[ https://issues.apache.org/jira/browse/HDDS-11227?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Saketa Chalamchala reassigned HDDS-11227:
-----------------------------------------

    Assignee: Saketa Chalamchala

> Use OM's KMS from client side when connecting to a cluster and dealing with encrypted data
> ------------------------------------------------------------------------------------------
>
>                 Key: HDDS-11227
>                 URL: https://issues.apache.org/jira/browse/HDDS-11227
>             Project: Apache Ozone
>          Issue Type: Improvement
>            Reporter: István Fajth
>            Assignee: Saketa Chalamchala
>            Priority: Major
>
> In the FileSystem API in Hadoop, there is a method to get some server
> defaults.
> In Ozone's filesystem implementation this call is not implemented, so that
> defaults to the implementation that is provided in the FileSystem class.
> The FileSystem class itself provides defaults by default based on the
> client's configuration, which is overridden for HDFS within the
> DistributedFileSystem class in Hadoop.
> Our implementation does not override this, and we do not provide any server
> side configs to the client side at the moment.
> We have seen a problematic use case recently, when one client on one cluster
> tries to read encrypted data on another cluster. In HDFS this works, as the
> {{hadoop.security.key.provider.path}} is part of the server defaults provided
> to the client by the NameNode, and the client is using it unless
> {{dfs.client.ignore.namenode.default.kms.uri}} is configured to be true; it
> is false by default.
> If we want to enable this use case where a client needs to communicate with
> encryption zones on multiple clusters, then we need to resolve providing this
> information to the client side. I believe this should be solved for the
> FileSystem API based clients and for the Ozone client itself also.
> I don't believe our S3 API is affected by this problem.
--
This message was sent by Atlassian Jira (v8.20.10#820010)
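
The KMS selection described in the issue, modelled as an added example that is not part of the original message and is not Hadoop or Ozone code. The class and method names, the host names, and the fallback to the client's own setting when the server sends nothing are assumptions; only the two configuration keys come from the issue text.

```java
import java.util.HashMap;
import java.util.Map;

/** Illustrative model of client-side KMS URI selection; hypothetical class, not project code. */
public class KmsUriResolution {
    static final String KEY_PROVIDER_PATH = "hadoop.security.key.provider.path";
    static final String IGNORE_SERVER_KMS = "dfs.client.ignore.namenode.default.kms.uri";

    /**
     * @param clientConf   the client's local configuration
     * @param serverKmsUri key provider URI taken from the remote cluster's server defaults,
     *                     or null when the server supplies none (Ozone's case in the issue)
     * @return the KMS URI the client would contact for that cluster's encrypted data
     */
    static String resolve(Map<String, String> clientConf, String serverKmsUri) {
        // The ignore flag is false unless the client sets it.
        boolean ignoreServer = Boolean.parseBoolean(
                clientConf.getOrDefault(IGNORE_SERVER_KMS, "false"));
        if (!ignoreServer && serverKmsUri != null && !serverKmsUri.isEmpty()) {
            return serverKmsUri; // server default wins: the cluster names its own KMS
        }
        // Assumption: with no usable server value, only the client's own setting is left.
        return clientConf.get(KEY_PROVIDER_PATH);
    }

    public static void main(String[] args) {
        // Constructed sample values: the client lives on cluster A, the data on cluster B.
        String kmsA = "kms://https@kms-a.example.com:9600/kms";
        String kmsB = "kms://https@kms-b.example.com:9600/kms";
        Map<String, String> conf = new HashMap<>();
        conf.put(KEY_PROVIDER_PATH, kmsA);

        // HDFS-style: cluster B's server defaults carry its KMS, so the client reaches kms-b.
        System.out.println("server default sent:    " + resolve(conf, kmsB));

        // Ozone as described: no server defaults, so the client asks cluster A's KMS
        // about keys that belong to cluster B's encryption zones.
        System.out.println("no server default:      " + resolve(conf, null));

        // Opt-out: the client pins its own KMS even though the server sent one.
        conf.put(IGNORE_SERVER_KMS, "true");
        System.out.println("ignore flag set (true): " + resolve(conf, kmsB));
    }
}
```

The second case is the cross-cluster read from the issue: the client ends up at its home cluster's KMS rather than the one serving the remote encryption zone.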