hadoop-hdfs-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Sanjay Radia (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HDFS-6134) Transparent data at rest encryption
Date Thu, 14 Aug 2014 18:24:18 GMT

    [ https://issues.apache.org/jira/browse/HDFS-6134?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14097330#comment-14097330
] 

Sanjay Radia commented on HDFS-6134:
------------------------------------

Had a chat with Owen over the wehbhdfs issue and the solution I had proposed in [comment |
https://issues.apache.org/jira/browse/HDFS-6134?focusedCommentId=14096027&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-14096027].
He said that restricting the client connections from user hdfs are not necessary: the DN does
a doAs(user) . KMS is configured for hdfs to be proxy but it also blacklists hdfs (and other
superusers). That is the DN as a proxy cannot get a key for hdfs but it can get the keys for
other users. So this brings the httpfs and webhdfs solutions to be the same.

Owen proposed another solution where the  httpfs or DN daemons do *not* need to be trusted
proxies for the KMS. The user simply passes a KMS delegation token in the REST request (we
already pass HDFS delegation tokens). 



> Transparent data at rest encryption
> -----------------------------------
>
>                 Key: HDFS-6134
>                 URL: https://issues.apache.org/jira/browse/HDFS-6134
>             Project: Hadoop HDFS
>          Issue Type: New Feature
>          Components: security
>    Affects Versions: 3.0.0, 2.3.0
>            Reporter: Alejandro Abdelnur
>            Assignee: Charles Lamb
>         Attachments: HDFS-6134.001.patch, HDFS-6134.002.patch, HDFS-6134_test_plan.pdf,
HDFSDataatRestEncryption.pdf, HDFSDataatRestEncryptionProposal_obsolete.pdf, HDFSEncryptionConceptualDesignProposal-2014-06-20.pdf
>
>
> Because of privacy and security regulations, for many industries, sensitive data at rest
must be in encrypted form. For example: the health­care industry (HIPAA regulations), the
card payment industry (PCI DSS regulations) or the US government (FISMA regulations).
> This JIRA aims to provide a mechanism to encrypt HDFS data at rest that can be used transparently
by any application accessing HDFS via Hadoop Filesystem Java API, Hadoop libhdfs C library,
or WebHDFS REST API.
> The resulting implementation should be able to be used in compliance with different regulation
requirements.



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Mime
View raw message