Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use AES key per stream #77

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Use AES key per stream #77

wants to merge 1 commit into from

Conversation

willyborankin
Copy link
Collaborator

Switched to use AES key for each stream which brings key auto-rotation

@willyborankin willyborankin requested a review from reta August 18, 2023 09:41
@willyborankin willyborankin mentioned this pull request Sep 18, 2023
Closed
@pmarjou22
Copy link

pmarjou22 commented Nov 6, 2023
edited
Loading

Hello @willyborankin, Is this change backward compatible with snapshots created with previous version of the plugin ? We have taken this change and built a version of the plugin for opensearch 2.10.0. Once we upgraded opensearch, we cannot access previously created snapshots :

GET _snapshot/s3-repositoryencr/_all

{
  "error": {
    "root_cause": [
      {
        "type": "data_length_exception",
        "reason": "data_length_exception: input too large for RSA cipher."
      }
    ],
    "type": "repository_exception",
    "reason": "[s3-repositoryencr] Unexpected exception when loading repository data",
    "caused_by": {
      "type": "data_length_exception",
      "reason": "data_length_exception: input too large for RSA cipher."
    }
  },
  "status": 500
}

2023-11-06 15:37:52 | org.opensearch.transport.RemoteTransportException: [ES_MASTERHA_0][xxxxxxxxxxx:9300][cluster:admin/snapshot/get] Caused by: org.opensearch.repositories.RepositoryException: [s3-repositoryencr] Unexpected exception when loading repository data at org.opensearch.repositories.blobstore.BlobStoreRepository.doGetRepositoryData(BlobStoreRepository.java:2066) ~[opensearch-2.10.0.jar:2.10.0] at org.opensearch.action.ActionRunnable$2.doRun(ActionRunnable.java:89) ~[opensearch-2.10.0.jar:2.10.0] at org.opensearch.common.util.concurrent.ThreadContext$ContextPreservingAbstractRunnable.doRun(ThreadContext.java:908) ~[opensearch-2.10.0.jar:2.10.0] at org.opensearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:52) ~[opensearch-2.10.0.jar:2.10.0] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136) ~[?:?] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) ~[?:?] at java.lang.Thread.run(Thread.java:833) [?:?] Caused by: org.opensearch.core.common.io.stream.NotSerializableExceptionWrapper: data_length_exception: input too large for RSA cipher. at org.bouncycastle.crypto.engines.RSACoreEngine.convertInput(Unknown Source) ~[?:?] at org.bouncycastle.crypto.engines.RSABlindedEngine.processBlock(Unknown Source) ~[?:?] at org.bouncycastle.crypto.encodings.OAEPEncoding.decodeBlock(Unknown Source) ~[?:?] at org.bouncycastle.crypto.encodings.OAEPEncoding.processBlock(Unknown Source) ~[?:?] at org.bouncycastle.jcajce.provider.asymmetric.rsa.CipherSpi.getOutput(Unknown Source) ~[?:?] at org.bouncycastle.jcajce.provider.asymmetric.rsa.CipherSpi.engineDoFinal(Unknown Source) ~[?:?] at javax.crypto.Cipher.doFinal(Cipher.java:2205) ~[?:?] at org.opensearch.repository.encrypted.security.EncryptionDataSerializer.decrypt(EncryptionDataSerializer.java:103) ~[?:?] at org.opensearch.repository.encrypted.security.EncryptionDataSerializer.lambda$deserialize$1(EncryptionDataSerializer.java:81) ~[?:?] at java.security.AccessController.doPrivileged(AccessController.java:569) ~[?:?] at org.opensearch.repository.encrypted.Permissions.doPrivileged(Permissions.java:21) ~[?:?] at org.opensearch.repository.encrypted.security.EncryptionDataSerializer.deserialize(EncryptionDataSerializer.java:70) ~[?:?] at org.opensearch.repository.encrypted.security.CryptoIO.lambda$decrypt$1(CryptoIO.java:58) ~[?:?] at java.security.AccessController.doPrivileged(AccessController.java:569) ~[?:?] at org.opensearch.repository.encrypted.Permissions.doPrivileged(Permissions.java:21) ~[?:?] at org.opensearch.repository.encrypted.security.CryptoIO.decrypt(CryptoIO.java:56) ~[?:?] at org.opensearch.repository.encrypted.EncryptedBlobContainer.readBlob(EncryptedBlobContainer.java:39) ~[?:?] at org.opensearch.repositories.blobstore.BlobStoreRepository.getRepositoryData(BlobStoreRepository.java:2217) ~[opensearch-2.10.0.jar:2.10.0] at org.opensearch.repositories.blobstore.BlobStoreRepository.doGetRepositoryData(BlobStoreRepository.java:2028) ~[opensearch-2.10.0.jar:2.10.0] at org.opensearch.action.ActionRunnable$2.doRun(ActionRunnable.java:89) ~[opensearch-2.10.0.jar:2.10.0] at org.opensearch.common.util.concurrent.ThreadContext$ContextPreservingAbstractRunnable.doRun(ThreadContext.java:908) ~[opensearch-2.10.0.jar:2.10.0] at org.opensearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:52) ~[opensearch-2.10.0.jar:2.10.0] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136) ~[?:?] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) ~[?:?] at java.lang.Thread.run(Thread.java:833) ~[?:?]

@willyborankin
Copy link
Collaborator Author

willyborankin commented Nov 6, 2023
edited
Loading

Nope this is the reason why we haven't merged it yet. :-). Technically it is possible to do but unfortunately i did not have time to finish it.

@willyborankin
Use AES key per stream
57e33e0 
Switched to use AES key for each stream which brings key auto-rotation

Signed-off-by: Andrey Pleskach <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@reta reta Awaiting requested review from reta

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@willyborankin @pmarjou22