Class GridEncryptionManager

  • All Implemented Interfaces:
    IgniteEncryption, GridComponent, EncryptionCacheKeyProvider, GridManager, PartitionsExchangeAware, MetastorageLifecycleListener, IgniteChangeGlobalStateSupport

    public class GridEncryptionManager
    extends GridManagerAdapter<EncryptionSpi>
    implements EncryptionCacheKeyProvider, MetastorageLifecycleListener, IgniteChangeGlobalStateSupport, IgniteEncryption, PartitionsExchangeAware
    Manages cache group keys and EncryptionSpi instances. NOTE: The following protocol applies to statically configured caches. For dynamically created caches the group key is generated when the cache start request is created. Group key generation protocol:
    • Joining node:
      • 1. Collects all locally stored group keys and sends them to the coordinator.
      • 2. Generates (but does not store locally!) and sends keys for all statically configured groups that are not present in the metastore.
      • 3. Stores all keys received from the coordinator in the local store.
    • Coordinator:
      • 1. Checks that the joining node's master key digest equals the local one. If not, the join is rejected.
      • 2. Checks that all stored keys sent by the joining node equal the locally stored keys. If not, the join is rejected.
      • 3. Collects all stored keys and sends them to the joining node.
    • All nodes:
      • 1. If the new key for a group does not exist locally, it is added to the local store.
      • 2. If the new key for a group already exists locally, the received key is skipped.
      • 3. If a cache group is encrypted with a different (previous) encryption key, background re-encryption of this group with the new key is started.

    Master key change process:

    1. The initiator starts the process.
    2. Each server node compares the master key digest with the initiator's. If they differ, the process finishes with an error.
    3. Each server node changes the master key: it writes a WAL record and re-encrypts the group keys in the MetaStore.
    4. The initiator gets the result when all server nodes have completed the master key change.
    See Also:
    prepareMKChangeProc, performMKChangeProc
    • Field Detail

      • MASTER_KEY_NAME_PREFIX

        public static final String MASTER_KEY_NAME_PREFIX
        Prefix for a master key name.
        See Also:
        Constant Field Values
      • ENCRYPTION_KEYS_PREFIX

        public static final String ENCRYPTION_KEYS_PREFIX
        Prefix for an encryption group key entry in the meta store; the entry contains the group's encryption keys together with their identifiers.
        See Also:
        Constant Field Values
      • INITIAL_KEY_ID

        public static final int INITIAL_KEY_ID
        Initial identifier for cache group encryption key.
        See Also:
        Constant Field Values
    • Constructor Detail

      • GridEncryptionManager

        public GridEncryptionManager​(GridKernalContext ctx)
        Parameters:
        ctx - Kernel context.
    • Method Detail

      • stop

        public void stop​(boolean cancel)
                  throws IgniteCheckedException
        Stops grid component.
        Specified by:
        stop in interface GridComponent
        Parameters:
        cancel - If true, then all ongoing tasks or jobs for relevant components need to be cancelled.
        Throws:
        IgniteCheckedException - Thrown in case of any errors.
      • onLocalJoin

        public void onLocalJoin()
        Callback for local join.
      • getActiveKey

        @Nullable
        public GroupKey getActiveKey(int grpId)
        Returns the group encryption key that is currently set for writing.
        Specified by:
        getActiveKey in interface EncryptionCacheKeyProvider
        Parameters:
        grpId - Cache group ID.
        Returns:
        Group encryption key (with its ID) that is set for writing, or null if the group has no active key.
      • groupKey

        @Nullable
        public GroupKey groupKey(int grpId,
                                           int keyId)
        Returns group encryption key with specified ID.
        Specified by:
        groupKey in interface EncryptionCacheKeyProvider
        Parameters:
        grpId - Cache group ID.
        keyId - Encryption key ID.
        Returns:
        Group encryption key.
      • groupKeyIds

        @Nullable
        public List<Integer> groupKeyIds(int grpId)
        Gets the existing encryption key IDs for the specified cache group.
        Parameters:
        grpId - Cache group ID.
        Returns:
        List of the key identifiers.
      • changeMasterKey

        public IgniteFuture<Void> changeMasterKey​(String masterKeyName)
        Starts master key change process.

        Each node will re-encrypt group keys stored on the disk.

        NOTE: The new master key must be available to the EncryptionSpi on every server node. Cache start and node join during the key change process are prohibited and will be rejected.

        If a node was unavailable during a master key change, it will not be able to join the cluster with the old master key. Such a node must re-encrypt its group keys during recovery on startup; the name of the actual (new) master key must be set via IgniteSystemProperties.IGNITE_MASTER_KEY_NAME_TO_CHANGE_BEFORE_STARTUP.

        Specified by:
        changeMasterKey in interface IgniteEncryption
        Parameters:
        masterKeyName - Name of the master key.
        Returns:
        Future for this operation.
      • changeCacheGroupKey

        public IgniteFuture<Void> changeCacheGroupKey​(Collection<String> cacheOrGrpNames)
        Starts cache group encryption key change process.

        NOTE: Node join is rejected while the cache group encryption key is being rotated. Background re-encryption of the existing data in the specified cache group(s) begins once the encryption key(s) have been changed. During re-encryption node join is not rejected and the cluster remains fully functional; re-encryption is a fault-tolerant operation that automatically continues after a restart. A further rotation of a cache group's encryption key is only possible after background re-encryption of the existing data in that group has completed.

        Specified by:
        changeCacheGroupKey in interface IgniteEncryption
        Parameters:
        cacheOrGrpNames - Cache or group names.
        Returns:
        Future which will be completed when new encryption key(s) are set for writing on all nodes in the cluster and re-encryption of existing cache data is initiated.
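Worked example, added here and not part of Apache Ignite's own code or documentation, covering the rotation flows described in the class description (group key protocol and master key change process) and in changeMasterKey/changeCacheGroupKey. It builds a PKCS12 keystore holding two AES master keys (the same shape keytool -genseckey produces), starts a persistent single-node cluster with KeystoreEncryptionSpi, creates an encrypted cache, rotates the master key, rotates the cache group key and then waits for the background re-encryption through this manager. The alias names master-key-1 and master-key-2, the cache name, the keystore password, the work directory and the rate limit are assumptions; ignite.encryption() is the public IgniteEncryption API, while IgniteEx.context().encryption() and CU.cacheId() are internal calls that may change between Ignite versions.

```java
import java.io.FileOutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.util.Collections;
import javax.crypto.spec.SecretKeySpec;
import org.apache.ignite.Ignite;
import org.apache.ignite.IgniteCache;
import org.apache.ignite.Ignition;
import org.apache.ignite.cluster.ClusterState;
import org.apache.ignite.configuration.CacheConfiguration;
import org.apache.ignite.configuration.DataRegionConfiguration;
import org.apache.ignite.configuration.DataStorageConfiguration;
import org.apache.ignite.configuration.IgniteConfiguration;
import org.apache.ignite.internal.IgniteEx;
import org.apache.ignite.internal.managers.encryption.GridEncryptionManager;
import org.apache.ignite.internal.util.typedef.internal.CU;
import org.apache.ignite.spi.encryption.keystore.KeystoreEncryptionSpi;

public class KeyRotationExample {
    // Assumed names: both aliases must exist in the keystore of every server node.
    static final String OLD_MK = "master-key-1";
    static final String NEW_MK = "master-key-2";
    static final String CACHE = "secrets";
    static final char[] PWD = "changeit".toCharArray(); // demo password, assumption

    /** Creates a PKCS12 keystore with two random 256-bit AES master keys (constructed test data). */
    static Path createKeystore() throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, PWD);
        SecureRandom rnd = new SecureRandom();
        for (String alias : new String[] {OLD_MK, NEW_MK}) {
            byte[] raw = new byte[32];
            rnd.nextBytes(raw);
            ks.setEntry(alias, new KeyStore.SecretKeyEntry(new SecretKeySpec(raw, "AES")),
                new KeyStore.PasswordProtection(PWD));
        }
        Path path = Files.createTempFile("ignite-keystore", ".p12");
        try (FileOutputStream out = new FileOutputStream(path.toFile())) {
            ks.store(out, PWD);
        }
        return path;
    }

    /** Persistent node configured with the keystore SPI; encryption requires persistence. */
    static IgniteConfiguration config(Path keystore, String masterKeyName) throws Exception {
        KeystoreEncryptionSpi spi = new KeystoreEncryptionSpi();
        spi.setKeyStorePath(keystore.toString());
        spi.setKeyStorePassword(PWD);
        spi.setMasterKeyName(masterKeyName);

        return new IgniteConfiguration()
            .setIgniteInstanceName("rotation-demo")
            // Fresh work directory so stale group keys from a previous run cannot be read.
            .setWorkDirectory(Files.createTempDirectory("ignite-work").toString())
            .setEncryptionSpi(spi)
            .setDataStorageConfiguration(new DataStorageConfiguration()
                .setDefaultDataRegionConfiguration(
                    new DataRegionConfiguration().setPersistenceEnabled(true)));
    }

    public static void main(String[] args) throws Exception {
        Path keystore = createKeystore();

        try (Ignite ignite = Ignition.start(config(keystore, OLD_MK))) {
            ignite.cluster().state(ClusterState.ACTIVE);

            IgniteCache<Integer, String> cache = ignite.getOrCreateCache(
                new CacheConfiguration<Integer, String>(CACHE).setEncryptionEnabled(true));
            for (int i = 0; i < 10_000; i++)
                cache.put(i, "row-" + i);

            // Master key rotation: group keys in the metastore are re-encrypted under master-key-2.
            ignite.encryption().changeMasterKey(NEW_MK).get();
            if (!NEW_MK.equals(ignite.encryption().getMasterKeyName()))
                throw new IllegalStateException("master key was not rotated");

            // Cache group key rotation: a new group key is set for writing on all nodes,
            // then existing pages are re-encrypted in the background.
            ignite.encryption().changeCacheGroupKey(Collections.singleton(CACHE)).get();

            // Internal API (not a public contract): observe and throttle the re-encryption.
            GridEncryptionManager mgr = ((IgniteEx) ignite).context().encryption();
            int grpId = CU.cacheId(CACHE); // cache with no explicit group name: group ID == cache ID
            mgr.setReencryptionRate(10.0); // MB/s; 0 means unlimited
            System.out.printf("bytes left: %d, in progress: %b%n",
                mgr.getBytesLeftForReencryption(grpId), mgr.reencryptionInProgress(grpId));
            mgr.reencryptionFuture(grpId).get();
            System.out.println("active key id: " + mgr.getActiveKey(grpId).id()
                + ", stored key ids: " + mgr.groupKeyIds(grpId));
        }
    }
}
```

Run it with the ignite-core jar on the classpath. The second rotation of the same cache group would fail if issued before reencryptionFuture(grpId) completes, which is why the example waits on it; in production the old key IDs returned by groupKeyIds still exist until re-encryption finishes, so the previous key must stay readable until then.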
      • changeCacheGroupKeyLocal

        protected void changeCacheGroupKeyLocal​(int[] grpIds,
                                                byte[] keyIds,
                                                byte[][] keys)
                                         throws IgniteCheckedException
        Parameters:
        grpIds - Cache group IDs.
        keyIds - Encryption key IDs.
        keys - Encryption keys.
        Throws:
        IgniteCheckedException - If failed.
      • reencryptionFuture

        public IgniteInternalFuture<Void> reencryptionFuture​(int grpId)
        Parameters:
        grpId - Cache group ID.
        Returns:
        Future that will be completed when reencryption of the specified group is finished.
      • reencryptionInProgress

        public boolean reencryptionInProgress​(int grpId)
        Parameters:
        grpId - Cache group ID.
        Returns:
        True if the specified cache group is currently being re-encrypted.
      • reencryptionInProgress

        public boolean reencryptionInProgress()
        Returns:
        True if re-encryption is active in the cluster.
      • getReencryptionRate

        public double getReencryptionRate()
        Returns:
        Re-encryption rate limit in megabytes per second (0 - unlimited).
      • setReencryptionRate

        public void setReencryptionRate​(double rate)
        Parameters:
        rate - Re-encryption rate limit in megabytes per second (0 - unlimited).
      • setInitialGroupKey

        public void setInitialGroupKey(int grpId,
                                       @Nullable byte[] encKey,
                                       @Nullable Integer encKeyId)
        Sets the initial group key if encKey is not null.
        Parameters:
        grpId - Cache group ID.
        encKey - Encryption key
        encKeyId - Key id to use. If null, INITIAL_KEY_ID is used.
      • onCacheGroupStop

        public void onCacheGroupStop​(int grpId)
        Callback invoked before page memory is invalidated.
        Parameters:
        grpId - Cache group ID.
      • onCacheGroupDestroyed

        public void onCacheGroupDestroyed​(int grpId)
        Callback for cache group destroy event.
        Parameters:
        grpId - Cache group ID.
      • onDestroyPartitionStore

        public void onDestroyPartitionStore​(CacheGroupContext grp,
                                            int partId)
        Parameters:
        grp - Cache group.
        partId - Partition ID.
      • onCancelDestroyPartitionStore

        public void onCancelDestroyPartitionStore​(CacheGroupContext grp,
                                                  int partId)
        Parameters:
        grp - Cache group.
        partId - Partition ID.
      • onWalSegmentRemoved

        public void onWalSegmentRemoved​(long segmentIdx)
        Callback when WAL segment is removed.
        Parameters:
        segmentIdx - WAL segment index.
      • onReadyForRead

        public void onReadyForRead​(ReadOnlyMetastorage metastorage)
        Called when the metastorage is made ready for read-only operations, very early in the node startup phase. The read-only metastorage reference must be used only within this method and must not be stored in any field.
        Specified by:
        onReadyForRead in interface MetastorageLifecycleListener
        Parameters:
        metastorage - Read-only meta storage.
      • setEncryptionState

        public void setEncryptionState​(CacheGroupContext grp,
                                       int partId,
                                       int idx,
                                       int total)
        Sets the re-encryption status for a partition.
        Parameters:
        grp - Cache group.
        partId - Partition ID.
        idx - Index of the last reencrypted page.
        total - Total pages to be reencrypted.
      • getEncryptionState

        public long getEncryptionState​(int grpId,
                                       int partId)
        Gets the re-encryption status for a partition.
        Parameters:
        grpId - Cache group ID.
        partId - Partition ID.
        Returns:
        Index of the last re-encrypted page and the total page count, packed into a single long.
      • getBytesLeftForReencryption

        public long getBytesLeftForReencryption​(int grpId)
        Parameters:
        grpId - Cache group ID.
        Returns:
        The number of bytes left for re-encryption.
      • generateKeys

        public IgniteInternalFuture<T2<Collection<byte[]>,​byte[]>> generateKeys​(int keyCnt)
        Parameters:
        keyCnt - Count of keys to generate.
        Returns:
        Future that will contain the generated (master-key-encrypted) keys and the master key digest.
      • applyKeys

        public void applyKeys​(MasterKeyChangeRecordV2 rec)
        Apply keys from WAL record during the recovery phase.
        Parameters:
        rec - Record.
      • applyReencryptionStartRecord

        public void applyReencryptionStartRecord​(ReencryptionStartRecord rec)
        Start reencryption using logical WAL record.
        Parameters:
        rec - Reencryption start logical record.
      • isMasterKeyChangeInProgress

        public boolean isMasterKeyChangeInProgress()
        Returns:
        True if the master key change process is in progress.
      • masterKeyDigest

        @Nullable
        public byte[] masterKeyDigest()
        Digest of the last changed master key, or null if the master key was never changed.

        Used to verify the digest on a client node in case of cache start after master key change.

        Returns:
        Digest of last changed master key or null if master key was not changed.