[jira] [Commented] (HADOOP-14705) Add batched reencryptEncryptedKey interface to KMS

[Xiao Chen (JIRA)]

    [ 
https://issues.apache.org/jira/browse/HADOOP-14705?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16128322#comment-16128322
 ] 

Xiao Chen commented on HADOOP-14705:
------------------------------------

Thanks Wei-Chiu for reviewing, good comments! Patch 4 to address all comments, 
with explanations / exception below.

bq. if all ekv are the same, wouldn’t it be more efficient to optimize it 
somehow?
Yes and good catch. Client side has a bug, should not have added keyName to the 
json.
The request looks like below, keyName should only be on the url path,
{noformat}
POST http://HOST:PORT/kms/v1/key/<key-name>/_reencryptbatch
    Content-Type: application/json

    [
      {
        "versionName"         : "<encryptionVersionName>",
        "iv"                  : "<iv>",            //base64
        "encryptedKeyVersion" : {
            "versionName"       : "EEK",
            "material"          : "<material>",    //base64
        }
      },
      {
        "versionName"         : "<encryptionVersionName>",
        "iv"                  : "<iv>",            //base64
        "encryptedKeyVersion" : {
            "versionName"       : "EEK",
            "material"          : "<material>",    //base64
        }
      },
      ...
    ]
{noformat}

bq. should the last parameter be Map.class?
The {{response}} is a List<Map>, hence List.class.

bq. Question: is there a practical size limit for a KMS request?
Not on the request itself, but the client sending it and the server receiving 
it both need to be able to hold and parse it. As it turned out from HDFS-10899, 
bigger than 2k may trigger edit log sync and impact performance.
For KMS here, I added a static 10k {{maxNumPerBatch}} as a safeguard too. 
Security-wise okay be cause ACL is checked before iterating through the json 
payload.

> Add batched reencryptEncryptedKey interface to KMS
> --------------------------------------------------
>
>                 Key: HADOOP-14705
>                 URL: https://issues.apache.org/jira/browse/HADOOP-14705
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: kms
>            Reporter: Xiao Chen
>            Assignee: Xiao Chen
>         Attachments: HADOOP-14705.01.patch, HADOOP-14705.02.patch, 
> HADOOP-14705.03.patch
>
>
> HADOOP-13827 already enabled the KMS to re-encrypt a {{EncryptedKeyVersion}}.
> As the performance results of HDFS-10899 turns out, communication overhead 
> with the KMS occupies the majority of the time. So this jira proposes to add 
> a batched interface to re-encrypt multiple EDEKs in 1 call.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org