Uploaded image for project: 'Hadoop HDFS'
  1. Hadoop HDFS
  2. HDFS-10643

Namenode should use loginUser(hdfs) to generateEncryptedKey

    Details

    • Hadoop Flags:
      Reviewed

      Description

      KMSClientProvider is designed to be shared by different KMS clients. When HDFS Namenode as KMS client talks to KMS to generateEncryptedKey for new file creation from proxy user (hive, oozie), the proxyuser handling for KMSClientProvider in this case is unnecessary, which cause 1) an extra proxy user configuration allowing hdfs user to proxy its clients and 2) KMS acls to allow non-hdfs user for GENERATE_EEK operation.

      This ticket is opened to always use HDFS namenode login user (hdfs) when talking to KMS to generateEncryptedKey for new file creation. This way, we have a more secure KMS based HDFS encryption (we can set kms-acls to allow only hdfs user for GENERATE_EEK) with less configuration hassle for KMS to allow hdfs to proxy other users.

        Attachments

        1. HDFS-10643.00.patch
          2 kB
          Xiaoyu Yao
        2. HDFS-10643.01.patch
          2 kB
          Xiaoyu Yao
        3. HDFS-10643.02.patch
          14 kB
          Xiaoyu Yao
        4. HDFS-10643.03.patch
          14 kB
          Xiaoyu Yao
        5. HDFS-10643.04.patch
          14 kB
          Xiaoyu Yao
        6. HDFS-10643.05.patch
          15 kB
          Xiaoyu Yao

          Issue Links

            Activity

              People

              • Assignee:
                xyao Xiaoyu Yao
                Reporter:
                xyao Xiaoyu Yao
              • Votes:
                0 Vote for this issue
                Watchers:
                9 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: