Details
- Type: Improvement
- Status: Open
- Priority: Major
- Resolution: Unresolved
- Affects Version/s: 3.0.0, 2.3.0
- Fix Version/s: None
- Component/s: None
Description
At present, RangerKMS has six different MasterKey Providers. Three of them can access the master key (MK) directly, so KMS can encrypt and decrypt the ZoneKey itself; the other three cannot, and can only delegate ZoneKey encryption and decryption to the MasterKey Provider.
Apart from the built-in JDBC-based RangerMasterKey class, every other provider pulls in a large number of dependencies. This makes the dependency set of KMS complicated and confusing, and these dependencies may conflict in the future. Therefore, the MasterKey Provider should be refined into a plug-in mechanism, similar to the plugin shim of Ranger Admin.
A preliminary idea: define an MKProviderFactory interface that can create an instance of RangerKMSMKI from a URL, then use ServiceLoader<MKProviderFactory> to create the MK Provider at runtime. The dependencies of the actual MK Provider are hidden by the plugin class loader.
The URL scheme could look like "mkp-azure://conffile/keyprefix", "mkp-jdbc://connectionstring", ...
Finally, we can unify the key import / export / migration CLI utilities.
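A sketch of the proposed lookup, added here as an illustration and not code from Ranger: a scheme-keyed MKProviderFactory discovered through ServiceLoader on an isolated plugin class loader. The MasterKeyProvider interface, the scheme() method, the plugin directory layout and the class names are assumptions standing in for RangerKMSMKI and whatever the real design settles on.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URL;
import java.net.URLClassLoader;
import java.nio.file.*;
import java.util.ServiceLoader;
import java.util.stream.Stream;

/** Stand-in for Ranger's RangerKMSMKI (assumption); real factories would return that type. */
interface MasterKeyProvider {
    String getMasterKey(String password) throws Exception;
}

/** Proposed contract: one factory per URL scheme, registered via META-INF/services. */
interface MKProviderFactory {
    String scheme();                                   // e.g. "mkp-jdbc" or "mkp-azure"
    MasterKeyProvider create(URI providerUrl) throws Exception;
}

final class MKProviderLoader {
    /** Child-first isolation is not needed here: the child loader only adds the plugin jars,
     *  so the provider's transitive dependencies never land on the KMS application classpath. */
    static ClassLoader pluginClassLoader(Path pluginDir, ClassLoader parent) throws IOException {
        try (Stream<Path> jars = Files.list(pluginDir)) {
            URL[] urls = jars.filter(p -> p.toString().endsWith(".jar"))
                             .map(p -> { try { return p.toUri().toURL(); }
                                         catch (Exception e) { throw new IllegalStateException(e); } })
                             .toArray(URL[]::new);
            return new URLClassLoader(urls, parent);
        }
    }

    /** Resolve e.g. mkp-jdbc://connectionstring to a provider built by exactly one matching factory. */
    static MasterKeyProvider load(String providerUrl, ClassLoader pluginLoader) throws Exception {
        URI uri = URI.create(providerUrl);
        String scheme = uri.getScheme();
        if (scheme == null || !scheme.startsWith("mkp-")) {
            throw new IllegalArgumentException("not a master-key provider URL: " + providerUrl);
        }
        MKProviderFactory match = null;
        for (MKProviderFactory f : ServiceLoader.load(MKProviderFactory.class, pluginLoader)) {
            if (!scheme.equals(f.scheme())) continue;
            // Two plugins claiming one scheme is a deployment error, not a silent first-wins pick.
            if (match != null) throw new IllegalStateException("ambiguous factories for " + scheme);
            match = f;
        }
        if (match == null) throw new IllegalStateException("no MKProviderFactory for " + scheme);
        return match.create(uri);
    }
}
```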
Task Blocked on: https://issues.apache.org/jira/browse/RANGER-3682