EncryptKeyProxyTestWorkload : TestWorkload {
|
|||
}
|
||||
|
||||
std::unordered_map<EncryptCipherDomainId, Reference<BlobCipherKey>> latestCiphers =
|
||||
wait(getLatestEncryptCipherKeys(self->dbInfo, domainIds, BlobCipherMetrics::UsageType::TEST));
|
||||
wait(GetEncryptCipherKeys<ServerDBInfo>::getLatestEncryptCipherKeys(
|
||||
self->dbInfo, domainIds, BlobCipherMetrics::UsageType::TEST));
|
||||
state std::vector<Reference<BlobCipherKey>> cipherKeysVec;
|
||||
for (auto item : latestCiphers) {
|
||||
cipherKeysVec.push_back(item.second);
|
||||
|
|
@ -149,7 +152,8 @@ struct EncryptKeyProxyTestWorkload : TestWorkload {
|
|||
}
|
||||
|
||||
std::unordered_map<BlobCipherDetails, Reference<BlobCipherKey>> cipherKeys =
|
||||
wait(getEncryptCipherKeys(self->dbInfo, cipherDetails, BlobCipherMetrics::UsageType::TEST));
|
||||
wait(GetEncryptCipherKeys<ServerDBInfo>::getEncryptCipherKeys(
|
||||
self->dbInfo, cipherDetails, BlobCipherMetrics::UsageType::TEST));
|
||||
// Ensure the sanity of the lookedup data
|
||||
for (auto item : cipherKeys) {
|
||||
bool found = false;
|
||||
|
|
@ -183,7 +187,8 @@ struct EncryptKeyProxyTestWorkload : TestWorkload {
|
|||
}
|
||||
domainIds.emplace(FDB_DEFAULT_ENCRYPT_DOMAIN_ID - 1);
|
||||
std::unordered_map<EncryptCipherDomainId, Reference<BlobCipherKey>> res =
|
||||
wait(getLatestEncryptCipherKeys(self->dbInfo, domainIds, BlobCipherMetrics::UsageType::TEST));
|
||||
wait(GetEncryptCipherKeys<ServerDBInfo>::getLatestEncryptCipherKeys(
|
||||
self->dbInfo, domainIds, BlobCipherMetrics::UsageType::TEST));
|
||||
// BlobCipherKeyCache is 'empty'; fetching invalid cipher from KMS must through 'encrypt_key_not_found'
|
||||
ASSERT(false);
|
||||
} catch (Error& e) {
|
||||
|
|
|
|||
Loading…
Reference in New Issue