accumulo-dev mailing list archives

From Josh Elser <josh.el...@gmail.com>
Subject ACCUMULO-958 - Pluggable encryption in walogs
Date Wed, 30 Jan 2013 14:13:08 GMT
All,

It's been a few days and I haven't seen much chatter at all on 
ACCUMULO-958 [1] since the patch was applied. There are a couple of 
concerns I have that I definitely want to see addressed before a 1.5.0 
release.

- It worries me that the provided patch is fail-open (when we can't load 
the configured encryption strategies/modules, we don't decrypt anything). 
I think for a security-minded database, we should probably be defaulting 
to fail-close; but, that brings up an issue, what happens when we can't 
encrypt a WAL? Do minor compactions fail gracefully? What does Accumulo do?

- John said he had been reviewing the patch before he applied it; it 
bothers me that there was a version of this patch that had been reviewed 
privately for some amount of time when we had already pushed back the 
feature freeze date by a week waiting for features that weren't done.

- The author noted himself with the deprecation of the CryptoModule 
interface that "we anticipate changing [this] in non-backwards 
compatible ways as we explore requirements for encryption in 
Accumulo...". This tells me that implementation of WAL encryption 
overall hasn't been properly thought out.

Given all of this, it gives me great pause to knowingly include this 
patch into a 1.5.0 release. I see no signs that this has been truly 
thought out, there is no default provided encryption strategy for 1.5.0 
with this patch for the WAL and there is still no support at all for 
RFile encryption (no end-to-end Accumulo encryption for a user). All of 
these issues considered make me believe that this is an incomplete 
feature that is not ready for an Apache Accumulo release.

Thoughts?

- Josh

[1] https://issues.apache.org/jira/browse/ACCUMULO-958
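
The fail-open versus fail-closed choice raised in the first bullet of the message above, as an added Java example; it is not code from the ACCUMULO-958 patch or from Accumulo. `WalCipher`, `load`, `XorCipher` and the class names are hypothetical, and the XOR module is a constructed placeholder, not encryption.

```java
import java.util.Arrays;

public class FailClosedLoaderDemo {
    /** Hypothetical stand-in for a pluggable WAL crypto module; not Accumulo's interface. */
    public interface WalCipher {
        byte[] decrypt(byte[] record);
    }

    /** What the fail-open path hands back: bytes are returned untouched. */
    static final class PassThrough implements WalCipher {
        public byte[] decrypt(byte[] record) { return record; }
    }

    /** Constructed sample module so the success path can run offline. */
    public static final class XorCipher implements WalCipher {
        public byte[] decrypt(byte[] record) {
            byte[] out = new byte[record.length];
            for (int i = 0; i < record.length; i++) out[i] = (byte) (record[i] ^ 0x5A);
            return out;
        }
    }

    /** Loads the configured module by class name; failClosed decides what a load failure means. */
    static WalCipher load(String className, boolean failClosed) {
        try {
            Class<?> c = Class.forName(className);
            return c.asSubclass(WalCipher.class).getDeclaredConstructor().newInstance();
        } catch (ReflectiveOperationException | ClassCastException e) {
            if (failClosed) {
                // Refuse to continue: an operator who configured encryption never gets plaintext handling.
                throw new IllegalStateException("cannot load configured crypto module " + className, e);
            }
            return new PassThrough(); // fail-open: processing silently continues without the module
        }
    }

    public static void main(String[] args) {
        byte[] record = {0x12, 0x34};                   // constructed sample bytes
        String missing = "example.MissingCryptoModule"; // constructed name, not on the classpath
        WalCipher open = load(missing, false);
        System.out.println("fail-open returned " + open.getClass().getSimpleName()
            + ", bytes unchanged: " + Arrays.equals(record, open.decrypt(record)));
        try {
            load(missing, true);
        } catch (IllegalStateException e) {
            System.out.println("fail-closed refused: " + e.getMessage());
        }
        WalCipher ok = load(XorCipher.class.getName(), true);
        System.out.println("configured module loaded: " + ok.getClass().getSimpleName());
    }
}
```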
