[
https://issues.apache.org/jira/browse/HADOOP-10719?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14044152#comment-14044152
]
Alejandro Abdelnur commented on HADOOP-10719:
---------------------------------------------
OK, here is my thinking on how this could be done following Andrew's suggestion.
* HDFS would wrap the {{KeyProvider}} instance with a
{{KeyProviderCryptoExtensions}}
* {{KeyProviders}} may implement the {{Extensions}} interface to provide the
extensions functionality
* {{KeyProviders}} not implementing the {{Extensions}} interface will work via
a default implementation
* {{KeyProviders}} implementing the {{Extensions}} interface will be able to do
any necessary optimizations (like doing things on the server side, caching,
pre-generation of EDEKs)
The {{KeyProviderCryptoExtensions}} API would be something like:
{code}
public class KeyProviderCryptoExtensions extends KeyProvider {
public class EncryptedKeyVersion {
public EncryptedKeyVersion(KeyVersion encryptionk, byte[] iv, KeyVersion
encryptedK) {...}
public KeyProvider.KeyVersion getEncryptionKey() {...}
public byte[] getIV() {...}
public KeyProvider.KeyVersion getEncryptedKey() {...}
}
public interface Extensions {
public EncryptedKeyVersion generateEncryptedKey(
KeyVersion encryptionKeyVersion);
public KeyVersion decryptEncryptedKey(
EncryptedKeyVersion encryptedKeyVersion);
}
private static class DefaultExtensions implements Extensions {
DefaultExtensions(KeyProvider kp) {...}
...
}
private KeyProvider keyProvider;
private Extensions extensions;
public KeyProviderCryptoExtensions(KeyProvider kp) {
keyProvider = kp;
if (kp instanceof Extensions) {
extensions = (Extensions) kp;
} else {
extensions = new DefaultExtensions(kp);
}
}
//all KeyProvider methods should delegate to keyProvider instance
public EncryptedKeyVersion generateEncryptedKey(KeyVersion
encryptionKeyVersion) {
return extensions.generateEncryptedKey(encryptionKeyVersion);
}
public KeyVersion decryptEncryptedKey(EncryptedKeyVersion
encryptedKeyVersion) {
return extensions.decryptEncryptedKey(encryptedKeyVersion);
}
}
{code}
> Add generateEncryptedKey and decryptEncryptedKey methods to KeyProvider
> -----------------------------------------------------------------------
>
> Key: HADOOP-10719
> URL: https://issues.apache.org/jira/browse/HADOOP-10719
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Affects Versions: 3.0.0
> Reporter: Alejandro Abdelnur
> Assignee: Alejandro Abdelnur
> Attachments: HADOOP-10719.patch, HADOOP-10719.patch,
> HADOOP-10719.patch, HADOOP-10719.patch, HADOOP-10719.patch
>
>
> This is a follow up on
> [HDFS-6134|https://issues.apache.org/jira/browse/HDFS-6134?focusedCommentId=14036044&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-14036044]
> KeyProvider API should have 2 new methods:
> * KeyVersion generateEncryptedKey(String keyVersionName, byte[] iv)
> * KeyVersion decryptEncryptedKey(String keyVersionName, byte[] iv, KeyVersion
> encryptedKey)
> The implementation would do a known transformation on the IV (i.e.: xor with
> 0xff the original IV).
--
This message was sent by Atlassian JIRA
(v6.2#6252)
