[HDFS-6134] Transparent data at rest encryption - ASF JIRA

XML

Word

Printable

JSON

Details

Type: New Feature
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 2.3.0, 3.0.0-alpha1
Fix Version/s: 2.6.0
Component/s: security
Labels:
None

Target Version/s:

fs-encryption (HADOOP-10150 and HDFS-6134)

Description

Because of privacy and security regulations, for many industries, sensitive data at rest must be in encrypted form. For example: the healthcare industry (HIPAA regulations), the card payment industry (PCI DSS regulations) or the US government (FISMA regulations).

This JIRA aims to provide a mechanism to encrypt HDFS data at rest that can be used transparently by any application accessing HDFS via Hadoop Filesystem Java API, Hadoop libhdfs C library, or WebHDFS REST API.

The resulting implementation should be able to be used in compliance with different regulation requirements.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

HDFSDataatRestEncryptionProposal_obsolete.pdf
20/Jun/14 22:58
219 kB
Alejandro Abdelnur
HDFSEncryptionConceptualDesignProposal-2014-06-20.pdf
20/Jun/14 23:04
86 kB
Alejandro Abdelnur
HDFS-6134_test_plan.pdf
02/Aug/14 17:06
147 kB
Stephen Chu
HDFS-6134.001.patch
04/Aug/14 18:39
566 kB
Charles Lamb
HDFS-6134.002.patch
06/Aug/14 05:09
562 kB
Yi Liu
HDFSDataatRestEncryption.pdf
07/Aug/14 10:48
357 kB
Charles Lamb
fs-encryption.2014-08-18.patch
18/Aug/14 18:49
653 kB
Andrew Wang
fs-encryption.2014-08-19.patch
20/Aug/14 01:25
653 kB
Andrew Wang

Issue Links

breaks

HADOOP-11286 Map/Reduce dangerously adds Guava @Beta class to CryptoUtils

Closed

is related to

HADOOP-10919 Copy command should preserve raw.* namespace extended attributes

Resolved

MAPREDUCE-6007 Add support to distcp to preserve raw.* namespace extended attributes

Closed

relates to

HADOOP-9333 Hadoop crypto codec framework based on compression codec

Patch Available

HDFS-6891 Follow-on work for transparent data at rest encryption

Resolved

HADOOP-10141 Create an API to separate encryption key storage from applications

Closed

HADOOP-10150 Hadoop cryptographic file system

Closed

requires

HADOOP-10856 HarFileSystem and HarFs support for HDFS encryption

Resolved

(2 relates to, 1 requires)

Sub-Tasks

1.	HDFS Encryption Zones	Resolved	Charles Lamb
2.	HDFS integration with KeyProvider	Resolved	Charles Lamb
3.	Wire crypto streams for encrypted files in DFSClient	Resolved	Charles Lamb
4.	Protocol and API for Encryption Zones	Resolved	Charles Lamb
5.	Print out the KeyProvider after finding KP successfully on startup	Resolved	Juan Yu
6.	CryptoCode.generateSecureRandom should be a static method	Resolved	Charles Lamb
7.	HDFS CLI admin tool for creating & deleting an encryption zone	Resolved	Charles Lamb
8.	Get the Key/IV from the NameNode for encrypted files in DFSClient	Resolved	Andrew Wang
9.	Rename restrictions for encryption zones	Resolved	Charles Lamb
10.	Client server negotiation of cipher suite	Resolved	Andrew Wang
11.	Remove the Delete Encryption Zone function	Resolved	Charles Lamb
12.	List of Encryption Zones should be based on inodes	Resolved	Charles Lamb
13.	Test Crypto streams in HDFS	Resolved	Yi Liu
14.	Namenode needs to get the actual keys and iv from the KeyProvider	Resolved	Andrew Wang
15.	Clean up encryption-related tests	Resolved	Andrew Wang
16.	Fix the keyid format for generated keys in FSNamesystem.createEncryptionZone	Resolved	Charles Lamb
17.	Not able to create symlinks after HDFS-6516	Resolved	Uma Maheswara Rao G
18.	Refactor encryption zone functionality into new EncryptionZoneManager class	Resolved	Andrew Wang
19.	Update usage of KeyProviderCryptoExtension APIs on NameNode	Resolved	Andrew Wang
20.	Remove EncryptionZoneManager lock	Resolved	Andrew Wang
21.	Remove unnecessary getEncryptionZoneForPath call in EZManager#createEncryptionZone	Resolved	Uma Maheswara Rao G
22.	Remove KeyProvider in EncryptionZoneManager	Resolved	Andrew Wang
23.	Decrypt EDEK before creating CryptoInputStream/CryptoOutputStream	Resolved	Andrew Wang
24.	Creating encryption zone results in NPE when KeyProvider is null	Resolved	Charles Lamb
25.	Create a special /.reserved/raw directory for raw access to encrypted data	Resolved	Charles Lamb
26.	Create a .RAW extended attribute namespace	Resolved	Charles Lamb
27.	Add more HDFS encryption tests	Resolved	Andrew Wang
28.	Should not be able to create encryption zone using path to a non-directory file	Resolved	Charles Lamb
29.	Require specification of an encryption key when creating an encryption zone	Resolved	Andrew Wang
30.	Batch the encryption zones listing API	Resolved	Andrew Wang
31.	DFSClient should use IV generated based on the configured CipherSuite with codecs used	Resolved	Uma Maheswara Rao G
32.	Cannot remove directory within encryption zone to Trash	Resolved	Unassigned
33.	Fix TestReservedRawPaths failures	Resolved	Charles Lamb
34.	Mistakenly dfs.namenode.list.encryption.zones.num.responses configured as boolean	Resolved	Uma Maheswara Rao G
35.	HDFS encryption documentation	Resolved	Andrew Wang
36.	Fix findbugs and other warnings	Resolved	Yi Liu
37.	Improve the configuration guidance in DFSClient when there are no Codec classes found in configs	Resolved	Uma Maheswara Rao G
38.	Fix TestCLI to expect new output	Resolved	Charles Lamb
39.	Add non-superuser capability to get the encryption zone for a specific path	Resolved	Charles Lamb
40.	Constants in CommandWithDestination should be static	Resolved	Charles Lamb

Activity

People

Assignee:: Charles Lamb

Reporter:: Alejandro Abdelnur

Votes:: 2 Vote for this issue

Watchers:: 62 Start watching this issue

Dates

Created:: 21/Mar/14 06:08

Updated:: 14/Nov/22 11:58

Resolved:: 20/Aug/14 19:07