[ https://issues.apache.org/jira/browse/HADOOP-17255?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17201920#comment-17201920 ]

Akira Ajisaka edited comment on HADOOP-17255 at 10/16/20, 12:08 PM:
--------------------------------------------------------------------

{quote}It wouldn't work if the keystore is in a HDFS encryption zone (it would end up in a recursive loop). Storing key store in unencrypted HDFS could in theory work, but transmitting unencrypted key store compromises security.{quote}

Yes. Thank you for your explanation.

Note:
* I understand there are very few (or no) people using Hadoop KMS and the keystore is in unencrypted HDFS.
* Therefore it may not work even if this PR is merged.
* I'll use Ranger KMS instead because EMR recommends using it.
* Probably there are many users, so the quality of Ranger KMS is better than that of Hadoop KMS.

was (Author: ajisakaa):
bq. It wouldn't work if the keystore is in a HDFS encryption zone (it would end up in a recursive loop). Storing key store in unencrypted HDFS could in theory work, but transmitting unencrypted key store compromises security.

Yes. Thank you for your explanation.

Note:
* I understand there are very few (or no) people using Hadoop KMS and the keystore is in unencrypted HDFS.
* Therefore it may not work even if this PR is merged.
* I'll use Ranger KMS instead because CDP/EMR recommend using it.
* Probably there are many users, so the quality of Ranger KMS is better than that of Hadoop KMS.

> JavaKeyStoreProvider fails to create a new key if the keystore is HDFS
> ----------------------------------------------------------------------
>
>                 Key: HADOOP-17255
>                 URL: https://issues.apache.org/jira/browse/HADOOP-17255
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: kms
>            Reporter: Akira Ajisaka
>            Assignee: Akira Ajisaka
>            Priority: Major
>              Labels: pull-request-available
>          Time Spent: 1h 20m
>   Remaining Estimate: 0h
>
> The caller of JavaKeyStoreProvider#renameOrFail assumes that it throws
> FileNotFoundException if the src does not exist. However,
> JavaKeyStoreProvider#renameOrFail calls the old rename API. In
> DistributedFileSystem, the old API returns false if the src does not exist.
> That way JavaKeyStoreProvider fails to create a new key if the keystore is
> HDFS.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
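The issue description above boils down to an error-signalling mismatch: the caller is written for a method that throws FileNotFoundException when the source is missing, but the boolean-returning FileSystem.rename(Path, Path) just reports false on DistributedFileSystem, so the missing-source case is never recognised and key creation fails. The following is an added example, not Hadoop's own JavaKeyStoreProvider code and not the fix from the linked pull request: a hypothetical renameOrFail helper that converts a false return into the exception the caller expects, exercised against the local filesystem. It assumes hadoop-common on the classpath; the class and method names are made up for this illustration.

```java
// Added example (not Hadoop's JavaKeyStoreProvider code): a hypothetical
// renameOrFail helper that turns FileSystem.rename(Path, Path)'s boolean
// result into the FileNotFoundException its caller is written to handle.
import java.io.FileNotFoundException;
import java.io.IOException;
import java.nio.file.Files;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;

public class RenameOrFailExample {

    /**
     * Renames src to dst, throwing instead of returning false.
     *
     * FileSystem.rename(Path, Path) returns false for several unrelated
     * reasons (missing source, destination already present, permissions),
     * so a caller that only catches FileNotFoundException cannot tell them
     * apart. After a false result this helper calls getFileStatus(src),
     * which throws FileNotFoundException itself when the source is absent;
     * every other false result becomes a plain IOException.
     */
    static void renameOrFail(FileSystem fs, Path src, Path dst) throws IOException {
        if (fs.rename(src, dst)) {
            return;
        }
        // Throws FileNotFoundException when src does not exist: the exact
        // signal the caller expects for the missing-source case.
        fs.getFileStatus(src);
        throw new IOException("Rename failed: " + src + " -> " + dst);
    }

    public static void main(String[] args) throws IOException {
        // Demonstrated on the local filesystem (constructed temp directory).
        // DistributedFileSystem returns false for a missing source; the local
        // implementation may instead throw on its own, so the raw result is
        // simply reported rather than assumed. The wrapped call ends in
        // FileNotFoundException either way.
        FileSystem fs = FileSystem.getLocal(new Configuration());
        Path dir = new Path(Files.createTempDirectory("rename-demo").toUri());
        Path missing = new Path(dir, "keystore.jceks");      // never created
        Path backup = new Path(dir, "keystore.jceks.old");

        try {
            System.out.println("raw rename() returned " + fs.rename(missing, backup));
        } catch (IOException e) {
            System.out.println("raw rename() threw " + e.getClass().getSimpleName());
        }

        try {
            renameOrFail(fs, missing, backup);
            System.out.println("unexpected: renameOrFail succeeded");
        } catch (FileNotFoundException e) {
            System.out.println("renameOrFail threw FileNotFoundException: " + e.getMessage());
        }

        fs.delete(dir, true);
    }
}
```

The check after a false return is deliberately getFileStatus rather than a pre-flight exists() call: it keeps the single rename attempt as the primary operation and only consults the source's status to classify a failure, which avoids treating a file that vanished between an exists() check and the rename as a success path.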