Return-Path: X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183]) by cust-asf2.ponee.io (Postfix) with ESMTP id 9D235200C3A for ; Fri, 3 Mar 2017 07:19:51 +0100 (CET) Received: by cust-asf.ponee.io (Postfix) id 9BDCD160B7A; Fri, 3 Mar 2017 06:19:51 +0000 (UTC) Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by cust-asf.ponee.io (Postfix) with SMTP id E572E160B6F for ; Fri, 3 Mar 2017 07:19:50 +0100 (CET) Received: (qmail 9870 invoked by uid 500); 3 Mar 2017 06:19:50 -0000 Mailing-List: contact common-issues-help@hadoop.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Delivered-To: mailing list common-issues@hadoop.apache.org Received: (qmail 9859 invoked by uid 99); 3 Mar 2017 06:19:49 -0000 Received: from pnap-us-west-generic-nat.apache.org (HELO spamd3-us-west.apache.org) (209.188.14.142) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 03 Mar 2017 06:19:49 +0000 Received: from localhost (localhost [127.0.0.1]) by spamd3-us-west.apache.org (ASF Mail Server at spamd3-us-west.apache.org) with ESMTP id 3B8C318DBED for ; Fri, 3 Mar 2017 06:19:49 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at spamd3-us-west.apache.org X-Spam-Flag: NO X-Spam-Score: -1.547 X-Spam-Level: X-Spam-Status: No, score=-1.547 tagged_above=-999 required=6.31 tests=[KAM_ASCII_DIVIDERS=0.8, RP_MATCHES_RCVD=-2.999, SPF_NEUTRAL=0.652] autolearn=disabled Received: from mx1-lw-us.apache.org ([10.40.0.8]) by localhost (spamd3-us-west.apache.org [10.40.0.10]) (amavisd-new, port 10024) with ESMTP id AsnLVyt7os3e for ; Fri, 3 Mar 2017 06:19:47 +0000 (UTC) Received: from mailrelay1-us-west.apache.org (mailrelay1-us-west.apache.org [209.188.14.139]) by mx1-lw-us.apache.org (ASF Mail Server at mx1-lw-us.apache.org) with ESMTP id 1B2D85FD84 for ; Fri, 3 Mar 2017 06:19:47 +0000 (UTC) Received: from jira-lw-us.apache.org (unknown [207.244.88.139]) by mailrelay1-us-west.apache.org (ASF Mail Server at mailrelay1-us-west.apache.org) with ESMTP id 669AEE031F for ; Fri, 3 Mar 2017 06:19:46 +0000 (UTC) Received: from jira-lw-us.apache.org (localhost [127.0.0.1]) by jira-lw-us.apache.org (ASF Mail Server at jira-lw-us.apache.org) with ESMTP id A0D832415A for ; Fri, 3 Mar 2017 06:19:45 +0000 (UTC) Date: Fri, 3 Mar 2017 06:19:45 +0000 (UTC) From: "Yongjun Zhang (JIRA)" To: common-issues@hadoop.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Commented] (HADOOP-14104) Client should always ask namenode for kms provider path. MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 archived-at: Fri, 03 Mar 2017 06:19:51 -0000 [ https://issues.apache.org/jira/browse/HADOOP-14104?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15893802#comment-15893802 ] Yongjun Zhang commented on HADOOP-14104: ---------------------------------------- Thanks [~andrew.wang], good comments. Hi [~daryn], I like the sound of your proposal too {quote} I think the cleanest/most-compatible way is leveraging the Credentials instead of the config. We could inject a mapping of filesystem uri to kms uri via the secrets map. So now when the client needs to talk to the kms it can check the map, else fallback to getServerDefaults. {quote} Did you mean to use the following UserProvider method {code} @Override public synchronized CredentialEntry createCredentialEntry(String name, char[] credential) throws IOException { Text nameT = new Text(name); if (credentials.getSecretKey(nameT) != null) { throw new IOException("Credential " + name + " already exists in " + this); } credentials.addSecretKey(new Text(name), new String(credential).getBytes("UTF-8")); return new CredentialEntry(name, credential); } {code} to add mapping to the credential map? This mapping info for a remote cluster need to come from either the remote cluster conf, or the NN of the remote cluster, what's your thinking here? Would you please elaborate this approach? Is there any in-compatibility here? Thanks. > Client should always ask namenode for kms provider path. > -------------------------------------------------------- > > Key: HADOOP-14104 > URL: https://issues.apache.org/jira/browse/HADOOP-14104 > Project: Hadoop Common > Issue Type: Improvement > Components: kms > Reporter: Rushabh S Shah > Assignee: Rushabh S Shah > Attachments: HADOOP-14104-trunk.patch, HADOOP-14104-trunk-v1.patch > > > According to current implementation of kms provider in client conf, there can only be one kms. > In multi-cluster environment, if a client is reading encrypted data from multiple clusters it will only get kms token for local cluster. > Not sure whether the target version is correct or not. -- This message was sent by Atlassian JIRA (v6.3.15#6346) --------------------------------------------------------------------- To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org For additional commands, e-mail: common-issues-help@hadoop.apache.org