0.84.0, November 9th 2018

Core:

  • Key management

    • Improved LRU cache: fixed concurrent access to the LRU cache by adding a mutex. The LRU cache is used for quick access to in-memory keys (private keys are stored encrypted) in AcraServer and AcraTranslator (#272).

    AcraServer documentation, AcraTranslator documentation.

    • Improved AcraRotate utility: added "dry-run" mode for testing AcraRotate before it is used for real. In "dry-run" mode AcraRotate doesn't rotate keys: it fetches AcraStructs (from files or database), decrypts them, rotates in-memory keys, encrypts the data with new public keys, and prints the resulting JSON with new public keys without actually saving the rotated keys and AcraStructs. As key rotation might be tricky, we want users to make sure that AcraRotate has all the required permissions and access rights before actually re-encrypting the data (#269).

    AcraRotate documentation.

  • AcraWriter

    • Added C++ AcraWriter library, added examples and tests. The library itself is a single header-only file, acrawriter.hpp, with a dependency on Themis, placed in wrappers/cpp.
      Read the usage guide and examples in the examples/cpp folder (#270).

    AcraWriter C++ documentation.

  • Logging

    • Improved logs of AcraConnector and AcraServer: use the Debug log level for all network errors (closed connection, unavailable network, etc.) and use the Error log level only for cases of certainly unexpected behavior (#275).

    • Improved startup logs: log process PID on start of AcraServer, AcraConnector, AcraTranslator, and AcraWebConfig (#275).

    • Fixed timestamps: do not overwrite logs' timestamps (#273).

  • Tracing with OpenCensus

    • Added tracing with OpenCensus: AcraServer, AcraConnector, and AcraTranslator track every request from the client application to the database and back. Each client request has a unique traceID that helps measure how much time is needed to perform certain data processing functions (e.g. checking requests via AcraCensor, encrypting data, decrypting AcraStructs, etc.). Traces can be exported to Jaeger (#279, #276, #274).

    You can read more about tracing in our documentation in Tracing in Acra.

    A blog post about the technical details, benefits, and pitfalls of implementing traces is coming soon.

  • Other

    • Improved AcraServer's connection handling: after an error, stop accepting connections and stop AcraServer instead of trying to accept connections after the listening socket was closed (#275).

    • Improved AcraCensor's handling of prepared statements for PostgreSQL binary protocol (#280).

    • Improved handling of terminating packets (COM_QUIT for PostgreSQL and TerminatePacket for MySQL) to correctly handle clients closing their connections (#275).

    • Refactored inner logic of AcraCensor: improved code quality and stability, added more tests that use more patterns (#268).

Infrastructure:

  • Ceased testing and supporting Go versions below 1.9. This will only affect users who build Acra manually from sources.
    You can install the pre-built Acra components shipped for various Ubuntu, Debian, and CentOS distributions using the Installation guide. Alternatively, you can check out our Docker images and Docker-compose files in the docker folder (#277).

  • Tested the Acra suite with PostgreSQL v11 and MariaDB v10.3 and updated the docker compose examples and Acra Engineering Demo to use them (#278).

  • Published the Acra load balancing demo: it illustrates some of the many possible variants of building a highly available and balanced infrastructure based on Acra data protection suite components, PostgreSQL, and a Python web application. In these examples we used HAProxy – one of the most popular high availability balancers today.

  • Updated AcraStruct Validator – an online tool that can decrypt your AcraStructs. AcraStruct Validator is useful for developers who build their own AcraWriters (to validate AcraStruct binary structure).

Features coming soon:

  • Running SQL queries over encrypted data: perform AcraServer-side lookups (search) over protected data.

  • Pseudonymisation: an early version of a pseudonymisation library/plugin for Acra for transparent data pseudonymisation.

  • Cryptographically protected audit log: protection for logs against tampering.

Documentation:

  • AcraWriter C++ has a short guide for installing and using AcraWriter for C++.

  • AcraRotate: added description and notes about "dry-run" mode.

  • Updated documentation for logging, collecting metrics, and tracing in Acra.

  • Many small fixes here and there to make your overall experience of using Acra's docs on a new platform distinctive and smooth ;)