Uploaded image for project: 'Hadoop HDFS'
  1. Hadoop HDFS
  2. HDFS-15230

Sanity check should not assume key base name can be derived from version name

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Open
    • Major
    • Resolution: Unresolved
    • None
    • None
    • None
    • None

    Description

      HDFS-14884 checks if the encryption info of a file matches the encryption zone key.

              if (!KeyProviderCryptoExtension.
                getBaseName(keyVersionName).equals(zoneKeyName)) {
          throw new IllegalArgumentException(String.format(
                  "KeyVersion '%s' does not belong to the key '%s'",
                  keyVersionName, zoneKeyName));
        }

      Here it assumes the "base name" can be derived from key version name, and that the base name should be the same as zone key.

      However, there is no published definition of what a key version name should be.

      While the code works for the builtin JKS key provider, it may not work for other kind of key providers. (Specifically, it breaks Cloudera's KeyTrustee KMS KeyProvider)

      Attachments

        Issue Links

          is broken by

          Bug - A problem which impairs or prevents the functions of the product. HDFS-14884 Add sanity check that zone key equals feinfo key while setting Xattrs

          • Major - Major loss of function.
          • Resolved

          Activity

            People

              Unassigned Unassigned
              weichiu Wei-Chiu Chuang
              Votes:
              1 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated: