[ 
https://issues.apache.org/jira/browse/HADOOP-10433?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13990229#comment-13990229
 ] 

Hudson commented on HADOOP-10433:
---------------------------------

SUCCESS: Integrated in Hadoop-trunk-Commit #5593 (See 
[https://builds.apache.org/job/Hadoop-trunk-Commit/5593/])
HADOOP-10433. Key Management Server based on KeyProvider API. (tucu) (tucu: 
http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1592637)
* /hadoop/common/trunk/.gitignore
* 
/hadoop/common/trunk/hadoop-assemblies/src/main/resources/assemblies/hadoop-kms-dist.xml
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt
* 
/hadoop/common/trunk/hadoop-common-project/hadoop-common/dev-support/findbugsExcludeFile.xml
* 
/hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms
* 
/hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java
* 
/hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSRESTConstants.java
* 
/hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/resources/META-INF/services/org.apache.hadoop.crypto.key.KeyProviderFactory
* /hadoop/common/trunk/hadoop-common-project/hadoop-kms
* /hadoop/common/trunk/hadoop-common-project/hadoop-kms/dev-support
* 
/hadoop/common/trunk/hadoop-common-project/hadoop-kms/dev-support/findbugsExcludeFile.xml
* /hadoop/common/trunk/hadoop-common-project/hadoop-kms/pom.xml
* /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src
* /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/main
* /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/main/conf
* 
/hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/main/conf/kms-acls.xml
* /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/main/conf/kms-env.sh
* 
/hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/main/conf/kms-log4j.properties
* 
/hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/main/conf/kms-site.xml
* /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/main/java
* /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/main/java/org
* /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/main/java/org/apache
* 
/hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop
* 
/hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto
* 
/hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key
* 
/hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms
* 
/hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server
* 
/hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMS.java
* 
/hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSACLs.java
* 
/hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSAudit.java
* 
/hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSAuthenticationFilter.java
* 
/hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSCacheKeyProvider.java
* 
/hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSConfiguration.java
* 
/hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSExceptionsProvider.java
* 
/hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSJSONReader.java
* 
/hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSJSONWriter.java
* 
/hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSMDCFilter.java
* 
/hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSServerJSONUtils.java
* 
/hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSWebApp.java
* /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/main/libexec
* 
/hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/main/libexec/kms-config.sh
* /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/main/sbin
* /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/main/sbin/kms.sh
* /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/main/tomcat
* /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/main/tomcat/ROOT
* 
/hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/main/tomcat/ROOT/WEB-INF
* 
/hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/main/tomcat/ROOT/WEB-INF/web.xml
* 
/hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/main/tomcat/ROOT/index.html
* 
/hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/main/tomcat/logging.properties
* 
/hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/main/tomcat/server.xml
* 
/hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/main/tomcat/ssl-server.xml
* /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/main/webapp
* /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/main/webapp/WEB-INF
* 
/hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/main/webapp/WEB-INF/web.xml
* /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/site
* /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/site/apt
* 
/hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/site/apt/index.apt.vm
* /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/site/resources
* /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/site/resources/css
* 
/hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/site/resources/css/site.css
* /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/site/site.xml
* /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/test
* /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/test/java
* /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/test/java/org
* /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/test/java/org/apache
* 
/hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop
* 
/hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto
* 
/hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key
* 
/hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms
* 
/hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server
* 
/hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMS.java
* 
/hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMSACLs.java
* 
/hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMSCacheKeyProvider.java
* /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/test/resources
* 
/hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/test/resources/log4j.properties
* /hadoop/common/trunk/hadoop-common-project/pom.xml
* /hadoop/common/trunk/hadoop-dist/pom.xml
* /hadoop/common/trunk/hadoop-project/pom.xml
* /hadoop/common/trunk/hadoop-project/src/site/site.xml


> Key Management Server based on KeyProvider API
> ----------------------------------------------
>
>                 Key: HADOOP-10433
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10433
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 3.0.0
>            Reporter: Alejandro Abdelnur
>            Assignee: Alejandro Abdelnur
>             Fix For: 3.0.0
>
>         Attachments: HADOOP-10433.patch, HADOOP-10433.patch, 
> HADOOP-10433.patch, HADOOP-10433.patch, HADOOP-10433.patch, 
> HADOOP-10433.patch, HADOOP-10433.patch, HADOOP-10433.patch, 
> HADOOP-10433.patch, HADOOP-10433.patch, HADOOP-10433.patch, 
> HADOOP-10433.patch, HadoopKMSDocsv2.pdf, KMS-doc.pdf
>
>
> (from HDFS-6134 proposal)
> Hadoop KMS is the gateway, for Hadoop and Hadoop clients, to the underlying 
> KMS. It provides an interface that works with existing Hadoop security 
> components (authenticatication, confidentiality).
> Hadoop KMS will be implemented leveraging the work being done in HADOOP-10141 
> and HADOOP-10177.
> Hadoop KMS will provide an additional implementation of the Hadoop 
> KeyProvider class. This implementation will be a client-server implementation.
> The client-server protocol will be secure:
> * Kerberos HTTP SPNEGO (authentication)
> * HTTPS for transport (confidentiality and integrity)
> * Hadoop ACLs (authorization)
> The Hadoop KMS implementation will not provide additional ACL to access 
> encrypted files. For sophisticated access control requirements, HDFS ACLs 
> (HDFS-4685) should be used.
> Basic key administration will be supported by the Hadoop KMS via the, already 
> available, Hadoop KeyShell command line tool
> There are minor changes that must be done in Hadoop KeyProvider functionality:
> The KeyProvider contract, and the existing implementations, must be 
> thread-safe
> KeyProvider API should have an API to generate the key material internally
> JavaKeyStoreProvider should use, if present, a password provided via 
> configuration
> KeyProvider Option and Metadata should include a label (for easier 
> cross-referencing)
> To avoid overloading the underlying KeyProvider implementation, the Hadoop 
> KMS will cache keys using a TTL policy.
> Scalability and High Availability of the Hadoop KMS can achieved by running 
> multiple instances behind a VIP/Load-Balancer. For High Availability, the 
> underlying KeyProvider implementation used by the Hadoop KMS must be High 
> Available.



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Reply via email to