[ https://issues.apache.org/jira/browse/HADOOP-10433?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13990229#comment-13990229 ]
Hudson commented on HADOOP-10433: --------------------------------- SUCCESS: Integrated in Hadoop-trunk-Commit #5593 (See [https://builds.apache.org/job/Hadoop-trunk-Commit/5593/]) HADOOP-10433. Key Management Server based on KeyProvider API. (tucu) (tucu: http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1592637) * /hadoop/common/trunk/.gitignore * /hadoop/common/trunk/hadoop-assemblies/src/main/resources/assemblies/hadoop-kms-dist.xml * /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt * /hadoop/common/trunk/hadoop-common-project/hadoop-common/dev-support/findbugsExcludeFile.xml * /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms * /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java * /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSRESTConstants.java * /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/resources/META-INF/services/org.apache.hadoop.crypto.key.KeyProviderFactory * /hadoop/common/trunk/hadoop-common-project/hadoop-kms * /hadoop/common/trunk/hadoop-common-project/hadoop-kms/dev-support * /hadoop/common/trunk/hadoop-common-project/hadoop-kms/dev-support/findbugsExcludeFile.xml * /hadoop/common/trunk/hadoop-common-project/hadoop-kms/pom.xml * /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src * /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/main * /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/main/conf * /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/main/conf/kms-acls.xml * /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/main/conf/kms-env.sh * /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/main/conf/kms-log4j.properties * /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/main/conf/kms-site.xml * 
/hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/main/java * /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/main/java/org * /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/main/java/org/apache * /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop * /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto * /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key * /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms * /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server * /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMS.java * /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSACLs.java * /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSAudit.java * /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSAuthenticationFilter.java * /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSCacheKeyProvider.java * /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSConfiguration.java * /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSExceptionsProvider.java * /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSJSONReader.java * /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSJSONWriter.java * 
/hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSMDCFilter.java * /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSServerJSONUtils.java * /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSWebApp.java * /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/main/libexec * /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/main/libexec/kms-config.sh * /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/main/sbin * /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/main/sbin/kms.sh * /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/main/tomcat * /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/main/tomcat/ROOT * /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/main/tomcat/ROOT/WEB-INF * /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/main/tomcat/ROOT/WEB-INF/web.xml * /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/main/tomcat/ROOT/index.html * /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/main/tomcat/logging.properties * /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/main/tomcat/server.xml * /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/main/tomcat/ssl-server.xml * /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/main/webapp * /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/main/webapp/WEB-INF * /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/main/webapp/WEB-INF/web.xml * /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/site * /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/site/apt * /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/site/apt/index.apt.vm * /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/site/resources * /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/site/resources/css * 
/hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/site/resources/css/site.css * /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/site/site.xml * /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/test * /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/test/java * /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/test/java/org * /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/test/java/org/apache * /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop * /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto * /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key * /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms * /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server * /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMS.java * /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMSACLs.java * /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMSCacheKeyProvider.java * /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/test/resources * /hadoop/common/trunk/hadoop-common-project/hadoop-kms/src/test/resources/log4j.properties * /hadoop/common/trunk/hadoop-common-project/pom.xml * /hadoop/common/trunk/hadoop-dist/pom.xml * /hadoop/common/trunk/hadoop-project/pom.xml * /hadoop/common/trunk/hadoop-project/src/site/site.xml > Key Management Server based on KeyProvider API > ---------------------------------------------- > > Key: HADOOP-10433 > URL: https://issues.apache.org/jira/browse/HADOOP-10433 > Project: Hadoop Common > Issue Type: Improvement > Components: security > Affects Versions: 3.0.0 > Reporter: Alejandro 
Abdelnur > Assignee: Alejandro Abdelnur > Fix For: 3.0.0 > > Attachments: HADOOP-10433.patch, HADOOP-10433.patch, > HADOOP-10433.patch, HADOOP-10433.patch, HADOOP-10433.patch, > HADOOP-10433.patch, HADOOP-10433.patch, HADOOP-10433.patch, > HADOOP-10433.patch, HADOOP-10433.patch, HADOOP-10433.patch, > HADOOP-10433.patch, HadoopKMSDocsv2.pdf, KMS-doc.pdf > > > (from HDFS-6134 proposal) > Hadoop KMS is the gateway, for Hadoop and Hadoop clients, to the underlying > KMS. It provides an interface that works with existing Hadoop security > components (authentication, confidentiality). > Hadoop KMS will be implemented leveraging the work being done in HADOOP-10141 > and HADOOP-10177. > Hadoop KMS will provide an additional implementation of the Hadoop > KeyProvider class. This implementation will be a client-server implementation. > The client-server protocol will be secure: > * Kerberos HTTP SPNEGO (authentication) > * HTTPS for transport (confidentiality and integrity) > * Hadoop ACLs (authorization) > The Hadoop KMS implementation will not provide additional ACLs to access > encrypted files. For sophisticated access control requirements, HDFS ACLs > (HDFS-4685) should be used. > Basic key administration will be supported by the Hadoop KMS via the already > available Hadoop KeyShell command line tool. > There are minor changes that must be made in Hadoop KeyProvider functionality: > The KeyProvider contract, and the existing implementations, must be > thread-safe > KeyProvider API should have an API to generate the key material internally > JavaKeyStoreProvider should use, if present, a password provided via > configuration > KeyProvider Option and Metadata should include a label (for easier > cross-referencing) > To avoid overloading the underlying KeyProvider implementation, the Hadoop > KMS will cache keys using a TTL policy. > Scalability and High Availability of the Hadoop KMS can be achieved by running > multiple instances behind a VIP/Load-Balancer. 
For High Availability, the > underlying KeyProvider implementation used by the Hadoop KMS must be Highly > Available. -- This message was sent by Atlassian JIRA (v6.2#6252)