[ https://issues.apache.org/jira/browse/HADOOP-10141?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Owen O'Malley updated HADOOP-10141:
-----------------------------------
    Attachment: h-10141.patch

Jitendra,
  That's a good point, I changed the separator to '@' which is clean in URIs, but still reads well. I also added a findProvider utility to look through a list of providers to find the right one and updated the default to AES/CTR/NoPadding.

> Create an API to separate encryption key storage from applications
> ------------------------------------------------------------------
>
>                 Key: HADOOP-10141
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10141
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>            Reporter: Owen O'Malley
>            Assignee: Owen O'Malley
>         Attachments: h-10141.patch, hadoop-10141.patch, hadoop-10141.patch,
> hadoop-10141.patch
>
>
> As with the filesystem API, we need to provide a generic mechanism to support
> multiple key storage mechanisms that are potentially from third parties.
> An additional requirement for long term data lakes is to keep multiple
> versions of each key so that keys can be rolled periodically without
> requiring the entire data set to be re-written. Rolling keys provides
> containment in the event of keys being leaked.
> Toward that end, I propose an API that is configured using a list of URLs of
> KeyProviders. The implementation will look for implementations using the
> ServiceLoader interface and thus support third party libraries.
> Two providers will be included in this patch. One using the credentials cache
> in MapReduce jobs and the other using Java KeyStores from either HDFS or
> local file system.

--
This message was sent by Atlassian JIRA
(v6.1.4#6159)
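
The key-rolling property described in the issue, as an added Java example that is not code from the patch or from Hadoop: a record encrypted under an older key version stays readable after the key is rolled, because the record remembers which version it used. The class `VersionedKeyDemo`, its methods, the key name `datalake`, and the reading of '@' as joining a key name to a version number are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical in-memory key store; NOT the KeyProvider API from the patch.
public class VersionedKeyDemo {
    private static final SecureRandom RNG = new SecureRandom();
    private final Map<String, byte[]> material = new HashMap<>(); // "name@N" -> key bytes
    private final Map<String, Integer> current = new HashMap<>(); // name -> latest N

    // Adds a new version of the key; earlier versions are kept so old data stays readable.
    String rollNewVersion(String name) {
        int next = current.containsKey(name) ? current.get(name) + 1 : 0;
        current.put(name, next);
        byte[] key = new byte[16];
        RNG.nextBytes(key);
        String versionName = name + "@" + next; // assumed naming: key name, '@', version
        material.put(versionName, key);
        return versionName;
    }

    String currentVersion(String name) {
        return name + "@" + current.get(name);
    }

    // AES/CTR with a per-record IV. CTR provides no integrity; a real format also needs a MAC.
    byte[] crypt(int mode, String versionName, byte[] iv, byte[] data) throws Exception {
        Cipher c = Cipher.getInstance("AES/CTR/NoPadding");
        c.init(mode, new SecretKeySpec(material.get(versionName), "AES"), new IvParameterSpec(iv));
        return c.doFinal(data);
    }

    public static void main(String[] args) throws Exception {
        VersionedKeyDemo keys = new VersionedKeyDemo();
        String usedForOld = keys.rollNewVersion("datalake"); // first version of the key
        byte[] iv = new byte[16];
        RNG.nextBytes(iv); // fresh IV per record; never reuse an IV under the same key
        byte[] oldRecord = keys.crypt(Cipher.ENCRYPT_MODE, usedForOld, iv,
                "constructed sample record".getBytes(StandardCharsets.UTF_8));

        keys.rollNewVersion("datalake"); // roll: new writes pick up the newer version
        System.out.println("new writes use " + keys.currentVersion("datalake"));

        // The old record stored its key version name and IV, so no re-encryption is needed.
        byte[] plain = keys.crypt(Cipher.DECRYPT_MODE, usedForOld, iv, oldRecord);
        System.out.println(usedForOld + " -> " + new String(plain, StandardCharsets.UTF_8));
    }
}
```

If a version's key material leaks, only records written under that version name are exposed, which is the containment the issue description refers to.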