ranger-dev mailing list archives

From "Varun Rao (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (RANGER-723) Ranger-KMS – CloudHSM Integration
Date Thu, 05 Nov 2015 23:44:27 GMT

    [ https://issues.apache.org/jira/browse/RANGER-723?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14992718#comment-14992718 ]

Varun Rao commented on RANGER-723:
----------------------------------

We can add the following properties:

ranger.ks.master.key.password.type=CloudHSM
ranger.ks.cloudhsm.partition.credential.path=<path to the encrypted cloudHSM partition password file>
ranger.ks.cloudhsm.partition.credential.alias=ranger.ks.cloudhsm.partition.password
ranger.ks.cloudhsm.masterkey.name=RangerKMSMasterKey
ranger.ks.cloudhsm.partition.password=_

ranger.ks.master.key.password.type - can be used to indicate whether CloudHSM will be used
for encrypting the master key. If this value is set to "TEXT" or not set at all, it will use
the default setup.

NOTE: we should be allowed to switch between the default and cloudHSM encryption

When the value is set back to "TEXT", it should decrypt the master key using CloudHSM, encrypt
it using the TEXT master key password, and update the database.
The reverse should hold true as well.


> Ranger-KMS – CloudHSM Integration
> ---------------------------------
>
>                 Key: RANGER-723
>                 URL: https://issues.apache.org/jira/browse/RANGER-723
>             Project: Ranger
>          Issue Type: New Feature
>          Components: kms, Ranger
>    Affects Versions: 0.5.0
>            Reporter: Varun Rao
>            Assignee: Varun Rao
>            Priority: Minor
>         Attachments: Hadoop KMS.png, Ranger KMS - CloudHSM integration.png
>
>
> Integrate Ranger KMS with CloudHSM to manage master keys.
> Currently Ranger KMS uses the database (rangerkms.ranger_masterkey) to store the master key.
> This master key is encrypted using a property "KMS_MASTER_KEY_PASSWD".
> It would be nice if we can use CloudHSM instead of using "KMS_MASTER_KEY_PASSWD" to encrypt the master key.
> This will add an extra layer in the Key Hierarchy.
> Attached is the high level architecture of the current Hadoop KMS and the proposed change to integrate with CloudHSM.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
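The TEXT/CloudHSM switch that the comment above describes, as an added illustration that is not Ranger's code: the master key is unwrapped under the current protector, rewrapped under the new one, read back to verify, and only then written to the master-key row. TextProtector, CloudHsmProtector, switch_master_key_type, the HMAC-based stand-in wrap, the simulated partition login and the in-memory db dict are all assumptions; a real deployment would use AES key wrap and the HSM vendor's JCE provider.

```python
import hashlib, hmac, os

# Stand-in authenticated wrap for a 32-byte master key (HMAC-SHA256 keystream
# plus HMAC tag). Used only because the stdlib has no AES; not a production wrap.
def _seal(kek: bytes, mk: bytes) -> bytes:
    if len(mk) != 32:
        raise ValueError("master key must be 32 bytes")
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(mk, hmac.new(kek, nonce, hashlib.sha256).digest()))
    return nonce + ct + hmac.new(kek, nonce + ct, hashlib.sha256).digest()

def _open(kek: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(kek, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrapped master key failed integrity check (wrong KEK or tampered)")
    return bytes(a ^ b for a, b in zip(ct, hmac.new(kek, nonce, hashlib.sha256).digest()))

class TextProtector:
    """password.type=TEXT: KEK derived from KMS_MASTER_KEY_PASSWD with PBKDF2."""
    TYPE = "TEXT"
    def __init__(self, password: str, salt: bytes):
        self._kek = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    def wrap(self, mk: bytes) -> bytes: return _seal(self._kek, mk)
    def unwrap(self, blob: bytes) -> bytes: return _open(self._kek, blob)

class CloudHsmProtector:
    """password.type=CloudHSM (simulated): the KEK named by
    ranger.ks.cloudhsm.masterkey.name is generated inside the partition and never
    exported; the caller only gets wrap/unwrap after a partition login."""
    TYPE = "CloudHSM"
    def __init__(self, partition_password: str, expected_password: str):
        if not hmac.compare_digest(partition_password.encode(), expected_password.encode()):
            raise PermissionError("CloudHSM partition login failed")
        self._kek = os.urandom(32)  # constructed stand-in for the HSM-resident key
    def wrap(self, mk: bytes) -> bytes: return _seal(self._kek, mk)
    def unwrap(self, blob: bytes) -> bytes: return _open(self._kek, blob)

def switch_master_key_type(db: dict, current, new) -> dict:
    """The switch from the comment: unwrap under the current protector, rewrap
    under the new one, verify, then update the rangerkms.ranger_masterkey row
    (db is a constructed in-memory stand-in with keys 'masterkey' and 'type')."""
    if db["type"] != current.TYPE:
        raise ValueError(f"database records type={db['type']}, not {current.TYPE}")
    mk = current.unwrap(db["masterkey"])
    blob = new.wrap(mk)
    if new.unwrap(blob) != mk:  # never commit a blob that cannot be read back
        raise RuntimeError("re-wrap verification failed; database left unchanged")
    db.update(masterkey=blob, type=new.TYPE)
    return db
```

The plaintext master key exists only inside switch_master_key_type for the duration of the re-wrap, and the type recorded in the row is checked against the protector the operator claims is current, so a stale configuration cannot silently unwrap with the wrong KEK.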
