diff --git a/src/replica/replica_stub.cpp b/src/replica/replica_stub.cpp
index 74d6a041cb..48928c8013 100644
--- a/src/replica/replica_stub.cpp
+++ b/src/replica/replica_stub.cpp
@@ -590,18 +590,17 @@ void replica_stub::initialize(bool clear /* = false*/)
     _access_controller = std::make_unique();
 }
 
-dsn::error_s store_kms_key(std::string data_dir,
+dsn::error_s store_kms_key(const std::string &data_dir,
                            std::string encryption_key,
                            std::string iv,
                            std::string key_version)
 {
     replica_kms_info kms_info(encryption_key, iv, key_version);
     auto err = kms_info.store(data_dir);
-    if (dsn::ERR_OK == err) {
-        return dsn::error_s::ok();
-    } else {
-        return dsn::error_s::make(err, "Can't open replica_encrypted_key file to write");
+    if (!err.is_ok()) {
+        return dsn::error_s::make(err, "Can't open kms-info file to write");
     }
+    return dsn::error_s::ok();
 }
 
 void get_kms_key(std::string data_dir,
@@ -614,9 +613,7 @@ void get_kms_key(std::string data_dir,
     *encryption_key = kms_info.encryption_key;
     *iv = kms_info.iv;
     *key_version = kms_info.key_version;
-    if (dsn::ERR_OK != err) {
-        CHECK(err, "Can't open replica_encrypted_key file to read");
-    }
+    CHECK_OK(err, "Can't open replica_encrypted_key file to read");
 }
 
 void replica_stub::initialize(const replication_options &opts, bool clear /* = false*/)
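Review bot: The new `if (!err.is_ok())` in `store_kms_key` assumes the value returned by `kms_info.store(data_dir)` exposes `is_ok()`, while the removed code compared it against `dsn::ERR_OK` and it is passed straight into `dsn::error_s::make(err, ...)`, which suggests it is an `error_code` rather than an `error_s`; please confirm that type has `is_ok()`, otherwise `if (dsn::ERR_OK != err) {` keeps the intended semantics. Separately, `data_dir` is now taken by const reference but `encryption_key`, `iv` and `key_version` are still taken by value and then copied again into `replica_kms_info`; for consistency with the `data_dir` change, `const std::string &encryption_key, const std::string &iv, const std::string &key_version` would avoid the double copy of key material. The new error message names the `kms-info` file while the read path in the next hunk still says `replica_encrypted_key`; using one name (ideally derived from the file-name constant) in both messages keeps log triage consistent.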
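Review bot: `CHECK_OK(err, ...)` in `get_kms_key` runs only after `*encryption_key`, `*iv` and `*key_version` have already been written from `kms_info`, so on a failed load the out-parameters are populated from an object whose load did not succeed before the check fires; moving the check to directly after the load call (the top of the function is outside this hunk) fails before any value is published. The function still takes `std::string data_dir` by value, visible in the hunk header and in the previous hunk's context, whereas the commit changed `store_kms_key` to `const std::string &data_dir`; the same change here would keep the two helpers consistent. The message `"Can't open replica_encrypted_key file to read"` also still uses the old file name that the write path in the previous hunk no longer uses.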
@@ -650,9 +647,12 @@ void replica_stub::initialize(const replication_options &opts, bool clear /* = f
     std::string iv;
     std::string key_version;
     std::string server_key;
-    // get and store eek from kms
+    // get and store Encrypted Encryption Key(eek),Initialization Vector(iv),Key Version from kms
     if (key_provider && !utils::is_empty(FLAGS_hadoop_kms_url)) {
+        CHECK(_options.data_dirs[0], "data_dirs is empty");
         get_kms_key(_options.data_dirs[0], &encryption_key, &iv, &key_version);
+        // The encryption key should empty when process upon the first launch. And the process will get eek,iv,kv from kms
+        // After first launch, the encryption key should not empty. And the process get Decrypted Encryption Key(dek) from kms
         if (encryption_key.empty()) {
             CHECK(key_provider->GenerateEncryptionKey(&encryption_key, &iv, &key_version),
                   "get encryption key failed");
diff --git a/src/replica/replication_app_base.cpp b/src/replica/replication_app_base.cpp
index 9955fe5871..21587a8325 100644
--- a/src/replica/replication_app_base.cpp
+++ b/src/replica/replication_app_base.cpp
@@ -61,7 +61,7 @@
 namespace dsn {
 namespace replication {
 const std::string replica_init_info::kInitInfo = ".init-info";
-const std::string replica_kms_info::kFileName = ".kms-info";
+const std::string replica_kms_info::kKmsInfo = ".kms-info";
 
 error_code replica_init_info::load(const std::string &dir)
 {
diff --git a/src/runtime/security/kms_client.h b/src/runtime/security/kms_client.h
index 92e6fb1782..73ca13a305 100644
--- a/src/runtime/security/kms_client.h
+++ b/src/runtime/security/kms_client.h
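Review bot: `CHECK(_options.data_dirs[0], "data_dirs is empty");` indexes `data_dirs` before establishing that it is non-empty, so the guard cannot catch the case it names, and it passes a `std::string` where the macro expects a condition; the intended check is `CHECK(!_options.data_dirs.empty(), "data_dirs is empty");`. The two added comments would read more clearly as `// On first launch the key is empty: fetch eek/iv/key_version from the KMS and store them locally.` and `// On later launches the stored key is present: ask the KMS to decrypt it into the dek.`, which also spells out what `kv` abbreviates. The `initialize` body continues past the end of this hunk.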
@@ -26,6 +26,46 @@
 namespace dsn {
 namespace security {
 
+// A library for http client that provides convenient APIs to access http services, implemented
+// based on http client (https://curl.se/libcurl/c/).
+//
+// A class to implement
+// This class is not thread-safe. Thus maintain one instance for each thread.
+//
+// Example of useing Kms client:
+// --------------------------------------------------------
+// Create an instance of http_client:
+// GenerateEncryptionKey
+//
+// It's necessary to initialize the new instance before coming into use:
+// DecryptEncryptionKey
+//
+// Specify the target url that you would request for:
+// err = client.set_url(method);
+//
+// If you would use GET method, call `with_get_method`:
+// err = client.with_get_method();
+//
+// If you would use POST method, call `with_post_method` with post data:
+// err = client.with_post_method(post_data);
+//
+// Submit the request to remote http service:
+// err = client.exec_method();
+//
+// If response data should be processed, use callback function:
+// auto callback = [...](const void *data, size_t length) {
+// ......
+// return true;
+// };
+// err = client.exec_method(callback);
+//
+// Or just provide a string pointer:
+// std::string response;
+// err = client.exec_method(&response);
+//
+// Get the http status code after requesting:
+// long http_status;
+// err = client.get_http_status(http_status);
 class KMSClient
 {
 public:
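Review bot: The added header comment above `class KMSClient` describes a different class: it talks about "http client", lists `set_url`, `with_get_method`, `with_post_method`, `exec_method` and `get_http_status`, which are not shown as KMSClient methods, and leaves the fragment "A class to implement" unfinished. It should be replaced by a short comment stating what KMSClient does and how its own entry points, `GenerateEncryptionKey` and `DecryptEncryptionKey` (the only names in the block that look like KMSClient's API), are meant to be called in sequence, and the "not thread-safe" statement should be kept only if it actually holds for KMSClient rather than being carried over from the http client. Also fix "useing" to "using". The class body begins after this hunk, so I could not confirm the method list from here.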