hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Andrew Wang (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-10719) Add generateEncryptedKey and decryptEncryptedKey methods to KeyProvider
Date Thu, 19 Jun 2014 21:19:25 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-10719?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14037905#comment-14037905
] 

Andrew Wang commented on HADOOP-10719:
--------------------------------------

Hi tucu, cool patch,

* Would prefer if the commented out TODO code was put in a follow-on JIRA or on the fs-encryption
branch
* Can we document the xorIV function, and why we do this? Naming it something like {{flipBits}}
might also be better, naming it xor made me think we were encrypting it.
* Shouldn't the new KeyProvider methods be abstract? The NN will be calling KMSClientProvider
methods, and KMSCP is a KP so these methods will be running on the NN, which based on the
HDFS-6134 comments is undesirable.
* Are there other uses for this method besides generating/decrypting EDEKs? I'm thinking we
should name these methods {{generateEncryptedDataEncryptionKey}} and so on for consistency
(though very verbose) since we are always returning EDEK as the versionName.
* Can we tighten up the visibility of the EDEK and DEK constants? Probably only useful in
tests.

> Add generateEncryptedKey and decryptEncryptedKey methods to KeyProvider
> -----------------------------------------------------------------------
>
>                 Key: HADOOP-10719
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10719
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 3.0.0
>            Reporter: Alejandro Abdelnur
>            Assignee: Alejandro Abdelnur
>         Attachments: HADOOP-10719.patch, HADOOP-10719.patch
>
>
> This is a follow up on [HDFS-6134|https://issues.apache.org/jira/browse/HDFS-6134?focusedCommentId=14036044&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-14036044]
> KeyProvider API should  have 2 new methods:
> * KeyVersion generateEncryptedKey(String keyVersionName, byte[] iv)
> * KeyVersion decryptEncryptedKey(String keyVersionName, byte[] iv, KeyVersion encryptedKey)
> The implementation would do a known transformation on the IV (i.e.: xor with 0xff the
original IV).



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Mime
View raw message