[ 
https://issues.apache.org/jira/browse/HDFS-12400?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16157761#comment-16157761
 ] 

Xiao Chen commented on HDFS-12400:
----------------------------------

Thank you for the review Wei-Chiu!

bq. nit
That only happens for start, so no need to log I think. :)

As chatted offline, {{flush()}} is technically required only for the 
JavaKeyStoreProvider. For the tests, we need to flush if the key is rolled and 
we want to generate new edeks from JKSP.

Looking at the test code, I think I can do better. In patch 2, key rollover is 
extracted to a method and done differently for JKSP and KMSCP. This is to let 
JKSP tests still pass, yet KMSCP cases the same as real cluster. Also fixed the 
checkstyle.



> Provide a way for NN to drain the local key cache before re-encryption
> ----------------------------------------------------------------------
>
>                 Key: HDFS-12400
>                 URL: https://issues.apache.org/jira/browse/HDFS-12400
>             Project: Hadoop HDFS
>          Issue Type: Bug
>          Components: encryption
>    Affects Versions: 3.0.0-beta1
>            Reporter: Xiao Chen
>            Assignee: Xiao Chen
>         Attachments: HDFS-12400.01.patch, HDFS-12400.02.patch
>
>
> In HDFS-12359, a fix for the KMS ACLs required for re-encryption was done. As 
> part of the fix, the following code is used to make sure the local provider 
> cache in the NN is drained.
> {code:java}
> if (dir.getProvider() instanceof CryptoExtension) {
>   ((CryptoExtension) dir.getProvider()).drain(keyName);
> }
> {code}
> This doesn't work, because the provider is {{KeyProviderCryptoExtension}} 
> instead of {{CryptoExtension}} - the latter is composite of the former.
> Unfortunately unit test didn't catch this, because it conveniently rolled the 
> from the NN's provider.


