498b235461
Build and test / Build and test AMD64 Ubuntu 22.04 (push) Failing after 0s
Publish Builder / amazonlinux2023 (push) Failing after 1s
Build and test / UT for Go (push) Has been skipped
Publish KRTE Images / KRTE (push) Failing after 1s
Build and test / Integration Test (push) Has been skipped
Build and test / Upload Code Coverage (push) Has been skipped
Publish Builder / rockylinux9 (push) Failing after 1s
Publish Builder / ubuntu22.04 (push) Failing after 0s
Publish Builder / ubuntu24.04 (push) Failing after 0s
Publish Gpu Builder / publish-gpu-builder (push) Failing after 1s
Publish Test Images / PyTest (push) Failing after 0s
Build and test / UT for Cpp (push) Has been cancelled
548 lines
16 KiB
Go
548 lines
16 KiB
Go
// Licensed to the LF AI & Data foundation under one
|
|
// or more contributor license agreements. See the NOTICE file
|
|
// distributed with this work for additional information
|
|
// regarding copyright ownership. The ASF licenses this file
|
|
// to you under the Apache License, Version 2.0 (the
|
|
// "License"); you may not use this file except in compliance
|
|
// with the License. You may obtain a copy of the License at
|
|
//
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
//
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
// See the License for the specific language governing permissions and
|
|
// limitations under the License.
|
|
|
|
package hookutil
|
|
|
|
import (
|
|
"bytes"
|
|
"context"
|
|
"encoding/base64"
|
|
"fmt"
|
|
"strconv"
|
|
"strings"
|
|
"sync"
|
|
|
|
"github.com/cockroachdb/errors"
|
|
"github.com/samber/lo"
|
|
"go.uber.org/atomic"
|
|
|
|
"github.com/milvus-io/milvus-proto/go-api/v3/commonpb"
|
|
"github.com/milvus-io/milvus-proto/go-api/v3/hook"
|
|
"github.com/milvus-io/milvus/pkg/v3/common"
|
|
"github.com/milvus-io/milvus/pkg/v3/mlog"
|
|
"github.com/milvus-io/milvus/pkg/v3/proto/indexcgopb"
|
|
"github.com/milvus-io/milvus/pkg/v3/streaming/util/message"
|
|
"github.com/milvus-io/milvus/pkg/v3/util/merr"
|
|
"github.com/milvus-io/milvus/pkg/v3/util/paramtable"
|
|
)
|
|
|
|
var (
|
|
Cipher atomic.Value
|
|
initCipherOnce sync.Once
|
|
cipherReloadMutex sync.RWMutex
|
|
errCipherPluginMissing = errors.New("cipher plugin is missing")
|
|
)
|
|
|
|
type BackupInterface interface {
|
|
Backup(ezID int64) (string, error)
|
|
}
|
|
|
|
// GetCipher returns singleton hook.Cipher instance.
|
|
// If Milvus is not built with cipher plugin, it will return nil
|
|
// If Milvus is built with cipher plugin, it will return hook.Cipher
|
|
func GetCipher() hook.Cipher {
|
|
InitOnceCipher()
|
|
return Cipher.Load().(cipherContainer).cipher
|
|
}
|
|
|
|
func GetCipherWithState() CipherWithState {
|
|
cipher := GetCipher()
|
|
if cipher == nil {
|
|
return nil
|
|
}
|
|
|
|
cipherWithState, ok := cipher.(CipherWithState)
|
|
if !ok {
|
|
return nil
|
|
}
|
|
return cipherWithState
|
|
}
|
|
|
|
func IsClusterEncryptionEnabled() bool {
|
|
return GetCipher() != nil
|
|
}
|
|
|
|
// KeyState represents the state of a KMS key
|
|
type KeyState string
|
|
|
|
const (
|
|
KeyStateEnabled KeyState = "Enabled"
|
|
KeyStateDisabled KeyState = "Disabled"
|
|
KeyStatePendingDeletion KeyState = "PendingDeletion"
|
|
KeyStateUnknown KeyState = "Unknown"
|
|
)
|
|
|
|
// CipherWithState extends the base Cipher interface with
|
|
// GetStates
|
|
type CipherWithState interface {
|
|
hook.Cipher
|
|
|
|
// GetStates returns the state of KMS keys.
|
|
// Returns a map of ezID -> state.
|
|
GetStates() (map[int64]string, error)
|
|
}
|
|
|
|
type EZ struct {
|
|
EzID int64
|
|
CollectionID int64
|
|
}
|
|
|
|
func (ez *EZ) AsMessageConfig() *message.CipherConfig {
|
|
if ez == nil {
|
|
return nil
|
|
}
|
|
return &message.CipherConfig{EzID: ez.EzID, CollectionID: ez.CollectionID}
|
|
}
|
|
|
|
type CipherContext struct {
|
|
EZ
|
|
key []byte
|
|
}
|
|
|
|
// GetEzStates queries the state of KMS keys for the given EZ IDs.
|
|
// This uses type assertion to check if the cipher plugin implements CipherWithState.
|
|
// If not supported, returns an empty map and no error (backward compatible).
|
|
func GetEzStates() (map[int64]KeyState, error) {
|
|
if GetCipherWithState() == nil {
|
|
return make(map[int64]KeyState), nil
|
|
}
|
|
|
|
states, err := GetCipherWithState().GetStates()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
result := make(map[int64]KeyState)
|
|
for ezID, state := range states {
|
|
result[ezID] = KeyState(state)
|
|
}
|
|
|
|
return result, nil
|
|
}
|
|
|
|
func ContainsCipherProperties(properties []*commonpb.KeyValuePair, deletedKeys []string) bool {
|
|
for _, property := range properties {
|
|
if property.Key == common.EncryptionEnabledKey ||
|
|
property.Key == common.EncryptionEzIDKey ||
|
|
property.Key == common.EncryptionRootKeyKey {
|
|
return true
|
|
}
|
|
}
|
|
return lo.ContainsBy(deletedKeys, func(data string) bool {
|
|
return lo.Contains([]string{
|
|
common.EncryptionEnabledKey,
|
|
common.EncryptionEzIDKey,
|
|
common.EncryptionRootKeyKey,
|
|
}, data)
|
|
})
|
|
}
|
|
|
|
func GetEzByCollProperties(collProperties []*commonpb.KeyValuePair, collectionID int64) *EZ {
|
|
if len(collProperties) == 0 {
|
|
return nil
|
|
}
|
|
for _, property := range collProperties {
|
|
if property.Key == common.EncryptionEzIDKey {
|
|
ezID, _ := strconv.ParseInt(property.Value, 10, 64)
|
|
return &EZ{
|
|
EzID: ezID,
|
|
CollectionID: collectionID,
|
|
}
|
|
}
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func CreateEZByDBProperties(dbProperties []*commonpb.KeyValuePair) error {
|
|
ezID, hasEzID := ParseEzIDFromProperties(dbProperties)
|
|
if !hasEzID {
|
|
return nil
|
|
}
|
|
|
|
for _, property := range dbProperties {
|
|
if property.GetKey() == common.EncryptionRootKeyKey {
|
|
return CreateEZ(ezID, property.GetValue())
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// When creating a new database
|
|
// System will encrypt the DB If defaultKey is not empty.
|
|
// However, if user controls with "cipher.enabled" and "cipher.key", respect the user's choice.
|
|
// An encrypted DB's properties will contain two properties:
|
|
// cipher.ezID, cipher.key
|
|
//
|
|
// Property consistency: DB without cipher.ezID and cipher.Key is NOT encrypted
|
|
// - Encrypted DB: cipher.ezID and cipher.key are not empty
|
|
// - Non-encrypted DB: no cipher.* key in properties
|
|
func TidyDBCipherProperties(ezID int64, dbProperties []*commonpb.KeyValuePair) ([]*commonpb.KeyValuePair, error) {
|
|
defaultRootKey := paramtable.GetCipherParams().DefaultRootKey.GetValue()
|
|
defaultEncrypt := len(defaultRootKey) > 0
|
|
|
|
for _, property := range dbProperties {
|
|
switch property.Key {
|
|
case common.EncryptionEnabledKey:
|
|
value := strings.ToLower(property.Value)
|
|
if value != "true" && value != "false" {
|
|
return nil, merr.WrapErrParameterInvalidMsg("invalid value for %s: %q, must be \"true\" or \"false\"",
|
|
common.EncryptionEnabledKey, property.Value)
|
|
}
|
|
defaultEncrypt = value == "true"
|
|
mlog.Info(context.TODO(), "User explicitly controls encryption", mlog.Int64("ezID", ezID), mlog.Bool("value", defaultEncrypt))
|
|
|
|
case common.EncryptionRootKeyKey:
|
|
defaultRootKey = property.Value
|
|
mlog.Info(context.TODO(), "User explicitly set rootKey", mlog.Int64("ezID", ezID), mlog.String("value", property.GetValue()))
|
|
}
|
|
}
|
|
|
|
cipher := GetCipher()
|
|
// If cipher plugin is missing but encryption is requested, return error
|
|
if cipher == nil && defaultEncrypt {
|
|
return nil, errCipherPluginMissing
|
|
}
|
|
|
|
// No plugin or not encrypted
|
|
if cipher == nil || !defaultEncrypt {
|
|
return removeCipherProperties(dbProperties), nil
|
|
}
|
|
|
|
if defaultRootKey == "" {
|
|
return nil, merr.WrapErrParameterInvalidMsg("encryption enabled but no key provided and no default key configured")
|
|
}
|
|
|
|
result := removeCipherProperties(dbProperties)
|
|
result = append(result,
|
|
&commonpb.KeyValuePair{
|
|
Key: common.EncryptionEzIDKey,
|
|
Value: strconv.FormatInt(ezID, 10),
|
|
},
|
|
&commonpb.KeyValuePair{
|
|
Key: common.EncryptionRootKeyKey,
|
|
Value: defaultRootKey,
|
|
},
|
|
)
|
|
|
|
return result, nil
|
|
}
|
|
|
|
func removeCipherProperties(properties []*commonpb.KeyValuePair) []*commonpb.KeyValuePair {
|
|
result := make([]*commonpb.KeyValuePair, 0, len(properties))
|
|
for _, property := range properties {
|
|
if property.Key != common.EncryptionEnabledKey &&
|
|
property.Key != common.EncryptionEzIDKey &&
|
|
property.Key != common.EncryptionRootKeyKey {
|
|
result = append(result, property)
|
|
}
|
|
}
|
|
return result
|
|
}
|
|
|
|
func TidyCollPropsByDBProps(collProps, dbProps []*commonpb.KeyValuePair) []*commonpb.KeyValuePair {
|
|
newCollProps := []*commonpb.KeyValuePair{}
|
|
for _, property := range collProps {
|
|
// Ignore already have ez property, likely from backup collection's schema
|
|
if property.Key == common.EncryptionEzIDKey {
|
|
continue
|
|
}
|
|
newCollProps = append(newCollProps, property)
|
|
}
|
|
|
|
// Set the new database's encryption properties
|
|
if ezProps := getCollEzPropsByDBProps(dbProps); ezProps != nil {
|
|
newCollProps = append(newCollProps, ezProps)
|
|
}
|
|
return newCollProps
|
|
}
|
|
|
|
func getCollEzPropsByDBProps(dbProperties []*commonpb.KeyValuePair) *commonpb.KeyValuePair {
|
|
for _, property := range dbProperties {
|
|
if property.Key == common.EncryptionEzIDKey {
|
|
return &commonpb.KeyValuePair{
|
|
Key: common.EncryptionEzIDKey,
|
|
Value: property.Value,
|
|
}
|
|
}
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func IsDBEncrypted(dbProperties []*commonpb.KeyValuePair) bool {
|
|
hasEzID, hasKey := false, false
|
|
for _, property := range dbProperties {
|
|
if property.Key == common.EncryptionEzIDKey && property.Value != "" {
|
|
hasEzID = true
|
|
} else if property.Key == common.EncryptionRootKeyKey && property.Value != "" {
|
|
hasKey = true
|
|
}
|
|
}
|
|
return hasEzID && hasKey
|
|
}
|
|
|
|
func RemoveEZByDBProperties(dbProperties []*commonpb.KeyValuePair) error {
|
|
ezID, has := ParseEzIDFromProperties(dbProperties)
|
|
if !has {
|
|
return nil
|
|
}
|
|
|
|
return RemoveEZ(ezID)
|
|
}
|
|
|
|
// GetStoragePluginContext returns the local plugin context for RPC from datacoord to datanode
|
|
func GetStoragePluginContext(collProps []*commonpb.KeyValuePair, collectionID int64) []*commonpb.KeyValuePair {
|
|
if ez := GetEzByCollProperties(collProps, collectionID); ez != nil {
|
|
pluginContext, err := GetPluginContext(ez.EzID, ez.CollectionID)
|
|
if err != nil {
|
|
mlog.Error(context.TODO(), "failed to get plugin context", mlog.Err(err))
|
|
return nil
|
|
}
|
|
return pluginContext
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// Non nill return
|
|
func GetReadStoragePluginContext(importEzk string) []*commonpb.KeyValuePair {
|
|
readContext, err := ImportEZ(importEzk)
|
|
if err != nil {
|
|
mlog.Error(context.TODO(), "failed to import ezk", mlog.Err(err))
|
|
return []*commonpb.KeyValuePair{}
|
|
}
|
|
return readContext
|
|
}
|
|
|
|
// RegisterEZsFromPluginContext registers all EZ contexts from plugin context.
|
|
// This processes ALL CipherConfigUnsafeEZK entries (for both read and write contexts).
|
|
func RegisterEZsFromPluginContext(context []*commonpb.KeyValuePair) error {
|
|
if !IsClusterEncryptionEnabled() {
|
|
return nil
|
|
}
|
|
|
|
for _, value := range context {
|
|
if value.GetKey() == CipherConfigUnsafeEZK {
|
|
ezID, encryptionKey, err := decodeEZContext(value.GetValue())
|
|
if err != nil {
|
|
return err
|
|
}
|
|
if err := CreateLocalEZ(ezID, encryptionKey); err != nil {
|
|
return err
|
|
}
|
|
}
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// GetCPluginContext gets C++ plugin context from the first CipherConfigUnsafeEZK entry.
|
|
// Used for creating indexcgopb.StoragePluginContext for C++ segcore.
|
|
func GetCPluginContext(context []*commonpb.KeyValuePair, collectionID int64) (*indexcgopb.StoragePluginContext, error) {
|
|
if !IsClusterEncryptionEnabled() {
|
|
return nil, nil
|
|
}
|
|
|
|
for _, value := range context {
|
|
if value.GetKey() == CipherConfigUnsafeEZK {
|
|
ezID, encryptionKey, err := decodeEZContext(value.GetValue())
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return &indexcgopb.StoragePluginContext{
|
|
CollectionId: collectionID,
|
|
EncryptionZoneId: ezID,
|
|
EncryptionKey: encryptionKey,
|
|
}, nil
|
|
}
|
|
}
|
|
|
|
return nil, nil
|
|
}
|
|
|
|
func GetCPluginContextByEzID(ezID int64) (*indexcgopb.StoragePluginContext, error) {
|
|
if !IsClusterEncryptionEnabled() {
|
|
return nil, nil
|
|
}
|
|
key := GetCipher().GetUnsafeKey(ezID, 0)
|
|
if len(key) == 0 {
|
|
return nil, merr.WrapErrParameterInvalidMsg("cannot get ez key for ezID=%d", ezID)
|
|
}
|
|
return &indexcgopb.StoragePluginContext{
|
|
EncryptionZoneId: ezID,
|
|
EncryptionKey: base64.StdEncoding.EncodeToString(key),
|
|
CollectionId: 0,
|
|
}, nil
|
|
}
|
|
|
|
func BackupEZKFromDBProperties(dbProperties []*commonpb.KeyValuePair) (string, error) {
|
|
if !IsDBEncrypted(dbProperties) {
|
|
return "", merr.WrapErrParameterInvalidMsg("not an encryption zone")
|
|
}
|
|
|
|
ezID, hasEzID := ParseEzIDFromProperties(dbProperties)
|
|
if !hasEzID {
|
|
return "", merr.WrapErrServiceInternalMsg("encryption enabled but no ezID found")
|
|
}
|
|
|
|
return BackupEZ(ezID)
|
|
}
|
|
|
|
// For test only
|
|
func InitTestCipher() {
|
|
InitOnceCipher()
|
|
storeCipher(testCipher{})
|
|
}
|
|
|
|
// cipherContainer is Container to wrap hook.Cipher interface
|
|
// this struct is used to be stored in atomic.Value
|
|
// since different type stored in it will cause panicking.
|
|
type cipherContainer struct {
|
|
cipher hook.Cipher
|
|
}
|
|
|
|
func storeCipher(cipher hook.Cipher) {
|
|
Cipher.Store(cipherContainer{cipher: cipher})
|
|
}
|
|
|
|
func initCipher() error {
|
|
storeCipher(nil)
|
|
|
|
pathGo := paramtable.GetCipherParams().SoPathGo.GetValue()
|
|
pathCpp := paramtable.GetCipherParams().SoPathCpp.GetValue()
|
|
if pathGo == "" || pathCpp == "" {
|
|
mlog.Info(context.TODO(), "empty so path for cipher plugin, skip to load plugin")
|
|
return nil
|
|
}
|
|
|
|
cipherVal, err := LoadPlugin[hook.Cipher](pathGo, "CipherPlugin")
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
initConfigs := buildCipherInitConfig()
|
|
if err = cipherVal.Init(initConfigs); err != nil {
|
|
return merr.Wrap(err, "fail to init configs for the cipher plugin")
|
|
}
|
|
|
|
registerCallback()
|
|
storeCipher((cipherVal))
|
|
return nil
|
|
}
|
|
|
|
func InitOnceCipher() {
|
|
initCipherOnce.Do(func() {
|
|
err := initCipher()
|
|
if err != nil {
|
|
mlog.Panic(context.TODO(),
|
|
fmt.Sprintf("fail to init cipher plugin, go_so_path=%s, cpp_so_path=%s, error=%v",
|
|
paramtable.GetCipherParams().SoPathGo.GetValue(),
|
|
paramtable.GetCipherParams().SoPathCpp.GetValue(),
|
|
err))
|
|
}
|
|
})
|
|
}
|
|
|
|
func buildCipherInitConfig() map[string]string {
|
|
initConfigs := lo.Assign(paramtable.Get().EtcdCfg.GetAll(), paramtable.GetCipherParams().GetAll())
|
|
initConfigs[CipherConfigMilvusRoleName] = paramtable.GetRole()
|
|
initConfigs[paramtable.Get().LocalStorageCfg.Path.Key] = paramtable.Get().LocalStorageCfg.Path.GetValue()
|
|
return initConfigs
|
|
}
|
|
|
|
func registerCallback() {
|
|
params := paramtable.GetCipherParams()
|
|
params.DefaultRootKey.RegisterCallback(reloadCipherConfig)
|
|
params.KmsAwsRoleARN.RegisterCallback(reloadCipherConfig)
|
|
params.KmsAwsExternalID.RegisterCallback(reloadCipherConfig)
|
|
params.RotationPeriodInHours.RegisterCallback(reloadCipherConfig)
|
|
params.UpdatePerieldInMinutes.RegisterCallback(reloadCipherConfig)
|
|
mlog.Info(context.TODO(), "cipher config callbacks registered")
|
|
}
|
|
|
|
func reloadCipherConfig(ctx context.Context, key, oldValue, newValue string) error {
|
|
cipher := GetCipher()
|
|
if cipher == nil {
|
|
mlog.Warn(ctx, "cipher plugin not loaded, skip config reload", mlog.String("key", key))
|
|
return nil
|
|
}
|
|
|
|
cipherReloadMutex.Lock()
|
|
defer cipherReloadMutex.Unlock()
|
|
|
|
mlog.Info(ctx, "reloading cipher plugin config",
|
|
mlog.String("key", key),
|
|
mlog.String("oldValue", oldValue),
|
|
mlog.String("newValue", newValue))
|
|
|
|
initConfigs := buildCipherInitConfig()
|
|
if err := cipher.Init(initConfigs); err != nil {
|
|
mlog.Error(ctx, "fail to reload cipher plugin config",
|
|
mlog.String("key", key),
|
|
mlog.Err(err))
|
|
return err
|
|
}
|
|
|
|
mlog.Info(ctx, "cipher plugin config reloaded successfully", mlog.String("key", key))
|
|
return nil
|
|
}
|
|
|
|
// testCipher encryption will append magicStr to plainText, magicStr is str of ezID and collectionID
|
|
type testCipher struct{}
|
|
|
|
var (
|
|
_ hook.Cipher = (*testCipher)(nil)
|
|
_ CipherWithState = (*testCipher)(nil)
|
|
|
|
_ hook.Encryptor = (*testCryptoImpl)(nil)
|
|
_ hook.Decryptor = (*testCryptoImpl)(nil)
|
|
)
|
|
|
|
func (d testCipher) Init(params map[string]string) error {
|
|
return nil
|
|
}
|
|
|
|
func (d testCipher) GetEncryptor(ezID, collectionID int64) (encryptor hook.Encryptor, safeKey []byte, err error) {
|
|
return createTestCryptoImpl(ezID, collectionID), []byte("safe key"), nil
|
|
}
|
|
|
|
func (d testCipher) GetDecryptor(ezID, collectionID int64, safeKey []byte) (hook.Decryptor, error) {
|
|
return createTestCryptoImpl(ezID, collectionID), nil
|
|
}
|
|
|
|
func (d testCipher) GetUnsafeKey(ezID, collectionID int64) []byte {
|
|
return []byte("unsafe key")
|
|
}
|
|
|
|
func (d testCipher) GetStates() (map[int64]string, error) {
|
|
return map[int64]string{}, nil
|
|
}
|
|
|
|
// append magicStr to plainText
|
|
type testCryptoImpl struct {
|
|
magicStr string
|
|
}
|
|
|
|
func createTestCryptoImpl(ezID, collectionID int64) testCryptoImpl {
|
|
return testCryptoImpl{fmt.Sprintf("%d%d", ezID, collectionID)}
|
|
}
|
|
|
|
func (c testCryptoImpl) Encrypt(plainText []byte) (cipherText []byte, err error) {
|
|
return append(plainText, []byte(c.magicStr)...), nil
|
|
}
|
|
|
|
func (c testCryptoImpl) Decrypt(cipherText []byte) (plainText []byte, err error) {
|
|
return bytes.TrimSuffix(cipherText, []byte(c.magicStr)), nil
|
|
}
|