Date: Thu, 7 Sep 2017 22:13:00 +0000 (UTC)
From: "Xiao Chen (JIRA)"
To: hdfs-issues@hadoop.apache.org
Subject: [jira] [Commented] (HDFS-12400) Provide a way for NN to drain the local key cache before re-encryption

    [ https://issues.apache.org/jira/browse/HDFS-12400?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16157761#comment-16157761 ]

Xiao Chen commented on HDFS-12400:
----------------------------------

Thank you for the review Wei-Chiu!

bq. nit

That only happens for start, so no need to log I think. :)

As chatted offline, {{flush()}} is technically required only for the JavaKeyStoreProvider. For the tests, we need to flush if the key is rolled and we want to generate new edeks from JKSP.

Looking at the test code, I think I can do better. In patch 2, key rollover is extracted to a method and done differently for JKSP and KMSCP. This is to let JKSP tests still pass, yet KMSCP cases the same as real cluster.

Also fixed the checkstyle.

> Provide a way for NN to drain the local key cache before re-encryption
> ----------------------------------------------------------------------
>
>                 Key: HDFS-12400
>                 URL: https://issues.apache.org/jira/browse/HDFS-12400
>             Project: Hadoop HDFS
>          Issue Type: Bug
>          Components: encryption
>    Affects Versions: 3.0.0-beta1
>            Reporter: Xiao Chen
>            Assignee: Xiao Chen
>         Attachments: HDFS-12400.01.patch, HDFS-12400.02.patch
>
>
> In HDFS-12359, a fix for the KMS ACLs required for re-encryption was done. As part of the fix, the following code is used to make sure the local provider cache in the NN is drained.
> {code:java}
> if (dir.getProvider() instanceof CryptoExtension) {
>   ((CryptoExtension) dir.getProvider()).drain(keyName);
> }
> {code}
> This doesn't work, because the provider is {{KeyProviderCryptoExtension}} instead of {{CryptoExtension}} - the latter is composite of the former.
> Unfortunately unit test didn't catch this, because it conveniently rolled the from the NN's provider.
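
The type-test pitfall described in the issue, as an added example that is not Hadoop code and not part of the original message: `CryptoExt`, `CachingExt`, `WrappingProvider` and the `zoneKey` sample are hypothetical stand-ins for the real classes. It shows the guard silently skipping the drain, one way to delegate instead, and a check on the cache contents (rather than on the branch) that exposes the stale entries.

```java
import java.util.ArrayDeque;
import java.util.HashMap;
import java.util.Map;
import java.util.Queue;

// All types below are hypothetical stand-ins, not Hadoop classes.
public class DrainCheckDemo {
  interface CryptoExt { void drain(String keyName); }

  // Extension that caches pre-generated EDEKs per key name.
  static class CachingExt implements CryptoExt {
    final Map<String, Queue<String>> cache = new HashMap<>();
    void warmUp(String keyName, String keyVersion) {
      cache.computeIfAbsent(keyName, k -> new ArrayDeque<>()).add("edek@" + keyVersion);
    }
    @Override public void drain(String keyName) { cache.remove(keyName); }
    int cached(String keyName) {
      Queue<String> q = cache.get(keyName);
      return q == null ? 0 : q.size();
    }
  }

  // Provider that holds the extension by composition and does not implement CryptoExt.
  static class WrappingProvider {
    private final CryptoExt ext;
    WrappingProvider(CryptoExt ext) { this.ext = ext; }
    void drain(String keyName) { ext.drain(keyName); } // explicit delegation
  }

  // Pattern from the issue: the type test is false for the wrapper, so nothing is drained.
  static boolean drainByTypeTest(Object provider, String keyName) {
    if (provider instanceof CryptoExt) {
      ((CryptoExt) provider).drain(keyName);
      return true;
    }
    return false;
  }

  public static void main(String[] args) {
    CachingExt ext = new CachingExt();
    WrappingProvider provider = new WrappingProvider(ext);
    ext.warmUp("zoneKey", "v1"); // constructed sample: EDEK cached before the key roll

    boolean ran = drainByTypeTest(provider, "zoneKey");
    System.out.println("type-test drain ran=" + ran + " cached=" + ext.cached("zoneKey"));

    provider.drain("zoneKey");
    System.out.println("delegated drain cached=" + ext.cached("zoneKey"));
    if (ext.cached("zoneKey") != 0) throw new AssertionError("stale EDEKs remain");
  }
}
```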