hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Hadoop QA (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-10433) Key Management Server based on KeyProvider API
Date Sat, 26 Apr 2014 10:02:16 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-10433?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13981935#comment-13981935
] 

Hadoop QA commented on HADOOP-10433:
------------------------------------

{color:red}-1 overall{color}.  Here are the results of testing the latest attachment 
  http://issues.apache.org/jira/secure/attachment/12642061/HADOOP-10433.patch
  against trunk revision .

    {color:green}+1 @author{color}.  The patch does not contain any @author tags.

    {color:green}+1 tests included{color}.  The patch appears to include 5 new or modified
test files.

    {color:green}+1 javac{color}.  The applied patch does not increase the total number of
javac compiler warnings.

    {color:green}+1 javadoc{color}.  There were no new javadoc warning messages.

    {color:green}+1 eclipse:eclipse{color}.  The patch built with eclipse:eclipse.

    {color:red}-1 findbugs{color}.  The patch appears to introduce 1 new Findbugs (version
1.3.9) warnings.

    {color:green}+1 release audit{color}.  The applied patch does not increase the total number
of release audit warnings.

    {color:red}-1 core tests{color}.  The patch failed these unit tests in hadoop-assemblies
hadoop-common-project/hadoop-common hadoop-common-project/hadoop-kms hadoop-dist hadoop-hdfs-project/hadoop-hdfs
hadoop-hdfs-project/hadoop-hdfs-httpfs hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient
hadoop-mapreduce-project/hadoop-mapreduce-examples hadoop-tools/hadoop-openstack hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common:

                  org.apache.hadoop.mapreduce.lib.db.TestDBJob
                  org.apache.hadoop.hdfs.tools.offlineEditsViewer.TestOfflineEditsViewer

                                      The following test timeouts occurred in hadoop-assemblies
hadoop-common-project/hadoop-common hadoop-common-project/hadoop-kms hadoop-dist hadoop-hdfs-project/hadoop-hdfs
hadoop-hdfs-project/hadoop-hdfs-httpfs hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient
hadoop-mapreduce-project/hadoop-mapreduce-examples hadoop-tools/hadoop-openstack hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common:

org.apache.hadoop.mapred.pipes.TestPipeApplication

    {color:green}+1 contrib tests{color}.  The patch passed contrib unit tests.

Test results: https://builds.apache.org/job/PreCommit-HADOOP-Build/3856//testReport/
Findbugs warnings: https://builds.apache.org/job/PreCommit-HADOOP-Build/3856//artifact/trunk/patchprocess/newPatchFindbugsWarningshadoop-kms.html
Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/3856//console

This message is automatically generated.

> Key Management Server based on KeyProvider API
> ----------------------------------------------
>
>                 Key: HADOOP-10433
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10433
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 3.0.0
>            Reporter: Alejandro Abdelnur
>            Assignee: Alejandro Abdelnur
>         Attachments: HADOOP-10433.patch, HADOOP-10433.patch, HADOOP-10433.patch, HadoopKMSDocsv2.pdf,
KMS-doc.pdf
>
>
> (from HDFS-6134 proposal)
> Hadoop KMS is the gateway, for Hadoop and Hadoop clients, to the underlying KMS. It provides
an interface that works with existing Hadoop security components (authenticatication, confidentiality).
> Hadoop KMS will be implemented leveraging the work being done in HADOOP-10141 and HADOOP-10177.
> Hadoop KMS will provide an additional implementation of the Hadoop KeyProvider class.
This implementation will be a client-server implementation.
> The client-server protocol will be secure:
> * Kerberos HTTP SPNEGO (authentication)
> * HTTPS for transport (confidentiality and integrity)
> * Hadoop ACLs (authorization)
> The Hadoop KMS implementation will not provide additional ACL to access encrypted files.
For sophisticated access control requirements, HDFS ACLs (HDFS-4685) should be used.
> Basic key administration will be supported by the Hadoop KMS via the, already available,
Hadoop KeyShell command line tool
> There are minor changes that must be done in Hadoop KeyProvider functionality:
> The KeyProvider contract, and the existing implementations, must be thread-safe
> KeyProvider API should have an API to generate the key material internally
> JavaKeyStoreProvider should use, if present, a password provided via configuration
> KeyProvider Option and Metadata should include a label (for easier cross-referencing)
> To avoid overloading the underlying KeyProvider implementation, the Hadoop KMS will cache
keys using a TTL policy.
> Scalability and High Availability of the Hadoop KMS can achieved by running multiple
instances behind a VIP/Load-Balancer. For High Availability, the underlying KeyProvider implementation
used by the Hadoop KMS must be High Available.



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Mime
View raw message