-
Type:
Improvement
-
Status: Resolved
-
Priority:
Major
-
Resolution: Fixed
-
Affects Version/s: 2.6.5
-
Fix Version/s: 3.0.0-alpha4
-
Component/s: encryption, kms
-
Labels:None
-
Target Version/s:
-
Hadoop Flags:Reviewed
-
Release Note:
To support re-encrypting EDEK, we need to make sure after a key is rolled, no old version EDEKs are used anymore. This includes various caches when generating EDEK.
This is not true currently, simply because no such requirements / necessities before.
This includes
- Client Provider(s), and corresponding cache(s).
When LoadBalancingKMSCP is used, we need to clear all KMSCPs. - KMS server instance(s), and corresponding cache(s)
When KMS HA is configured with multiple KMS instances, only 1 will receive the rollNewVersion request, we need to make sure other instances are rolled too. - The Client instance inside NN(s), and corresponding cache(s)
When hadoop key roll is succeeded, the client provider inside NN should be drained too.
- breaks
-
HDFS-12667 KMSClientProvider#ValueQueue does synchronous fetch of edeks in background async thread.
-
- Patch Available
-
- is depended upon by
-
HDFS-10899 Add functionality to re-encrypt EDEKs
-
- Resolved
-
- is duplicated by
-
HDFS-6971 Bounded staleness of EDEK caches on the NN
-
- Resolved
-