[
https://issues.apache.org/jira/browse/HADOOP-10863?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14111572#comment-14111572
]
Alejandro Abdelnur commented on HADOOP-10863:
---------------------------------------------
It seems to me that the blacklist is a KMSACLs concern. I would have a
{{isBlackListedForDecryptingKeys(String user)}} method there and load the value
from the kms-acls.xml file. Also, I would not bother on defining 2 configs
(HDFS_ADMIN_USER and BLACKLISTED_USERS), just one
BLACKLISTED_FOR_DECRYPTION_USER.
> KMS should have a blacklist for decrypting EEKs
> -----------------------------------------------
>
> Key: HADOOP-10863
> URL: https://issues.apache.org/jira/browse/HADOOP-10863
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Affects Versions: 3.0.0
> Reporter: Alejandro Abdelnur
> Assignee: Arun Suresh
> Attachments: HADOOP-10863.1.patch
>
>
> In particular, we'll need to put HDFS admin user there by default to prevent
> an HDFS admin from getting file encryption keys.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
