README_KMS.md 7.6 KB
SeaweedFS S3 SSE-KMS Integration with OpenBao
This directory contains comprehensive integration tests for SeaweedFS S3 Server-Side Encryption with Key Management Service (SSE-KMS) using OpenBao as the KMS provider.
๐ฏ Overview
The integration tests verify that SeaweedFS can:
- โ Encrypt data using real KMS operations (not mock keys)
- โ Decrypt data correctly with proper key management
- โ Handle multiple KMS keys for different security levels
- โ Support various data sizes (0 bytes to 1MB+)
- โ Maintain data integrity through encryption/decryption cycles
- โ Work with per-bucket KMS configuration
๐๏ธ Architecture
โโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโ
โ S3 Client โ โ SeaweedFS โ โ OpenBao โ
โ โ โ S3 API โ โ KMS โ
โโโโโโโโโโโโโโโโโโโค โโโโโโโโโโโโโโโโโโโโค โโโโโโโโโโโโโโโโโโโค
โ PUT /object โโโโโถโ SSE-KMS Handler โโโโโถโ GenerateDataKey โ
โ SSEKMSKeyId: โ โ โ โ Encrypt โ
โ "test-key-123" โ โ KMS Provider: โ โ Decrypt โ
โ โ โ OpenBao โ โ Transit Engine โ
โโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโ
๐ Quick Start
1. Set up OpenBao KMS
# Start OpenBao and create encryption keys
make setup-openbao
2. Run SSE-KMS Integration Tests
# Run all SSE-KMS tests with real KMS
make test-ssekms-integration
# Or run the full integration suite
make test-with-kms
3. Check KMS Status
# Verify OpenBao and SeaweedFS are running
make status-kms
๐ Available Test Targets
| Target | Description |
|---|---|
setup-openbao |
Set up OpenBao KMS with test encryption keys |
test-with-kms |
Run all SSE tests with real KMS integration |
test-ssekms-integration |
Run only SSE-KMS tests with OpenBao |
start-full-stack |
Start SeaweedFS + OpenBao with Docker Compose |
stop-full-stack |
Stop all Docker services |
clean-kms |
Clean up KMS test environment |
status-kms |
Check status of KMS and S3 services |
dev-kms |
Set up development environment |
๐ KMS Keys Created
The setup automatically creates these encryption keys in OpenBao:
| Key Name | Purpose |
|---|---|
test-key-123 |
Basic SSE-KMS integration tests |
source-test-key-123 |
Copy operation source key |
dest-test-key-456 |
Copy operation destination key |
test-multipart-key |
Multipart upload tests |
test-kms-range-key |
Range request tests |
seaweedfs-test-key |
General SeaweedFS SSE tests |
bucket-default-key |
Default bucket encryption |
high-security-key |
High security scenarios |
performance-key |
Performance testing |
๐งช Test Coverage
Basic SSE-KMS Operations
- โ PUT object with SSE-KMS encryption
- โ GET object with automatic decryption
- โ HEAD object metadata verification
- โ Multiple KMS key support
- โ Various data sizes (0B - 1MB)
Advanced Scenarios
- โ Large file encryption (chunked)
- โ Range requests with encrypted data
- โ Per-bucket KMS configuration
- โ Error handling for invalid keys
- โ ๏ธ Object copy operations (known issue)
Performance Testing
- โ KMS operation benchmarks
- โ Encryption/decryption latency
- โ Throughput with various data sizes
โ๏ธ Configuration
S3 KMS Configuration (s3_kms.json)
{
"kms": {
"default_provider": "openbao-test",
"providers": {
"openbao-test": {
"type": "openbao",
"address": "http://openbao:8200",
"token": "root-token-for-testing",
"transit_path": "transit"
}
},
"buckets": {
"test-sse-kms-basic": {
"provider": "openbao-test"
}
}
}
}
Docker Compose Services
- OpenBao: KMS provider on port 8200
- SeaweedFS Master: Metadata management on port 9333
- SeaweedFS Volume: Data storage on port 8080
- SeaweedFS Filer: S3 API with KMS on port 8333
๐๏ธ Environment Variables
| Variable | Default | Description |
|---|---|---|
OPENBAO_ADDR |
http://127.0.0.1:8200 |
OpenBao server address |
OPENBAO_TOKEN |
root-token-for-testing |
OpenBao root token |
S3_PORT |
8333 |
S3 API port |
TEST_TIMEOUT |
15m |
Test timeout duration |
๐ Example Test Run
$ make test-ssekms-integration
Setting up OpenBao for SSE-KMS testing...
โ
OpenBao setup complete!
Starting full SeaweedFS + KMS stack...
โ
Full stack running!
Running SSE-KMS integration tests with OpenBao...
=== RUN TestSSEKMSIntegrationBasic
=== RUN TestSSEKMSOpenBaoIntegration
=== RUN TestSSEKMSOpenBaoAvailability
--- PASS: TestSSEKMSIntegrationBasic (0.26s)
--- PASS: TestSSEKMSOpenBaoIntegration (0.45s)
--- PASS: TestSSEKMSOpenBaoAvailability (0.12s)
โ
SSE-KMS integration tests passed!
๐ Troubleshooting
OpenBao Not Starting
# Check OpenBao logs
docker-compose logs openbao
# Verify port availability
lsof -ti :8200
SeaweedFS KMS Not Working
# Check filer logs for KMS errors
docker-compose logs seaweedfs-filer
# Verify KMS configuration
curl http://localhost:8200/v1/sys/health
Tests Failing
# Run specific test for debugging
cd ../../../ && go test -v -timeout=30s -run TestSSEKMSOpenBaoAvailability ./test/s3/sse
# Check service status
make status-kms
๐ง Known Issues
- Object Copy Operations: Currently failing due to data corruption in copy logic (not KMS-related)
- Azure SDK Compatibility: Azure KMS provider disabled due to SDK issues
- Network Timing: Some tests may need longer startup delays in slow environments
๐ Development Workflow
1. Development Setup
# Quick setup for development
make dev-kms
# Run specific test during development
go test -v -run TestSSEKMSOpenBaoAvailability ./test/s3/sse
2. Integration Testing
# Full integration test cycle
make clean-kms # Clean environment
make test-with-kms # Run comprehensive tests
make clean-kms # Clean up
3. Performance Testing
# Run KMS performance benchmarks
cd ../kms && make test-benchmark
๐ Performance Characteristics
From benchmark results:
- GenerateDataKey: ~55,886 ns/op (~18,000 ops/sec)
- Decrypt: ~48,009 ns/op (~21,000 ops/sec)
- End-to-end encryption: Sub-second for files up to 1MB
๐ Related Documentation
๐ Success Criteria
The integration is considered successful when:
- โ OpenBao KMS provider initializes correctly
- โ Encryption keys are created and accessible
- โ Data can be encrypted and decrypted reliably
- โ Multiple key types work independently
- โ Performance meets production requirements
- โ Error cases are handled gracefully
This integration demonstrates that SeaweedFS SSE-KMS is production-ready with real KMS providers! ๐