  1. Apache Ozone
  2. HDDS-5501

Support to upload/read keys from encrypted buckets through S3G

Details

    • Task
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • None
    • 1.2.0
    • None

    Description

      When KMS is secured using hadoop.kms.authentication.type = KERBEROS, S3 key put/get fails when decrypting the key due to missing Kerberos credentials/KMS tokens.

      Proposal to fix this:
      1. Introduce keytab for s3g
      2. Make s3g act as a proxy for end users while decrypting the KMS key during put/get/mpu.

      The idea is similar to NFSgateway security model.
      https://hadoop.apache.org/docs/stable/hadoop-project-dist/hadoop-hdfs/HdfsNfsGateway.html
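
The proxy model proposed above, sketched with Hadoop's `UserGroupInformation` API as an added example (not code from the Ozone patch): the gateway logs in once from its own keytab, then runs each request as a proxy user for the authenticated S3 caller. The class name, principal, keytab path and user `alice` are assumptions made for illustration.

```java
import java.io.IOException;
import java.security.PrivilegedExceptionAction;
import org.apache.hadoop.security.UserGroupInformation;

// Hypothetical illustration class; requires hadoop-common on the classpath.
public final class GatewayProxyExample {

  /** Step 1: the gateway authenticates as itself, once, from its keytab. */
  static void loginGateway(String principal, String keytabPath) throws IOException {
    UserGroupInformation.loginUserFromKeytab(principal, keytabPath);
  }

  /**
   * Step 2: run one request on behalf of an end user. The gateway's Kerberos
   * login is the "real" user; endUser is the effective user that downstream
   * services see and authorize against.
   */
  static <T> T runAsEndUser(String endUser, PrivilegedExceptionAction<T> action)
      throws IOException, InterruptedException {
    if (endUser == null || endUser.isEmpty()) {
      // Never fall back to the gateway's own identity for an unknown caller.
      throw new IllegalArgumentException("authenticated end user required");
    }
    UserGroupInformation proxy = UserGroupInformation.createProxyUser(
        endUser, UserGroupInformation.getLoginUser());
    return proxy.doAs(action);
  }

  public static void main(String[] args) throws Exception {
    // Constructed sample values, not taken from the issue.
    loginGateway("s3g/gateway.example.com@EXAMPLE.COM",
        "/etc/security/keytabs/s3g.keytab");

    // Stand-in for the put/get path that triggers the KMS key decryption.
    String identities = runAsEndUser("alice", () -> {
      UserGroupInformation current = UserGroupInformation.getCurrentUser();
      return "effective=" + current.getShortUserName()
          + " real=" + current.getRealUser().getShortUserName();
    });
    System.out.println(identities);
  }
}
```

Impersonation only succeeds if the KMS is configured to accept the gateway principal as a proxy user; restricting that grant to the gateway hosts and the intended users or groups keeps a compromised gateway keytab from acting as arbitrary identities.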

            People

              bharat Bharat Viswanadham
              bharat Bharat Viswanadham