[ 
https://issues.apache.org/jira/browse/HADOOP-14104?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Rushabh S Shah updated HADOOP-14104:
------------------------------------
    Status: Patch Available  (was: Open)

Added 2 member variables (optional in protobuf format) in FsServerDefaults:
1. namenodeSupportsProviderUri: to differentiate between empty keyProviderUri 
and namenode not supporting encryption zones and supporting backward 
compatibility.
2. keyProviderUri: 

New namenode returns namenodeSupportsProviderUri as true.
If namenodeSupportsProviderUri is true, then the client will always trust 
whatever namenode returned in keyProviderUri.
If namenodeSupportsProviderUri is false (that means the namenode is not 
upgraded), then the client will use its own conf as before, thereby supporting 
backwards compatibility.

{code:title=DFSClient.java|borderStyle=solid}
  public boolean isHDFSEncryptionEnabled() {
    try {
      return DFSUtilClient.isHDFSEncryptionEnabled(getKeyProviderUri());
    } catch(IOException ioe) {
      return false;
    }
  }
{code}

{code:title=DFSClient.java|borderStyle=solid}
  private String getKeyProviderUri() throws IOException {
    FsServerDefaults serverDefaults = getServerDefaults();
    return serverDefaults.getNamenodeSupportsProviderUri() ?
        serverDefaults.getKeyProviderUri() : conf.getTrimmed(
        CommonConfigurationKeysPublic.HADOOP_SECURITY_KEY_PROVIDER_PATH, "");
  }
{code}

{{DFSClient#getServerDefaults}} throws IOException (StandbyException). 
If {{DFSUtilClient#isHDFSEncryptionEnabled}} throws IOException then I am 
returning false. 
Not sure what I should return.
Comments are welcome.

Please review.



> Client should always ask namenode for kms provider path.
> --------------------------------------------------------
>
>                 Key: HADOOP-14104
>                 URL: https://issues.apache.org/jira/browse/HADOOP-14104
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: kms
>            Reporter: Rushabh S Shah
>            Assignee: Rushabh S Shah
>         Attachments: HADOOP-14104-trunk.patch
>
>
> According to the current implementation of the kms provider in client conf, there can 
> only be one kms.
> In a multi-cluster environment, if a client is reading encrypted data from 
> multiple clusters, it will only get a kms token for the local cluster.
> Not sure whether the target version is correct or not.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
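
The fallback rule described in the comment above, as an added example that is not part of the attached patch or of Hadoop's code: a stand-alone Java model of the three namenode cases plus the IOException case, with a tri-state result so that "namenode could not be asked" stays distinct from "encryption disabled". `ServerDefaults`, `Namenode`, `Encryption`, `resolve`, `encryptionState` and the sample URIs are hypothetical stand-ins; it assumes a non-empty provider URI means encryption is enabled.

```java
import java.io.IOException;

public class KeyProviderResolution {
    // Hypothetical stand-in for FsServerDefaults with the two optional fields from the comment.
    record ServerDefaults(boolean namenodeSupportsProviderUri, String keyProviderUri) {}

    // Hypothetical stand-in for DFSClient#getServerDefaults, which may throw (e.g. StandbyException).
    interface Namenode { ServerDefaults getServerDefaults() throws IOException; }

    enum Encryption { ENABLED, DISABLED, UNKNOWN }

    // Rule from the comment: trust the namenode's value when it reports support,
    // otherwise fall back to the client's own configuration.
    static String resolve(ServerDefaults d, String clientConfUri) {
        return d.namenodeSupportsProviderUri() ? d.keyProviderUri() : clientConfUri.trim();
    }

    // Tri-state variant: an IOException maps to UNKNOWN instead of being folded into "disabled".
    // Assumption: a non-empty provider URI means encryption is enabled.
    static Encryption encryptionState(Namenode nn, String clientConfUri) {
        try {
            String uri = resolve(nn.getServerDefaults(), clientConfUri);
            return uri.isEmpty() ? Encryption.DISABLED : Encryption.ENABLED;
        } catch (IOException e) {
            return Encryption.UNKNOWN;
        }
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from the issue.
        String conf = "kms://http@local-kms.example:9600/kms";
        String remote = "kms://http@remote-kms.example:9600/kms";

        // Upgraded namenode with a URI: the namenode's value wins over client conf.
        System.out.println(resolve(new ServerDefaults(true, remote), conf));
        // Upgraded namenode with an empty URI: client conf is ignored, no provider.
        System.out.println(encryptionState(() -> new ServerDefaults(true, ""), conf));
        // Namenode that is not upgraded: flag is false, client conf is used as before.
        System.out.println(encryptionState(() -> new ServerDefaults(false, ""), conf));
        // Standby namenode: a boolean API that catches the exception would report false here.
        System.out.println(encryptionState(() -> { throw new IOException("standby"); }, conf));
    }
}
```

Requires Java 16 or later for `record`. A caller that receives `UNKNOWN` can retry or fail the operation rather than proceed as if no key provider existed.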
