...
ChangeMasterKeyMessage
message and sent it by discovery as a custom event. The goal is to verify that all nodes have the same master key. ChangeMasterKeyFinishMessage
action message is sent by discovery as a custom event.ChangeMasterKeyRecord
) that consist of:MetaStore
....
Process completes when all nodes in cluster will process action message.
...
...
...
If some node was unavailable during master key rotation process it will unable to join to the cluster because it has old master key.
...
The node will re-encrypt cache keys with new MK and try to join to cluster.
...
...
A node should not try to join to the cluster before the process of ChangeMasterKeyRecord
. Regardless of whether the key rotation was finished successfully or not, the recovery will be from the record.
ChangeMasterKeyRecord
it passed to EncryptionManager
.EncryptionManager
writes new cache group keys to it....
Meta storage will store master key id. Key id from meta storage has a higher priority to key id from EncryptionSpi.
Currently joining node send hash MK for validation in attributes. Attributes can't be modified at runtime. So joining node will send hash MK in JoiningNodeDiscoveryData
.