hadoop-hdfs-issues mailing list archives

From "Hudson (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HDFS-11210) Enhance key rolling to guarantee new KeyVersion is returned from generateEncryptedKeys after a key is rolled
Date Wed, 08 Feb 2017 05:47:41 GMT

    [ https://issues.apache.org/jira/browse/HDFS-11210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15857453#comment-15857453 ]

Hudson commented on HDFS-11210:
-------------------------------

SUCCESS: Integrated in Jenkins build Hadoop-trunk-Commit #11221 (See [https://builds.apache.org/job/Hadoop-trunk-Commit/11221/])
HDFS-11210. Enhance key rolling to guarantee new KeyVersion is returned (xiao: rev 2007e0cf2ad371e2dbf533c367f09c1f5acd1c0b)
* (edit) hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KeyAuthorizationKeyProvider.java
* (edit) hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMSAudit.java
* (edit) hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java
* (edit) hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSRESTConstants.java
* (edit) hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/KeyProvider.java
* (edit) hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/ValueQueue.java
* (edit) hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/TestEncryptionZones.java
* (edit) hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/KeyProviderExtension.java
* (edit) hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/EagerKeyGeneratorKeyProviderCryptoExtension.java
* (edit) hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMS.java
* (edit) hadoop-common-project/hadoop-kms/src/site/markdown/index.md.vm
* (edit) hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/LoadBalancingKMSClientProvider.java
* (edit) hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/key/TestKeyShell.java
* (edit) hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/CachingKeyProvider.java
* (edit) hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/KeyShell.java
* (edit) hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMS.java


> Enhance key rolling to guarantee new KeyVersion is returned from generateEncryptedKeys after a key is rolled
> ------------------------------------------------------------------------------------------------------------
>
>                 Key: HDFS-11210
>                 URL: https://issues.apache.org/jira/browse/HDFS-11210
>             Project: Hadoop HDFS
>          Issue Type: Improvement
>          Components: encryption, kms
>    Affects Versions: 2.6.5
>            Reporter: Xiao Chen
>            Assignee: Xiao Chen
>             Fix For: 3.0.0-alpha3
>
>         Attachments: HDFS-11210.01.patch, HDFS-11210.02.patch, HDFS-11210.03.patch, HDFS-11210.04.patch, HDFS-11210.05.patch
>
>
> To support re-encrypting EDEK, we need to make sure that after a key is rolled, no old version EDEKs are used anymore. This includes various caches when generating EDEK.
> This is not true currently, simply because there were no such requirements / necessities before.
> This includes
> - Client Provider(s), and corresponding cache(s).
> When LoadBalancingKMSCP is used, we need to clear all KMSCPs.
> - KMS server instance(s), and corresponding cache(s)
> When KMS HA is configured with multiple KMS instances, only 1 will receive the {{rollNewVersion}} request; we need to make sure other instances are rolled too.
> - The Client instance inside NN(s), and corresponding cache(s)
> When {{hadoop key roll}} succeeds, the client provider inside NN should be drained too.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
