hive-dev mailing list archives

From "Xiaomeng Huang (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HIVE-7934) Improve column level encryption with key management
Date Tue, 02 Sep 2014 03:20:20 GMT

     [ https://issues.apache.org/jira/browse/HIVE-7934?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Xiaomeng Huang updated HIVE-7934:
---------------------------------
    Description: 
HIVE-6329 provides a framework for column-level encryption/decryption. However, the implementation
in HIVE-6329 only uses Base64, which is an encoding without any key. It is not safe and has some problems:
With Base64WriteOnly, every user gets only the ciphertext from the client. With Base64Rewriter,
every user gets the plaintext from the client.
I have an improvement based on HIVE-7934 that uses key management.
{code}
-- region-aes-column.q
-- Builds region_aes_column as a copy of region whose r_name column is written
-- through the proposed AESRewriter column encoder.
--
-- NOTE(review): the key and IV are short literal demo values and appear twice,
-- once as session settings and once inside SERDEPROPERTIES. SERDEPROPERTIES are
-- part of the table definition, so the key is readable by anyone who can read
-- that definition or this script. A real deployment should resolve the key from
-- a protected key store instead. How AESRewriter would do that is not shown here.
--
-- NOTE(review): in the sample output that follows this script, every ciphertext
-- decodes to the same number of bytes as its plaintext, and the three values
-- beginning with A share their first ciphertext byte. That is consistent with one
-- key and IV being reused for every row in an unauthenticated stream-style mode,
-- which leaks equality and common prefixes between values. The cipher mode is not
-- visible in this message, so confirm against the AESRewriter source. A per-value
-- IV and an authenticated mode would avoid this.
SET hive.encrypt.key=123456789;
SET hive.encrypt.iv=123456;

DROP TABLE region_aes_column;

CREATE TABLE region_aes_column (
  r_regionkey INT,
  r_name STRING
)
ROW FORMAT SERDE 'org.apache.hadoop.hive.serde2.lazy.LazySimpleSerDe'
WITH SERDEPROPERTIES (
  'column.encode.columns'='r_name',
  'column.encode.classname'='org.apache.hadoop.hive.serde2.aes.AESRewriter',
  'column.encode.key'='123456789',
  'column.encode.iv'='123456'
)
STORED AS TEXTFILE;

INSERT OVERWRITE TABLE region_aes_column
SELECT
  r_regionkey,
  r_name
FROM region;

hive> select * from region_aes_column;
OK
0	/q5RTO1X
1	/qVGV+dV3g==
2	/rtKRA==
3	+r1RSv5T
4	8qFHQeJTvxWUadw=
Time taken: 0.666 seconds, Fetched: 5 row(s)

hive> set hive.encrypt.key=123456789;
hive> set hive.encrypt.iv=123456;
hive> select * from region_aes_column;
OK
0	AFRICA
1	AMERICA
2	ASIA
3	EUROPE
4	MIDDLE EAST
Time taken: 0.714 seconds, Fetched: 5 row(s)
{code}

  was:
Now HIVE-6329 is a framework of column level encryption/decryption. But the implementation
in HIVE-6329 is just use Base64, it is not safe and have some problems.
Base64WriteOnly can just get the ciphertext from client for any users. And Base64Rewriter
can just get plaintext from client for any users.
I have an improvement based HIVE-7934 using key management.
{code}
-- region-aes-column.q
set hive.encrypt.key=123456789;
set hive.encrypt.iv=123456; 
drop table region_aes_column;
create table region_aes_column (r_regionkey int, r_name string) ROW FORMAT SERDE 'org.apache.hadoop.hive.serde2.lazy.LazySimpleSerDe'
  WITH SERDEPROPERTIES ('column.encode.columns'='r_name', 'column.encode.classname'='org.apache.hadoop.hive.serde2.aes.AESRewriter',
'column.encode.key'='123456789', 'column.encode.iv'='123456') 
  STORED AS TEXTFILE;
insert overwrite table region_aes_column 
select 
  r_regionkey, r_name
from region;

hive> select * from region_aes_column;
OK
0	/q5RTO1X
1	/qVGV+dV3g==
2	/rtKRA==
3	+r1RSv5T
4	8qFHQeJTvxWUadw=
Time taken: 0.666 seconds, Fetched: 5 row(s)

hive> set hive.encrypt.key=123456789;
hive> set hive.encrypt.iv=123456;
hive> select * from region_aes_column;
OK
0	AFRICA
1	AMERICA
2	ASIA
3	EUROPE
4	MIDDLE EAST
Time taken: 0.714 seconds, Fetched: 5 row(s)
{code}


> Improve column level encryption with key management
> ---------------------------------------------------
>
>                 Key: HIVE-7934
>                 URL: https://issues.apache.org/jira/browse/HIVE-7934
>             Project: Hive
>          Issue Type: Improvement
>            Reporter: Xiaomeng Huang
>            Assignee: Xiaomeng Huang
>            Priority: Minor
>
> HIVE-6329 provides a framework for column-level encryption/decryption. However, the implementation
> in HIVE-6329 only uses Base64, which is an encoding without any key. It is not safe and has some problems:
> With Base64WriteOnly, every user gets only the ciphertext from the client. With Base64Rewriter,
> every user gets the plaintext from the client.
> I have an improvement based on HIVE-7934 that uses key management.
> {code}
> -- region-aes-column.q
> set hive.encrypt.key=123456789;
> set hive.encrypt.iv=123456; 
> drop table region_aes_column;
> create table region_aes_column (r_regionkey int, r_name string) ROW FORMAT SERDE 'org.apache.hadoop.hive.serde2.lazy.LazySimpleSerDe'
>   WITH SERDEPROPERTIES ('column.encode.columns'='r_name', 'column.encode.classname'='org.apache.hadoop.hive.serde2.aes.AESRewriter',
'column.encode.key'='123456789', 'column.encode.iv'='123456') 
>   STORED AS TEXTFILE;
> insert overwrite table region_aes_column 
> select 
>   r_regionkey, r_name
> from region;
> hive> select * from region_aes_column;
> OK
> 0	/q5RTO1X
> 1	/qVGV+dV3g==
> 2	/rtKRA==
> 3	+r1RSv5T
> 4	8qFHQeJTvxWUadw=
> Time taken: 0.666 seconds, Fetched: 5 row(s)
> hive> set hive.encrypt.key=123456789;
> hive> set hive.encrypt.iv=123456;
> hive> select * from region_aes_column;
> OK
> 0	AFRICA
> 1	AMERICA
> 2	ASIA
> 3	EUROPE
> 4	MIDDLE EAST
> Time taken: 0.714 seconds, Fetched: 5 row(s)
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
