hadoop-hdfs-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Yi Liu (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HDFS-6605) Client server negotiation of cipher suite
Date Wed, 02 Jul 2014 12:23:25 GMT

    [ https://issues.apache.org/jira/browse/HDFS-6605?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14049862#comment-14049862
] 

Yi Liu commented on HDFS-6605:
------------------------------

Thanks Andrew, nice work.

It’s great to change {{CipherType}} to {{CipherSuite}}, then it’s consistent.  :)
I have gone through the patch, very good, I just have following comments:

*1.*
Could we change the name CipherSuite#algoBytes to CipherSuite#blockSize or CipherSuite#algBlockSize,
also {{getAlgorithmBlockBytes}} could be {{getAlgorithmBlockSize}}. Since we usually use this
terminology, please refer to:
http://en.wikipedia.org/wiki/Block_size_%28cryptography%29
I think It's enough that we add whether it’s counted in bits or bytes in java doc .

*2.*
In {{FSNamesystem#startFileInternal}}, the snippet code:

{code}
if (zone != null) {
      CipherSuite chosen = null;
      for (CipherSuite c : cipherSuites) {
…
…
{code}
We’d better to finish the logic, we don't have next step after getting "chosen", I see there
is no place calling {{FSDirectory#setFileEncryptionInfo}}. I think they should work together,
right? Otherwise, {{getFileEncryptionInfo}} will always return null.


*3.*
In {{hdfs.proto}}
{code}
/**
+ * Cipher suite.
+ */
+enum CipherSuite {
+    UNKNOWN = 1;
+    AES_CTR_NOPADDING = 2;
+}
{code}

We forgot the algorithm block size?

*4.*
In {{TestEncryptionZonesAPI.java}}, I think we need test to cover setting/getting File Encryption
Info successfully. 


> Client server negotiation of cipher suite
> -----------------------------------------
>
>                 Key: HDFS-6605
>                 URL: https://issues.apache.org/jira/browse/HDFS-6605
>             Project: Hadoop HDFS
>          Issue Type: Sub-task
>          Components: security
>    Affects Versions: fs-encryption (HADOOP-10150 and HDFS-6134)
>            Reporter: Andrew Wang
>            Assignee: Andrew Wang
>         Attachments: hdfs-6605.001.patch
>
>
> For compatibility purposes, the client and server should negotiate what cipher suite
to use based on their respective capabilities. This is also a way for the server to reject
old clients that do not support encryption.



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Mime
View raw message