CLDSRV-636: SSE with both internal & external KMS (HF 9.2.0.12)

[BourgoisMickael]

This is generic but simplified for file to aws use case and will be extended in latest version to handle any backend.

• Store all KMS keys with an arn describing backend provider (see ARSN-485: Prefix KMS Keys with an arn (HF cldsrv 9.2.0.12) Arsenal#2349)
  • option (hideScalityArn) to keep backward compatibility
• Migrate KMS Keys with sseMigration config
  • For bucket, replace file key with aws key
  • For object reformat key into an arn
• Allow usage of keys from previous KMS provider (file) to decript and read files (or for ongoing MPU)

Overall example of a new Key Format and migration

flowchart TD
    GetObject:::red --> bktArn
    objArn --NO GetObject--> objUpdate[Update Object: Prefix KMS key with arn]:::red
    %% Get 0-1 Links

    %% Common route
    bktArn{Bucket SSE is arn?}:::purple
        --NO--> bktKey["
            Create new external KMS Key with arn prefix
            Update Bucket attribute
        "]:::purple
    bktArn
        --Then--> objArn{Object SSE is arn?}:::purple
        --Then--> ...:::purple
        --> KMS
    subgraph KMS[KMS#nbsp;Object#nbsp;Decrypt/Encrypt]
        extract[Extract KMS provider and KeyId from arn]:::purple
        --> client[Pick or instantiate KMS client based on provider from Key arn]:::purple
        --> send["
            Backend Decrypts/Encrypts with KeyId
            But if Arn is sent, client still extract KeyId from arn
        "]:::purple
    end
    %% 2-7 Links common

    PutObject:::blue --> bktArn
    objArn --NO PutObject--> PutPrefix[Prefix KMS Key with arn if missing]:::blue
    %% PUT 8-9 Links

    classDef red stroke:red
    classDef blue stroke:blue
    classDef purple stroke:purple

    linkStyle 0,1 stroke:red
    linkStyle 8,9 stroke:blue
    linkStyle 2,3,4,5,6,7 stroke:purple

Loading

[bert-e]

Hello bourgoismickael,

My role is to assist you with the merge of this
pull request. Please type @bert-e help to get information
on this process, or consult the user documentation.

Available options

name	description	privileged	authored
/after_pull_request	Wait for the given pull request id to be merged before continuing with the current one.
/bypass_author_approval	Bypass the pull request author's approval	⭐
/bypass_build_status	Bypass the build and test status	⭐
/bypass_commit_size	Bypass the check on the size of the changeset TBA	⭐
/bypass_incompatible_branch	Bypass the check on the source branch prefix	⭐
/bypass_jira_check	Bypass the Jira issue check	⭐
/bypass_peer_approval	Bypass the pull request peers' approval	⭐
/bypass_leader_approval	Bypass the pull request leaders' approval	⭐
/approve	Instruct Bert-E that the author has approved the pull request.		✍️
/create_pull_requests	Allow the creation of integration pull requests.
/create_integration_branches	Allow the creation of integration branches.
/no_octopus	Prevent Wall-E from doing any octopus merge and use multiple consecutive merge instead
/unanimity	Change review acceptance criteria from one reviewer at least to all reviewers
/wait	Instruct Bert-E not to run until further notice.

Available commands

name	description	privileged
/help	Print Bert-E's manual in the pull request.
/status	Print Bert-E's current status in the pull request TBA
/clear	Remove all comments from Bert-E from the history TBA
/retry	Re-start a fresh build TBA
/build	Re-start a fresh build TBA
/force_reset	Delete integration branches & pull requests, and restart merge process from the beginning.
/reset	Try to remove integration branches unless there are commits on them which do not appear on the source branch.

Status report is not available.

[bert-e]

Waiting for approval

The following approvals are needed before I can proceed with the merge:

• the author

• 2 peers

[nicolas2bert]

should we log something?

[BourgoisMickael]

errors should already be logged by kms implementation. But we could append a message to the error to describe the error is due to the SSE migration

[nicolas2bert]

Are sse.masterKeyId and sse.configuredMasterKeyId not suppose to be different?
Does it break something if we have them both be the same value?

[BourgoisMickael]

Yes they should be different, I need to fix this

[BourgoisMickael]

Actually nothing should break, right now they are different because they are set at different times, but having the same key is fine

[nicolas2bert]

Should we fail the GET/HEAD object call if update encryption fails?

[BourgoisMickael]

Right now it will fail, the error is passed to the next callback.

But we could provide a flag through config to ignore migration failure and still return the object.

The only reason where the update could fail but not the get is if you can't write, because disk is full but still wants to read from it.

[nicolas2bert]

We always need to check the client because there is no way to know that a migration never happened before? If we had a way to know that no migration happened before, we would be safe to use the default KMS, right? How is the impact of getClientForKey on the GET object latency?

[BourgoisMickael]

If we know the migration never happened before, we'd rather know we should use the previous KMS instead of the new default external KMS.

But the way to know for now for outscale is if the scality kms arnPrefix is present or not.

I've also pre instantiated the previous KMS as file is the only allowed for now in migration, to avoid latency of first GET after startup.

The impact on GET object latency is:

• extract key detail from arn: split('/') and split(':') on the key: https://github.com/scality/Arsenal/pull/2349/files#diff-1c24d37a19bc08405b548ef9b5ac12a2ef83b7edb3a2ee62cc8426c7df8e5b95R122-R137
• if key is scality arnPrefix
  • validate the key parts: https://github.com/scality/Arsenal/pull/2349/files#diff-1c24d37a19bc08405b548ef9b5ac12a2ef83b7edb3a2ee62cc8426c7df8e5b95R145-R167
  • concatenate the clientIdentifier string: https://github.com/scality/cloudserver/pull/5788/files#diff-c506ce0254987c99cd5ff5a10cd1ecabc6e1bc59e643fe2401103b9feb7b27a6R131
  • return the client and KeyId
• if key is not scality arnPrefix
  • return the client (default or previous based on sseMigration configuration presence) and the KeyId

But as the GetObject migrate to new scality arn format, it should be expected the first Get on a bucket and object is slower for migration, and then we fall in the case where it's a scality arnPrefix

[nicolas2bert]

Is getClientForKey needed for PUT object? We know that the client will always be the default one. What is the impact on our PUT object latency?

[BourgoisMickael]

It's needed if kms key is passed in scality arn format on a PUT request. Then the function will extract the KeyId from the arn and validate the arn scality format.

It also returns the client identifier so we can block usage of other client like if an arn for the file KMS is used when there is a configured external KMS, it should be forbidden: https://github.com/scality/cloudserver/pull/5788/files#diff-c506ce0254987c99cd5ff5a10cd1ecabc6e1bc59e643fe2401103b9feb7b27a6R332-R339

---

And for any future case where multiple KMS providers can be used it will become useful

[BourgoisMickael]

As for PUT latency, it will be same as GET:

The impact on PUT object latency is:

• extract key detail from arn: split('/') and split(':') on the key: https://github.com/scality/Arsenal/pull/2349/files#diff-1c24d37a19bc08405b548ef9b5ac12a2ef83b7edb3a2ee62cc8426c7df8e5b95R122-R137
• if key is scality arnPrefix
  • validate the key parts: https://github.com/scality/Arsenal/pull/2349/files#diff-1c24d37a19bc08405b548ef9b5ac12a2ef83b7edb3a2ee62cc8426c7df8e5b95R145-R167
  • concatenate the clientIdentifier string: https://github.com/scality/cloudserver/pull/5788/files#diff-c506ce0254987c99cd5ff5a10cd1ecabc6e1bc59e643fe2401103b9feb7b27a6R131
  • return the client and KeyId
• if key is not scality arnPrefix (should not happen as the PUT will prefix the key with a scality arn)
  • return the client (default or previous based on sseMigration configuration presence) and the KeyId

[anurag4DSB]

Thanks for the changes