public class GridEncryptionManager extends GridManagerAdapter<EncryptionSpi> implements MetastorageLifecycleListener, IgniteChangeGlobalStateSupport, IgniteEncryption
EncryptionSpi
instances.
NOTE: Following protocol applied to statically configured caches.
For dynamically created caches key generated in request creation.
Group keys generation protocol:
Master key change process:
prepareMKChangeProc
,
performMKChangeProc
Modifier and Type | Class and Description |
---|---|
protected static class |
GridEncryptionManager.EmptyResult |
protected static class |
GridEncryptionManager.KeyChangeFuture
Key change future.
|
protected static class |
GridEncryptionManager.NodeEncryptionKeys |
GridComponent.DiscoveryDataExchangeType
Modifier and Type | Field and Description |
---|---|
static String |
ENCRYPTION_KEYS_PREFIX
Prefix for a encryption group key in meta store, which contains encryption keys with identifiers.
|
static int |
INITIAL_KEY_ID
Initial identifier for cache group encryption key.
|
static String |
MASTER_KEY_NAME_PREFIX
Prefix for a master key name.
|
ctx, log
Constructor and Description |
---|
GridEncryptionManager(GridKernalContext ctx) |
Modifier and Type | Method and Description |
---|---|
void |
applyKeys(MasterKeyChangeRecordV2 rec)
Apply keys from WAL record during the recovery phase.
|
void |
applyReencryptionStartRecord(ReencryptionStartRecord rec)
Start reencryption using logical WAL record.
|
void |
beforeCacheGroupStart(int grpId,
@Nullable byte[] encKey)
Callback for cache group start event.
|
IgniteFuture<Void> |
changeCacheGroupKey(Collection<String> cacheOrGrpNames)
Starts cache group encryption key change process.
|
protected void |
changeCacheGroupKeyLocal(int[] grpIds,
byte[] keyIds,
byte[][] keys) |
IgniteFuture<Void> |
changeMasterKey(String masterKeyName)
Starts master key change process.
|
void |
checkEncryptedCacheSupported()
Checks cache encryption supported by all nodes in cluster.
|
void |
collectGridNodeData(DiscoveryDataBag dataBag)
Collects discovery data on nodes already in grid on receiving
TcpDiscoveryNodeAddedMessage . |
void |
collectJoiningNodeData(DiscoveryDataBag dataBag)
Collects discovery data on joining node before sending
TcpDiscoveryJoinRequestMessage request. |
GridComponent.DiscoveryDataExchangeType |
discoveryDataType()
Gets unique component type to distinguish components providing discovery data.
|
IgniteInternalFuture<T2<Collection<byte[]>,byte[]>> |
generateKeys(int keyCnt) |
long |
getBytesLeftForReencryption(int grpId) |
long |
getEncryptionState(int grpId,
int partId)
Get reencryption status for partition.
|
String |
getMasterKeyName()
Gets the current master key name.
|
double |
getReencryptionRate() |
@Nullable GroupKey |
groupKey(int grpId)
Returns group encryption key.
|
@Nullable GroupKey |
groupKey(int grpId,
int keyId)
Returns group encryption key with specified identifier.
|
@Nullable List<Integer> |
groupKeyIds(int grpId)
Gets the existing encryption key IDs for the specified cache group.
|
boolean |
isMasterKeyChangeInProgress() |
@Nullable byte[] |
masterKeyDigest()
Digest of last changed master key or
null if master key was not changed. |
void |
onActivate(GridKernalContext kctx)
Called when cluster performing activation.
|
void |
onCacheGroupDestroyed(int grpId)
Callback for cache group destroy event.
|
void |
onCacheGroupStop(int grpId)
Callback is called before invalidate page memory.
|
void |
onDeActivate(GridKernalContext kctx)
Called when cluster performing deactivation.
|
void |
onDestroyPartitionStore(CacheGroupContext grp,
int partId) |
void |
onDisconnected(IgniteFuture<?> reconnectFut)
Client disconnected callback.
|
void |
onGridDataReceived(DiscoveryDataBag.GridDiscoveryData data)
Receives discovery data object from remote nodes (called
on new node during discovery process).
|
void |
onJoiningNodeDataReceived(DiscoveryDataBag.JoiningNodeDiscoveryData data)
Method is called on nodes that are already in grid (not on joining node).
|
protected void |
onKernalStart0() |
protected void |
onKernalStop0(boolean cancel) |
void |
onLocalJoin()
Callback for local join.
|
void |
onReadyForRead(ReadOnlyMetastorage metastorage)
Is called when metastorage is made ready for read-only operations very early on node startup phase.
|
void |
onReadyForReadWrite(ReadWriteMetastorage metaStorage)
Fully functional metastore capable of performing reading and writing operations.
|
IgniteInternalFuture<?> |
onReconnected(boolean clusterRestarted)
Client reconnected callback.
|
void |
onWalSegmentRemoved(long segmentIdx)
Callback when WAL segment is removed.
|
IgniteInternalFuture<Void> |
reencryptionFuture(int grpId) |
boolean |
reencryptionInProgress(int grpId) |
boolean |
resumeReencryption(int grpId)
Forces re-encryption of the cache group.
|
void |
setEncryptionState(CacheGroupContext grp,
int partId,
int idx,
int total)
Set reencryption status for partition.
|
void |
setReencryptionRate(double rate) |
void |
start()
Starts grid component.
|
void |
stop(boolean cancel)
Stops grid component.
|
boolean |
suspendReencryption(int grpId)
Suspend re-encryption of the cache group.
|
@Nullable IgniteNodeValidationResult |
validateNode(ClusterNode node,
DiscoveryDataBag.JoiningNodeDiscoveryData discoData)
Validates that new node can join grid topology, this method is called on coordinator
node before new node joins topology.
|
assertParameter, enabled, getSpi, getSpi, getSpis, inject, onAfterSpiStart, onBeforeSpiStart, onKernalStart, onKernalStop, printMemoryStats, startInfo, startSpi, stopInfo, stopSpi, toString, validateNode
public static final String MASTER_KEY_NAME_PREFIX
public static final String ENCRYPTION_KEYS_PREFIX
public static final int INITIAL_KEY_ID
public GridEncryptionManager(GridKernalContext ctx)
ctx
- Kernel context.public void start() throws IgniteCheckedException
start
in interface GridComponent
IgniteCheckedException
- Throws in case of any errors.public void stop(boolean cancel) throws IgniteCheckedException
stop
in interface GridComponent
cancel
- If true
, then all ongoing tasks or jobs for relevant
components need to be cancelled.IgniteCheckedException
- Thrown in case of any errors.protected void onKernalStart0() throws IgniteCheckedException
onKernalStart0
in class GridManagerAdapter<EncryptionSpi>
IgniteCheckedException
- If failed.protected void onKernalStop0(boolean cancel)
onKernalStop0
in class GridManagerAdapter<EncryptionSpi>
cancel
- Cancel flag.public void onDisconnected(IgniteFuture<?> reconnectFut)
onDisconnected
in interface GridComponent
onDisconnected
in class GridManagerAdapter<EncryptionSpi>
reconnectFut
- Reconnect future.public IgniteInternalFuture<?> onReconnected(boolean clusterRestarted)
onReconnected
in interface GridComponent
onReconnected
in class GridManagerAdapter<EncryptionSpi>
clusterRestarted
- Cluster restarted flag.public void onLocalJoin()
@Nullable public @Nullable IgniteNodeValidationResult validateNode(ClusterNode node, DiscoveryDataBag.JoiningNodeDiscoveryData discoData)
validateNode
in interface GridComponent
validateNode
in class GridManagerAdapter<EncryptionSpi>
node
- Joining node.discoData
- Joining node discovery data.null
in case of success.public void collectJoiningNodeData(DiscoveryDataBag dataBag)
TcpDiscoveryJoinRequestMessage
request.collectJoiningNodeData
in interface GridComponent
collectJoiningNodeData
in class GridManagerAdapter<EncryptionSpi>
dataBag
- container object to store discovery data in.public void onJoiningNodeDataReceived(DiscoveryDataBag.JoiningNodeDiscoveryData data)
onJoiningNodeDataReceived
in interface GridComponent
onJoiningNodeDataReceived
in class GridManagerAdapter<EncryptionSpi>
data
- DiscoveryDataBag.JoiningNodeDiscoveryData
interface to retrieve discovery data of joining node.public void collectGridNodeData(DiscoveryDataBag dataBag)
TcpDiscoveryNodeAddedMessage
.collectGridNodeData
in interface GridComponent
collectGridNodeData
in class GridManagerAdapter<EncryptionSpi>
dataBag
- container object to store discovery data in.public void onGridDataReceived(DiscoveryDataBag.GridDiscoveryData data)
onGridDataReceived
in interface GridComponent
onGridDataReceived
in class GridManagerAdapter<EncryptionSpi>
data
- DiscoveryDataBag.GridDiscoveryData
interface to retrieve discovery data collected on remote nodes
(data common for all nodes in grid and specific for each node).@Nullable public @Nullable GroupKey groupKey(int grpId)
grpId
- Cache group ID.@Nullable public @Nullable GroupKey groupKey(int grpId, int keyId)
grpId
- Cache group ID.keyId
- Encryption key ID.@Nullable public @Nullable List<Integer> groupKeyIds(int grpId)
grpId
- Cache group ID.public IgniteFuture<Void> changeMasterKey(String masterKeyName)
Each node will re-encrypt group keys stored on the disk.
NOTE: The new master key should be available to EncryptionSpi
for each server node. Cache start
and node join during the key change process is prohibited and will be rejected.
If some node was unavailable during a master key change process it won't be able to join to cluster with the old
master key. The node should re-encrypt group keys during recovery on startup. The actual master key
name should be set via IgniteSystemProperties.IGNITE_MASTER_KEY_NAME_TO_CHANGE_BEFORE_STARTUP
.
changeMasterKey
in interface IgniteEncryption
public String getMasterKeyName()
getMasterKeyName
in interface IgniteEncryption
public IgniteFuture<Void> changeCacheGroupKey(Collection<String> cacheOrGrpNames)
NOTE: Node join is rejected during rotation of cache group encryption key. Background re-encryption of existing data in the specified cache group(s) begins after the encryption key(s) is changed. During re-encryption, node join is not rejected, the cluster remains fully functional, it is fault-tolerant operation that automatically continues after restart. Secondary rotation of the encryption key of a cache group is only possible after background re-encryption of existing data in this cache group is completed.
changeCacheGroupKey
in interface IgniteEncryption
cacheOrGrpNames
- Cache or group names.protected void changeCacheGroupKeyLocal(int[] grpIds, byte[] keyIds, byte[][] keys) throws IgniteCheckedException
grpIds
- Cache group IDs.keyIds
- Encryption key IDs.keys
- Encryption keys.IgniteCheckedException
- If failed.public IgniteInternalFuture<Void> reencryptionFuture(int grpId)
grpId
- Cache group ID.public boolean reencryptionInProgress(int grpId)
grpId
- Cache group ID.True
If the specified cache group is currently being re-encrypted.public double getReencryptionRate()
0
- unlimited).public void setReencryptionRate(double rate)
rate
- Re-encryption rate limit in megabytes per second (0
- unlimited).public void beforeCacheGroupStart(int grpId, @Nullable @Nullable byte[] encKey)
grpId
- Cache group ID.encKey
- Encryption keypublic void onCacheGroupStop(int grpId)
grpId
- Cache group ID.public void onCacheGroupDestroyed(int grpId)
grpId
- Cache group ID.public void onDestroyPartitionStore(CacheGroupContext grp, int partId)
grp
- Cache group.partId
- Partition ID.public void onWalSegmentRemoved(long segmentIdx)
segmentIdx
- WAL segment index.public void onReadyForRead(ReadOnlyMetastorage metastorage)
onReadyForRead
in interface MetastorageLifecycleListener
metastorage
- Read-only meta storage.public void onReadyForReadWrite(ReadWriteMetastorage metaStorage) throws IgniteCheckedException
onReadyForReadWrite
in interface MetastorageLifecycleListener
metaStorage
- Fully functional meta storage.IgniteCheckedException
public void onActivate(GridKernalContext kctx) throws IgniteCheckedException
onActivate
in interface IgniteChangeGlobalStateSupport
kctx
- Kernal context.IgniteCheckedException
- If failed.public void onDeActivate(GridKernalContext kctx)
onDeActivate
in interface IgniteChangeGlobalStateSupport
kctx
- Kernal context.public void setEncryptionState(CacheGroupContext grp, int partId, int idx, int total)
grp
- Cache group.partId
- Partition ID.idx
- Index of the last reencrypted page.total
- Total pages to be reencrypted.public long getEncryptionState(int grpId, int partId)
grpId
- Cache group ID.partId
- Parttiion ID.public long getBytesLeftForReencryption(int grpId)
grpId
- Cache group ID.public IgniteInternalFuture<T2<Collection<byte[]>,byte[]>> generateKeys(int keyCnt)
keyCnt
- Count of keys to generate.public boolean suspendReencryption(int grpId) throws IgniteCheckedException
grpId
- Cache group ID.IgniteCheckedException
public boolean resumeReencryption(int grpId) throws IgniteCheckedException
grpId
- Cache group ID.IgniteCheckedException
public void checkEncryptedCacheSupported() throws IgniteCheckedException
IgniteCheckedException
- If check fails.public GridComponent.DiscoveryDataExchangeType discoveryDataType()
GridComponent.collectJoiningNodeData(DiscoveryDataBag)
or GridComponent.collectGridNodeData(DiscoveryDataBag)
.discoveryDataType
in interface GridComponent
discoveryDataType
in class GridManagerAdapter<EncryptionSpi>
public void applyKeys(MasterKeyChangeRecordV2 rec)
rec
- Record.public void applyReencryptionStartRecord(ReencryptionStartRecord rec)
rec
- Reencryption start logical record.public boolean isMasterKeyChangeInProgress()
True
if the master key change process in progress.@Nullable public @Nullable byte[] masterKeyDigest()
null
if master key was not changed.
Used to verify the digest on a client node in case of cache start after master key change.
null
if master key was not changed.
Follow @ApacheIgnite
Ignite Database and Caching Platform : ver. 2.10.0 Release Date : March 10 2021