[
https://issues.apache.org/jira/browse/HADOOP-10863?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14111832#comment-14111832
]
Benoy Antony edited comment on HADOOP-10863 at 8/27/14 4:34 AM:
----------------------------------------------------------------
Service authorization policies has different naming convention for ACLS and
blacklists compared to KMS ACLS.
*Sample Service authorization ACL entry keys*
{code}
security.refresh.user.mappings.protocol.acl
security.refresh.user.mappings.protocol.acl.blocked (blacklists)
{code}
*Sample KMS ACL entry keys*
{code}
hadoop.kms.acl.CREATE
hadoop.kms.blacklist.CREATE
{code}
Can we please follow a uniform naming scheme for both types of ACLs ?
Also it will be good to keep the keys in lowercase.
was (Author: benoyantony):
Service authorization policies has different naming convention for ACLS and
blacklists compared to KMS ACLS.
*Sample Service authorization ACL entry keys*
security.refresh.user.mappings.protocol.acl and
security.refresh.user.mappings.protocol.acl.blocked (blacklists)
*Sample KMS ACL entry keys*
hadoop.kms.acl.CREATE and hadoop.kms.blacklist.CREATE
Can we please follow a uniform naming scheme for both types of ACLs ?
Also it will be good to keep the keys in lowercase.
> KMS should have a blacklist for decrypting EEKs
> -----------------------------------------------
>
> Key: HADOOP-10863
> URL: https://issues.apache.org/jira/browse/HADOOP-10863
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Affects Versions: 3.0.0
> Reporter: Alejandro Abdelnur
> Assignee: Arun Suresh
> Attachments: HADOOP-10863.1.patch, HADOOP-10863.2.patch,
> HADOOP-10863.3.patch
>
>
> In particular, we'll need to put HDFS admin user there by default to prevent
> an HDFS admin from getting file encryption keys.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
