  1. Hadoop HDFS
  2. HDFS-6134 Transparent data at rest encryption
  3. HDFS-6785

Should not be able to create encryption zone using path to a non-directory file


      Description

      Currently, users can create an encryption zone while specifying a path to a file, as seen below.

      [hdfs@schu-enc2 ~]$ cat hi
      hi
      [hdfs@schu-enc2 ~]$ hadoop fs -put hi /hi
      [hdfs@schu-enc2 ~]$ hadoop key create testKey
      testKey has been successfully created.
      KMSClientProvider[http://schu-enc2.vpc.com:16000/kms/v1/] has been updated.
      [hdfs@schu-enc2 ~]$ hdfs crypto -createZone -keyName testKey -path /hi
      Added encryption zone /hi
      [hdfs@schu-enc2 ~]$ hdfs crypto -listZones
      /hi  testKey
      

      Based on my understanding, admins should be able to create encryption zones only on empty directories, not files.

      If the design changed to allow creating EZ on files, then we should change the javadoc of HdfsAdmin#createEncryptionZone, which currently states, "Create an encryption zone rooted at an empty existing directory, using the specified encryption key. An encryption zone has an associated encryption key used when reading and writing files within the zone."
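
A pre-flight wrapper for the `hdfs crypto -createZone` call shown in the report, as an added example that is not part of the original issue or of Hadoop: it refuses any path that is not an existing, empty directory. `safe_create_zone` is a hypothetical helper name, and the script assumes the standard `hdfs dfs -test -d` and `hdfs dfs -count` commands are available on the client.

```shell
#!/usr/bin/env bash
# Added example: guard around `hdfs crypto -createZone`.
# safe_create_zone is a hypothetical helper, not a Hadoop command.
safe_create_zone() {
    key="$1"
    path="$2"

    if [ -z "$key" ] || [ -z "$path" ]; then
        echo "usage: safe_create_zone <keyName> <path>" >&2
        return 2
    fi

    # `-test -d` exits 0 only when the path exists and is a directory,
    # so a regular file such as /hi from the report is rejected here.
    if ! hdfs dfs -test -d "$path"; then
        echo "refusing: $path is missing or is not a directory" >&2
        return 1
    fi

    # `hdfs dfs -count` prints: DIR_COUNT FILE_COUNT CONTENT_SIZE PATHNAME.
    # DIR_COUNT includes the directory itself, so an empty directory
    # reports exactly 1 directory and 0 files.
    counts="$(hdfs dfs -count "$path")" || return 1
    dirs="$(printf '%s\n' "$counts" | awk '{print $1}')"
    files="$(printf '%s\n' "$counts" | awk '{print $2}')"
    if [ "$dirs" != "1" ] || [ "$files" != "0" ]; then
        echo "refusing: $path is not empty ($dirs dirs, $files files)" >&2
        return 1
    fi

    # Both checks passed: hand over to the real command.
    hdfs crypto -createZone -keyName "$key" -path "$path"
}
```

This is a client-side check, so it does not replace server-side validation of the path; the directory can still change between the check and the `-createZone` call.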

        Attachments

        1. HDFS-6785.001.patch
          2 kB
          Charles Lamb
        2. HDFS-6785.002.patch
          2 kB
          Charles Lamb

            People

            • Assignee:
              clamb Charles Lamb
              Reporter:
              schu Stephen Chu