Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Summer 2021] Add a plugin SPI for configuration encryption and decryption for Nacos 2.0 #5695

Closed
KomachiSion opened this issue May 13, 2021 · 0 comments · Fixed by #7934 or #7949
Closed

[Summer 2021] Add a plugin SPI for configuration encryption and decryption for Nacos 2.0 #5695

KomachiSion opened this issue May 13, 2021 · 0 comments · Fixed by #7934 or #7949
Labels
area/Config kind/feature type/feature Summer
Milestone
2.1.0

Comments

@KomachiSion
Copy link
Collaborator

Background

In Nacos community, many users concerned about the security issues of some sensitive information in the configuration.

Like #492, #4025, #4707, #5367 and many closed issues.

So Nacos community want to design a set of API for encryption and inject into the workflow of publish and query configuration. And provide one kind of easy implementation like AES encryption.

Through the encryption plugin, users can use the simple implementation provided by the community to preliminarily carry out the problem of sensitive configuration desensitization. At the same time, they can also implement their own encryption plug-in to meet the high requirements for desensitization.

Target

Add a plugin SPI for configuring encryption and decryption, and add a simple implementation of encryption and decryption.

Difficulty

Medium

Mentor

@TsingLiang
qingliang.ql@alibaba-inc.com

Output Requirements

  • Add a set of easy to expand SPI interface for configuration encryption and decryption.
  • Use the appropriate design pattern to inject this SPI into the workflow of configuration center.
  • Choose one of common encryption algorithm and use this algorithm to implement a configuration encryption and decryption plugin.

Technical Requirements

  • Familiar with Java programming language.
  • Familiar with Java class loading mechanism.
  • Familiar with Java SPI loading mechanism.
  • Understand common design patterns.
  • Understand common data encryption and decryption algorithms.

背景

在Nacos社区中,许多用户关注配置中某些敏感信息的安全性问题。

#492#4025#4707#5367 和许多已关闭的Issue。

因此,Nacos社区希望设计一套用于加密的API,并将其注入到发布和查询配置的工作流程中。 并提供一种简单的实现,如AES加密。

通过加密插件,用户可以使用社区提供的简单实现来初步解决敏感配置脱敏问题。 同时,他们还可以实现自己的加密插件,以满足对脱敏的高要求。

目标

为Nacos添加配置加解密的插件SPI,并新增一类简单的加解密实现。

难度

中等

导师

@TsingLiang
qingliang.ql@alibaba-inc.com

产出要求

  • 添加一套易于扩展的配置加解密SPI接口。
  • 使用合适的设计模式在配置中心流程中使用加解密SPI接口。
  • 选择一个常见的加密算法,并使用该算法实现一个配置加解密插件。

能力要求

  • 熟悉Java开发语言
  • 熟悉Java 类加载机制
  • 熟悉Java SPI加载机制
  • 了解常用设计模式
  • 了解常用数据加解密算法
@KomachiSion KomachiSion mentioned this issue May 13, 2021
Closed
@KomachiSion KomachiSion mentioned this issue Jul 7, 2021
Closed
@realJackSun realJackSun mentioned this issue Jan 7, 2022
Closed
5 tasks
@li-xiao-shuang li-xiao-shuang mentioned this issue Jan 7, 2022
Closed
5 tasks
@li-xiao-shuang li-xiao-shuang mentioned this issue Mar 11, 2022
Merged
5 tasks
realJackSun pushed a commit that referenced this issue Mar 16, 2022
@li-xiao-shuang @KomachiSion
[ISSUE #5695] Add config encrypt spi for nacos server. (#7934)
88fb26c 
* [ISSUE#5695] Add a plugin SPI for configuration encryption and decryption for Nacos 2.0 (#6655)

* Defines the interface

* 增加aes实现

* 客户端、服务端加解密实现

* 客户端、服务端加解密实现

* fix code quality (#6727)

* [ISSUE#5695] Add a plugin SPI for configuration encryption and decryption for Nacos 2.0, EncryptedDataKey is persisted (#6740)

* Defines the interface

* 增加aes实现

* 客户端、服务端加解密实现

* 客户端、服务端加解密实现

* 秘钥持久化

* 秘钥持久化

* [ISSUE#5695] Summer2021 Cache encryptedDataKey  (#6878)

* Defines the interface

* 增加aes实现

* 客户端、服务端加解密实现

* 客户端、服务端加解密实现

* 秘钥持久化

* 秘钥持久化

* 秘钥缓存到内存中

* 解决冲突

* 修改filter继承AbstractConfigFilter (#6879)

* [ISSUE#5695] Summer2021   EncryptedDataKey is persisted to Derby (#6882)

* [ISSUE#5695] Add a plugin SPI for configuration encryption and decryption for Nacos 2.0 (#6655)

* Defines the interface

* 增加aes实现

* 客户端、服务端加解密实现

* 客户端、服务端加解密实现

* fix code quality (#6727)

* # This is a combination of 6 commits.tree cf7a399f99c4d81b8667c8de06f5ceb8c79fb6f0
parent 8024ecf
author 李晓双 Li Xiao Shuang <644968328@qq.com> 1630028256 +0800
committer lixiaoshuang <644968328@qq.com> 1631804378 +0800

# This is a combination of 3 commits.
# This is the 1st commit message:

[ISSUE#5695] Add a plugin SPI for configuration encryption and decryption for Nacos 2.0, EncryptedDataKey is persisted (#6740)

* Defines the interface

* 增加aes实现

* 客户端、服务端加解密实现

* 客户端、服务端加解密实现

* 秘钥持久化

* 秘钥持久化
# This is the commit message #2:

[ISSUE#5695] Summer2021 Cache encryptedDataKey  (#6878)

* Defines the interface

* 增加aes实现

* 客户端、服务端加解密实现

* 客户端、服务端加解密实现

* 秘钥持久化

* 秘钥持久化

* 秘钥缓存到内存中

* 解决冲突
# This is the commit message #3:

修改filter继承AbstractConfigFilter (#6879)


# This is the commit message #6:

客户端、服务端加解密实现

* parent 8024ecf
author 李晓双 Li Xiao Shuang <644968328@qq.com> 1630028256 +0800
committer lixiaoshuang <644968328@qq.com> 1631805204 +0800

parent 8024ecf
author 李晓双 Li Xiao Shuang <644968328@qq.com> 1630028256 +0800
committer lixiaoshuang <644968328@qq.com> 1631804378 +0800

[ISSUE#5695] Add a plugin SPI for configuration encryption and decryption for Nacos 2.0, EncryptedDataKey is persisted (#6740)

* 配置加解密插件

* derby支持秘钥存储

* 克隆功能兼容配置加解密 (#6913)

* [ISSUE#5695] Summer2021 Import/export compatible with configuration encryption and decryption (#6956)

* 克隆功能兼容配置加解密

* 导入导出兼容配置加解密

* 秘钥base64编码、更换AES加密模式 (#6974)

* [ISSUE#5695] Summer2021 add unit test for ConfigCryptoFilter (#6991)

* add unit test for ConfigCryptoFilter

* add unit test for ConfigCryptoFilter

* [ISSUE#5695] Summer2021 add unit test for CryptoExecutor (#6990)

* add unit test for CryptoExecutor

* add Copyright

* [ISSUE#5695] Summer2021  add unit test for CryptoManager (#6989)

* add unit test for CryptoManager

* add unit test for CryptoManager

* [ISSUE#5695] Summer2021 add unit test for AesCrypto (#6988)

* add unit test for AesCrypto

* update AesCryptoTest

* Increased iv randomness

* add default Iv

* fix javadoc

* fix unit test

* defining plugin intergace

* Replace the client encryption and decryption actuator

* Replace the server encryption and decryption actuator

* add unit test

* add unit test

* remove old code

* fix NacosConfigServiceTest

* Encryption and decryption to achieve migration

Co-authored-by: 杨翊 SionYang <263976490@qq.com>
@li-xiao-shuang li-xiao-shuang mentioned this issue Mar 17, 2022
Merged
5 tasks
@KomachiSion KomachiSion added this to the 2.1.0 milestone Mar 31, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/Config kind/feature type/feature Summer
Projects
None yet
Milestone
2.1.0
1 participant
@KomachiSion