hadoop-common-issues mailing list archives

From "Colin Patrick McCabe (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-10735) Fall back AesCtrCryptoCodec implementation from OpenSSL to JCE if non native support.
Date Tue, 15 Jul 2014 21:31:08 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-10735?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14062681#comment-14062681 ]

Colin Patrick McCabe commented on HADOOP-10735:
-----------------------------------------------

{code}
+    for (Class<? extends CryptoCodec> klass : klasses) {
+      try {
+        codec = ReflectionUtils.newInstance(klass, conf);
+        if (codec.getCipherSuite().getName().equalsIgnoreCase(name)) {
+          LOG.info("Using crypto codec {}.", klass.getName());
+          return codec;
+        } else {
+          LOG.warn("Crypto codec {} doesn't meet the cipher suite {}.", 
+              klass.getName(), name);
+        }
+      } catch (Exception e) {
+        LOG.warn("Crypto codec {} is not available.", klass.getName());
+      }
+    }
{code}
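
Review bot: The catch block at the end of the loop logs only "Crypto codec {} is not available." and drops the caught exception, so the log gives an operator no way to tell why a configured codec was skipped. Pass e (or at least its message) to LOG.warn. Because the try covers both ReflectionUtils.newInstance and getCipherSuite(), a failure in either one is reported under the same "not available" text. Also, codec is assigned before the suite check and is not cleared in the else branch, so after the last iteration it can still hold an instance that failed the check; a loop-local variable for the candidate would keep a mismatched codec from being used by whatever follows the loop.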

Hmm.  With this code, we might ignore the fact that a crypto codec that was configured didn't
match the cipher suite, if there were another crypto codec that came first that was usable.

I'd rather have two loops, one to log the warning about bad codecs, and another to figure
out which codec to use.  That way users won't get a nasty surprise when the first codec they
configure doesn't work, and the second turns out not to match the cipher suite.

+1 once that's addressed.

> Fall back AesCtrCryptoCodec implementation from OpenSSL to JCE if non native support.
> -------------------------------------------------------------------------------------
>
>                 Key: HADOOP-10735
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10735
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: security
>    Affects Versions: fs-encryption (HADOOP-10150 and HDFS-6134)
>            Reporter: Yi Liu
>            Assignee: Yi Liu
>             Fix For: fs-encryption (HADOOP-10150 and HDFS-6134)
>
>         Attachments: HADOOP-10735.001.patch, HADOOP-10735.002.patch, HADOOP-10735.003.patch, HADOOP-10735.004.patch, HADOOP-10735.005.patch, HADOOP-10735.006.patch
>
>
> If there is no native support, or the OpenSSL version is too low to support AES-CTR, but {{OpensslAesCtrCryptoCodec}} is configured, we need to fall back to the JCE implementation.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
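
The two-pass selection suggested in the comment above, as an added sketch that is not part of the patch or of Hadoop's code. The Codec interface, the class names and the suite strings are hypothetical stand-ins constructed for illustration.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.function.Supplier;

public class CodecSelection {
  interface Codec { String suite(); }  // hypothetical stand-in for a crypto codec

  // Pass 1: probe every configured codec, keep the usable ones in order,
  // and return one warning per entry that is unavailable or mismatched.
  static List<String> validate(Map<String, Supplier<Codec>> configured,
                               String suite, Map<String, Codec> usable) {
    List<String> warnings = new ArrayList<>();
    for (Map.Entry<String, Supplier<Codec>> entry : configured.entrySet()) {
      try {
        Codec candidate = entry.getValue().get();
        if (candidate.suite().equalsIgnoreCase(suite)) {
          usable.put(entry.getKey(), candidate);
        } else {
          warnings.add(entry.getKey() + " does not match cipher suite " + suite);
        }
      } catch (RuntimeException | LinkageError ex) {
        warnings.add(entry.getKey() + " is not available: " + ex);
      }
    }
    return warnings;
  }

  // Pass 2: choose the first usable codec in configured order, or null.
  static Map.Entry<String, Codec> select(Map<String, Codec> usable) {
    return usable.isEmpty() ? null : usable.entrySet().iterator().next();
  }

  public static void main(String[] args) {
    // Constructed configuration: the first entry fails to load, the second
    // works, the third is configured for a different suite.
    Map<String, Supplier<Codec>> configured = new LinkedHashMap<>();
    configured.put("NativeCodec", () -> { throw new UnsatisfiedLinkError("no native library"); });
    configured.put("JceCodec", () -> () -> "AES/CTR/NoPadding");
    configured.put("OtherCodec", () -> () -> "OTHER/SUITE");

    Map<String, Codec> usable = new LinkedHashMap<>();
    for (String warning : validate(configured, "AES/CTR/NoPadding", usable)) {
      System.err.println("WARN " + warning);
    }
    Map.Entry<String, Codec> chosen = select(usable);
    System.out.println(chosen == null ? "no usable codec" : "using " + chosen.getKey());
  }
}
```

A single loop that returns at the first match would stop at JceCodec and never report the OtherCodec mismatch; here every bad entry is reported before the choice is made.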
