Uploaded image for project: 'Hadoop HDFS'
  1. Hadoop HDFS
  2. HDFS-11210

Enhance key rolling to guarantee new KeyVersion is returned from generateEncryptedKeys after a key is rolled

    XMLWordPrintableJSON

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.6.5
    • Fix Version/s: 3.0.0-alpha4
    • Component/s: encryption, kms
    • Labels:
      None
    • Target Version/s:
    • Hadoop Flags:
      Reviewed
    • Release Note:
      Hide
      <!-- markdown -->

      An `invalidateCache` command has been added to the KMS.
      The `rollNewVersion` semantics of the KMS has been improved so that after a key's version is rolled, `generateEncryptedKey` of that key guarantees to return the `EncryptedKeyVersion` based on the new key version.
      Show
      <!-- markdown --> An `invalidateCache` command has been added to the KMS. The `rollNewVersion` semantics of the KMS has been improved so that after a key's version is rolled, `generateEncryptedKey` of that key guarantees to return the `EncryptedKeyVersion` based on the new key version.

      Description

      To support re-encrypting EDEK, we need to make sure after a key is rolled, no old version EDEKs are used anymore. This includes various caches when generating EDEK.
      This is not true currently, simply because no such requirements / necessities before.

      This includes

      • Client Provider(s), and corresponding cache(s).
        When LoadBalancingKMSCP is used, we need to clear all KMSCPs.
      • KMS server instance(s), and corresponding cache(s)
        When KMS HA is configured with multiple KMS instances, only 1 will receive the rollNewVersion request, we need to make sure other instances are rolled too.
      • The Client instance inside NN(s), and corresponding cache(s)
        When hadoop key roll is succeeded, the client provider inside NN should be drained too.

        Attachments

        1. HDFS-11210.05.patch
          37 kB
          Xiao Chen
        2. HDFS-11210.04.patch
          37 kB
          Xiao Chen
        3. HDFS-11210.03.patch
          36 kB
          Xiao Chen
        4. HDFS-11210.02.patch
          34 kB
          Xiao Chen
        5. HDFS-11210.01.patch
          21 kB
          Xiao Chen

          Issue Links

          breaks

          Bug - A problem which impairs or prevents the functions of the product. HDFS-12667 KMSClientProvider#ValueQueue does synchronous fetch of edeks in background async thread.

          • Major - Major loss of function.
          • Patch Available
          is depended upon by

          New Feature - A new feature of the product, which has yet to be developed. HDFS-10899 Add functionality to re-encrypt EDEKs

          • Major - Major loss of function.
          • Resolved
          is duplicated by

          Improvement - An improvement or enhancement to an existing feature or task. HDFS-6971 Bounded staleness of EDEK caches on the NN

          • Major - Major loss of function.
          • Resolved

            Activity

              People

              • Assignee:
                xiaochen Xiao Chen
                Reporter:
                xiaochen Xiao Chen
              • Votes:
                0 Vote for this issue
                Watchers:
                6 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: