[jira] [Comment Edited] (HADOOP-14705) Add batched reencryptEncryptedKey interface to KMS

Thu, 17 Aug 2017 15:20:28 -0700 

    [ 
https://issues.apache.org/jira/browse/HADOOP-14705?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16131330#comment-16131330
 ] 

Wei-Chiu Chuang edited comment on HADOOP-14705 at 8/17/17 10:19 PM:
--------------------------------------------------------------------

Thanks for the new patch, Xiao.

Looking at rev 007, I feel like adding an artificial, hard-coded limit of size 
of payload is not the best approach.
{code:title=EagerKeyGeneratorKeyProviderCryptoExtension#reencryptEncryptedKeys}
Preconditions.checkArgument(jsonPayload.size() <= MAX_NUM_PER_BATCH,
                  "jsonPayload too many objects");
{code}
I would actually prefer to log a warning if the size exceed a certain limit, 
than rejecting it right away.

After adding this interface, does it deprecate the old reencrypt interface 
added in HADOOP-13827?

Regarding doc: it might be useful to mention the batch reencryption interface 
only supports EEKs in the same encryption zone (or has the same EK)


was (Author: jojochuang):
Thanks for the new patch, Xiao.

Looking at rev 007, I feel like adding an artificial, hard-coded limit of size 
of payload is not the best approach.
{code:title=EagerKeyGeneratorKeyProviderCryptoExtension#reencryptEncryptedKeys}
Preconditions.checkArgument(jsonPayload.size() <= MAX_NUM_PER_BATCH,
                  "jsonPayload too many objects");
{code}
I would actually prefer to log a warning if the size exceed a certain limit, 
than rejecting it right away.

After adding this interface, does it deprecate the old reencrypt interface 
added in HADOOP-13827?

> Add batched reencryptEncryptedKey interface to KMS
> --------------------------------------------------
>
>                 Key: HADOOP-14705
>                 URL: https://issues.apache.org/jira/browse/HADOOP-14705
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: kms
>            Reporter: Xiao Chen
>            Assignee: Xiao Chen
>         Attachments: HADOOP-14705.01.patch, HADOOP-14705.02.patch, 
> HADOOP-14705.03.patch, HADOOP-14705.04.patch, HADOOP-14705.05.patch, 
> HADOOP-14705.06.patch, HADOOP-14705.07.patch
>
>
> HADOOP-13827 already enabled the KMS to re-encrypt a {{EncryptedKeyVersion}}.
> As the performance results of HDFS-10899 turns out, communication overhead 
> with the KMS occupies the majority of the time. So this jira proposes to add 
> a batched interface to re-encrypt multiple EDEKs in 1 call.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

Reply via email to