[ https://issues.apache.org/jira/browse/HADOOP-10141?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Owen O'Malley updated HADOOP-10141:
-----------------------------------
    Attachment: hadoop-10141.patch

Updated patch:
* Renamed JksProvider to JavaKeyStoreProvider
* Changed URL scheme for JavaKeyStoreProvider to jceks.

If we want to support other keystore types in the future, it should be relatively easy to add additional schemes to the JavaKeyStoreProvider.

> Create an API to separate encryption key storage from applications
> ------------------------------------------------------------------
>
>                 Key: HADOOP-10141
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10141
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>            Reporter: Owen O'Malley
>            Assignee: Owen O'Malley
>         Attachments: hadoop-10141.patch, hadoop-10141.patch
>
>
> As with the filesystem API, we need to provide a generic mechanism to support
> multiple key storage mechanisms that are potentially from third parties.
> An additional requirement for long term data lakes is to keep multiple
> versions of each key so that keys can be rolled periodically without
> requiring the entire data set to be re-written. Rolling keys provides
> containment in the event of keys being leaked.
> Toward that end, I propose an API that is configured using a list of URLs of
> KeyProviders. The implementation will look for implementations using the
> ServiceLoader interface and thus support third party libraries.
> Two providers will be included in this patch. One using the credentials cache
> in MapReduce jobs and the other using Java KeyStores from either HDFS or
> local file system.

--
This message was sent by Atlassian JIRA
(v6.1#6144)
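
The key-rolling requirement in the issue description above, as an added Java example (not code from the attached patch or from Hadoop): every record stores the name of the key version it was written under, so rolling the key changes only what new writes use and old data stays readable without a rewrite. The class `VersionedKeys`, the `name@N` version naming, and the choice of AES-GCM are assumptions made for illustration.

```java
import java.security.SecureRandom;
import java.util.*;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical in-memory store for illustration; not Hadoop's KeyProvider API.
public class VersionedKeys {
    private static final SecureRandom RNG = new SecureRandom();
    // key name -> key material per version; list index is the version number
    private final Map<String, List<byte[]>> keys = new HashMap<>();

    // Add a fresh 128-bit version. Older versions are kept for reads.
    String roll(String name) {
        byte[] material = new byte[16];
        RNG.nextBytes(material);
        List<byte[]> versions = keys.computeIfAbsent(name, k -> new ArrayList<>());
        versions.add(material);
        return name + "@" + (versions.size() - 1);   // assumed naming: name@N
    }
    String currentVersion(String name) {
        return name + "@" + (keys.get(name).size() - 1);
    }
    private SecretKeySpec key(String versionName) {
        int at = versionName.lastIndexOf('@');
        List<byte[]> versions = keys.get(versionName.substring(0, at));
        return new SecretKeySpec(versions.get(Integer.parseInt(versionName.substring(at + 1))), "AES");
    }
    // A stored record carries the version name it was encrypted under.
    record Sealed(String versionName, byte[] iv, byte[] ciphertext) {}

    Sealed encrypt(String name, byte[] plain) throws Exception {
        String v = currentVersion(name);             // new writes use the newest version
        byte[] iv = new byte[12];
        RNG.nextBytes(iv);                           // fresh nonce per record
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key(v), new GCMParameterSpec(128, iv));
        return new Sealed(v, iv, c.doFinal(plain));
    }
    byte[] decrypt(Sealed s) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key(s.versionName()), new GCMParameterSpec(128, s.iv()));
        return c.doFinal(s.ciphertext());            // throws if key or data is wrong
    }
    public static void main(String[] args) throws Exception {
        VersionedKeys store = new VersionedKeys();
        store.roll("lake");                                      // first version
        Sealed old = store.encrypt("lake", "row-1".getBytes());  // constructed sample data
        store.roll("lake");                                      // roll: second version
        Sealed fresh = store.encrypt("lake", "row-2".getBytes());
        System.out.println(old.versionName() + " -> " + new String(store.decrypt(old)));
        System.out.println(fresh.versionName() + " -> " + new String(store.decrypt(fresh)));
    }
}
```

Nested records need Java 16 or later. If one version leaks, only records tagged with that version name are exposed, which is the containment the description refers to.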