Uploaded image for project: 'Hadoop Common'
  1. Hadoop Common
  2. HADOOP-10141

Create an API to separate encryption key storage from applications

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.6.0
    • Component/s: security
    • Labels:
      None

      Description

      As with the filesystem API, we need to provide a generic mechanism to support multiple key storage mechanisms that are potentially from third parties.

      An additional requirement for long term data lakes is to keep multiple versions of each key so that keys can be rolled periodically without requiring the entire data set to be re-written. Rolling keys provides containment in the event of keys being leaked.

      Toward that end, I propose an API that is configured using a list of URLs of KeyProviders. The implementation will look for implementations using the ServiceLoader interface and thus support third party libraries.

      Two providers will be included in this patch. One using the credentials cache in MapReduce jobs and the other using Java KeyStores from either HDFS or local file system.

        Attachments

        1. h-10141.patch
          48 kB
          Owen O'Malley
        2. hadoop-10141.patch
          47 kB
          Owen O'Malley
        3. hadoop-10141.patch
          47 kB
          Owen O'Malley
        4. hadoop-10141.patch
          47 kB
          Owen O'Malley

          Issue Links

            Activity

              People

              • Assignee:
                omalley Owen O'Malley
                Reporter:
                omalley Owen O'Malley
              • Votes:
                0 Vote for this issue
                Watchers:
                20 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: