hadoop-common-issues mailing list archives

From "Andrew Wang (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-10719) Add generateEncryptedKey and decryptEncryptedKey methods to KeyProvider
Date Tue, 24 Jun 2014 17:03:24 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-10719?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14042368#comment-14042368 ]

Andrew Wang commented on HADOOP-10719:

Hey tucu, thought about this a little more. I can understand Owen and Larry's hesitations
about extending the KeyProvider API like this, since these ops involving EDEKs feel implementation-specific
to our plan for HDFS encryption. We're also going to need some API for rolling EDEKs,
likely a batch one.

With this in mind, how do you feel about splitting some of this stuff out to a new interface
implemented by the KMS (and I guess JKS for testing)? This way we can keep the KeyProvider
interface nice and clean, but still have what we need on the HDFS side.

> Add generateEncryptedKey and decryptEncryptedKey methods to KeyProvider
> -----------------------------------------------------------------------
>                 Key: HADOOP-10719
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10719
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 3.0.0
>            Reporter: Alejandro Abdelnur
>            Assignee: Alejandro Abdelnur
>         Attachments: HADOOP-10719.patch, HADOOP-10719.patch, HADOOP-10719.patch, HADOOP-10719.patch,
> This is a follow up on [HDFS-6134|https://issues.apache.org/jira/browse/HDFS-6134?focusedCommentId=14036044&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-14036044]
> KeyProvider API should have 2 new methods:
> * KeyVersion generateEncryptedKey(String keyVersionName, byte[] iv)
> * KeyVersion decryptEncryptedKey(String keyVersionName, byte[] iv, KeyVersion encryptedKey)
> The implementation would do a known transformation on the IV (i.e., xor the original IV with 0xff).
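The two methods from the issue description, as an added example that is not Hadoop's own code: a toy KeyProvider that wraps a freshly generated data-encryption key under a named key version using the IV transformation the issue describes (xor with 0xff), and unwraps it again on the decrypt path. It assumes AES-CTR for the wrapping and a 16-byte IV; the KeyProvider struct, the wrap helper and the key version names are constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KeyProvider maps key version names to key-encryption keys (KEKs), as a KMS/JKS stand-in.
type KeyProvider struct{ versions map[string][]byte }

// flipIV is the issue's "known transformation": xor each IV byte with 0xff.
func flipIV(iv []byte) []byte {
	out := make([]byte, len(iv))
	for i, b := range iv {
		out[i] = b ^ 0xff
	}
	return out
}

// wrap runs AES-CTR over data under the named KEK and the flipped IV. CTR is symmetric,
// so one routine both wraps a fresh DEK and unwraps an EDEK (AES-CTR is an assumption here).
func (p *KeyProvider) wrap(keyVersionName string, iv, data []byte) ([]byte, error) {
	if len(iv) != aes.BlockSize {
		return nil, fmt.Errorf("iv must be %d bytes, got %d", aes.BlockSize, len(iv))
	}
	// An unknown version looks up a nil key, which aes.NewCipher rejects.
	block, err := aes.NewCipher(p.versions[keyVersionName])
	if err != nil {
		return nil, fmt.Errorf("key version %q: %w", keyVersionName, err)
	}
	out := make([]byte, len(data))
	cipher.NewCTR(block, flipIV(iv)).XORKeyStream(out, data)
	return out, nil
}

// GenerateEncryptedKey mints a random 128-bit DEK and returns only the EDEK; the plaintext never leaves the provider.
func (p *KeyProvider) GenerateEncryptedKey(keyVersionName string, iv []byte) ([]byte, error) {
	dek := make([]byte, 16)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	return p.wrap(keyVersionName, iv, dek)
}

// DecryptEncryptedKey unwraps an EDEK; with CTR a wrong KEK version or IV yields garbage, not an error.
func (p *KeyProvider) DecryptEncryptedKey(keyVersionName string, iv, edek []byte) ([]byte, error) {
	return p.wrap(keyVersionName, iv, edek)
}
```

Because CTR carries no integrity check, a mismatched key version or IV decrypts silently to the wrong key material, so callers must track which version wrapped each EDEK.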
