[HADOOP-10141] Create an API to separate encryption key storage from applications - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 2.6.0
Component/s: security
Labels:
None

Description

As with the filesystem API, we need to provide a generic mechanism to support multiple key storage mechanisms that are potentially from third parties.

An additional requirement for long term data lakes is to keep multiple versions of each key so that keys can be rolled periodically without requiring the entire data set to be re-written. Rolling keys provides containment in the event of keys being leaked.

Toward that end, I propose an API that is configured using a list of URLs of KeyProviders. The implementation will look for implementations using the ServiceLoader interface and thus support third party libraries.

Two providers will be included in this patch. One using the credentials cache in MapReduce jobs and the other using Java KeyStores from either HDFS or local file system.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

hadoop-10141.patch
04/Dec/13 17:01
47 kB
Owen O'Malley
hadoop-10141.patch
05/Dec/13 17:36
47 kB
Owen O'Malley
hadoop-10141.patch
06/Dec/13 19:41
47 kB
Owen O'Malley
h-10141.patch
19/Dec/13 18:40
48 kB
Owen O'Malley

Issue Links

is duplicated by

HADOOP-10528 A TokenKeyProvider for a Centralized Key Manager Server (BEE: bee-key-manager)

Patch Available

HADOOP-9825 Key Provider for TokenAuth

Open

is related to

HADOOP-9534 Credential Management Framework (CMF)

Resolved

HADOOP-10607 Create an API to Separate Credentials/Password Storage from Applications

Closed

HDFS-6134 Transparent data at rest encryption

Closed

Activity

People

Assignee:: Owen O'Malley

Reporter:: Owen O'Malley

Votes:: 0 Vote for this issue

Watchers:: 20 Start watching this issue

Dates

Created:: 03/Dec/13 00:11

Updated:: 01/Dec/14 03:10

Resolved:: 20/Dec/13 00:27