Skip to content

Fixes the cache for the KMS encryption plugin.#6636

Merged
dlvenable merged 1 commit into
opensearch-project:mainfrom
dlvenable:kms-encryption-cache-fix
Mar 13, 2026
Merged

Fixes the cache for the KMS encryption plugin.#6636
dlvenable merged 1 commit into
opensearch-project:mainfrom
dlvenable:kms-encryption-cache-fix

Conversation

@dlvenable

@dlvenable dlvenable commented Mar 13, 2026
edited
Loading

Copy link
Copy Markdown
Member

Description

The cache was using byte[] as the key. As an array it doesn't have equals/hashCode so the keys would never be found. To cache it correctly I use SdkBytes which implements both.

Additionally the tests appeared to be passing. But there is a subtle issue with them. The verify call happened before the second call. The verifyNoMoreInteractions appears to not verify based on counts. Just by moving the verify call below the second call I was able to get the tests to fail before fixing the code.

I also added three metrics for the KMS plugin:

  1. A gauge on decrypted keys in the cache
  2. KMS requests succeeded
  3. KMS requests failed

You can see the issue using the metrics:

KmsCache-PreFix

Here it is with the fix:

KmsCache-Fixed

Note, that I renamed the new metric after taking the screenshots to remove the redundant "count."

Issues Resolved

N/A

Check List

  • New functionality includes testing.
  • New functionality has a documentation issue. Please link to it in this PR.
    • New functionality has javadoc added
  • Commits are signed with a real name per the DCO

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@dlvenable
Fixes the cache for the KMS encryption plugin.
502644c 
The cache was using byte[] as the key. As an array it doesn't have equals/hashCode so the keys would never be found. To cache it correctly I use SdkBytes which implements both.

I also added three metrics for the KMS plugin: 1. A gauge on decrypted keys in the cache; 2. KMS requests succeeded; 3. KMS requests failed.

Signed-off-by: David Venable <dlv@amazon.com>
@dlvenable dlvenable added this to the v2.15 milestone Mar 13, 2026
@dlvenable dlvenable merged commit 580b6ef into opensearch-project:main Mar 13, 2026
72 checks passed
@dlvenable dlvenable deleted the kms-encryption-cache-fix branch March 24, 2026 13:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sb2k16 sb2k16 sb2k16 approved these changes
@graytaylor0 graytaylor0 graytaylor0 approved these changes
@engechas engechas Awaiting requested review from engechas
@san81 san81 Awaiting requested review from san81 san81 is a code owner
@srikanthjg srikanthjg Awaiting requested review from srikanthjg srikanthjg is a code owner
@dinujoh dinujoh Awaiting requested review from dinujoh dinujoh is a code owner
@kkondaka kkondaka Awaiting requested review from kkondaka kkondaka is a code owner
@KarstenSchnitter KarstenSchnitter Awaiting requested review from KarstenSchnitter KarstenSchnitter is a code owner
@oeyh oeyh Awaiting requested review from oeyh oeyh is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

v2.15

Development

Successfully merging this pull request may close these issues.

3 participants

@dlvenable @sb2k16 @graytaylor0