hadoop-hdfs-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Xiao Chen (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HDFS-12400) Provide a way for NN to drain the local key cache before re-encryption
Date Thu, 07 Sep 2017 22:13:00 GMT

    [ https://issues.apache.org/jira/browse/HDFS-12400?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16157761#comment-16157761
] 

Xiao Chen commented on HDFS-12400:
----------------------------------

Thank you for the review Wei-Chiu!

bq. nit
That only happens for start, so no need to log I think. :)

As chatted offline, {{flush()}} is technically required only for the JavaKeyStoreProvider.
For the tests, we need to flush if the key is rolled and we want to generate new edeks from
JKSP.

Looking at the test code, I think I can do better. In patch 2, key rollover is exacted to
a method and done differently for JKSP and KMSCP. This is to let JKSP tests still pass, yet
KMSCP cases the same as real cluster. Also fixed the checkstyle.



> Provide a way for NN to drain the local key cache before re-encryption
> ----------------------------------------------------------------------
>
>                 Key: HDFS-12400
>                 URL: https://issues.apache.org/jira/browse/HDFS-12400
>             Project: Hadoop HDFS
>          Issue Type: Bug
>          Components: encryption
>    Affects Versions: 3.0.0-beta1
>            Reporter: Xiao Chen
>            Assignee: Xiao Chen
>         Attachments: HDFS-12400.01.patch, HDFS-12400.02.patch
>
>
> In HDFS-12359, a fix for the KMS ACLs required for re-encryption was done. As part of
the fix,  the following code is used to make sure the local provider cache in the NN is drained.
> {code:java}
> if (dir.getProvider() instanceof CryptoExtension) {
>   ((CryptoExtension) dir.getProvider()).drain(keyName);
> }
> {code}
> This doesn't work, because the provider is {{KeyProviderCryptoExtension}} instead of
{{CryptoExtension}} - the latter is composite of the former.
> Unfortunately unit test didn't catch this, because it conveniently rolled the from the
NN's provider.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: hdfs-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-help@hadoop.apache.org


Mime
View raw message