[ https://issues.apache.org/jira/browse/HADOOP-14705?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16131776#comment-16131776 ]
Wei-Chiu Chuang commented on HADOOP-14705: ------------------------------------------ KMSUtil: The following method does not need to suppress warning if the json object is declared with generics type. {code} public static Map toJSON(KeyProvider.KeyVersion keyVersion) { Map<String,String> json = new HashMap<String,String>(); if (keyVersion != null) { json.put(KMSRESTConstants.NAME_FIELD, keyVersion.getName()); json.put(KMSRESTConstants.VERSION_NAME_FIELD, keyVersion.getVersionName()); json.put(KMSRESTConstants.MATERIAL_FIELD, Base64.encodeBase64URLSafeString( keyVersion.getMaterial())); } return json; } {code} Without any additional change, these methods do not need to suppress warning {code} public static Map toJSON(EncryptedKeyVersion encryptedKeyVersion) { Map json = new HashMap(); if (encryptedKeyVersion != null) { json.put(KMSRESTConstants.VERSION_NAME_FIELD, encryptedKeyVersion.getEncryptionKeyVersionName()); json.put(KMSRESTConstants.IV_FIELD, Base64 .encodeBase64URLSafeString(encryptedKeyVersion.getEncryptedKeyIv())); json.put(KMSRESTConstants.ENCRYPTED_KEY_VERSION_FIELD, toJSON(encryptedKeyVersion.getEncryptedKeyVersion())); } return json; } public static List<EncryptedKeyVersion> parseJSONEncKeyVersions(String keyName, List valueList) { checkNotNull(valueList, "valueList"); List<EncryptedKeyVersion> ekvs = new ArrayList<>(valueList.size()); if (!valueList.isEmpty()) { for (Object values : valueList) { Map valueMap = (Map) values; ekvs.add(parseJSONEncKeyVersion(keyName, valueMap)); } } return ekvs; } public static EncryptedKeyVersion parseJSONEncKeyVersion(String keyName, Map valueMap) { checkNotNull(valueMap, "valueMap"); String versionName = checkNotNull( (String) valueMap.get(KMSRESTConstants.VERSION_NAME_FIELD), KMSRESTConstants.VERSION_NAME_FIELD); byte[] iv = Base64.decodeBase64(checkNotNull( (String) valueMap.get(KMSRESTConstants.IV_FIELD), KMSRESTConstants.IV_FIELD)); Map encValueMap = checkNotNull((Map) valueMap.get(KMSRESTConstants.ENCRYPTED_KEY_VERSION_FIELD), KMSRESTConstants.ENCRYPTED_KEY_VERSION_FIELD); String encVersionName = checkNotNull((String) encValueMap.get(KMSRESTConstants.VERSION_NAME_FIELD), KMSRESTConstants.VERSION_NAME_FIELD); byte[] encKeyMaterial = Base64.decodeBase64(checkNotNull((String) encValueMap.get(KMSRESTConstants.MATERIAL_FIELD), KMSRESTConstants.MATERIAL_FIELD)); return new KMSClientProvider.KMSEncryptedKeyVersion(keyName, versionName, iv, encVersionName, encKeyMaterial); } public static KeyProvider.KeyVersion parseJSONKeyVersion(Map valueMap) { checkNotNull(valueMap, "valueMap"); KeyProvider.KeyVersion keyVersion = null; if (!valueMap.isEmpty()) { byte[] material = (valueMap.containsKey(KMSRESTConstants.MATERIAL_FIELD)) ? Base64.decodeBase64( (String) valueMap.get(KMSRESTConstants.MATERIAL_FIELD)) : null; String versionName = (String) valueMap.get(KMSRESTConstants.VERSION_NAME_FIELD); String keyName = (String) valueMap.get(KMSRESTConstants.NAME_FIELD); keyVersion = new KMSClientProvider.KMSKeyVersion(keyName, versionName, material); } return keyVersion; } {code} On another jira, [~shahrs87] mentioned a possibility to reuse CryptoCodec (making it a member variable of DefaultCryptoExtension). Is there any security concerns? If it is reused, and if CryptoCodec uses {{SecureRandom}}, the random numbers generated in {{DefaultCryptoExtension#generateEncryptedKey}} may become predictable. I don't come with a security background, but I am thinking it could be exploitable. > Add batched reencryptEncryptedKey interface to KMS > -------------------------------------------------- > > Key: HADOOP-14705 > URL: https://issues.apache.org/jira/browse/HADOOP-14705 > Project: Hadoop Common > Issue Type: Improvement > Components: kms > Reporter: Xiao Chen > Assignee: Xiao Chen > Attachments: HADOOP-14705.01.patch, HADOOP-14705.02.patch, > HADOOP-14705.03.patch, HADOOP-14705.04.patch, HADOOP-14705.05.patch, > HADOOP-14705.06.patch, HADOOP-14705.07.patch, HADOOP-14705.08.patch > > > HADOOP-13827 already enabled the KMS to re-encrypt a {{EncryptedKeyVersion}}. > As the performance results of HDFS-10899 turns out, communication overhead > with the KMS occupies the majority of the time. So this jira proposes to add > a batched interface to re-encrypt multiple EDEKs in 1 call. -- This message was sent by Atlassian JIRA (v6.4.14#64029) --------------------------------------------------------------------- To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org