[ https://issues.apache.org/jira/browse/HDFS-6785?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14079713#comment-14079713 ]

Andrew Wang commented on HDFS-6785:
-----------------------------------

We should be asserting that the thing is a directory, rather than that it's not 
a file. Otherwise looks good.

> Should not be able to create encryption zone using path to a non-directory 
> file
> -------------------------------------------------------------------------------
>
>                 Key: HDFS-6785
>                 URL: https://issues.apache.org/jira/browse/HDFS-6785
>             Project: Hadoop HDFS
>          Issue Type: Sub-task
>          Components: security
>    Affects Versions: fs-encryption (HADOOP-10150 and HDFS-6134)
>            Reporter: Stephen Chu
>            Assignee: Charles Lamb
>         Attachments: HDFS-6785.001.patch
>
>
> Currently, users can create an encryption zone while specifying a path to a 
> file, as seen below.
> {code}
> [hdfs@schu-enc2 ~]$ cat hi
> hi
> [hdfs@schu-enc2 ~]$ hadoop fs -put hi /hi
> [hdfs@schu-enc2 ~]$ hadoop key create testKey
> testKey has been successfully created.
> KMSClientProvider[http://schu-enc2.vpc.com:16000/kms/v1/] has been updated.
> [hdfs@schu-enc2 ~]$ hdfs crypto -createZone -keyName testKey -path /hi
> Added encryption zone /hi
> [hdfs@schu-enc2 ~]$ hdfs crypto -listZones
> /hi  testKey
> {code}
> Based on my understanding, admins should be able to create encryption zones 
> only on empty directories, not files.
> If the design changed to allow creating EZ on files, then we should change 
> the javadoc of {{HdfsAdmin#createEncryptionZone}}, which currently states, 
> "Create an encryption zone rooted at an empty existing directory, using the 
> specified encryption key. An encryption zone has an associated encryption key 
> used when reading and writing files within the zone."



--
This message was sent by Atlassian JIRA
(v6.2#6252)
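
Added example, not part of the original message or of the Hadoop code base: a toy in-memory model of the point in the review comment above, comparing a check that only rejects files with one that requires a directory. The namespace, the function names and the symlink inode kind are assumptions made up for the illustration; the empty-directory rule comes from the quoted javadoc.

```python
# Added illustration: a toy namespace model, not Hadoop code.
from enum import Enum


class Kind(Enum):
    FILE = "file"
    DIRECTORY = "directory"
    SYMLINK = "symlink"  # assumed third inode kind, used to show the gap


# Constructed sample namespace: path -> (kind, child names)
NAMESPACE = {
    "/hi": (Kind.FILE, []),               # the file from the report
    "/zone": (Kind.DIRECTORY, []),        # empty directory: the valid case
    "/data": (Kind.DIRECTORY, ["part-0"]),
    "/link": (Kind.SYMLINK, []),
}


class ZoneError(Exception):
    pass


def check_not_file(path):
    """Negative check: reject only what is known to be a file."""
    kind, children = NAMESPACE[path]
    if kind is Kind.FILE:
        raise ZoneError(f"{path}: is a file")
    if children:
        raise ZoneError(f"{path}: not empty")
    return True


def check_is_directory(path):
    """Positive check: accept only an empty directory."""
    kind, children = NAMESPACE[path]
    if kind is not Kind.DIRECTORY:
        raise ZoneError(f"{path}: not a directory")
    if children:
        raise ZoneError(f"{path}: directory is not empty")
    return True


def accepted(check, path):
    try:
        return check(path)
    except ZoneError:
        return False


def compare():
    """Map each path to (negative-check result, positive-check result)."""
    return {p: (accepted(check_not_file, p), accepted(check_is_directory, p))
            for p in NAMESPACE}
```

Both checks reject `/hi`, but only the positive check also rejects `/link`, which is neither a file nor a directory.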
