[PSMDB-1130] Improve handling of the missing encryption key during KMIP key rotation - Percona JIRA

XML

Word

Printable

Details

Type: Bug
Status: Done
Priority: Medium
Resolution: Fixed
Affects Version/s: 4.4.15-15, 5.0.10-9
Fix Version/s: 4.4.17-17, 5.0.13-11, 6.0.2-1, 4.2.23-23
Component/s: None
Labels:
None

Epic Link:
kmip

Description

Hi,

STR:

1) Start PSMDB with kmipKeyIdentifier 1
2) During KMIP key rotation provide kmipKeyIdentifier 2 which doesn't exist on server

mongod --enableEncryption  --kmipServerName 192.168.4.51 --kmipClientCertificateFile mongod.crt --kmipServerCAFile ca.crt --kmipKeyIdentifier 2 --kmipRotateMasterKey

{"t":{"$date":"2022-08-24T07:40:46.240-04:00"},"s":"I",  "c":"STORAGE",  "id":22270,   "ctx":"initandlisten","msg":"Storage engine to use detected by data files","attr":{"dbpath":"/data/db","storageEngine":"wiredTiger"}}
{"t":{"$date":"2022-08-24T07:40:46.284-04:00"},"s":"I",  "c":"STORAGE",  "id":29108,   "ctx":"initandlisten","msg":"Master key has been read from the KMIP server","attr":{"kmipMasterKeyId":"1"}}
{"t":{"$date":"2022-08-24T07:40:46.284-04:00"},"s":"I",  "c":"STORAGE",  "id":29037,   "ctx":"initandlisten","msg":"Initializing KeyDB with wiredtiger_open config: {cfg}","attr":{"cfg":"create,config_base=false,extensions=[local=(entry=percona_encryption_extension_init,early_load=true,config=(cipher=AES256-CBC,rotation=false))],encryption=(name=percona,keyid=\"\"),log=(enabled,file_max=5MB),transaction_sync=(enabled=true,method=fsync),"}}
{"t":{"$date":"2022-08-24T07:40:46.875-04:00"},"s":"I",  "c":"STORAGE",  "id":29039,   "ctx":"initandlisten","msg":"Encryption keys DB is initialized successfully"}
{"t":{"$date":"2022-08-24T07:40:46.898-04:00"},"s":"E",  "c":"STORAGE",  "id":29038,   "ctx":"initandlisten","msg":"Exception in EncryptionKeyDB::init: {e}","attr":{"e":"Cannot start. Master encryption key is absent in KMIP. Check configuration options."}}
{"t":{"$date":"2022-08-24T07:40:46.931-04:00"},"s":"F",  "c":"CONTROL",  "id":4757800, "ctx":"initandlisten","msg":"Writing fatal message","attr":{"message":"Invalid access at address: 0"}}
{"t":{"$date":"2022-08-24T07:40:46.931-04:00"},"s":"F",  "c":"CONTROL",  "id":4757800, "ctx":"initandlisten","msg":"Writing fatal message","attr":{"message":"Got signal: 11 (Segmentation fault).\n"}}

Actual result
PSMDB crashes when new key is absent on KMIP server

Expected result
PSMDB normally exits with error

In addition, as a consequence of unclear exit it's impossible to run kmipRotateMasterKey again due to an error:

{"t":{"$date":"2022-08-24T07:45:34.962-04:00"},"s":"I",  "c":"STORAGE",  "id":29108,   "ctx":"initandlisten","msg":"Master key has been read from the KMIP server","attr":{"kmipMasterKeyId":"1"}}
{"t":{"$date":"2022-08-24T07:45:34.962-04:00"},"s":"I",  "c":"STORAGE",  "id":29037,   "ctx":"initandlisten","msg":"Initializing KeyDB with wiredtiger_open config: {cfg}","attr":{"cfg":"create,config_base=false,extensions=[local=(entry=percona_encryption_extension_init,early_load=true,config=(cipher=AES256-CBC,rotation=false))],encryption=(name=percona,keyid=\"\"),log=(enabled,file_max=5MB),transaction_sync=(enabled=true,method=fsync),"}}
{"t":{"$date":"2022-08-24T07:45:35.555-04:00"},"s":"I",  "c":"STORAGE",  "id":29039,   "ctx":"initandlisten","msg":"Encryption keys DB is initialized successfully"}
{"t":{"$date":"2022-08-24T07:45:35.585-04:00"},"s":"E",  "c":"STORAGE",  "id":20558,   "ctx":"initandlisten","msg":"std::exception in initAndListen, terminating","attr":{"error":"Cannot do master key rotation. Rotation directory '\"/data/db/key.db.rotation\"' already exists."}}

Attachments

Activity

People

Assignee:: Konstantin Trushin

Reporter:: Sandra Romanchenko

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 24/Aug/22 11:46 AM

Updated:: 10/Nov/22 4:31 PM

Resolved:: 12/Sep/22 4:06 PM