This is an automated email from the ASF dual-hosted git repository. elek pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/hadoop.git
The following commit(s) were added to refs/heads/trunk by this push: new 5c963a7 HDDS-2016. Add option to enforce GDPR in Bucket Create command 5c963a7 is described below commit 5c963a75d648cb36e7e36884f61616831229b25a Author: dchitlangia <dineshchitlan...@gmail.com> AuthorDate: Thu Sep 19 10:58:01 2019 +0200 HDDS-2016. Add option to enforce GDPR in Bucket Create command Closes #1458 --- hadoop-hdds/docs/content/gdpr/GDPR in Ozone.md | 42 ++++++++++++++++++++++ hadoop-hdds/docs/content/gdpr/_index.md | 38 ++++++++++++++++++++ hadoop-hdds/docs/content/shell/BucketCommands.md | 2 ++ .../hadoop/ozone/om/helpers/OmBucketArgs.java | 2 ++ .../hadoop/ozone/om/helpers/OmBucketInfo.java | 2 ++ .../web/ozShell/bucket/CreateBucketHandler.java | 14 ++++++++ .../ozone/web/ozShell/keys/InfoKeyHandler.java | 6 ++++ 7 files changed, 106 insertions(+) diff --git a/hadoop-hdds/docs/content/gdpr/GDPR in Ozone.md b/hadoop-hdds/docs/content/gdpr/GDPR in Ozone.md new file mode 100644 index 0000000..dd23e04 --- /dev/null +++ b/hadoop-hdds/docs/content/gdpr/GDPR in Ozone.md 
@@ -0,0 +1,42 @@
+---
+title: "GDPR in Ozone"
+date: "2019-September-17"
+weight: 5
+summary: GDPR in Ozone
+icon: user
+---
+<!---
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+
+
+Enabling GDPR compliance in Ozone is very straight forward. During bucket
+creation, you can specify `--enforcegdpr=true` or `-g=true` and this will
+ensure the bucket is GDPR compliant. Thus, any key created under this bucket
+will automatically be GDPR compliant.
+
+GDPR can only be enabled on a new bucket. For existing buckets, you would
+have to create a new GDPR compliant bucket and copy data from old bucket into
+ new bucket to take advantage of GDPR.
+
+Example to create a GDPR compliant bucket:
+
+`ozone sh bucket create --enforcegdpr=true /hive/jan`
+
+`ozone sh bucket create -g=true /hive/jan`
+
+If you want to create an ordinary bucket then you can skip `--enforcegdpr`
+and `-g` flags.
\ No newline at end of file
diff --git a/hadoop-hdds/docs/content/gdpr/_index.md b/hadoop-hdds/docs/content/gdpr/_index.md
new file mode 100644
index 0000000..9888369
--- /dev/null
+++ b/hadoop-hdds/docs/content/gdpr/_index.md
@@ -0,0 +1,38 @@
+---
+title: GDPR
+name: GDPR
+identifier: gdpr
+menu: main
+weight: 5
+---
+<!---
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ -->
+
+{{<jumbotron title="GDPR compliance in Ozone">}}
+ The General Data Protection Regulation (GDPR) is a law that governs how personal data should be handled. This is an European Union law, but due to the nature of software oftentimes spills into other geographies.
+ Ozone supports GDPR's Right to Erasure(Right to be Forgotten).
+{{</jumbotron>}}
+
+<div class="alert alert-warning" role="alert">
+If you would like to understand Ozone's GDPR framework at a greater
+depth, please take a look at <a href="https://issues.apache.org/jira/secure/attachment/12978992/Ozone%20GDPR%20Framework.pdf">Ozone GDPR Framework.</a>
+</div>
+
+Once you create a GDPR compliant bucket, any key created in that bucket will
+automatically by GDPR compliant.
+
+
diff --git a/hadoop-hdds/docs/content/shell/BucketCommands.md b/hadoop-hdds/docs/content/shell/BucketCommands.md
index f59f1ad..e817349 100644
--- a/hadoop-hdds/docs/content/shell/BucketCommands.md
+++ b/hadoop-hdds/docs/content/shell/BucketCommands.md
@@ -35,8 +35,10 @@ The `bucket create` command allows users to create a bucket. | Arguments | Comment | |--------------------------------|-----------------------------------------| +| -g, \-\-enforcegdpr | Optional, if set to true it creates a GDPR compliant bucket, if not specified or set to false, it creates an ordinary bucket. | Uri | The name of the bucket in **/volume/bucket** format. + {{< highlight bash >}} ozone sh bucket create /hive/jan {{< /highlight >}} diff --git a/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/helpers/OmBucketArgs.java b/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/helpers/OmBucketArgs.java index 8a938a9..aa6e8f5 100644 --- a/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/helpers/OmBucketArgs.java +++ b/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/helpers/OmBucketArgs.java @@ -112,6 +112,8 @@ public final class OmBucketArgs extends WithMetadata implements Auditable { Map<String, String> auditMap = new LinkedHashMap<>(); auditMap.put(OzoneConsts.VOLUME, this.volumeName); auditMap.put(OzoneConsts.BUCKET, this.bucketName); + auditMap.put(OzoneConsts.GDPR_FLAG, + this.metadata.get(OzoneConsts.GDPR_FLAG)); auditMap.put(OzoneConsts.IS_VERSION_ENABLED, String.valueOf(this.isVersionEnabled)); if(this.storageType != null){ diff --git a/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/helpers/OmBucketInfo.java b/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/helpers/OmBucketInfo.java index 4207583..eb10802 100644 --- a/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/helpers/OmBucketInfo.java +++ b/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/helpers/OmBucketInfo.java 
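Review bot: In the OmBucketArgs audit-map hunk, the added `auditMap.put(OzoneConsts.GDPR_FLAG, this.metadata.get(OzoneConsts.GDPR_FLAG));` records a null value whenever the bucket was created without the flag, so an audit reader cannot tell "GDPR not enforced" from "flag never recorded"; the OmBucketInfo hunk adds the identical line. Writing an explicit value, for example `this.metadata.getOrDefault(OzoneConsts.GDPR_FLAG, "false")`, would keep the audit trail unambiguous. How `metadata` is initialised in WithMetadata is not visible here; if it can be null at this point the new line throws, so a guard or a comment stating the invariant would help. The enclosing method starts and ends outside both hunks.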
@@ -202,6 +202,8 @@ public final class OmBucketInfo extends WithMetadata implements Auditable { Map<String, String> auditMap = new LinkedHashMap<>(); auditMap.put(OzoneConsts.VOLUME, this.volumeName); auditMap.put(OzoneConsts.BUCKET, this.bucketName); + auditMap.put(OzoneConsts.GDPR_FLAG, + this.metadata.get(OzoneConsts.GDPR_FLAG)); auditMap.put(OzoneConsts.ACLS, (this.acls != null) ? this.acls.toString() : null); auditMap.put(OzoneConsts.IS_VERSION_ENABLED, diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/web/ozShell/bucket/CreateBucketHandler.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/web/ozShell/bucket/CreateBucketHandler.java index 97d4ec7..237a7b2 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/web/ozShell/bucket/CreateBucketHandler.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/web/ozShell/bucket/CreateBucketHandler.java @@ -18,6 +18,7 @@ package org.apache.hadoop.ozone.web.ozShell.bucket; import org.apache.hadoop.hdds.protocol.StorageType; +import org.apache.hadoop.ozone.OzoneConsts; import org.apache.hadoop.ozone.client.BucketArgs; import org.apache.hadoop.ozone.client.OzoneBucket; import org.apache.hadoop.ozone.client.OzoneClient; @@ -44,6 +45,11 @@ public class CreateBucketHandler extends Handler { description = "bucket encryption key name") private String bekName; + @Option(names = {"--enforcegdpr", "-g"}, + description = "if true, indicates GDPR enforced bucket, " + + "false/unspecified indicates otherwise") + private Boolean isGdprEnforced; + /** * Executes create bucket. */ 
@@ -61,6 +67,14 @@ public class CreateBucketHandler extends Handler { .setStorageType(StorageType.DEFAULT) .setVersioning(false); + if(isGdprEnforced != null) { + if(isGdprEnforced) { + bb.addMetadata(OzoneConsts.GDPR_FLAG, String.valueOf(Boolean.TRUE)); + } else { + bb.addMetadata(OzoneConsts.GDPR_FLAG, String.valueOf(Boolean.FALSE)); + } + } + if (bekName != null) { if (!bekName.isEmpty()) { bb.setBucketEncryptionKey(bekName); diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/web/ozShell/keys/InfoKeyHandler.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/web/ozShell/keys/InfoKeyHandler.java index afc3ece..7cb54f2 100644 --- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/web/ozShell/keys/InfoKeyHandler.java +++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/web/ozShell/keys/InfoKeyHandler.java @@ -18,6 +18,7 @@ package org.apache.hadoop.ozone.web.ozShell.keys; +import org.apache.hadoop.ozone.OzoneConsts; import org.apache.hadoop.ozone.client.OzoneBucket; import org.apache.hadoop.ozone.client.OzoneClient; import org.apache.hadoop.ozone.client.OzoneKeyDetails; @@ -62,6 +63,11 @@ public class InfoKeyHandler extends Handler { OzoneVolume vol = client.getObjectStore().getVolume(volumeName); OzoneBucket bucket = vol.getBucket(bucketName); OzoneKeyDetails key = bucket.getKey(keyName); + // For compliance/security, GDPR Secret & Algorithm details are removed + // from local copy of metadata before printing. This doesn't remove these + // from Ozone Manager's actual metadata. + key.getMetadata().remove(OzoneConsts.GDPR_SECRET); + key.getMetadata().remove(OzoneConsts.GDPR_ALGORITHM); ObjectPrinter.printObjectAsJson(key); return null; --------------------------------------------------------------------- To unsubscribe, e-mail: common-commits-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-commits-h...@hadoop.apache.org
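Review bot: The GDPR decision is stored as an ordinary string entry in the bucket's metadata map via `bb.addMetadata(OzoneConsts.GDPR_FLAG, ...)`, and nothing in this hunk shows that key being reserved or validated on the Ozone Manager side. The docs added in this commit say GDPR can only be enabled on a new bucket, so it is worth confirming that other paths which accept bucket metadata cannot set or overwrite this key later. Separately, the nested if/else reduces to `if (isGdprEnforced != null) { bb.addMetadata(OzoneConsts.GDPR_FLAG, String.valueOf(isGdprEnforced)); }`. The enclosing method starts and ends outside the hunk.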
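Review bot: In the InfoKeyHandler hunk, removing `OzoneConsts.GDPR_SECRET` and `OzoneConsts.GDPR_ALGORITHM` only redacts what this one shell command prints; `bucket.getKey(keyName)` has already handed both values to the client, so any other consumer of the returned key details still sees them in the metadata map. If the client library needs them to read the key data, the comment should say so, and the secret would be better carried outside the user-visible metadata so that each printing or logging path does not have to remember to strip it. It is also not visible here whether `getMetadata()` returns a mutable, non-null map; an unmodifiable view would make `remove` throw, and printing a filtered copy avoids mutating the returned object. The enclosing method starts and ends outside the hunk.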