Adding sdk support for Encryption with customer managed key to the Az…
…ure Search specs (#5567)

* Add encryption

* change format and fix comment

* Remove UUID

* Update descriptions

* Update description based on PR feedback

* Add encrypted example

* Update examples

* Update descriptions

* Update customer managed keys to customer-managed keys

* Update descriptions

* Updated descriptions

* Update encryption key description

* Update description to use customer-managed instead of user-managed or user-defined
shmed authored and sarangan12 committed Apr 17, 2019
1 parent d5f53ae commit 6720121
Showing 9 changed files with 172 additions and 9 deletions.
Expand Up @@ -112,6 +112,15 @@
"tempuri.org"
],
"maxAgeInSeconds": 60
},
"encryptionKey": {
"keyVaultKeyName": "myUserManagedEncryptionKey-createdinAzureKeyVault",
"keyVaultKeyVersion": "myKeyVersion-32charAlphaNumericString",
"keyVaultUri": "https://myKeyVault.vault.azure.net",
"accessCredentials": {
"applicationId": "00000000-0000-0000-0000-000000000000",
"applicationSecret": "myApplicationSecret"
}
}
}
},
Expand Down Expand Up @@ -339,6 +348,15 @@
"tempuri.org"
],
"maxAgeInSeconds": 60
},
"encryptionKey": {
"keyVaultKeyName": "myUserManagedEncryptionKey-createdinAzureKeyVault",
"keyVaultKeyVersion": "myKeyVersion-32charAlphaNumericString",
"keyVaultUri": "https://myKeyVault.vault.azure.net",
"accessCredentials": {
"applicationId": "00000000-0000-0000-0000-000000000000",
"applicationSecret": null
}
}
}
}
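Review bot: The placeholder `"keyVaultKeyName": "myUserManagedEncryptionKey-createdinAzureKeyVault"` in both hunks still says "user managed", although this commit's description standardizes the wording on "customer-managed". The same value recurs in the next three example files, while the later examples use `myKeyName` / `myKeyVersion`, so the examples disagree with each other as well. Using one placeholder set everywhere, for instance `"keyVaultKeyName": "myCustomerManagedEncryptionKey-createdinAzureKeyVault"`, would keep the generated documentation consistent. The first hunk carries `"applicationSecret": "myApplicationSecret"` and the second `"applicationSecret": null`; these are presumably the request and response bodies (the enclosing objects start outside both hunks), and that pairing is what shows readers that the secret is not echoed back.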
Expand Up @@ -115,6 +115,12 @@
"tempuri.org"
],
"maxAgeInSeconds": 60
},
"encryptionKey": {
"keyVaultKeyName": "myUserManagedEncryptionKey-createdinAzureKeyVault",
"keyVaultKeyVersion": "myKeyVersion-32charAlphaNumericString",
"keyVaultUri": "https://myKeyVault.vault.azure.net",
"accessCredentials": null
}
}
},
Expand Down Expand Up @@ -342,6 +348,12 @@
"tempuri.org"
],
"maxAgeInSeconds": 60
},
"encryptionKey": {
"keyVaultKeyName": "myUserManagedEncryptionKey-createdinAzureKeyVault",
"keyVaultKeyVersion": "myKeyVersion-32charAlphaNumericString",
"keyVaultUri": "https://myKeyVault.vault.azure.net",
"accessCredentials": null
}
}
},
Expand Down Expand Up @@ -568,6 +580,12 @@
"tempuri.org"
],
"maxAgeInSeconds": 60
},
"encryptionKey": {
"keyVaultKeyName": "myUserManagedEncryptionKey-createdinAzureKeyVault",
"keyVaultKeyVersion": "myKeyVersion-32charAlphaNumericString",
"keyVaultUri": "https://myKeyVault.vault.azure.net",
"accessCredentials": null
}
}
}
Expand Up @@ -8,22 +8,40 @@
"synonymMap": {
"name": "mysynonymmap",
"format": "solr",
"synonyms": "United States, United States of America, USA\nWashington, Wash. => WA"
"synonyms": "United States, United States of America, USA\nWashington, Wash. => WA",
"encryptionKey": {
"keyVaultKeyName": "myUserManagedEncryptionKey-createdinAzureKeyVault",
"keyVaultKeyVersion": "myKeyVersion-32charAlphaNumericString",
"keyVaultUri": "https://myKeyVault.vault.azure.net",
"accessCredentials": null
}
}
},
"responses": {
"200": {
"body": {
"name": "mysynonymmap",
"format": "solr",
"synonyms": "United States, United States of America, USA\nWashington, Wash. => WA"
"synonyms": "United States, United States of America, USA\nWashington, Wash. => WA",
"encryptionKey": {
"keyVaultKeyName": "myUserManagedEncryptionKey-createdinAzureKeyVault",
"keyVaultKeyVersion": "myKeyVersion-32charAlphaNumericString",
"keyVaultUri": "https://myKeyVault.vault.azure.net",
"accessCredentials": null
}
}
},
"201": {
"body": {
"name": "mysynonymmap",
"format": "solr",
"synonyms": "United States, United States of America, USA\nWashington, Wash. => WA"
"synonyms": "United States, United States of America, USA\nWashington, Wash. => WA",
"encryptionKey": {
"keyVaultKeyName": "myUserManagedEncryptionKey-createdinAzureKeyVault",
"keyVaultKeyVersion": "myKeyVersion-32charAlphaNumericString",
"keyVaultUri": "https://myKeyVault.vault.azure.net",
"accessCredentials": null
}
}
}
}
Expand Up @@ -6,15 +6,33 @@
"synonymMap": {
"name": "mysynonymmap",
"format": "solr",
"synonyms": "United States, United States of America, USA\nWashington, Wash. => WA"
"synonyms": "United States, United States of America, USA\nWashington, Wash. => WA",
"encryptionKey": {
"keyVaultKeyName": "myUserManagedEncryptionKey-createdinAzureKeyVault",
"keyVaultKeyVersion": "myKeyVersion-32charAlphaNumericString",
"keyVaultUri": "https://myKeyVault.vault.azure.net",
"accessCredentials": {
"applicationId": "00000000-0000-0000-0000-000000000000",
"applicationSecret": "myApplicationSecret"
}
}
}
},
"responses": {
"201": {
"body": {
"name": "mysynonymmap",
"format": "solr",
"synonyms": "United States, United States of America, USA\nWashington, Wash. => WA"
"synonyms": "United States, United States of America, USA\nWashington, Wash. => WA",
"encryptionKey": {
"keyVaultKeyName": "myUserManagedEncryptionKey-createdinAzureKeyVault",
"keyVaultKeyVersion": "myKeyVersion-32charAlphaNumericString",
"keyVaultUri": "https://myKeyVault.vault.azure.net",
"accessCredentials": {
"applicationId": "00000000-0000-0000-0000-000000000000",
"applicationSecret": null
}
}
}
}
}
Expand Up @@ -229,6 +229,15 @@
"tempuri.org"
],
"maxAgeInSeconds": 60
},
"encryptionKey": {
"keyVaultKeyName": "myKeyName",
"keyVaultKeyVersion": "myKeyVersion",
"keyVaultUri": "https://myKeyVault.vault.azure.net",
"accessCredentials": {
"applicationId": "00000000-0000-0000-0000-000000000000",
"applicationSecret": null
}
}
}
}
Expand Up @@ -10,7 +10,16 @@
"body": {
"name": "mysynonymmap",
"format": "solr",
"synonyms": "United States, United States of America, USA\nWashington, Wash. => WA"
"synonyms": "United States, United States of America, USA\nWashington, Wash. => WA",
"encryptionKey": {
"keyVaultKeyName": "myKeyName",
"keyVaultKeyVersion": "myKeyVersion",
"keyVaultUri": "https://myKeyVault.vault.azure.net",
"accessCredentials": {
"applicationId": "00000000-0000-0000-0000-000000000000",
"applicationSecret": null
}
}
}
}
}
Expand Up @@ -231,6 +231,12 @@
"tempuri.org"
],
"maxAgeInSeconds": 60
},
"encryptionKey": {
"keyVaultKeyName": "myKeyName",
"keyVaultKeyVersion": "myKeyVersion",
"keyVaultUri": "https://myKeyVault.vault.azure.net",
"accessCredentials": null
}
},
{
Expand Down Expand Up @@ -272,7 +278,8 @@
"tokenizers": [],
"tokenFilters": [],
"charFilters": [],
"corsOptions": null
"corsOptions": null,
"encryptionKey": null
}
]
}
Expand Up @@ -11,12 +11,19 @@
{
"name": "mysynonymmap",
"format": "solr",
"synonyms": "United States, United States of America, USA\nWashington, Wash. => WA"
"synonyms": "United States, United States of America, USA\nWashington, Wash. => WA",
"encryptionKey": {
"keyVaultKeyName": "myKeyName",
"keyVaultKeyVersion": "myKeyVersion",
"keyVaultUri": "https://myKeyVault.vault.azure.net",
"accessCredentials": null
}
},
{
"name": "myothersynonymmap",
"format": "solr",
"synonyms": "couch, sofa, chesterfield\npop, soda\ntoque, hat"
"synonyms": "couch, sofa, chesterfield\npop, soda\ntoque, hat",
"encryptionKey": null
}
]
}
Expand Up @@ -4389,6 +4389,13 @@
"url": "https://docs.microsoft.com/rest/api/searchservice/Custom-analyzers-in-Azure-Search"
}
},
"encryptionKey": {
"$ref": "#/definitions/EncryptionKey",
"description": "A description of an encryption key that you create in Azure Key Vault. This key is used to provide an additional level of encryption-at-rest for your data when you want full assurance that no one, not even Microsoft, can decrypt your data in Azure Search. Once you have encrypted your data, it will always remain encrypted. Azure Search will ignore attempts to set this property to null. You can change this property as needed if you want to rotate your encryption key; Your data will be unaffected. Encryption with customer-managed keys is not available for free search services, and is only available for paid services created on or after January 1, 2019.",
"externalDocs": {
"url": "https://aka.ms/azure-search-encryption-with-cmk"
}
},
"@odata.etag": {
"x-ms-client-name": "ETag",
"type": "string",
Expand Down Expand Up @@ -5168,6 +5175,13 @@
"url": "https://docs.microsoft.com/rest/api/searchservice/Create-Synonym-Map#SynonymMapFormat"
}
},
"encryptionKey": {
"$ref": "#/definitions/EncryptionKey",
"description": "A description of an encryption key that you create in Azure Key Vault. This key is used to provide an additional level of encryption-at-rest for your data when you want full assurance that no one, not even Microsoft, can decrypt your data in Azure Search. Once you have encrypted your data, it will always remain encrypted. Azure Search will ignore attempts to set this property to null. You can change this property as needed if you want to rotate your encryption key; Your data will be unaffected. Encryption with customer-managed keys is not available for free search services, and is only available for paid services created on or after January 1, 2019.",
"externalDocs": {
"url": "https://aka.ms/azure-search-encryption-with-cmk"
}
},
"@odata.etag": {
"x-ms-client-name": "ETag",
"type": "string",
Expand Down Expand Up @@ -5195,6 +5209,51 @@
},
"description": "Response from a List SynonymMaps request. If successful, it includes the full definitions of all synonym maps."
},
"EncryptionKey": {
"properties": {
"keyVaultKeyName": {
"type": "string",
"description": "The name of your Azure Key Vault key to be used to encrypt your data at rest."
},
"keyVaultKeyVersion": {
"type": "string",
"description": "The version of your Azure Key Vault key to be used to encrypt your data at rest."
},
"keyVaultUri": {
"type": "string",
"description": "The URI of your Azure Key Vault, also referred to as DNS name, that contains the key to be used to encrypt your data at rest. An example URI might be https://my-keyvault-name.vault.azure.net."
},
"accessCredentials": {
"$ref": "#/definitions/AzureActiveDirectoryApplicationCredentials",
"description": "Optional Azure Active Directory credentials used for accessing your Azure Key Vault. Not required if using managed identity instead.",
"externalDocs": {
"url": "https://aka.ms/azure-search-msi"
}
}
},
"required": [
"keyVaultKeyName",
"keyVaultKeyVersion",
"keyVaultUri"
],
"description": "A customer-managed encryption key in Azure Key Vault. Keys that you create and manage can be used to encrypt or decrypt data-at-rest in Azure Search, such as indexes and synonym maps."
},
"AzureActiveDirectoryApplicationCredentials": {
"properties": {
"applicationId": {
"type": "string",
"description": "An AAD Application ID that was granted the required access permissions to the Azure Key Vault that is to be used when encrypting your data at rest. The Application ID should not be confused with the Object ID for your AAD Application."
},
"applicationSecret": {
"type": "string",
"description": "The authentication key of the specified AAD application."
}
},
"required": [
"applicationId"
],
"description" : "Credentials of a registered application created for your Azure Search service, used for authenticated access to the encryption keys stored in Azure Key Vault."
},
"ServiceStatistics": {
"properties": {
"counters": {
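Review bot: `applicationSecret` in the new `AzureActiveDirectoryApplicationCredentials` definition (third hunk) is a credential, but the schema types it as an ordinary string and does not say how it is handled on reads. The example files in this commit show it coming back as `null` in response bodies, so the description should state that contract, e.g. `"description": "The authentication key of the specified AAD application. Write-only: responses return null in place of the stored value."`. The property should also carry a secret marker such as `"format": "password"` (or the `x-ms-secret` extension, if the generator used for this spec honors it) so that generated SDKs and logging layers treat the value as sensitive. The `accessCredentials` description could additionally say that managed identity is the preferred option where available, since it avoids handing a long-lived application secret to the search service.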
