Uploaded image for project: 'Hadoop HDFS'
  1. Hadoop HDFS
  2. HDFS-6201

Get EncryptionKey from NN only if data transfer encryption is required

    XMLWordPrintableJSON

Details

    • Improvement
    • Status: Open
    • Major
    • Resolution: Unresolved
    • None
    • None
    • security
    • None

    Description

      HDFS-5910 allowed data transfer encryption to be decided by custom logic based on the Ip address of client and datanode. This is on top of the dfs.encrypt.data.transfer flag.

      There are some invocations where encryptionkey is fetched first and the datanode is identified later. In these cases, encryptionkey is fetched after invoking the custom logic without the ip address of the datanode. This might result in fetching fetching encryptionkey when it is not required and vice versa.

      To correct this, a refactoring is required so that encryptionkey is fetched only when it is required.

      Per arpitagarwal on HDFS-5910

      For the usage in getDataEncryptionKey(), we can refactor to pass a functor as the encryption key to e.g. getFileChecksum. However I am okay with doing the refactoring in a separate change. We can leave the parameter-less overload of isTrusted for now and just use it fromgetEcnryptionKey and file a separate Jira to fix it.

      Attachments

        Issue Links

          relates to

          Improvement - An improvement or enhancement to an existing feature or task. HDFS-5910 Enhance DataTransferProtocol to allow per-connection choice of encryption/plain-text

          • Major - Major loss of function.
          • Closed

          Activity

            People

              benoyantony Benoy Antony
              benoyantony Benoy Antony
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated: