[jira] [Commented] (HADOOP-10528) A TokenKeyProvider for a Centralized Key Manager Server (BEE: bee-key-manager)
[ https://issues.apache.org/jira/browse/HADOOP-10528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14524796#comment-14524796 ]

Hadoop QA commented on HADOOP-10528:

| (x) *{color:red}-1 overall{color}* |

|| Vote || Subsystem || Runtime || Comment ||
| {color:red}-1{color} | patch | 0m 0s | The patch command could not apply the patch during dryrun. |

|| Subsystem || Report/Notes ||
| Patch URL | http://issues.apache.org/jira/secure/attachment/12641173/HADOOP-10528.patch |
| Optional Tests | javadoc javac unit findbugs checkstyle |
| git revision | trunk / f1a152c |
| Console output | https://builds.apache.org/job/PreCommit-HADOOP-Build/6332/console |

This message was automatically generated.

> A TokenKeyProvider for a Centralized Key Manager Server (BEE: bee-key-manager)
> --
>
> Key: HADOOP-10528
> URL: https://issues.apache.org/jira/browse/HADOOP-10528
> Project: Hadoop Common
> Issue Type: Sub-task
> Components: security
> Reporter: howie yu
> Attachments: HADOOP-10528.patch
>
>
> This is a key provider based on HADOOP-9331. HADOOP-9331 has designed a
> complete Hadoop crypto codec framework, but the key can only be retrieved
> from a local Java KeyStore file. For convenience, we design a Centralized
> Key Manager Server (BEE: bee-key-manager) and users can use this
> TokenKeyProvider to retrieve keys from the Centralized Key Manager Server. By
> the way, to secure the key exchange, we leverage HTTPS + SPNego/SASL to
> protect the key exchange. For the detailed design and usage, please refer to
> https://github.com/trendmicro/BEE.
> Moreover, there are still many more requests about Hadoop Data Encryption
> (such as providing a standalone module, supporting KMIP, etc.); if anyone is
> interested in those features, please let us know.
>
> P.S. Because this patch is based on HADOOP-9331, please use patches HADOOP-9333
> and HADOOP-9332 before using our patch HADOOP-10528.patch.
-- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HADOOP-10528) A TokenKeyProvider for a Centralized Key Manager Server (BEE: bee-key-manager)
[ https://issues.apache.org/jira/browse/HADOOP-10528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14524777#comment-14524777 ]

Hadoop QA commented on HADOOP-10528:

| (x) *{color:red}-1 overall{color}* |

|| Vote || Subsystem || Runtime || Comment ||
| {color:red}-1{color} | patch | 0m 0s | The patch command could not apply the patch during dryrun. |

|| Subsystem || Report/Notes ||
| Patch URL | http://issues.apache.org/jira/secure/attachment/12641173/HADOOP-10528.patch |
| Optional Tests | javadoc javac unit findbugs checkstyle |
| git revision | trunk / f1a152c |
| Console output | https://builds.apache.org/job/PreCommit-HADOOP-Build/6328/console |

This message was automatically generated.
[jira] [Commented] (HADOOP-10528) A TokenKeyProvider for a Centralized Key Manager Server (BEE: bee-key-manager)
[ https://issues.apache.org/jira/browse/HADOOP-10528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13977674#comment-13977674 ]

Larry McCay commented on HADOOP-10528:
--

[~apurtell] I regret that you read my comments as dismissive and disappointing. I certainly don't want to come across as dismissive of what looks like a good amount of work. What I was hoping to do is get a sense for what the Token aspect of this provider is and help determine how it fits into the existing KeyProvider API.

As for your characterization of that work, it seems to me that a common need was identified across multiple projects. It was started and continues to evolve to meet the needs of its consumers. It would be perfectly reasonable for the needs represented in this jira to inform further evolution in the KeyProvider API and KMS work.

Cross cutting concerns such as these types of security efforts are difficult and I can fully appreciate the frustration there.

-- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Commented] (HADOOP-10528) A TokenKeyProvider for a Centralized Key Manager Server (BEE: bee-key-manager)
[ https://issues.apache.org/jira/browse/HADOOP-10528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13977592#comment-13977592 ]

Andrew Purtell commented on HADOOP-10528:
-

bq. While this seems like interesting work, it also duplicates a number of jiras

Certainly in the sense that parts of HADOOP-9331 were peeled off in JIRAs that duplicate some of its scope. That seems to have forked work in this area rather than foster healthy community collaboration between those with and without the commit bit. It's disappointing to see this pattern continuing here with this issue dismissed as "duplicate".
[jira] [Commented] (HADOOP-10528) A TokenKeyProvider for a Centralized Key Manager Server (BEE: bee-key-manager)
[ https://issues.apache.org/jira/browse/HADOOP-10528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13977022#comment-13977022 ]

Larry McCay commented on HADOOP-10528:
--

Correction: the KMS patch is not quite committed yet but it is on its way in. That is HADOOP-10433.
[jira] [Commented] (HADOOP-10528) A TokenKeyProvider for a Centralized Key Manager Server (BEE: bee-key-manager)
[ https://issues.apache.org/jira/browse/HADOOP-10528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13977021#comment-13977021 ]

Larry McCay commented on HADOOP-10528:
--

KeyProvider API
[jira] [Commented] (HADOOP-10528) A TokenKeyProvider for a Centralized Key Manager Server (BEE: bee-key-manager)
[ https://issues.apache.org/jira/browse/HADOOP-10528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13977018#comment-13977018 ]

Larry McCay commented on HADOOP-10528:
--

central key management service
[jira] [Commented] (HADOOP-10528) A TokenKeyProvider for a Centralized Key Manager Server (BEE: bee-key-manager)
[ https://issues.apache.org/jira/browse/HADOOP-10528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13977019#comment-13977019 ]

Larry McCay commented on HADOOP-10528:
--

KeyShell is a CLI for key management commands for the KeyProvider API
[jira] [Commented] (HADOOP-10528) A TokenKeyProvider for a Centralized Key Manager Server (BEE: bee-key-manager)
[ https://issues.apache.org/jira/browse/HADOOP-10528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13977014#comment-13977014 ]

Larry McCay commented on HADOOP-10528:
--

While this seems like interesting work, it also duplicates a number of jiras - all of which are already committed and being collaboratively worked on. I will add them as jiras that this duplicates but here are the ones that come to mind: duplicates KeyProvider API, KeyShell and Alejandro's KMS.

https://issues.apache.org/jira/browse/HADOOP-10433 KMS
https://issues.apache.org/jira/browse/HADOOP-10177 KeyShell
https://issues.apache.org/jira/browse/HADOOP-10141 KeyProvider API

Another thing that I noticed is that Key.deriveKeys doesn't seem to be using a salt of any kind in its creation of a key from a password. This is going to end up creating the same key each time - no?

I could also use a bit of description about the Token aspect of this provider - this will be good in determining how to fit it into the existing KeyProvider API.
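The salt question raised in the comment above, worked through as an added example (not code from the HADOOP-10528 patch or from any participant in this thread). The patch's Key.deriveKeys is not shown on this page, so the class name, the choice of PBKDF2WithHmacSHA256, the iteration count and the sizes are assumptions for illustration; a constant salt stands in for a missing one because Java's PBEKeySpec rejects an empty salt.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class SaltedKeyDerivationDemo {
    // Assumed parameters for this illustration; not taken from the patch.
    static final String KDF = "PBKDF2WithHmacSHA256";
    static final int ITERATIONS = 100_000;
    static final int KEY_BITS = 256;
    static final int SALT_BYTES = 16;

    /** Derives key bytes from a password and salt with PBKDF2. */
    static byte[] derive(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance(KDF).generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // wipe the spec's internal copy of the password
        }
    }

    /** Fresh random salt. It is not secret; it is stored next to the ciphertext or key record. */
    static byte[] newSalt() {
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt);
        return salt;
    }

    public static void main(String[] args) throws Exception {
        char[] password = "constructed-sample-password".toCharArray(); // constructed sample

        // Constant salt (stand-in for "no salt"): the same password always maps to
        // the same key, so equal passwords are detectable and one precomputed
        // dictionary works against every key derived this way.
        byte[] constantSalt = new byte[SALT_BYTES];
        byte[] k1 = derive(password, constantSalt);
        byte[] k2 = derive(password, constantSalt);
        System.out.println("constant salt, keys equal:      " + Arrays.equals(k1, k2));

        // Random per-key salt: the same password yields unrelated keys.
        byte[] saltA = newSalt();
        byte[] saltB = newSalt();
        byte[] kA = derive(password, saltA);
        byte[] kB = derive(password, saltB);
        System.out.println("random salts, keys equal:       " + Arrays.equals(kA, kB));

        // The key is still reproducible by whoever holds the password and the stored salt.
        byte[] kAagain = derive(password, saltA);
        System.out.println("stored salt reproduces the key: " + Arrays.equals(kA, kAagain));
    }
}
```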
[jira] [Commented] (HADOOP-10528) A TokenKeyProvider for a Centralized Key Manager Server (BEE: bee-key-manager)
[ https://issues.apache.org/jira/browse/HADOOP-10528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13976400#comment-13976400 ]

Hadoop QA commented on HADOOP-10528:

{color:red}-1 overall{color}. Here are the results of testing the latest attachment
http://issues.apache.org/jira/secure/attachment/12641173/HADOOP-10528.patch
against trunk revision .

{color:red}-1 patch{color}. The patch command could not apply the patch.

Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/3825//console

This message is automatically generated.