1. KiVi interface

The KiVi interface offers the user the ability to retrieve data directly, by accessing the Storage Engine of LeanXcale while keeping ACID transactions. This interface is typically used for fast ingestion.

KiVi is divided into multiple components:

  • KiVi Meta Server (KVMS) stores the metadata information.

  • KiVi Data Server (KVDS) stores the actual data.

  • KiVi Proxy (KVP) is used as a proxy to hide the connections between KiVi clients and KiVi Servers providing an unique endpoint for the clients.

1.1. Network encryption

All the communication between all the KiVi components and the clients are encoded using an implementation of the AES algorithm, specifically ECB and CBC mode. This encoding protocol is based on symmetric functions with AES 256 keys.

The implementation is verified against the test vectors in National Institute of Standards and Technology Special Publication 800-38A 2001 ED.

net kv

1.2. Data encryption

KiVi data encryption is delegated to the filesystem where KiVi stores its data. Usually, we recommend using OpenZFS that supports multiple encryption types:

  • aes-128-ccm

  • aes-192-ccm

  • aes-256-ccm (default in OpenZFS < 0.8.4)

  • aes-128-gcm

  • aes-192-gcm

  • aes-256-gcm (default in OpenZFS >= 0.8.4)

LeanXcale recommends using the last stable version of OpenZFS 2.1.0, that uses by default aes-256-gcm.

1.3. Authentication

To connect with KiVi with security enabled, an application certificate is needed. This certificate has to be provided to the KiVi API application to authenticate and authorize itself with KiVi. This certificate is also used to encode the network communication.

LeanXcale uses the following concept for its structure:

  1. Database: name of the database where all the tables are created

  2. Schema: under this schema, some tables may be created. These tables will only be accessible by the certificates that have access to this schema. Note that schemas are named after the SQL users by default.

To create a valid certificate for an application that uses the KiVi interface, the following is required:

  1. Create the user using the administration console, lxConsole. This has to be done with the following command. This command creates the user alice to use the database db. This step can be skipped if you already have a user created.

$ lxConsole addUser alice iAm@dmin db

  1. After creating the user, the certificate can be created. The following command shows an example to create the certificate application1 giving it permissions to access the tables created by the user alice. The command returns a string with the full path to the new certificate created. With this certificate, the application application1 has access to all the tables of the user alice.

$ lxConsole createCert application1 alice
/home/ubuntu/lxs/conf/certificates/application1.kcf

  1. The application that uses this certificate will have permissions to all the tables created by the alice user.

1.4. Authorization

When the certificate is created, the administrator has to specify the list of users, from which the application that uses the certificate will have access. The permissions of this application are restricted to the tables created by the users allowed in the certificate. In this case, the owner of the certificate has access to all the tables created from the list of users provided when the certificate was created. If these permissions need to be changed, it is necessary to create a new certificate. In this case, the granularity of permissions is granted per schema.