[jira] [Commented] (HADOOP-14705) Add batched reencryptEncryptedKey interface to KMS

Mon, 07 Aug 2017 16:05:33 -0700 

    [ 
https://issues.apache.org/jira/browse/HADOOP-14705?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16117517#comment-16117517
 ] 

Xiao Chen commented on HADOOP-14705:
------------------------------------

Thanks for reviewing [~shahrs87]. Will address other comments, but want to 
discuss on these 2:
bq. 1. It would be better if we don't fail if one EDEK fails to process.
Also thought about this, but didn't do for these reasons:
- it's hard to throw a clear exception to tell what went wrong on the failures. 
(i.e. throw first, or last, or some aggregated exception that contains all?)
- I'm not sure if a partially re-encrypted batch is useful to the clients. For 
namenode, it'll make tracking harder so NN will call again.
- Complexity on both the server (need to catch exception in the middle and 
continue the rest of the keys, potentially keeping the some of the exceptions 
for the final throw) and client (need to look up each key and logically handle 
differently, depending on whether the return is null)

bq. 4. KMSUtil.java Why do we need to use LinkedHashMap ?
I'm also not 100% sure why LinkedHashMap is required, probably not.
This patch is just moving the existing util methods, so I'd like to leave this 
change to a new jira for cleanness.

> Add batched reencryptEncryptedKey interface to KMS
> --------------------------------------------------
>
>                 Key: HADOOP-14705
>                 URL: https://issues.apache.org/jira/browse/HADOOP-14705
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: kms
>            Reporter: Xiao Chen
>            Assignee: Xiao Chen
>         Attachments: HADOOP-14705.01.patch, HADOOP-14705.02.patch
>
>
> HADOOP-13827 already enabled the KMS to re-encrypt a {{EncryptedKeyVersion}}.
> As the performance results of HDFS-10899 turns out, communication overhead 
> with the KMS occupies the majority of the time. So this jira proposes to add 
> a batched interface to re-encrypt multiple EDEKs in 1 call.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

Reply via email to