[ https://issues.apache.org/jira/browse/HDFS-6785?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14079713#comment-14079713 ]
Andrew Wang commented on HDFS-6785:
-----------------------------------

We should be asserting that the thing is a directory, rather than that it's not a file. Otherwise looks good.

> Should not be able to create encryption zone using path to a non-directory file
> -------------------------------------------------------------------------------
>
>                 Key: HDFS-6785
>                 URL: https://issues.apache.org/jira/browse/HDFS-6785
>             Project: Hadoop HDFS
>          Issue Type: Sub-task
>          Components: security
>    Affects Versions: fs-encryption (HADOOP-10150 and HDFS-6134)
>            Reporter: Stephen Chu
>            Assignee: Charles Lamb
>         Attachments: HDFS-6785.001.patch
>
>
> Currently, users can create an encryption zone while specifying a path to a
> file, as seen below.
> {code}
> [hdfs@schu-enc2 ~]$ cat hi
> hi
> [hdfs@schu-enc2 ~]$ hadoop fs -put hi /hi
> [hdfs@schu-enc2 ~]$ hadoop key create testKey
> testKey has been successfully created.
> KMSClientProvider[http://schu-enc2.vpc.com:16000/kms/v1/] has been updated.
> [hdfs@schu-enc2 ~]$ hdfs crypto -createZone -keyName testKey -path /hi
> Added encryption zone /hi
> [hdfs@schu-enc2 ~]$ hdfs crypto -listZones
> /hi testKey
> {code}
> Based on my understanding, admins should be able to create encryption zones
> only on empty directories, not files.
> If the design changed to allow creating EZ on files, then we should change
> the javadoc of {{HdfsAdmin#createEncryptionZone}}, which currently states,
> "Create an encryption zone rooted at an empty existing directory, using the
> specified encryption key. An encryption zone has an associated encryption key
> used when reading and writing files within the zone."

--
This message was sent by Atlassian JIRA
(v6.2#6252)