From: "Owen O'Malley (JIRA)"
To: common-issues@hadoop.apache.org
Date: Wed, 4 Dec 2013 17:01:44 +0000 (UTC)
Subject: [jira] [Updated] (HADOOP-10141) Create an API to separate encryption key storage from applications

    [ https://issues.apache.org/jira/browse/HADOOP-10141?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Owen O'Malley updated HADOOP-10141:
-----------------------------------
    Status: Patch Available  (was: Open)

> Create an API to separate encryption key storage from applications
> ------------------------------------------------------------------
>
>                 Key: HADOOP-10141
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10141
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>            Reporter: Owen O'Malley
>            Assignee: Owen O'Malley
>         Attachments: hadoop-10141.patch
>
> As with the filesystem API, we need to provide a generic mechanism to support multiple key storage mechanisms that are potentially from third parties.
> An additional requirement for long term data lakes is to keep multiple versions of each key so that keys can be rolled periodically without requiring the entire data set to be re-written. Rolling keys provides containment in the event of keys being leaked.
> Toward that end, I propose an API that is configured using a list of URLs of KeyProviders. The implementation will look for implementations using the ServiceLoader interface and thus support third party libraries.
> Two providers will be included in this patch. One using the credentials cache in MapReduce jobs and the other using Java KeyStores from either HDFS or local file system.

--
This message was sent by Atlassian JIRA
(v6.1#6144)
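The versioned, multi-provider key API that the issue description sketches, written out as an added Python example (it is neither Hadoop code nor the attached patch). All names are hypothetical: PROVIDERS_BY_SCHEME stands in for the ServiceLoader lookup, and InMemoryKeyProvider for a keystore-backed provider; the point shown is that a roll creates a new current version while older versions stay resolvable by the "name@version" recorded with the data.

```python
# Added example (not Hadoop code): a sketch of the versioned, multi-provider key
# API the issue describes. Hypothetical names throughout; see the lead-in.
import os
from dataclasses import dataclass
from urllib.parse import urlparse

@dataclass(frozen=True)
class KeyVersion:
    name: str       # logical key name, e.g. "hr-data"
    version: int    # 0, 1, 2, ...; the highest version is the current key
    material: bytes

    @property
    def version_name(self):   # recorded alongside the data, e.g. "hr-data@0"
        return f"{self.name}@{self.version}"

class InMemoryKeyProvider:
    """Keeps every version of every key, so old data stays readable after a roll."""

    def __init__(self, uri):
        self.uri = uri
        self._keys = {}          # key name -> list of material, index = version

    def create_key(self, name, size=16):
        if name in self._keys:
            raise KeyError(f"key {name!r} already exists")
        self._keys[name] = [os.urandom(size)]
        return KeyVersion(name, 0, self._keys[name][0])

    def roll_new_version(self, name):
        versions = self._keys[name]                      # KeyError if unknown
        versions.append(os.urandom(len(versions[-1])))   # older versions kept
        return KeyVersion(name, len(versions) - 1, versions[-1])

    def get_key_version(self, version_name):
        name, _, ver = version_name.rpartition("@")
        v = self._keys.get(name, [])
        ok = ver.isdigit() and int(ver) < len(v)
        return KeyVersion(name, int(ver), v[int(ver)]) if ok else None

# Stand-in for ServiceLoader discovery: URI scheme -> provider implementation.
PROVIDERS_BY_SCHEME = {"jceks": InMemoryKeyProvider, "user": InMemoryKeyProvider}

def load_providers(uris):
    """One provider per configured URI, kept in configuration order."""
    return [PROVIDERS_BY_SCHEME[urlparse(u).scheme](u) for u in uris]

def find_key_version(providers, version_name):
    """The first configured provider that knows the key version answers."""
    hits = (p.get_key_version(version_name) for p in providers)
    return next((kv for kv in hits if kv is not None), None)
```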