[ https://issues.apache.org/jira/browse/HADOOP-14104?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Rushabh S Shah updated HADOOP-14104: ------------------------------------ Status: Patch Available (was: Open) Added 2 member variable (optional in protobuf format) in FsServerDefaults: 1. namenodeSupportsProviderUri: to differentiate between empty keyProviderUri and namenode not supporting encrpytion zones and supporting backward compatibility. 2. keyProviderUri: New namenode returns namenodeSupportsProviderUri as true. If namenodeSupportsProviderUri is true, then the client will always trust whatever namenode returned in keyProviderUri. If namenodeSupportsProviderUri is false (that means the namenode is not upgraded), then the client will use it own conf as before thereby supporting backwards compatibility. {code:title=DFSClient.java|borderStyle=solid} public boolean isHDFSEncryptionEnabled() { try { return DFSUtilClient.isHDFSEncryptionEnabled(getKeyProviderUri()); } catch(IOException ioe) { return false; } } {code} {code:title=DFSClient.java|borderStyle=solid} private String getKeyProviderUri() throws IOException { FsServerDefaults serverDefaults = getServerDefaults(); return serverDefaults.getNamenodeSupportsProviderUri() ? serverDefaults.getKeyProviderUri() : conf.getTrimmed( CommonConfigurationKeysPublic.HADOOP_SECURITY_KEY_PROVIDER_PATH, ""); } {code} {{DFSClient#getServerDefaults}} throws IOExcpetion (StandbyException) If {{DFSUtilClient#isHDFSEncryptionEnabled}} throws IOException then I am returning false. Not sure what should I return. Comments are welcome. Please review. > Client should always ask namenode for kms provider path. > -------------------------------------------------------- > > Key: HADOOP-14104 > URL: https://issues.apache.org/jira/browse/HADOOP-14104 > Project: Hadoop Common > Issue Type: Bug > Components: kms > Reporter: Rushabh S Shah > Assignee: Rushabh S Shah > Attachments: HADOOP-14104-trunk.patch > > > According to current implementation of kms provider in client conf, there can > only be one kms. > In multi-cluster environment, if a client is reading encrypted data from > multiple clusters it will only get kms token for local cluster. > Not sure whether the target version is correct or not. -- This message was sent by Atlassian JIRA (v6.3.15#6346) --------------------------------------------------------------------- To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org