-
Type: Task
-
Resolution: Unresolved
-
Priority: Minor - P4
-
None
-
Component/s: Client Side Encryption, CSOT
-
Needed
-
Summary
Some parts of FLE should be subject to `timeoutMS` but the specs (CSOT and client-side-encryption) don't mention these APIs. These APIs are:{}
- fetching kms credentials on demand
- the key management API
Motivation
Drivers that implement CSOT should implement it properly for all relevant APIs.
Who is the affected end user?
Driver engineers and potentially users.
How does this affect the end user?
Users might be surprised that certain APIs don't support CSOT, or might find that operations timeout without respecting timeoutMS.
How likely is it that this problem or use case will occur?
Unlikely, for initializing kms credentials. Unknown for the key management API.
If the problem does occur, what are the consequences and how severe are they?
Minor annoyance.
Is this issue urgent?
No.
Is this ticket required by a downstream team?
No.
Is this ticket only for tests?
No.
Acceptance Criteria
- Review the client-side-encryption spec for any additional APIs (or asynchronous operations used internally in FLE) that should be subject to timeoutMS.
- Clarify the CSOT and FLE spec to mention that these APIs should be subject to timeoutMS.
- Testing
- Add unified tests demonstrating that the key management API respects timeoutMS.
- Testing for other parts of FLE (including fetching kms credentials on demand) is tbd.
- related to
-
PYTHON-3621 On demand KMS credential lookups do not pass a timeout
- Closed