  1. Hadoop HDFS
  2. HDFS-15230

Sanity check should not assume key base name can be derived from version name


    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels:
      None

      Description

      HDFS-14884 checks if the encryption info of a file matches the encryption zone key.

              if (!KeyProviderCryptoExtension.
                      getBaseName(keyVersionName).equals(zoneKeyName)) {
                throw new IllegalArgumentException(String.format(
                        "KeyVersion '%s' does not belong to the key '%s'",
                        keyVersionName, zoneKeyName));
              }
      

      Here it assumes the "base name" can be derived from the key version name, and that the base name should be the same as the zone key.

      However, there is no published definition of what a key version name should be.

      While the code works for the built-in JKS key provider, it may not work for other kinds of key providers. (Specifically, it breaks Cloudera's KeyTrustee KMS KeyProvider.)
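
Added example, not code from Hadoop or from this issue: a self-contained Java program contrasting a check that parses the key version name with one that asks the provider which key owns the version. Assumptions: `baseNameFromVersionName` is a local stand-in modelled on the `name@version` convention, the `kv-...` version names are constructed, and the `Map`-based lookup is a hypothetical model of a provider, not a proposed patch.

```java
import java.util.Map;

public class ZoneKeyCheckDemo {
    // Stand-in modelled on the "name@version" convention the quoted check relies on.
    static String baseNameFromVersionName(String versionName) {
        int div = versionName.lastIndexOf('@');
        if (div == -1) {
            throw new IllegalArgumentException("No version in key path " + versionName);
        }
        return versionName.substring(0, div);
    }

    // Format-based check: correct only if the provider names versions "key@N".
    static boolean belongsByFormat(String keyVersionName, String zoneKeyName) {
        try {
            return baseNameFromVersionName(keyVersionName).equals(zoneKeyName);
        } catch (IllegalArgumentException e) {
            return false; // no '@' at all: the derivation cannot even be attempted
        }
    }

    // Hypothetical alternative: ask the provider which key owns the version.
    // The Map models that provider-side lookup (version name -> key name).
    static boolean belongsByLookup(Map<String, String> provider,
                                   String keyVersionName, String zoneKeyName) {
        return zoneKeyName.equals(provider.get(keyVersionName));
    }

    public static void main(String[] args) {
        String zoneKey = "zonekey";
        // Constructed sample data: one provider per naming scheme.
        Map<String, String> jksLike = Map.of(
                "zonekey@0", "zonekey", "otherkey@0", "otherkey");
        Map<String, String> opaque = Map.of(
                "kv-7f3c9a", "zonekey", "kv-12ab34", "otherkey");

        report(jksLike, "zonekey@0", zoneKey);   // zone key's version, name@version form
        report(jksLike, "otherkey@0", zoneKey);  // another key's version, name@version form
        report(opaque, "kv-7f3c9a", zoneKey);    // zone key's version, opaque name
        report(opaque, "kv-12ab34", zoneKey);    // another key's version, opaque name
    }

    static void report(Map<String, String> provider, String version, String zoneKey) {
        System.out.printf("%-11s format=%-5b lookup=%b%n", version,
                belongsByFormat(version, zoneKey),
                belongsByLookup(provider, version, zoneKey));
    }
}
```

The third case is the one this issue describes: the version belongs to the zone key, yet the name-parsing check rejects it, while the lookup still rejects versions that belong to a different key.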

              People

              • Assignee:
                Unassigned
                Reporter:
                weichiu Wei-Chiu Chuang
              • Votes:
                0
                Watchers:
                3