Producing a version of druid which is FIPS compliant #16549

Open
mamccorm opened this issue Jun 5, 2024 · 0 comments

FIPS 140-2 is a set of cryptography requirements which are mandated if you wish to run an application in certain regulatory environments.

ensuring they are using FIPS compliant versions of BouncyCastle, not utilizing any non-FIPS approved algorithms, reviewing / applying the same changes to any dependencies, and some documentation. Example: keycloak fips docs.

In the pom.xml, I see references to the non-FIPS version of BouncyCastle, which would indicate the app is using bundled crypto, and would not utilise whatever crypto we configure on the host (i.e. such as JRE with bcfips). Additionally, this project looks to have dependencies on other applications, namely:

  • Guava
  • Jetty
  • Curator
  • Commons Codec
  • Log4j
  • Hadoop
  • Kafka
  • Zookeeper

Any dependencies would also need to be FIPS compliant. Appreciate any guidance on the above, and whether FIPS is on the roadmap for druid.
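The pom.xml check the issue describes can be automated. The following is an added example, not part of the original issue or of Druid's code: it lists the BouncyCastle artifacts a POM declares and separates the FIPS line from the general one. The sample POM is constructed, the function name is hypothetical, and the POM is assumed to use the standard Maven 4.0.0 namespace.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
BC_GROUP = "org.bouncycastle"

# Constructed sample POM (not Druid's actual pom.xml; versions are placeholders).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId><artifactId>app</artifactId><version>1</version>
  <dependencyManagement><dependencies>
    <dependency><groupId>org.bouncycastle</groupId>
      <artifactId>bcprov-jdk18on</artifactId><version>0.0.0-sample</version></dependency>
  </dependencies></dependencyManagement>
  <dependencies>
    <dependency><groupId>org.bouncycastle</groupId>
      <artifactId>bc-fips</artifactId><version>0.0.0-sample</version></dependency>
    <dependency><groupId>org.bouncycastle</groupId>
      <artifactId>bcpkix-jdk18on</artifactId></dependency>
    <dependency><groupId>com.google.guava</groupId>
      <artifactId>guava</artifactId><version>0.0.0-sample</version></dependency>
  </dependencies>
</project>"""


def classify_bouncycastle(pom_text):
    """Return {'fips': [...], 'non_fips': [...]} of declared BouncyCastle artifactIds."""
    root = ET.fromstring(pom_text)
    result = {"fips": [], "non_fips": []}
    # .//m:dependency covers <dependencies>, <dependencyManagement>, profiles and plugins.
    for dep in root.iterfind(".//m:dependency", NS):
        group = (dep.findtext("m:groupId", "", NS) or "").strip()
        artifact = (dep.findtext("m:artifactId", "", NS) or "").strip()
        if group != BC_GROUP:
            continue
        # BouncyCastle publishes its FIPS line with a "-fips" suffix (bc-fips,
        # bctls-fips, bcpkix-fips); the general line is bcprov-*, bcpkix-jdk*, etc.
        kind = "fips" if artifact.endswith("-fips") else "non_fips"
        if artifact not in result[kind]:
            result[kind].append(artifact)
    return result


if __name__ == "__main__":
    found = classify_bouncycastle(SAMPLE_POM)
    for artifact in found["non_fips"]:
        print("non-FIPS BouncyCastle artifact declared:", artifact)
    print("FIPS artifacts:", found["fips"] or "none")
```

This only inspects what a single POM declares; BouncyCastle pulled in transitively by the other dependencies shows up in the output of `mvn dependency:tree` rather than here.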
