[jira] [Commented] (HADOOP-13443) KMS uses DefaultCryptoProvider when active keyprovider implements KeyProviderCryptoExtension

Fri, 29 Jul 2016 16:57:31 -0700 

    [ 
https://issues.apache.org/jira/browse/HADOOP-13443?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15400269#comment-15400269
 ] 

Xiao Chen commented on HADOOP-13443:
------------------------------------

Thanks very much for finding and fixing this, 
[~anthony.young-gar...@cloudera.com]!

Patch looks good in general. A few comments:
- Before this patch, if the {{KeyProvider}} itself implements 
{{CryptoExtension}}, it will be used, no matter whether it implements 
{{KeyProviderExtension}} or not. This behavior is changed from this patch, is 
it what we intend to do? IMHO we should check on {{CryptoExtension}} first, and 
add the {{KeyProviderExtension}} check as a fall back of the former.

- In patch 1, if {{keyProvider instanceof KeyProviderExtension == true}} but 
{{keyProviderExtension.getKeyProvider() instanceof 
KeyProviderCryptoExtension.CryptoExtension == false}}, {{cryptoExtension}} will 
end up being {{null}}. Let's make sure the default is used in any case.

- Please fix the checkstyle warnings.

> KMS uses DefaultCryptoProvider when active keyprovider implements 
> KeyProviderCryptoExtension
> --------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-13443
>                 URL: https://issues.apache.org/jira/browse/HADOOP-13443
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: kms
>    Affects Versions: 2.6.0
>            Reporter: Anthony Young-Garner
>            Assignee: Anthony Young-Garner
>            Priority: Minor
>         Attachments: HADOOP-13443.patch
>
>
> By default, the KMS wraps the active key provider in a CachingKeyProvider at 
> runtime. This prevents the 
> KeyProviderCryptoExtension.createKeyProviderCryptoExtension method from ever 
> detecting whether the active key provider implements 
> theKeyProviderCryptoExtension interface. Therefore, the 
> DefaultCryptoExtension is always used. 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

Reply via email to