feat: Cache across Hierarchy Keyrings #273
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
texastony
commented
Jun 13, 2024
Comment on lines
+50
to
+112
| The Hierarchy Keyring, | ||
| and it's component the (Branch) Keystore, | ||
| allow MPL Consumers to reduce their KMS Call volume | ||
| by persisting KMS protected cryptographic materials into | ||
| an avabile medium | ||
| (currently, only a DynamoDB table is avabile as persistence medium). | ||
|
|
||
| We call these cryptographic materials Branch Keys. | ||
|
|
||
| However, an instance of the Hierarchy Keyring | ||
| can only ever call KMS with one KMS Relationship, | ||
| which is, at least partly, | ||
| configured on the KMS Client determined | ||
| at the Hierarchy Keyring's construction. | ||
|
|
||
| By KMS Relationship, we mean any or all of the following: | ||
|
|
||
| - KMS Configuration | ||
| - Credentials used when creating the KMS Client, and thus used when calling KMS | ||
| - Other properties of the KMS Client, such as the region, or request headers | ||
|
|
||
| The Local Cryptographic Material Cache of | ||
| the Hierarchy Keyring instance is then only | ||
| populated with Branch Keys that correspond with | ||
| that KMS relationship. | ||
|
|
||
| Which is appropriate, | ||
| as it is clear under what KMS relationship | ||
| a Branch Key is accessed. | ||
|
|
||
| However, | ||
| the Hierarchy Keyring, | ||
| and it's Keystore, | ||
| have a runtime cost, | ||
| exerting memory pressure | ||
| and, without manual optimization, | ||
| requiring at least 2 TLS handshakes | ||
| when first serving a request | ||
| (TLS to KMS & TLS to DDB). | ||
|
|
||
| Additionally, | ||
| the local Cryptographic Materials Cache | ||
| exerts some runtime cost, | ||
| particularly in a multi-threaded environment, | ||
| when a background worker thread MAY be refreshing | ||
| or pruning entries of the cache. | ||
|
|
||
| For MPL Consumers that MUST work with Branch Keys | ||
| under different KMS Relationships, | ||
| this runtime cost adds up. | ||
|
|
||
| These MPL Consumers MAY end up establishing | ||
| a LRU Cache of Hierarchy Keyrings. | ||
|
|
||
| Which, while workable, is sub-optimal, | ||
| and clearly makes the Hierarchy Keyring, | ||
| in these conditions, | ||
| "Hard to Use". | ||
|
|
||
| The objective, with these changes, | ||
| is to make the Hierarchy Keyring | ||
| "Easy to Use" in a multiple KMS Relationship | ||
| environment. |
There was a problem hiding this comment.
Blocking: All of this should be moved to the Motivation.
Comment on lines
114
to
132
| To facilitate Caching across KeyStores/KMS Clients/KMS Keys, | ||
| we MUST break the Cryptographic Materials Cache (CMC) | ||
| out of the Hierarchy Keyring. | ||
|
|
||
| By allowing MPL Consumers to provide an already initialized CMC | ||
| to the Hierarchy Keyring at construction, | ||
| the CMC MAY cache Branch Keys protected by different | ||
| KMS Relationships. | ||
|
|
||
| This simplifies Multiple KMS Relationship MPL Consumers, | ||
| as they do not need to stand up LRU Cache of Hierarchy Keyrings. | ||
|
|
||
| Instead, they may maintain one CMC. | ||
| They still create a Hierarchy Keyring instance per KMS Relationship, | ||
| and they MUST use the correct Keyring to retrieve material | ||
| from the Cache. | ||
|
|
||
| But they need not maintain many Keyrings; | ||
| only the common cache. |
There was a problem hiding this comment.
This is probably sufficient for the Summary.
Comment on lines
210
to
212
| ## Motivation | ||
|
|
||
| TODO |
There was a problem hiding this comment.
I think I am going to break our convention, and move Motivation to be right behind Summary.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Issue #, if available:
Description of changes:
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
Check any applicable: