diff --git a/src/replica/kms_key_provider.h b/src/replica/kms_key_provider.h index 1c46aed38a..a6c6ed3c66 100644 --- a/src/replica/kms_key_provider.h +++ b/src/replica/kms_key_provider.h @@ -30,7 +30,7 @@ class replica_kms_info; } // namespace replication namespace security { -// This class is to generating EEK IV KV from KMS (a.k.a Key Manager Service) and get DEK from KMS. +// This class generates EEK IV KV from KMS (a.k.a Key Management Service) and retrieves DEK from KMS. class KMSKeyProvider { public: @@ -41,12 +41,11 @@ class KMSKeyProvider { } - // Use KMS client which decrypted the encryption key from KMS and decrypted key is a hex string - // which could be used derectly. + // Decrypt the encryption key in 'kms_info' via KMS. The 'decrypted_key' will be a hex string. dsn::error_s DecryptEncryptionKey(const dsn::replication::replica_kms_info &kms_info, std::string *decrypted_key); - // Use KMS client which generated an encryption key from KMS (the generated key is encrypted). + // Generate an encryption key from KMS. dsn::error_s GenerateEncryptionKey(dsn::replication::replica_kms_info *kms_info); private: diff --git a/src/replica/replica_stub.cpp b/src/replica/replica_stub.cpp index 46c336909d..d3e3487ca2 100644 --- a/src/replica/replica_stub.cpp +++ b/src/replica/replica_stub.cpp 
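Review bot: The shortened comment on `GenerateEncryptionKey` in the second hunk drops the one fact the old comment carried, namely that the key KMS returns is still encrypted. It also does not say that `kms_info` is presumably the output parameter. A caller deciding what is safe to persist needs both, so I would write `// Generate an encryption key via KMS; the key is returned in 'kms_info' in encrypted form.` The `DecryptEncryptionKey` comment could likewise note that `decrypted_key` holds plaintext key material and should not be logged or written to disk. The class body continues outside the hunk.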
@@ -303,14 +303,14 @@ DSN_DEFINE_int32( DSN_DEFINE_string(pegasus.server, encryption_cluster_key_name, "pegasus", - "The cluster name of encrypted server which use to get server key from kms."); + "The cluster name of the server is used to retrieve its encryption key from KMS."); DSN_DEFINE_string( pegasus.server, hadoop_kms_url, "", - "Where the server key of file system can get from. " - "Url should be comma-separated list, such as 'hostname1:1234/kms,hostname2:1234/kms'"); + "Provide the comma-separated list of URLs from which to retrieve the " + "file system's server key. Example format: 'hostname1:1234/kms,hostname2:1234/kms'."); DSN_DECLARE_bool(duplication_enabled); DSN_DECLARE_int32(fd_beacon_interval_seconds); @@ -337,14 +337,14 @@ DSN_DEFINE_group_validator(encrypt_data_not_support_close, [](std::string &messa } else { return true; } - utils::split_args(data_dirs.c_str(), dirs, ','); - std::string kms_path = utils::filesystem::path_combine(dirs[0], ".kms_info"); + ::absl::StrSplit(data_dirs.c_str(), dirs, ','); + std::string kms_path = utils::filesystem::path_combine(dirs[0], replica_kms_info::kKmsInfo); if (!FLAGS_encrypt_data_at_rest && utils::filesystem::path_exists(kms_path)) { message = fmt::format( - "[pegasus.server] encrypt_data_at_rest = ({}), but kms_info file path = ({}) is exist." - "Pegasus dont support close encrypte after enable encrypte.", - FLAGS_encrypt_data_at_rest, - kms_path); + "The kms_info file exists at ({}), but [pegasus.server] encrypt_data_at_rest is set to ({})." + "Encryption in Pegasus is irreversible after its initial activation.", + kms_path, + FLAGS_encrypt_data_at_rest); return false; } return true; 
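Review bot: In the `encrypt_data_not_support_close` validator hunk, `::absl::StrSplit(data_dirs.c_str(), dirs, ',');` discards its result. `absl::StrSplit` takes the text and a delimiter and returns the pieces; it does not fill an output argument the way `utils::split_args` did. If the call compiles at all, `dirs` is therefore presumably still empty when `dirs[0]` is read on the next line (its declaration is outside the hunk), so the guard against starting with encryption switched off would index an empty container instead of checking the real data directory. Assign the result, `dirs = ::absl::StrSplit(data_dirs, ',', ::absl::SkipEmpty());`, and return false with a message when `dirs.empty()`. The two sentences of the new message also run together, so add a space after `({}).`.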
@@ -446,29 +446,27 @@ void replica_stub::initialize(const replication_options &opts, bool clear /* = f key_provider.reset(new dsn::security::KMSKeyProvider( ::absl::StrSplit(FLAGS_hadoop_kms_url, ",", ::absl::SkipEmpty()), FLAGS_encryption_cluster_key_name)); - auto err = kms_info.load(_options.data_dirs[0]); - if (err != dsn::ERR_OK) { - LOG_WARNING("Can't open kms-info file to read, this is normal when first launch " - "process. err = {}", - err); + auto error_code = kms_info.load(_options.data_dirs[0]); + if (error_code != dsn::ERR_OK) { + LOG_WARNING("It's normal to encounter a temporary inability to open the kms-info file during the first process launch. error_code = {}", + error_code); } - // The encryption key should empty when process upon the first launch. And the process will - // get EEK, IV, KV from KMS. - // After first launch, the encryption key should not empty and get from kms-info file. The - // process get DEK from KMS. - if (kms_info.eek.empty()) { + // Upon the first launch, the encryption key should be empty. The process will then retrieve EEK, IV, and KV from KMS. + // After the first launch, the encryption key, obtained from the kms-info file, should not be empty. The process will then acquire the DEK from KMS. + std::string kms_path = utils::filesystem::path_combine(_options.data_dirs[0], replica_kms_info::kKmsInfo); + if (!utils::filesystem::path_exists(kms_path)) { auto err = key_provider->GenerateEncryptionKey(&kms_info); CHECK(err, "get encryption key failed, err = {}", err); } - CHECK(key_provider->DecryptEncryptionKey(kms_info, &server_key), - "get decryption key failed"); + auto err = key_provider->DecryptEncryptionKey(kms_info, &server_key); + CHECK(err, "get decryption key failed, err = {}", err); FLAGS_server_key = server_key.c_str(); } // Initialize the file system manager. 
_fs_manager.initialize(_options.data_dirs, _options.data_dir_tags); - if (FLAGS_encrypt_data_at_rest && !utils::is_empty(FLAGS_hadoop_kms_url)) { + if (key_provider) { auto err = kms_info.store(_options.data_dirs[0]); CHECK(err == dsn::ERR_OK, "Can't store kms key to kms-info file, err = {}", err); } diff --git a/src/replica/storage/simple_kv/test/case-000.ini b/src/replica/storage/simple_kv/test/case-000.ini index 8cf61e0679..2f01f75f79 100644 --- a/src/replica/storage/simple_kv/test/case-000.ini +++ b/src/replica/storage/simple_kv/test/case-000.ini @@ -151,6 +151,11 @@ server_list = localhost:34601 [pegasus.server] encrypt_data_at_rest = false +[security] +enable_acl = false +super_users = Pegasus +meta_acl_rpc_allow_list = RPC_CM_CONFIG_SYNC,RPC_FD_FAILURE_DETECTOR_PING,RPC_PREPARE,RPC_CM_QUERY_PARTITION_CONFIG_BY_INDEX,RPC_GROUP_CHECK,RPC_CM_UPDATE_PARTITION_CONFIGURATION,RPC_LEARN_COMPLETION_NOTIFY,RPC_CONFIG_PROPOSAL,RPC_CM_DUPLICATION_SYNC,RPC_LEARN_ADD_LEARNER + [replication.app] app_name = simple_kv.instance0 app_type = simple_kv diff --git a/src/replica/storage/simple_kv/test/case-001.ini b/src/replica/storage/simple_kv/test/case-001.ini index ab71ae8472..c3e7315d8c 100644 --- a/src/replica/storage/simple_kv/test/case-001.ini +++ b/src/replica/storage/simple_kv/test/case-001.ini @@ -151,6 +151,11 @@ server_list = localhost:34601 [pegasus.server] encrypt_data_at_rest = false +[security] +enable_acl = false +super_users = Pegasus +meta_acl_rpc_allow_list = RPC_CM_CONFIG_SYNC,RPC_CM_DUPLICATION_SYNC,RPC_CM_QUERY_PARTITION_CONFIG_BY_INDEX,RPC_CM_UPDATE_PARTITION_CONFIGURATION,RPC_CONFIG_PROPOSAL,RPC_FD_FAILURE_DETECTOR_PING,RPC_GROUP_CHECK,RPC_LEARN_ADD_LEARNER,RPC_LEARN_COMPLETION_NOTIFY,RPC_PREPARE + [replication.app] app_name = simple_kv.instance0 app_type = simple_kv diff --git a/src/replica/storage/simple_kv/test/case-002.ini b/src/replica/storage/simple_kv/test/case-002.ini index 91e4fa9641..3bbadf5a6b 100644 
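Review bot: A kms-info file that exists but cannot be loaded is handled as if nothing were wrong. The `kms_info.load` failure is only logged as expected first-launch behaviour, the new `path_exists` test then skips key generation, and `DecryptEncryptionKey` runs on whatever `kms_info` holds. Because the first-launch decision now rests on file existence, the load should be made conditional on that same test and any failure should be fatal with a message that names the file, so that a corrupt or unreadable key file is not reported as a decryption failure. A sketch follows; `replica_stub::initialize` starts and ends outside the hunk.

```cpp
// … unchanged: key_provider.reset(...) …
const std::string kms_path =
    utils::filesystem::path_combine(_options.data_dirs[0], replica_kms_info::kKmsInfo);
if (utils::filesystem::path_exists(kms_path)) {
    // An existing kms-info file that cannot be read is an error, not a first launch.
    const auto error_code = kms_info.load(_options.data_dirs[0]);
    CHECK(error_code == dsn::ERR_OK,
          "Can't load kms-info file ({}), error_code = {}",
          kms_path,
          error_code);
} else {
    // First launch: no kms-info file yet, so ask KMS for a new encrypted key.
    auto err = key_provider->GenerateEncryptionKey(&kms_info);
    CHECK(err, "get encryption key failed, err = {}", err);
}
// … unchanged: DecryptEncryptionKey call and FLAGS_server_key assignment …
```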
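Review bot: The `meta_acl_rpc_allow_list` added to case-000.ini holds the same ten RPC codes as the lists in case-001.ini and case-003.ini, but each file orders them differently. That hides the one real difference in this series, the extra `RPC_CM_PROPOSE_BALANCER` in case-109.ini and in case-204.ini through case-216.ini. Sorting every list the same way would make it easy to audit which RPCs are exempt in which test. Since `enable_acl = false` in all of these files, a comment saying why the list is present would also help, for example `; ACL is disabled in simple_kv tests; the allow list mirrors the server default`, if that is the intent. The same applies to the other case-*.ini hunks in this diff.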
--- a/src/replica/storage/simple_kv/test/case-002.ini +++ b/src/replica/storage/simple_kv/test/case-002.ini @@ -151,6 +151,11 @@ server_list = localhost:34601 [pegasus.server] encrypt_data_at_rest = false +[security] +enable_acl = false +super_users = Pegasus +meta_acl_rpc_allow_list = RPC_CM_CONFIG_SYNC,RPC_CM_DUPLICATION_SYNC,RPC_CM_QUERY_PARTITION_CONFIG_BY_INDEX,RPC_CM_UPDATE_PARTITION_CONFIGURATION,RPC_CONFIG_PROPOSAL,RPC_FD_FAILURE_DETECTOR_PING,RPC_GROUP_CHECK,RPC_LEARN_ADD_LEARNER,RPC_LEARN_COMPLETION_NOTIFY,RPC_PREPARE + [replication.app] app_name = simple_kv.instance0 app_type = simple_kv diff --git a/src/replica/storage/simple_kv/test/case-003.ini b/src/replica/storage/simple_kv/test/case-003.ini index fafc6c2a90..aa868593d2 100644 --- a/src/replica/storage/simple_kv/test/case-003.ini +++ b/src/replica/storage/simple_kv/test/case-003.ini @@ -151,6 +151,11 @@ server_list = localhost:34601 [pegasus.server] encrypt_data_at_rest = false +[security] +enable_acl = false +super_users = Pegasus +meta_acl_rpc_allow_list = RPC_CM_CONFIG_SYNC,RPC_CM_DUPLICATION_SYNC,RPC_CM_QUERY_PARTITION_CONFIG_BY_INDEX,RPC_CM_UPDATE_PARTITION_CONFIGURATION,RPC_PREPARE,RPC_LEARN_ADD_LEARNER,RPC_LEARN_COMPLETION_NOTIFY,RPC_GROUP_CHECK,RPC_FD_FAILURE_DETECTOR_PING,RPC_CONFIG_PROPOSAL + [replication.app] app_name = simple_kv.instance0 app_type = simple_kv diff --git a/src/replica/storage/simple_kv/test/case-004.ini b/src/replica/storage/simple_kv/test/case-004.ini index e25c587ee7..798d817a65 100644 --- a/src/replica/storage/simple_kv/test/case-004.ini +++ b/src/replica/storage/simple_kv/test/case-004.ini 
@@ -151,6 +151,11 @@ server_list = localhost:34601 [pegasus.server] encrypt_data_at_rest = false +[security] +enable_acl = false +super_users = Pegasus +meta_acl_rpc_allow_list = RPC_CM_CONFIG_SYNC,RPC_CM_DUPLICATION_SYNC,RPC_CM_QUERY_PARTITION_CONFIG_BY_INDEX,RPC_CM_UPDATE_PARTITION_CONFIGURATION,RPC_PREPARE,RPC_LEARN_ADD_LEARNER,RPC_LEARN_COMPLETION_NOTIFY,RPC_GROUP_CHECK,RPC_FD_FAILURE_DETECTOR_PING,RPC_CONFIG_PROPOSAL + [replication.app] app_name = simple_kv.instance0 app_type = simple_kv diff --git a/src/replica/storage/simple_kv/test/case-005.ini b/src/replica/storage/simple_kv/test/case-005.ini index 72700862a5..f0603dbb53 100644 --- a/src/replica/storage/simple_kv/test/case-005.ini +++ b/src/replica/storage/simple_kv/test/case-005.ini @@ -151,6 +151,11 @@ server_list = localhost:34601 [pegasus.server] encrypt_data_at_rest = false +[security] +enable_acl = false +super_users = Pegasus +meta_acl_rpc_allow_list = RPC_CM_CONFIG_SYNC,RPC_CM_DUPLICATION_SYNC,RPC_CM_QUERY_PARTITION_CONFIG_BY_INDEX,RPC_CM_UPDATE_PARTITION_CONFIGURATION,RPC_PREPARE,RPC_LEARN_ADD_LEARNER,RPC_LEARN_COMPLETION_NOTIFY,RPC_GROUP_CHECK,RPC_FD_FAILURE_DETECTOR_PING,RPC_CONFIG_PROPOSAL + [replication.app] app_name = simple_kv.instance0 app_type = simple_kv diff --git a/src/replica/storage/simple_kv/test/case-006.ini b/src/replica/storage/simple_kv/test/case-006.ini index 9947d72d95..466603d465 100644 --- a/src/replica/storage/simple_kv/test/case-006.ini +++ b/src/replica/storage/simple_kv/test/case-006.ini 
@@ -152,6 +152,11 @@ server_list = localhost:34601 [pegasus.server] encrypt_data_at_rest = false +[security] +enable_acl = false +super_users = Pegasus +meta_acl_rpc_allow_list = RPC_CM_CONFIG_SYNC,RPC_CM_DUPLICATION_SYNC,RPC_CM_QUERY_PARTITION_CONFIG_BY_INDEX,RPC_CM_UPDATE_PARTITION_CONFIGURATION,RPC_PREPARE,RPC_LEARN_ADD_LEARNER,RPC_LEARN_COMPLETION_NOTIFY,RPC_GROUP_CHECK,RPC_FD_FAILURE_DETECTOR_PING,RPC_CONFIG_PROPOSAL + [replication.app] app_name = simple_kv.instance0 app_type = simple_kv diff --git a/src/replica/storage/simple_kv/test/case-100.ini b/src/replica/storage/simple_kv/test/case-100.ini index 4258202b45..eca505e0af 100644 --- a/src/replica/storage/simple_kv/test/case-100.ini +++ b/src/replica/storage/simple_kv/test/case-100.ini @@ -152,6 +152,11 @@ server_list = localhost:34601 [pegasus.server] encrypt_data_at_rest = false +[security] +enable_acl = false +super_users = Pegasus +meta_acl_rpc_allow_list = RPC_CM_CONFIG_SYNC,RPC_CM_DUPLICATION_SYNC,RPC_CM_QUERY_PARTITION_CONFIG_BY_INDEX,RPC_CM_UPDATE_PARTITION_CONFIGURATION,RPC_PREPARE,RPC_LEARN_ADD_LEARNER,RPC_LEARN_COMPLETION_NOTIFY,RPC_GROUP_CHECK,RPC_FD_FAILURE_DETECTOR_PING,RPC_CONFIG_PROPOSAL + [replication.app] app_name = simple_kv.instance0 app_type = simple_kv diff --git a/src/replica/storage/simple_kv/test/case-101.ini b/src/replica/storage/simple_kv/test/case-101.ini index 4258202b45..eca505e0af 100644 --- a/src/replica/storage/simple_kv/test/case-101.ini +++ b/src/replica/storage/simple_kv/test/case-101.ini 
@@ -152,6 +152,11 @@ server_list = localhost:34601 [pegasus.server] encrypt_data_at_rest = false +[security] +enable_acl = false +super_users = Pegasus +meta_acl_rpc_allow_list = RPC_CM_CONFIG_SYNC,RPC_CM_DUPLICATION_SYNC,RPC_CM_QUERY_PARTITION_CONFIG_BY_INDEX,RPC_CM_UPDATE_PARTITION_CONFIGURATION,RPC_PREPARE,RPC_LEARN_ADD_LEARNER,RPC_LEARN_COMPLETION_NOTIFY,RPC_GROUP_CHECK,RPC_FD_FAILURE_DETECTOR_PING,RPC_CONFIG_PROPOSAL + [replication.app] app_name = simple_kv.instance0 app_type = simple_kv diff --git a/src/replica/storage/simple_kv/test/case-102.ini b/src/replica/storage/simple_kv/test/case-102.ini index 2b02cfa4f3..69b84f43a8 100644 --- a/src/replica/storage/simple_kv/test/case-102.ini +++ b/src/replica/storage/simple_kv/test/case-102.ini @@ -152,6 +152,11 @@ server_list = localhost:34601 [pegasus.server] encrypt_data_at_rest = false +[security] +enable_acl = false +super_users = Pegasus +meta_acl_rpc_allow_list = RPC_CM_CONFIG_SYNC,RPC_CM_DUPLICATION_SYNC,RPC_CM_QUERY_PARTITION_CONFIG_BY_INDEX,RPC_CM_UPDATE_PARTITION_CONFIGURATION,RPC_PREPARE,RPC_LEARN_ADD_LEARNER,RPC_LEARN_COMPLETION_NOTIFY,RPC_GROUP_CHECK,RPC_FD_FAILURE_DETECTOR_PING,RPC_CONFIG_PROPOSAL + [replication.app] app_name = simple_kv.instance0 app_type = simple_kv diff --git a/src/replica/storage/simple_kv/test/case-103.ini b/src/replica/storage/simple_kv/test/case-103.ini index e269693b3e..72a38e3ab8 100644 --- a/src/replica/storage/simple_kv/test/case-103.ini +++ b/src/replica/storage/simple_kv/test/case-103.ini 
@@ -152,6 +152,11 @@ server_list = localhost:34601 [pegasus.server] encrypt_data_at_rest = false +[security] +enable_acl = false +super_users = Pegasus +meta_acl_rpc_allow_list = RPC_CM_CONFIG_SYNC,RPC_CM_DUPLICATION_SYNC,RPC_CM_QUERY_PARTITION_CONFIG_BY_INDEX,RPC_CM_UPDATE_PARTITION_CONFIGURATION,RPC_PREPARE,RPC_LEARN_ADD_LEARNER,RPC_LEARN_COMPLETION_NOTIFY,RPC_GROUP_CHECK,RPC_FD_FAILURE_DETECTOR_PING,RPC_CONFIG_PROPOSAL + [replication.app] app_name = simple_kv.instance0 app_type = simple_kv diff --git a/src/replica/storage/simple_kv/test/case-104.ini b/src/replica/storage/simple_kv/test/case-104.ini index 4258202b45..eca505e0af 100644 --- a/src/replica/storage/simple_kv/test/case-104.ini +++ b/src/replica/storage/simple_kv/test/case-104.ini @@ -152,6 +152,11 @@ server_list = localhost:34601 [pegasus.server] encrypt_data_at_rest = false +[security] +enable_acl = false +super_users = Pegasus +meta_acl_rpc_allow_list = RPC_CM_CONFIG_SYNC,RPC_CM_DUPLICATION_SYNC,RPC_CM_QUERY_PARTITION_CONFIG_BY_INDEX,RPC_CM_UPDATE_PARTITION_CONFIGURATION,RPC_PREPARE,RPC_LEARN_ADD_LEARNER,RPC_LEARN_COMPLETION_NOTIFY,RPC_GROUP_CHECK,RPC_FD_FAILURE_DETECTOR_PING,RPC_CONFIG_PROPOSAL + [replication.app] app_name = simple_kv.instance0 app_type = simple_kv diff --git a/src/replica/storage/simple_kv/test/case-105.ini b/src/replica/storage/simple_kv/test/case-105.ini index 4258202b45..eca505e0af 100644 --- a/src/replica/storage/simple_kv/test/case-105.ini +++ b/src/replica/storage/simple_kv/test/case-105.ini 
@@ -152,6 +152,11 @@ server_list = localhost:34601 [pegasus.server] encrypt_data_at_rest = false +[security] +enable_acl = false +super_users = Pegasus +meta_acl_rpc_allow_list = RPC_CM_CONFIG_SYNC,RPC_CM_DUPLICATION_SYNC,RPC_CM_QUERY_PARTITION_CONFIG_BY_INDEX,RPC_CM_UPDATE_PARTITION_CONFIGURATION,RPC_PREPARE,RPC_LEARN_ADD_LEARNER,RPC_LEARN_COMPLETION_NOTIFY,RPC_GROUP_CHECK,RPC_FD_FAILURE_DETECTOR_PING,RPC_CONFIG_PROPOSAL + [replication.app] app_name = simple_kv.instance0 app_type = simple_kv diff --git a/src/replica/storage/simple_kv/test/case-106.ini b/src/replica/storage/simple_kv/test/case-106.ini index 4258202b45..eca505e0af 100644 --- a/src/replica/storage/simple_kv/test/case-106.ini +++ b/src/replica/storage/simple_kv/test/case-106.ini @@ -152,6 +152,11 @@ server_list = localhost:34601 [pegasus.server] encrypt_data_at_rest = false +[security] +enable_acl = false +super_users = Pegasus +meta_acl_rpc_allow_list = RPC_CM_CONFIG_SYNC,RPC_CM_DUPLICATION_SYNC,RPC_CM_QUERY_PARTITION_CONFIG_BY_INDEX,RPC_CM_UPDATE_PARTITION_CONFIGURATION,RPC_PREPARE,RPC_LEARN_ADD_LEARNER,RPC_LEARN_COMPLETION_NOTIFY,RPC_GROUP_CHECK,RPC_FD_FAILURE_DETECTOR_PING,RPC_CONFIG_PROPOSAL + [replication.app] app_name = simple_kv.instance0 app_type = simple_kv diff --git a/src/replica/storage/simple_kv/test/case-107.ini b/src/replica/storage/simple_kv/test/case-107.ini index 4258202b45..eca505e0af 100644 --- a/src/replica/storage/simple_kv/test/case-107.ini +++ b/src/replica/storage/simple_kv/test/case-107.ini 
@@ -152,6 +152,11 @@ server_list = localhost:34601 [pegasus.server] encrypt_data_at_rest = false +[security] +enable_acl = false +super_users = Pegasus +meta_acl_rpc_allow_list = RPC_CM_CONFIG_SYNC,RPC_CM_DUPLICATION_SYNC,RPC_CM_QUERY_PARTITION_CONFIG_BY_INDEX,RPC_CM_UPDATE_PARTITION_CONFIGURATION,RPC_PREPARE,RPC_LEARN_ADD_LEARNER,RPC_LEARN_COMPLETION_NOTIFY,RPC_GROUP_CHECK,RPC_FD_FAILURE_DETECTOR_PING,RPC_CONFIG_PROPOSAL + [replication.app] app_name = simple_kv.instance0 app_type = simple_kv diff --git a/src/replica/storage/simple_kv/test/case-108.ini b/src/replica/storage/simple_kv/test/case-108.ini index 4258202b45..eca505e0af 100644 --- a/src/replica/storage/simple_kv/test/case-108.ini +++ b/src/replica/storage/simple_kv/test/case-108.ini @@ -152,6 +152,11 @@ server_list = localhost:34601 [pegasus.server] encrypt_data_at_rest = false +[security] +enable_acl = false +super_users = Pegasus +meta_acl_rpc_allow_list = RPC_CM_CONFIG_SYNC,RPC_CM_DUPLICATION_SYNC,RPC_CM_QUERY_PARTITION_CONFIG_BY_INDEX,RPC_CM_UPDATE_PARTITION_CONFIGURATION,RPC_PREPARE,RPC_LEARN_ADD_LEARNER,RPC_LEARN_COMPLETION_NOTIFY,RPC_GROUP_CHECK,RPC_FD_FAILURE_DETECTOR_PING,RPC_CONFIG_PROPOSAL + [replication.app] app_name = simple_kv.instance0 app_type = simple_kv diff --git a/src/replica/storage/simple_kv/test/case-109.ini b/src/replica/storage/simple_kv/test/case-109.ini index 92ac7d41ef..0e7b09de23 100644 --- a/src/replica/storage/simple_kv/test/case-109.ini +++ b/src/replica/storage/simple_kv/test/case-109.ini 
@@ -152,6 +152,11 @@ server_list = localhost:34601 [pegasus.server] encrypt_data_at_rest = false +[security] +enable_acl = false +super_users = Pegasus +meta_acl_rpc_allow_list = RPC_CM_CONFIG_SYNC,RPC_CM_DUPLICATION_SYNC,RPC_CM_PROPOSE_BALANCER,RPC_CM_QUERY_PARTITION_CONFIG_BY_INDEX,RPC_CM_UPDATE_PARTITION_CONFIGURATION,RPC_PREPARE,RPC_LEARN_ADD_LEARNER,RPC_LEARN_COMPLETION_NOTIFY,RPC_GROUP_CHECK,RPC_FD_FAILURE_DETECTOR_PING,RPC_CONFIG_PROPOSAL + [replication.app] app_name = simple_kv.instance0 app_type = simple_kv diff --git a/src/replica/storage/simple_kv/test/case-200.ini b/src/replica/storage/simple_kv/test/case-200.ini index 4258202b45..eca505e0af 100644 --- a/src/replica/storage/simple_kv/test/case-200.ini +++ b/src/replica/storage/simple_kv/test/case-200.ini @@ -152,6 +152,11 @@ server_list = localhost:34601 [pegasus.server] encrypt_data_at_rest = false +[security] +enable_acl = false +super_users = Pegasus +meta_acl_rpc_allow_list = RPC_CM_CONFIG_SYNC,RPC_CM_DUPLICATION_SYNC,RPC_CM_QUERY_PARTITION_CONFIG_BY_INDEX,RPC_CM_UPDATE_PARTITION_CONFIGURATION,RPC_PREPARE,RPC_LEARN_ADD_LEARNER,RPC_LEARN_COMPLETION_NOTIFY,RPC_GROUP_CHECK,RPC_FD_FAILURE_DETECTOR_PING,RPC_CONFIG_PROPOSAL + [replication.app] app_name = simple_kv.instance0 app_type = simple_kv diff --git a/src/replica/storage/simple_kv/test/case-201.ini b/src/replica/storage/simple_kv/test/case-201.ini index 4258202b45..eca505e0af 100644 --- a/src/replica/storage/simple_kv/test/case-201.ini +++ b/src/replica/storage/simple_kv/test/case-201.ini 
@@ -152,6 +152,11 @@ server_list = localhost:34601 [pegasus.server] encrypt_data_at_rest = false +[security] +enable_acl = false +super_users = Pegasus +meta_acl_rpc_allow_list = RPC_CM_CONFIG_SYNC,RPC_CM_DUPLICATION_SYNC,RPC_CM_QUERY_PARTITION_CONFIG_BY_INDEX,RPC_CM_UPDATE_PARTITION_CONFIGURATION,RPC_PREPARE,RPC_LEARN_ADD_LEARNER,RPC_LEARN_COMPLETION_NOTIFY,RPC_GROUP_CHECK,RPC_FD_FAILURE_DETECTOR_PING,RPC_CONFIG_PROPOSAL + [replication.app] app_name = simple_kv.instance0 app_type = simple_kv diff --git a/src/replica/storage/simple_kv/test/case-202-0.ini b/src/replica/storage/simple_kv/test/case-202-0.ini index 80ca078e8a..98a83a819f 100644 --- a/src/replica/storage/simple_kv/test/case-202-0.ini +++ b/src/replica/storage/simple_kv/test/case-202-0.ini @@ -152,6 +152,11 @@ server_list = localhost:34601 [pegasus.server] encrypt_data_at_rest = false +[security] +enable_acl = false +super_users = Pegasus +meta_acl_rpc_allow_list = RPC_CM_CONFIG_SYNC,RPC_CM_DUPLICATION_SYNC,RPC_CM_QUERY_PARTITION_CONFIG_BY_INDEX,RPC_CM_UPDATE_PARTITION_CONFIGURATION,RPC_PREPARE,RPC_LEARN_ADD_LEARNER,RPC_LEARN_COMPLETION_NOTIFY,RPC_GROUP_CHECK,RPC_FD_FAILURE_DETECTOR_PING,RPC_CONFIG_PROPOSAL + [replication.app] app_name = simple_kv.instance0 app_type = simple_kv diff --git a/src/replica/storage/simple_kv/test/case-202-1.ini b/src/replica/storage/simple_kv/test/case-202-1.ini index 80ca078e8a..98a83a819f 100644 --- a/src/replica/storage/simple_kv/test/case-202-1.ini +++ b/src/replica/storage/simple_kv/test/case-202-1.ini 
@@ -152,6 +152,11 @@ server_list = localhost:34601 [pegasus.server] encrypt_data_at_rest = false +[security] +enable_acl = false +super_users = Pegasus +meta_acl_rpc_allow_list = RPC_CM_CONFIG_SYNC,RPC_CM_DUPLICATION_SYNC,RPC_CM_QUERY_PARTITION_CONFIG_BY_INDEX,RPC_CM_UPDATE_PARTITION_CONFIGURATION,RPC_PREPARE,RPC_LEARN_ADD_LEARNER,RPC_LEARN_COMPLETION_NOTIFY,RPC_GROUP_CHECK,RPC_FD_FAILURE_DETECTOR_PING,RPC_CONFIG_PROPOSAL + [replication.app] app_name = simple_kv.instance0 app_type = simple_kv diff --git a/src/replica/storage/simple_kv/test/case-203-0.ini b/src/replica/storage/simple_kv/test/case-203-0.ini index fa5a344bc2..03c888c1a2 100644 --- a/src/replica/storage/simple_kv/test/case-203-0.ini +++ b/src/replica/storage/simple_kv/test/case-203-0.ini @@ -152,6 +152,11 @@ server_list = localhost:34601 [pegasus.server] encrypt_data_at_rest = false +[security] +enable_acl = false +super_users = Pegasus +meta_acl_rpc_allow_list = RPC_CM_CONFIG_SYNC,RPC_CM_DUPLICATION_SYNC,RPC_CM_QUERY_PARTITION_CONFIG_BY_INDEX,RPC_CM_UPDATE_PARTITION_CONFIGURATION,RPC_PREPARE,RPC_LEARN_ADD_LEARNER,RPC_LEARN_COMPLETION_NOTIFY,RPC_GROUP_CHECK,RPC_FD_FAILURE_DETECTOR_PING,RPC_CONFIG_PROPOSAL + [replication.app] app_name = simple_kv.instance0 app_type = simple_kv diff --git a/src/replica/storage/simple_kv/test/case-204.ini b/src/replica/storage/simple_kv/test/case-204.ini index 2e7d5fb9b9..9e4d284367 100644 --- a/src/replica/storage/simple_kv/test/case-204.ini +++ b/src/replica/storage/simple_kv/test/case-204.ini 
@@ -152,6 +152,11 @@ server_list = localhost:34601 [pegasus.server] encrypt_data_at_rest = false +[security] +enable_acl = false +super_users = Pegasus +meta_acl_rpc_allow_list = RPC_CM_CONFIG_SYNC,RPC_CM_DUPLICATION_SYNC,RPC_CM_PROPOSE_BALANCER,RPC_CM_QUERY_PARTITION_CONFIG_BY_INDEX,RPC_CM_UPDATE_PARTITION_CONFIGURATION,RPC_PREPARE,RPC_LEARN_ADD_LEARNER,RPC_LEARN_COMPLETION_NOTIFY,RPC_GROUP_CHECK,RPC_FD_FAILURE_DETECTOR_PING,RPC_CONFIG_PROPOSAL + [replication.app] app_name = simple_kv.instance0 app_type = simple_kv diff --git a/src/replica/storage/simple_kv/test/case-205.ini b/src/replica/storage/simple_kv/test/case-205.ini index 2e7d5fb9b9..9e4d284367 100644 --- a/src/replica/storage/simple_kv/test/case-205.ini +++ b/src/replica/storage/simple_kv/test/case-205.ini @@ -152,6 +152,11 @@ server_list = localhost:34601 [pegasus.server] encrypt_data_at_rest = false +[security] +enable_acl = false +super_users = Pegasus +meta_acl_rpc_allow_list = RPC_CM_CONFIG_SYNC,RPC_CM_DUPLICATION_SYNC,RPC_CM_PROPOSE_BALANCER,RPC_CM_QUERY_PARTITION_CONFIG_BY_INDEX,RPC_CM_UPDATE_PARTITION_CONFIGURATION,RPC_PREPARE,RPC_LEARN_ADD_LEARNER,RPC_LEARN_COMPLETION_NOTIFY,RPC_GROUP_CHECK,RPC_FD_FAILURE_DETECTOR_PING,RPC_CONFIG_PROPOSAL + [replication.app] app_name = simple_kv.instance0 app_type = simple_kv diff --git a/src/replica/storage/simple_kv/test/case-206.ini b/src/replica/storage/simple_kv/test/case-206.ini index 2e7d5fb9b9..9e4d284367 100644 --- a/src/replica/storage/simple_kv/test/case-206.ini +++ b/src/replica/storage/simple_kv/test/case-206.ini 
@@ -152,6 +152,11 @@ server_list = localhost:34601 [pegasus.server] encrypt_data_at_rest = false +[security] +enable_acl = false +super_users = Pegasus +meta_acl_rpc_allow_list = RPC_CM_CONFIG_SYNC,RPC_CM_DUPLICATION_SYNC,RPC_CM_PROPOSE_BALANCER,RPC_CM_QUERY_PARTITION_CONFIG_BY_INDEX,RPC_CM_UPDATE_PARTITION_CONFIGURATION,RPC_PREPARE,RPC_LEARN_ADD_LEARNER,RPC_LEARN_COMPLETION_NOTIFY,RPC_GROUP_CHECK,RPC_FD_FAILURE_DETECTOR_PING,RPC_CONFIG_PROPOSAL + [replication.app] app_name = simple_kv.instance0 app_type = simple_kv diff --git a/src/replica/storage/simple_kv/test/case-207.ini b/src/replica/storage/simple_kv/test/case-207.ini index 2e7d5fb9b9..9e4d284367 100644 --- a/src/replica/storage/simple_kv/test/case-207.ini +++ b/src/replica/storage/simple_kv/test/case-207.ini @@ -152,6 +152,11 @@ server_list = localhost:34601 [pegasus.server] encrypt_data_at_rest = false +[security] +enable_acl = false +super_users = Pegasus +meta_acl_rpc_allow_list = RPC_CM_CONFIG_SYNC,RPC_CM_DUPLICATION_SYNC,RPC_CM_PROPOSE_BALANCER,RPC_CM_QUERY_PARTITION_CONFIG_BY_INDEX,RPC_CM_UPDATE_PARTITION_CONFIGURATION,RPC_PREPARE,RPC_LEARN_ADD_LEARNER,RPC_LEARN_COMPLETION_NOTIFY,RPC_GROUP_CHECK,RPC_FD_FAILURE_DETECTOR_PING,RPC_CONFIG_PROPOSAL + [replication.app] app_name = simple_kv.instance0 app_type = simple_kv diff --git a/src/replica/storage/simple_kv/test/case-208.ini b/src/replica/storage/simple_kv/test/case-208.ini index 2e7d5fb9b9..9e4d284367 100644 --- a/src/replica/storage/simple_kv/test/case-208.ini +++ b/src/replica/storage/simple_kv/test/case-208.ini 
@@ -152,6 +152,11 @@ server_list = localhost:34601 [pegasus.server] encrypt_data_at_rest = false +[security] +enable_acl = false +super_users = Pegasus +meta_acl_rpc_allow_list = RPC_CM_CONFIG_SYNC,RPC_CM_DUPLICATION_SYNC,RPC_CM_PROPOSE_BALANCER,RPC_CM_QUERY_PARTITION_CONFIG_BY_INDEX,RPC_CM_UPDATE_PARTITION_CONFIGURATION,RPC_PREPARE,RPC_LEARN_ADD_LEARNER,RPC_LEARN_COMPLETION_NOTIFY,RPC_GROUP_CHECK,RPC_FD_FAILURE_DETECTOR_PING,RPC_CONFIG_PROPOSAL + [replication.app] app_name = simple_kv.instance0 app_type = simple_kv diff --git a/src/replica/storage/simple_kv/test/case-209.ini b/src/replica/storage/simple_kv/test/case-209.ini index 2e7d5fb9b9..9e4d284367 100644 --- a/src/replica/storage/simple_kv/test/case-209.ini +++ b/src/replica/storage/simple_kv/test/case-209.ini @@ -152,6 +152,11 @@ server_list = localhost:34601 [pegasus.server] encrypt_data_at_rest = false +[security] +enable_acl = false +super_users = Pegasus +meta_acl_rpc_allow_list = RPC_CM_CONFIG_SYNC,RPC_CM_DUPLICATION_SYNC,RPC_CM_PROPOSE_BALANCER,RPC_CM_QUERY_PARTITION_CONFIG_BY_INDEX,RPC_CM_UPDATE_PARTITION_CONFIGURATION,RPC_PREPARE,RPC_LEARN_ADD_LEARNER,RPC_LEARN_COMPLETION_NOTIFY,RPC_GROUP_CHECK,RPC_FD_FAILURE_DETECTOR_PING,RPC_CONFIG_PROPOSAL + [replication.app] app_name = simple_kv.instance0 app_type = simple_kv diff --git a/src/replica/storage/simple_kv/test/case-210.ini b/src/replica/storage/simple_kv/test/case-210.ini index 7f7a444c2c..a8e4fa0b9a 100644 --- a/src/replica/storage/simple_kv/test/case-210.ini +++ b/src/replica/storage/simple_kv/test/case-210.ini 
@@ -152,6 +152,11 @@ server_list = localhost:34601 [pegasus.server] encrypt_data_at_rest = false +[security] +enable_acl = false +super_users = Pegasus +meta_acl_rpc_allow_list = RPC_CM_CONFIG_SYNC,RPC_CM_DUPLICATION_SYNC,RPC_CM_PROPOSE_BALANCER,RPC_CM_QUERY_PARTITION_CONFIG_BY_INDEX,RPC_CM_UPDATE_PARTITION_CONFIGURATION,RPC_PREPARE,RPC_LEARN_ADD_LEARNER,RPC_LEARN_COMPLETION_NOTIFY,RPC_GROUP_CHECK,RPC_FD_FAILURE_DETECTOR_PING,RPC_CONFIG_PROPOSAL + [replication.app] app_name = simple_kv.instance0 app_type = simple_kv diff --git a/src/replica/storage/simple_kv/test/case-211.ini b/src/replica/storage/simple_kv/test/case-211.ini index 7f7a444c2c..a8e4fa0b9a 100644 --- a/src/replica/storage/simple_kv/test/case-211.ini +++ b/src/replica/storage/simple_kv/test/case-211.ini @@ -152,6 +152,11 @@ server_list = localhost:34601 [pegasus.server] encrypt_data_at_rest = false +[security] +enable_acl = false +super_users = Pegasus +meta_acl_rpc_allow_list = RPC_CM_CONFIG_SYNC,RPC_CM_DUPLICATION_SYNC,RPC_CM_PROPOSE_BALANCER,RPC_CM_QUERY_PARTITION_CONFIG_BY_INDEX,RPC_CM_UPDATE_PARTITION_CONFIGURATION,RPC_PREPARE,RPC_LEARN_ADD_LEARNER,RPC_LEARN_COMPLETION_NOTIFY,RPC_GROUP_CHECK,RPC_FD_FAILURE_DETECTOR_PING,RPC_CONFIG_PROPOSAL + [replication.app] app_name = simple_kv.instance0 app_type = simple_kv diff --git a/src/replica/storage/simple_kv/test/case-212.ini b/src/replica/storage/simple_kv/test/case-212.ini index 5c4a32e2cb..fb18eb5bba 100644 --- a/src/replica/storage/simple_kv/test/case-212.ini +++ b/src/replica/storage/simple_kv/test/case-212.ini 
@@ -152,6 +152,11 @@ server_list = localhost:34601 [pegasus.server] encrypt_data_at_rest = false +[security] +enable_acl = false +super_users = Pegasus +meta_acl_rpc_allow_list = RPC_CM_CONFIG_SYNC,RPC_CM_DUPLICATION_SYNC,RPC_CM_PROPOSE_BALANCER,RPC_CM_QUERY_PARTITION_CONFIG_BY_INDEX,RPC_CM_UPDATE_PARTITION_CONFIGURATION,RPC_PREPARE,RPC_LEARN_ADD_LEARNER,RPC_LEARN_COMPLETION_NOTIFY,RPC_GROUP_CHECK,RPC_FD_FAILURE_DETECTOR_PING,RPC_CONFIG_PROPOSAL + [replication.app] app_name = simple_kv.instance0 app_type = simple_kv diff --git a/src/replica/storage/simple_kv/test/case-213.ini b/src/replica/storage/simple_kv/test/case-213.ini index bba13387ba..0319350514 100644 --- a/src/replica/storage/simple_kv/test/case-213.ini +++ b/src/replica/storage/simple_kv/test/case-213.ini @@ -152,6 +152,11 @@ server_list = localhost:34601 [pegasus.server] encrypt_data_at_rest = false +[security] +enable_acl = false +super_users = Pegasus +meta_acl_rpc_allow_list = RPC_CM_CONFIG_SYNC,RPC_CM_DUPLICATION_SYNC,RPC_CM_PROPOSE_BALANCER,RPC_CM_QUERY_PARTITION_CONFIG_BY_INDEX,RPC_CM_UPDATE_PARTITION_CONFIGURATION,RPC_PREPARE,RPC_LEARN_ADD_LEARNER,RPC_LEARN_COMPLETION_NOTIFY,RPC_GROUP_CHECK,RPC_FD_FAILURE_DETECTOR_PING,RPC_CONFIG_PROPOSAL + [replication.app] app_name = simple_kv.instance0 app_type = simple_kv diff --git a/src/replica/storage/simple_kv/test/case-214.ini b/src/replica/storage/simple_kv/test/case-214.ini index 2e7d5fb9b9..9e4d284367 100644 --- a/src/replica/storage/simple_kv/test/case-214.ini +++ b/src/replica/storage/simple_kv/test/case-214.ini 
@@ -152,6 +152,11 @@ server_list = localhost:34601 [pegasus.server] encrypt_data_at_rest = false +[security] +enable_acl = false +super_users = Pegasus +meta_acl_rpc_allow_list = RPC_CM_CONFIG_SYNC,RPC_CM_DUPLICATION_SYNC,RPC_CM_PROPOSE_BALANCER,RPC_CM_QUERY_PARTITION_CONFIG_BY_INDEX,RPC_CM_UPDATE_PARTITION_CONFIGURATION,RPC_PREPARE,RPC_LEARN_ADD_LEARNER,RPC_LEARN_COMPLETION_NOTIFY,RPC_GROUP_CHECK,RPC_FD_FAILURE_DETECTOR_PING,RPC_CONFIG_PROPOSAL + [replication.app] app_name = simple_kv.instance0 app_type = simple_kv diff --git a/src/replica/storage/simple_kv/test/case-215.ini b/src/replica/storage/simple_kv/test/case-215.ini index 2e7d5fb9b9..9e4d284367 100644 --- a/src/replica/storage/simple_kv/test/case-215.ini +++ b/src/replica/storage/simple_kv/test/case-215.ini @@ -152,6 +152,11 @@ server_list = localhost:34601 [pegasus.server] encrypt_data_at_rest = false +[security] +enable_acl = false +super_users = Pegasus +meta_acl_rpc_allow_list = RPC_CM_CONFIG_SYNC,RPC_CM_DUPLICATION_SYNC,RPC_CM_PROPOSE_BALANCER,RPC_CM_QUERY_PARTITION_CONFIG_BY_INDEX,RPC_CM_UPDATE_PARTITION_CONFIGURATION,RPC_PREPARE,RPC_LEARN_ADD_LEARNER,RPC_LEARN_COMPLETION_NOTIFY,RPC_GROUP_CHECK,RPC_FD_FAILURE_DETECTOR_PING,RPC_CONFIG_PROPOSAL + [replication.app] app_name = simple_kv.instance0 app_type = simple_kv diff --git a/src/replica/storage/simple_kv/test/case-216.ini b/src/replica/storage/simple_kv/test/case-216.ini index 2e7d5fb9b9..9e4d284367 100644 --- a/src/replica/storage/simple_kv/test/case-216.ini +++ b/src/replica/storage/simple_kv/test/case-216.ini 
@@ -152,6 +152,11 @@ server_list = localhost:34601 [pegasus.server] encrypt_data_at_rest = false +[security] +enable_acl = false +super_users = Pegasus +meta_acl_rpc_allow_list = RPC_CM_CONFIG_SYNC,RPC_CM_DUPLICATION_SYNC,RPC_CM_PROPOSE_BALANCER,RPC_CM_QUERY_PARTITION_CONFIG_BY_INDEX,RPC_CM_UPDATE_PARTITION_CONFIGURATION,RPC_PREPARE,RPC_LEARN_ADD_LEARNER,RPC_LEARN_COMPLETION_NOTIFY,RPC_GROUP_CHECK,RPC_FD_FAILURE_DETECTOR_PING,RPC_CONFIG_PROPOSAL + [replication.app] app_name = simple_kv.instance0 app_type = simple_kv diff --git a/src/replica/storage/simple_kv/test/case-300-0.ini b/src/replica/storage/simple_kv/test/case-300-0.ini index 4258202b45..eca505e0af 100644 --- a/src/replica/storage/simple_kv/test/case-300-0.ini +++ b/src/replica/storage/simple_kv/test/case-300-0.ini @@ -152,6 +152,11 @@ server_list = localhost:34601 [pegasus.server] encrypt_data_at_rest = false +[security] +enable_acl = false +super_users = Pegasus +meta_acl_rpc_allow_list = RPC_CM_CONFIG_SYNC,RPC_CM_DUPLICATION_SYNC,RPC_CM_QUERY_PARTITION_CONFIG_BY_INDEX,RPC_CM_UPDATE_PARTITION_CONFIGURATION,RPC_PREPARE,RPC_LEARN_ADD_LEARNER,RPC_LEARN_COMPLETION_NOTIFY,RPC_GROUP_CHECK,RPC_FD_FAILURE_DETECTOR_PING,RPC_CONFIG_PROPOSAL + [replication.app] app_name = simple_kv.instance0 app_type = simple_kv diff --git a/src/replica/storage/simple_kv/test/case-300-1.ini b/src/replica/storage/simple_kv/test/case-300-1.ini index 4258202b45..eca505e0af 100644 --- a/src/replica/storage/simple_kv/test/case-300-1.ini +++ b/src/replica/storage/simple_kv/test/case-300-1.ini 
@@ -152,6 +152,11 @@ server_list = localhost:34601 [pegasus.server] encrypt_data_at_rest = false +[security] +enable_acl = false +super_users = Pegasus +meta_acl_rpc_allow_list = RPC_CM_CONFIG_SYNC,RPC_CM_DUPLICATION_SYNC,RPC_CM_QUERY_PARTITION_CONFIG_BY_INDEX,RPC_CM_UPDATE_PARTITION_CONFIGURATION,RPC_PREPARE,RPC_LEARN_ADD_LEARNER,RPC_LEARN_COMPLETION_NOTIFY,RPC_GROUP_CHECK,RPC_FD_FAILURE_DETECTOR_PING,RPC_CONFIG_PROPOSAL + [replication.app] app_name = simple_kv.instance0 app_type = simple_kv diff --git a/src/replica/storage/simple_kv/test/case-300-2.ini b/src/replica/storage/simple_kv/test/case-300-2.ini index 4258202b45..eca505e0af 100644 --- a/src/replica/storage/simple_kv/test/case-300-2.ini +++ b/src/replica/storage/simple_kv/test/case-300-2.ini @@ -152,6 +152,11 @@ server_list = localhost:34601 [pegasus.server] encrypt_data_at_rest = false +[security] +enable_acl = false +super_users = Pegasus +meta_acl_rpc_allow_list = RPC_CM_CONFIG_SYNC,RPC_CM_DUPLICATION_SYNC,RPC_CM_QUERY_PARTITION_CONFIG_BY_INDEX,RPC_CM_UPDATE_PARTITION_CONFIGURATION,RPC_PREPARE,RPC_LEARN_ADD_LEARNER,RPC_LEARN_COMPLETION_NOTIFY,RPC_GROUP_CHECK,RPC_FD_FAILURE_DETECTOR_PING,RPC_CONFIG_PROPOSAL + [replication.app] app_name = simple_kv.instance0 app_type = simple_kv diff --git a/src/replica/storage/simple_kv/test/case-301.ini b/src/replica/storage/simple_kv/test/case-301.ini index 4258202b45..eca505e0af 100644 --- a/src/replica/storage/simple_kv/test/case-301.ini +++ b/src/replica/storage/simple_kv/test/case-301.ini 
@@ -152,6 +152,11 @@ server_list = localhost:34601 [pegasus.server] encrypt_data_at_rest = false +[security] +enable_acl = false +super_users = Pegasus +meta_acl_rpc_allow_list = RPC_CM_CONFIG_SYNC,RPC_CM_DUPLICATION_SYNC,RPC_CM_QUERY_PARTITION_CONFIG_BY_INDEX,RPC_CM_UPDATE_PARTITION_CONFIGURATION,RPC_PREPARE,RPC_LEARN_ADD_LEARNER,RPC_LEARN_COMPLETION_NOTIFY,RPC_GROUP_CHECK,RPC_FD_FAILURE_DETECTOR_PING,RPC_CONFIG_PROPOSAL + [replication.app] app_name = simple_kv.instance0 app_type = simple_kv diff --git a/src/replica/storage/simple_kv/test/case-302.ini b/src/replica/storage/simple_kv/test/case-302.ini index b0d50662f6..e06301b4fe 100644 --- a/src/replica/storage/simple_kv/test/case-302.ini +++ b/src/replica/storage/simple_kv/test/case-302.ini @@ -152,6 +152,11 @@ server_list = localhost:34601 [pegasus.server] encrypt_data_at_rest = false +[security] +enable_acl = false +super_users = Pegasus +meta_acl_rpc_allow_list = RPC_CM_CONFIG_SYNC,RPC_CM_DUPLICATION_SYNC,RPC_CM_QUERY_PARTITION_CONFIG_BY_INDEX,RPC_CM_UPDATE_PARTITION_CONFIGURATION,RPC_PREPARE,RPC_LEARN_ADD_LEARNER,RPC_LEARN_COMPLETION_NOTIFY,RPC_GROUP_CHECK,RPC_FD_FAILURE_DETECTOR_PING,RPC_CONFIG_PROPOSAL + [replication.app] app_name = simple_kv.instance0 app_type = simple_kv diff --git a/src/replica/storage/simple_kv/test/case-303.ini b/src/replica/storage/simple_kv/test/case-303.ini index b4fa46b9ad..deae46b33d 100644 --- a/src/replica/storage/simple_kv/test/case-303.ini +++ b/src/replica/storage/simple_kv/test/case-303.ini 
@@ -152,6 +152,11 @@ server_list = localhost:34601 [pegasus.server] encrypt_data_at_rest = false +[security] +enable_acl = false +super_users = Pegasus +meta_acl_rpc_allow_list = RPC_CM_CONFIG_SYNC,RPC_CM_DUPLICATION_SYNC,RPC_CM_QUERY_PARTITION_CONFIG_BY_INDEX,RPC_CM_UPDATE_PARTITION_CONFIGURATION,RPC_PREPARE,RPC_LEARN_ADD_LEARNER,RPC_LEARN_COMPLETION_NOTIFY,RPC_GROUP_CHECK,RPC_FD_FAILURE_DETECTOR_PING,RPC_CONFIG_PROPOSAL + [replication.app] app_name = simple_kv.instance0 app_type = simple_kv diff --git a/src/replica/storage/simple_kv/test/case-304.ini b/src/replica/storage/simple_kv/test/case-304.ini index 4258202b45..650b5f37a7 100644 --- a/src/replica/storage/simple_kv/test/case-304.ini +++ b/src/replica/storage/simple_kv/test/case-304.ini @@ -152,6 +152,11 @@ server_list = localhost:34601 [pegasus.server] encrypt_data_at_rest = false +[security] +enable_acl = false +super_users = Pegasus +meta_acl_rpc_allow_list = RPC_CM_CONFIG_SYNC,RPC_CM_DUPLICATION_SYNC,RPC_CM_PROPOSE_BALANCER,RPC_CM_QUERY_PARTITION_CONFIG_BY_INDEX,RPC_CM_UPDATE_PARTITION_CONFIGURATION,RPC_PREPARE,RPC_LEARN_ADD_LEARNER,RPC_LEARN_COMPLETION_NOTIFY,RPC_GROUP_CHECK,RPC_FD_FAILURE_DETECTOR_PING,RPC_CONFIG_PROPOSAL + [replication.app] app_name = simple_kv.instance0 app_type = simple_kv diff --git a/src/replica/storage/simple_kv/test/case-305.ini b/src/replica/storage/simple_kv/test/case-305.ini index b4fa46b9ad..a237c5262d 100644 --- a/src/replica/storage/simple_kv/test/case-305.ini +++ b/src/replica/storage/simple_kv/test/case-305.ini 
@@ -152,6 +152,11 @@ server_list = localhost:34601 [pegasus.server] encrypt_data_at_rest = false +[security] +enable_acl = false +super_users = Pegasus +meta_acl_rpc_allow_list = RPC_CM_CONFIG_SYNC,RPC_CM_DUPLICATION_SYNC,RPC_CM_PROPOSE_BALANCER,RPC_CM_QUERY_PARTITION_CONFIG_BY_INDEX,RPC_CM_UPDATE_PARTITION_CONFIGURATION,RPC_PREPARE,RPC_LEARN_ADD_LEARNER,RPC_LEARN_COMPLETION_NOTIFY,RPC_GROUP_CHECK,RPC_FD_FAILURE_DETECTOR_PING,RPC_CONFIG_PROPOSAL + [replication.app] app_name = simple_kv.instance0 app_type = simple_kv diff --git a/src/replica/storage/simple_kv/test/case-306.ini b/src/replica/storage/simple_kv/test/case-306.ini index 4258202b45..650b5f37a7 100644 --- a/src/replica/storage/simple_kv/test/case-306.ini +++ b/src/replica/storage/simple_kv/test/case-306.ini @@ -152,6 +152,11 @@ server_list = localhost:34601 [pegasus.server] encrypt_data_at_rest = false +[security] +enable_acl = false +super_users = Pegasus +meta_acl_rpc_allow_list = RPC_CM_CONFIG_SYNC,RPC_CM_DUPLICATION_SYNC,RPC_CM_PROPOSE_BALANCER,RPC_CM_QUERY_PARTITION_CONFIG_BY_INDEX,RPC_CM_UPDATE_PARTITION_CONFIGURATION,RPC_PREPARE,RPC_LEARN_ADD_LEARNER,RPC_LEARN_COMPLETION_NOTIFY,RPC_GROUP_CHECK,RPC_FD_FAILURE_DETECTOR_PING,RPC_CONFIG_PROPOSAL + [replication.app] app_name = simple_kv.instance0 app_type = simple_kv diff --git a/src/replica/storage/simple_kv/test/case-307.ini b/src/replica/storage/simple_kv/test/case-307.ini index 4258202b45..650b5f37a7 100644 --- a/src/replica/storage/simple_kv/test/case-307.ini +++ b/src/replica/storage/simple_kv/test/case-307.ini 
@@ -152,6 +152,11 @@ server_list = localhost:34601 [pegasus.server] encrypt_data_at_rest = false +[security] +enable_acl = false +super_users = Pegasus +meta_acl_rpc_allow_list = RPC_CM_CONFIG_SYNC,RPC_CM_DUPLICATION_SYNC,RPC_CM_PROPOSE_BALANCER,RPC_CM_QUERY_PARTITION_CONFIG_BY_INDEX,RPC_CM_UPDATE_PARTITION_CONFIGURATION,RPC_PREPARE,RPC_LEARN_ADD_LEARNER,RPC_LEARN_COMPLETION_NOTIFY,RPC_GROUP_CHECK,RPC_FD_FAILURE_DETECTOR_PING,RPC_CONFIG_PROPOSAL + [replication.app] app_name = simple_kv.instance0 app_type = simple_kv diff --git a/src/replica/storage/simple_kv/test/case-400.ini b/src/replica/storage/simple_kv/test/case-400.ini index 4258202b45..eca505e0af 100644 --- a/src/replica/storage/simple_kv/test/case-400.ini +++ b/src/replica/storage/simple_kv/test/case-400.ini @@ -152,6 +152,11 @@ server_list = localhost:34601 [pegasus.server] encrypt_data_at_rest = false +[security] +enable_acl = false +super_users = Pegasus +meta_acl_rpc_allow_list = RPC_CM_CONFIG_SYNC,RPC_CM_DUPLICATION_SYNC,RPC_CM_QUERY_PARTITION_CONFIG_BY_INDEX,RPC_CM_UPDATE_PARTITION_CONFIGURATION,RPC_PREPARE,RPC_LEARN_ADD_LEARNER,RPC_LEARN_COMPLETION_NOTIFY,RPC_GROUP_CHECK,RPC_FD_FAILURE_DETECTOR_PING,RPC_CONFIG_PROPOSAL + [replication.app] app_name = simple_kv.instance0 app_type = simple_kv diff --git a/src/replica/storage/simple_kv/test/case-401.ini b/src/replica/storage/simple_kv/test/case-401.ini index 4258202b45..eca505e0af 100644 --- a/src/replica/storage/simple_kv/test/case-401.ini +++ b/src/replica/storage/simple_kv/test/case-401.ini 
@@ -152,6 +152,11 @@ server_list = localhost:34601 [pegasus.server] encrypt_data_at_rest = false +[security] +enable_acl = false +super_users = Pegasus +meta_acl_rpc_allow_list = RPC_CM_CONFIG_SYNC,RPC_CM_DUPLICATION_SYNC,RPC_CM_QUERY_PARTITION_CONFIG_BY_INDEX,RPC_CM_UPDATE_PARTITION_CONFIGURATION,RPC_PREPARE,RPC_LEARN_ADD_LEARNER,RPC_LEARN_COMPLETION_NOTIFY,RPC_GROUP_CHECK,RPC_FD_FAILURE_DETECTOR_PING,RPC_CONFIG_PROPOSAL + [replication.app] app_name = simple_kv.instance0 app_type = simple_kv diff --git a/src/replica/storage/simple_kv/test/case-402.ini b/src/replica/storage/simple_kv/test/case-402.ini index 4258202b45..eca505e0af 100644 --- a/src/replica/storage/simple_kv/test/case-402.ini +++ b/src/replica/storage/simple_kv/test/case-402.ini @@ -152,6 +152,11 @@ server_list = localhost:34601 [pegasus.server] encrypt_data_at_rest = false +[security] +enable_acl = false +super_users = Pegasus +meta_acl_rpc_allow_list = RPC_CM_CONFIG_SYNC,RPC_CM_DUPLICATION_SYNC,RPC_CM_QUERY_PARTITION_CONFIG_BY_INDEX,RPC_CM_UPDATE_PARTITION_CONFIGURATION,RPC_PREPARE,RPC_LEARN_ADD_LEARNER,RPC_LEARN_COMPLETION_NOTIFY,RPC_GROUP_CHECK,RPC_FD_FAILURE_DETECTOR_PING,RPC_CONFIG_PROPOSAL + [replication.app] app_name = simple_kv.instance0 app_type = simple_kv diff --git a/src/replica/storage/simple_kv/test/case-600.ini b/src/replica/storage/simple_kv/test/case-600.ini index 9947d72d95..466603d465 100644 --- a/src/replica/storage/simple_kv/test/case-600.ini +++ b/src/replica/storage/simple_kv/test/case-600.ini 
@@ -152,6 +152,11 @@ server_list = localhost:34601 [pegasus.server] encrypt_data_at_rest = false +[security] +enable_acl = false +super_users = Pegasus +meta_acl_rpc_allow_list = RPC_CM_CONFIG_SYNC,RPC_CM_DUPLICATION_SYNC,RPC_CM_QUERY_PARTITION_CONFIG_BY_INDEX,RPC_CM_UPDATE_PARTITION_CONFIGURATION,RPC_PREPARE,RPC_LEARN_ADD_LEARNER,RPC_LEARN_COMPLETION_NOTIFY,RPC_GROUP_CHECK,RPC_FD_FAILURE_DETECTOR_PING,RPC_CONFIG_PROPOSAL + [replication.app] app_name = simple_kv.instance0 app_type = simple_kv diff --git a/src/replica/storage/simple_kv/test/case-601.ini b/src/replica/storage/simple_kv/test/case-601.ini index 37a1097690..136d961e28 100644 --- a/src/replica/storage/simple_kv/test/case-601.ini +++ b/src/replica/storage/simple_kv/test/case-601.ini @@ -152,6 +152,11 @@ server_list = localhost:34601 [pegasus.server] encrypt_data_at_rest = false +[security] +enable_acl = false +super_users = Pegasus +meta_acl_rpc_allow_list = RPC_CM_CONFIG_SYNC,RPC_CM_DUPLICATION_SYNC,RPC_CM_QUERY_PARTITION_CONFIG_BY_INDEX,RPC_CM_UPDATE_PARTITION_CONFIGURATION,RPC_PREPARE,RPC_LEARN_ADD_LEARNER,RPC_LEARN_COMPLETION_NOTIFY,RPC_GROUP_CHECK,RPC_FD_FAILURE_DETECTOR_PING,RPC_CONFIG_PROPOSAL + [replication.app] app_name = simple_kv.instance0 app_type = simple_kv diff --git a/src/replica/storage/simple_kv/test/case-602.ini b/src/replica/storage/simple_kv/test/case-602.ini index 9947d72d95..466603d465 100644 --- a/src/replica/storage/simple_kv/test/case-602.ini +++ b/src/replica/storage/simple_kv/test/case-602.ini 
@@ -152,6 +152,11 @@ server_list = localhost:34601 [pegasus.server] encrypt_data_at_rest = false +[security] +enable_acl = false +super_users = Pegasus +meta_acl_rpc_allow_list = RPC_CM_CONFIG_SYNC,RPC_CM_DUPLICATION_SYNC,RPC_CM_QUERY_PARTITION_CONFIG_BY_INDEX,RPC_CM_UPDATE_PARTITION_CONFIGURATION,RPC_PREPARE,RPC_LEARN_ADD_LEARNER,RPC_LEARN_COMPLETION_NOTIFY,RPC_GROUP_CHECK,RPC_FD_FAILURE_DETECTOR_PING,RPC_CONFIG_PROPOSAL + [replication.app] app_name = simple_kv.instance0 app_type = simple_kv diff --git a/src/replica/storage/simple_kv/test/case-603.ini b/src/replica/storage/simple_kv/test/case-603.ini index 42aec9583b..4179d5ee35 100644 --- a/src/replica/storage/simple_kv/test/case-603.ini +++ b/src/replica/storage/simple_kv/test/case-603.ini @@ -154,6 +154,11 @@ server_list = localhost:34601 [pegasus.server] encrypt_data_at_rest = false +[security] +enable_acl = false +super_users = Pegasus +meta_acl_rpc_allow_list = RPC_CM_CONFIG_SYNC,RPC_CM_DUPLICATION_SYNC,RPC_CM_PROPOSE_BALANCER,RPC_CM_QUERY_PARTITION_CONFIG_BY_INDEX,RPC_CM_UPDATE_PARTITION_CONFIGURATION,RPC_PREPARE,RPC_LEARN_ADD_LEARNER,RPC_LEARN_COMPLETION_NOTIFY,RPC_GROUP_CHECK,RPC_FD_FAILURE_DETECTOR_PING,RPC_CONFIG_PROPOSAL + [replication.app] app_name = simple_kv.instance0 app_type = simple_kv diff --git a/src/replica/storage/simple_kv/test/run.sh b/src/replica/storage/simple_kv/test/run.sh index 17affedf79..ee511d972a 100755 --- a/src/replica/storage/simple_kv/test/run.sh +++ b/src/replica/storage/simple_kv/test/run.sh @@ -118,7 +118,7 @@ if [ ! -z "${cases}" ]; then run_case ${id} echo done - TEST_OPTS=${OLD_TEST_OPTS},encrypt_data_at_rest=true + TEST_OPTS=${OLD_TEST_OPTS},enable_acl=true,encrypt_data_at_rest=true for id in ${cases}; do run_case ${id} echo diff --git a/src/replica/test/replica_http_service_test.cpp b/src/replica/test/replica_http_service_test.cpp index db8bc26366..00998fbcd7 100644 --- a/src/replica/test/replica_http_service_test.cpp +++ b/src/replica/test/replica_http_service_test.cpp 
@@ -53,8 +53,9 @@ class replica_http_service_test : public replica_test_base // Disable unnecessary works before starting stub. FLAGS_fd_disabled = true; FLAGS_duplication_enabled = false; - // Set FLAGS_enable_acl true to make group validator encrypt_data_at_rest_pre_check succeed - // when encrypt_data_at_rest is true. + // Set FLAGS_enable_acl to true, ensuring the group validator's encrypt_data_at_rest_pre_check + // is successful when encrypt_data_at_rest is also true. + // TODO(jingwei): It's a trick for test, it should set together at class pegasus::encrypt_data_at_rest. dsn::security::FLAGS_enable_acl = true; stub->initialize_start(); diff --git a/src/runtime/security/kms_client.cpp b/src/runtime/security/kms_client.cpp index b6a6a7499f..74d426f3d9 100644 --- a/src/runtime/security/kms_client.cpp +++ b/src/runtime/security/kms_client.cpp @@ -22,7 +22,7 @@ #include #include "absl/strings/escaping.h" -#include "absl/strings/substitute.h" +#include "fmt/core.h" #include "http/http_client.h" #include "http/http_method.h" #include "nlohmann/json.hpp" @@ -38,16 +38,16 @@ namespace security { dsn::error_s KMSClient::DecryptEncryptionKey(const dsn::replication::replica_kms_info &kms_info, std::string *decrypted_key) { - nlohmann::json post; - post["name"] = cluster_key_name_; + nlohmann::json payload; + payload["name"] = cluster_key_name_; std::string iv_plain = ::absl::HexStringToBytes(kms_info.iv); std::string iv_b64; ::absl::WebSafeBase64Escape(iv_plain, &iv_b64); - post["iv"] = iv_b64; + payload["iv"] = iv_b64; std::string eek_plain = ::absl::HexStringToBytes(kms_info.eek); std::string eek_b64; ::absl::WebSafeBase64Escape(eek_plain, &eek_b64); - post["material"] = eek_b64; + payload["material"] = eek_b64; http_client client; auto err = client.init(); 
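Review bot: In the `@@ -38,16 +38,16 @@` hunk of kms_client.cpp, `kms_info.iv` and `kms_info.eek` go through the one-argument `::absl::HexStringToBytes`, which cannot report invalid or odd-length input. A truncated or corrupted kms_info value is therefore converted into different bytes and only fails, if at all, as an opaque KMS error. Check both strings (even length, hex digits only) before filling `payload` and return an `error_s` locally; if the bundled Abseil has the `bool HexStringToBytes(absl::string_view, std::string *)` overload, it performs that check. The function body continues outside the hunk.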
@@ -64,13 +64,13 @@ dsn::error_s KMSClient::DecryptEncryptionKey(const dsn::replication::replica_kms urls.reserve(kms_urls_.size()); for (const auto &url : kms_urls_) { urls.emplace_back( - ::absl::Substitute("$0/v1/keyversion/$1/_eek?eek_op=decrypt", url, kms_info.kv)); + fmt::format("{}/v1/keyversion/{}/_eek?eek_op=decrypt", url, kms_info.kv)); } client.clear_header_fields(); client.set_content_type("application/json"); client.set_accept("*/*"); - err = client.with_post_method(post.dump()); + err = client.with_post_method(payload.dump()); if (!err.is_ok()) { return dsn::error_s::make(ERR_CURL_FAILED, "http client set method failed"); } @@ -90,6 +90,7 @@ dsn::error_s KMSClient::DecryptEncryptionKey(const dsn::replication::replica_kms client.get_http_status(http_status); if (http_status == 200) { j = nlohmann::json::parse(resp); + break; } else { LOG_WARNING("The http status is ({}), and url is ({})", http_status, url); } @@ -125,7 +126,7 @@ dsn::error_s KMSClient::GenerateEncryptionKeyFromKMS(const std::string &key_name urls.reserve(kms_urls_.size()); for (const auto &url : kms_urls_) { urls.emplace_back( - ::absl::Substitute("$0/v1/key/$1/_eek?eek_op=generate&num_keys=1", url, key_name)); + fmt::format("{}/v1/key/{}/_eek?eek_op=generate&num_keys=1", url, key_name)); } nlohmann::json j = nlohmann::json::object(); @@ -153,6 +154,7 @@ dsn::error_s KMSClient::GenerateEncryptionKeyFromKMS(const std::string &key_name nlohmann::json jsonObject = j.at(0); std::string res = jsonObject.dump(); j = nlohmann::json::parse(res); + break; } else { LOG_WARNING("The http status is ({}), and url is ({})", http_status, url); } diff --git a/src/runtime/security/kms_client.h b/src/runtime/security/kms_client.h index ed819f45eb..4fa0ab13cf 100644 --- a/src/runtime/security/kms_client.h +++ b/src/runtime/security/kms_client.h 
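Review bot: `kms_info.kv` is formatted straight into the request path by `fmt::format("{}/v1/keyversion/{}/_eek?eek_op=decrypt", url, kms_info.kv)`, and `key_name` likewise in the `@@ -125,7 +126,7 @@` hunk, with no escaping or validation. Both values originate outside these functions (the stored kms_info and the configured key name, as far as the page shows), so a value containing `/`, `?` or `#` would change which KMS endpoint the request addresses. Reject anything outside the expected key-name character set before building the URL, or percent-encode the path segment. Both enclosing functions start and end outside the hunks.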
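Review bot: `nlohmann::json::parse(resp)` in the `@@ -90,6 +90,7 @@` hunk throws on a malformed body, so a KMS endpoint that answers 200 with non-JSON content ends the loop with an exception instead of falling through to the next URL. The added `break` does not change that, and in the `@@ -153,6 +154,7 @@` hunk `j.at(0)` also throws when the reply is not a non-empty array. Use the non-throwing form and only stop on success, e.g. `j = nlohmann::json::parse(resp, nullptr, false);` followed by `if (!j.is_discarded()) break;`, logging the failure otherwise as the non-200 branch does. Whether a caller catches these exceptions is not visible here, since both function bodies extend beyond the hunks.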
@@ -30,8 +30,8 @@ class replica_kms_info; } // namespace replication namespace security { -// A class to generate encryption_key from KMS for writing file which implemented based on http -// client. +// A class designed to generate an encryption key from KMS for file writing, +// implemented using an HTTP client. // This class is not thread-safe. Thus maintain one instance for each thread. class KMSClient { @@ -41,8 +41,7 @@ class KMSClient { } - // Get the Decrypted Encryption Key(dek) back from KMS. The EEK, IV, KV need generated from KMS - // by GenerateEncryptionKey function first. + // Retrieve the Decrypted Encryption Key (DEK) from KMS after generating the EEK, IV, and KV. dsn::error_s DecryptEncryptionKey(const dsn::replication::replica_kms_info &kms_info, std::string *decrypted_key); diff --git a/src/runtime/security/replica_kms_info.cpp b/src/runtime/security/replica_kms_info.cpp index f30d314dcc..870ba6a2f7 100644 --- a/src/runtime/security/replica_kms_info.cpp +++ b/src/runtime/security/replica_kms_info.cpp 
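Review bot: The rewritten comment on `DecryptEncryptionKey` in the `@@ -41,8 +41,7 @@` hunk drops the precondition the old text stated and now reads as if this call itself generates the EEK, IV and KV. The caller needs to know that those three fields must already be populated by the generate call. Suggested wording: `// Retrieve the decrypted encryption key (DEK) from KMS. The EEK, IV and KV in 'kms_info'` / `// must have been generated by GenerateEncryptionKey beforehand.`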
@@ -1,22 +1,30 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ +// Licensed to the Apache Software Foundation (ASF) under one +// or more contributor license agreements. See the NOTICE file +// distributed with this work for additional information +// regarding copyright ownership. The ASF licenses this file +// to you under the Apache License, Version 2.0 (the +// "License"); you may not use this file except in compliance +// with the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. 
+ +// Disable class-memaccess warning to facilitate compilation with gcc>7 +// https://github.com/Tencent/rapidjson/issues/1700 +#pragma GCC diagnostic push +#if defined(__GNUC__) && __GNUC__ >= 8 #pragma GCC diagnostic ignored "-Wclass-memaccess" +#endif +#include "common/json_helper.h" + +#pragma GCC diagnostic pop + #include #include "replica/replication_app_base.h" diff --git a/src/runtime/security/replica_kms_info.h b/src/runtime/security/replica_kms_info.h index 8bafcc5a50..b4ee1490e8 100644 --- a/src/runtime/security/replica_kms_info.h +++ b/src/runtime/security/replica_kms_info.h 
@@ -1,21 +1,19 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ +// Licensed to the Apache Software Foundation (ASF) under one +// or more contributor license agreements. See the NOTICE file +// distributed with this work for additional information +// regarding copyright ownership. The ASF licenses this file +// to you under the Apache License, Version 2.0 (the +// "License"); you may not use this file except in compliance +// with the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. #pragma once 
@@ -28,8 +26,8 @@ namespace dsn { namespace replication { -// This class is to store and load EEK, IV, KV from KMS as json file. -// Get decrypted key should POST EEK, IV, KV both to KMS. +// This class stores and loads EEK, IV, and KV from KMS as a JSON file. +// To get the decrypted key, should POST EEK, IV, and KV to KMS. class replica_kms_info { public: @@ -46,9 +44,9 @@ class replica_kms_info : eek(e_key), iv(i), kv(k_version) { } - // load replica_kms_info object from json file + // Load the replica_kms_info object from a JSON file. error_code load(const std::string &dir) WARN_UNUSED_RESULT; - // store replica_kms_info object to json file + // Store the replica_kms_info object in a JSON file. error_code store(const std::string &dir); }; diff --git a/src/utils/metrics.h b/src/utils/metrics.h index c17cbc12a9..0cf9ba14d1 100644 --- a/src/utils/metrics.h +++ b/src/utils/metrics.h @@ -28,6 +28,7 @@ #include #include #include +#include #include #include #include
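Review bot: In the `@@ -46,9 +44,9 @@` hunk of replica_kms_info.h, `load` is marked `WARN_UNUSED_RESULT` but `store` is not, so a failed write of the EEK, IV and KV can be ignored without any compiler diagnostic. If that file is the only persisted copy of the encrypted key material, an unnoticed failure would leave data encrypted under a key that cannot be requested from KMS again. Declaring it as `error_code store(const std::string &dir) WARN_UNUSED_RESULT;` makes every caller handle the result. The call sites are outside this page, so some may need a follow-up change.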