[HDFS-12359] Re-encryption should operate with minimum KMS ACL requirements. - ASF JIRA

Log work

Agile Board

Rank to Top

Rank to Bottom

Attach files

Attach Screenshot

Bulk Copy Attachments

Bulk Move Attachments

Voters

Watch issue

Watchers

Create sub-task

Convert to sub-task

Move

Link

Clone

Labels

Update Comment Author

Replace String in Comment

Update Comment Visibility

Delete Comments

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 3.0.0-beta1
Fix Version/s: 3.0.0-beta1
Component/s: encryption
Labels:
None

Target Version/s:

3.0.0-beta1
Hadoop Flags:

Reviewed

Description

This was caught from KMS acl testing.

~~HDFS-10899~~ gets the current key versions from KMS directly, which requires READ acls.
It also calls invalidateCache, which requires MANAGEMENT acls.

We should fix re-encryption to not require additional ACLs than original encryption.

Attachments

HDFS-12359.03.patch
04/Sep/17 02:27
16 kB
Xiao Chen
HDFS-12359.02.patch
31/Aug/17 02:57
13 kB
Xiao Chen
HDFS-12359.01.patch
26/Aug/17 05:00
13 kB
Xiao Chen

Issue Links

Add Link

breaks

HDFS-12400 Provide a way for NN to drain the local key cache before re-encryption

Resolved

Delete this link

is broken by

HDFS-10899 Add functionality to re-encrypt EDEKs

Resolved

Delete this link

Activity

Comment

This comment will be Viewable by All Users Viewable by All Users

Cancel

People

Assignee:: Xiao Chen Assign to me

Reporter:: Xiao Chen

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 25/Aug/17 23:54

Updated:: 02/Oct/19 17:15

Resolved:: 05/Sep/17 17:08

Agile

View on Board

Re-encryption should operate with minimum KMS ACL requirements.

Details

Description

Attachments

Attachments

Issue Links

Activity

People

Dates

Agile

Slack

Issue deployment