[ 
https://issues.apache.org/jira/browse/HDFS-6509?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14071198#comment-14071198
 ] 

Charles Lamb commented on HDFS-6509:
------------------------------------

[~aw],

My apologies. I misspoke in an earlier comment. We went back and forth on this 
question of who can access /.reserved/raw and I forgot which way we ended up. 
The design doc actually says that /.reserved/raw will only be accessible by the 
HDFS admin as you suspected. The thinking is that we will start with a more 
conservative implementation (i.e. hdfs admin only). If a non-admin wants access 
to a subset of the hierarchy today, they can use distcp on the 
non-/.reserved/raw hierarchy, which will of course decrypt the data. Whether 
the distcp target is encrypted or not will be dependent on whether an 
encryption zone has been configured prior to the distcp.


> create a /.reserved/raw filesystem namespace
> --------------------------------------------
>
>                 Key: HDFS-6509
>                 URL: https://issues.apache.org/jira/browse/HDFS-6509
>             Project: Hadoop HDFS
>          Issue Type: Sub-task
>          Components: security
>    Affects Versions: fs-encryption (HADOOP-10150 and HDFS-6134)
>            Reporter: Charles Lamb
>            Assignee: Charles Lamb
>         Attachments: HDFS-6509.001.patch, 
> HDFS-6509distcpandDataatRestEncryption-2.pdf, 
> HDFS-6509distcpandDataatRestEncryption.pdf
>
>
> This is part of the work for making distcp work with Data at Rest Encryption. 
> Per the attached document, create a /.reserved/raw HDFS filesystem namespace 
> that allows access to the encrypted bytes of a file.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
