INTPYTHON-527 Add Queryable Encryption support #329
Conversation
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
django_mongodb_backend/management/commands/get_encrypted_fields_map.py
Outdated
Show resolved
Hide resolved
django_mongodb_backend/management/commands/get_encrypted_fields_map.py
Outdated
Show resolved
Hide resolved
django_mongodb_backend/management/commands/get_encrypted_fields_map.py
Outdated
Show resolved
Hide resolved
django_mongodb_backend/management/commands/get_encrypted_fields_map.py
Outdated
Show resolved
Hide resolved
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
aclark4life
force-pushed
the
INTPYTHON-527
branch
2 times, most recently
from
c89be3d to
b22dfbd
Compare
… it part of the normal flow
Move crypt shared installation instructions to "Installation" section and crypt shared configuration steps to "Configuring the DATABASES setting" section.
Fall back to local if no env vars set
aclark4life
force-pushed
the
INTPYTHON-527
branch
from
b22dfbd to
76200b1
Compare
| KMS_CREDENTIALS = {"aws": {"key": _AWS_KEY_ARN, "region": _AWS_REGION}} | ||
| else: | ||
| KMS_PROVIDERS = {"local": {"key": os.urandom(96)}} | ||
| KMS_CREDENTIALS = {"local": {}} |
There was a problem hiding this comment.
As far as I know "local" isn't required in this dictionary and I wouldn't put it there so we don't test an unrealistic scenario.
| _AWS_REGION = os.environ.get("FLE_AWS_KMS_REGION", "us-east-1") | ||
| _AWS_KEY_ARN = os.environ.get( | ||
| "FLE_AWS_KMS_KEY_ARN", | ||
| "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0", | ||
| ) |
There was a problem hiding this comment.
Should there be fallback values? Seems it might be better to fail loudly than silently.
| KMS_PROVIDERS = {"aws": AWS_CREDS} | ||
| KMS_CREDENTIALS = {"aws": {"key": _AWS_KEY_ARN, "region": _AWS_REGION}} |
There was a problem hiding this comment.
I would caution against using uppercased values that look like Django settings. (Any values in this file are accessible as such. It could lead to inadvertent referencing of them.)
| master_key = connections["encrypted"].settings_dict["KMS_CREDENTIALS"][ | ||
| self.DEFAULT_KMS_PROVIDER | ||
| ] |
There was a problem hiding this comment.
Since we only support on provider, I think you could avoid all the logic in test_base.py and simply retrieve the configured provider/master key values similar to how schema.py does it: next(iter(kms_providers.keys()))
| # Export secrets as environment variables | ||
| . ../secrets-export.sh |
There was a problem hiding this comment.
This file is from driver tools or something?
| pip install -e . | ||
| pip install -e '.[encryption]' |
There was a problem hiding this comment.
Try to avoid encryption related tasks like this on non-encrypted builds.
| display_name: Run Tests 8.2 QE | ||
| run_on: rhel87-small | ||
| expansions: | ||
| MONGODB_VERSION: "8.2" |
There was a problem hiding this comment.
My impression is that we only want to test with dot zero MongoDB's, but lets get clarification on this.
| "accessKeyId": os.environ.get("FLE_AWS_KEY", ""), | ||
| "secretAccessKey": os.environ.get("FLE_AWS_SECRET", ""), |
There was a problem hiding this comment.
Comment where the environment variable names come from given that then name doesn't appear anywhere else in this repo. (Is it really configured correctly?) Maybe it's better to have some configuration variable like "USE_AWS_KMS" rather than inferring it from these values.
There was a problem hiding this comment.
I thought it might be incorrect since the names are different from this line in evergreen config: include_expansions_in_env: ["AWS_SECRET_ACCESS_KEY", "AWS_ACCESS_KEY_ID", "AWS_SESSION_TOKEN"]
6 participants
Previous attempts and additional context here:
INTPYTHON-527 Add Queryable Encryption config #318
INTPYTHON-527 Add queryable encryption support #319
INTPYTHON-527 Add Queryable Encryption support #323
Add test for "Encrypted fields found" error (ensure this exception still happens)
Add check for model schema not matching encrypted fields
Document key_vault_namespace must be encrypted db
Document that fields within EmbeddedModelArrayField can't be encrypted
Document workflow: