hadoop-hdfs-issues mailing list archives

From "Hudson (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HDFS-10643) Namenode should use loginUser(hdfs) to generateEncryptedKey
Date Wed, 10 Aug 2016 23:27:22 GMT

    [ https://issues.apache.org/jira/browse/HDFS-10643?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15416195#comment-15416195

Hudson commented on HDFS-10643:

SUCCESS: Integrated in Hadoop-trunk-Commit #10256 (See [https://builds.apache.org/job/Hadoop-trunk-Commit/10256/])
HDFS-10643. Namenode should use loginUser(hdfs) to generateEncryptedKey. (xyao: rev ec289bbeceff064ad24e189db20a3e0a296822c1)
* hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestSecureEncryptionZoneWithKMS.java
* hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSDirEncryptionZoneOp.java

> Namenode should use loginUser(hdfs) to generateEncryptedKey
> -----------------------------------------------------------
>                 Key: HDFS-10643
>                 URL: https://issues.apache.org/jira/browse/HDFS-10643
>             Project: Hadoop HDFS
>          Issue Type: Bug
>          Components: encryption, namenode
>    Affects Versions: 2.6.0
>            Reporter: Xiaoyu Yao
>            Assignee: Xiaoyu Yao
>             Fix For: 2.8.0
>         Attachments: HDFS-10643.00.patch, HDFS-10643.01.patch, HDFS-10643.02.patch, HDFS-10643.03.patch, HDFS-10643.04.patch, HDFS-10643.05.patch
>
> KMSClientProvider is designed to be shared by different KMS clients. When HDFS Namenode as KMS client talks to KMS to generateEncryptedKey for new file creation from proxy user (hive, oozie), the proxyuser handling for KMSClientProvider in this case is unnecessary, which causes 1) an extra proxy user configuration allowing hdfs user to proxy its clients and 2) KMS acls to allow non-hdfs user for GENERATE_EEK operation.
>
> This ticket is opened to always use HDFS namenode login user (hdfs) when talking to KMS to generateEncryptedKey for new file creation. This way, we have a more secure KMS based HDFS encryption (we can set kms-acls to allow only hdfs user for GENERATE_EEK) with less configuration hassle for KMS to allow hdfs to proxy other users.

This message was sent by Atlassian JIRA
