[ https://issues.apache.org/jira/browse/HADOOP-10863?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14112401#comment-14112401 ]
Benoy Antony commented on HADOOP-10863:
---------------------------------------
Though the operation name stands out in the property name, it comes at the
price of making it error prone due to administrators typing in the wrong case. I
believe we need to make the ACL key names consistent across Hadoop as much as
possible.
There are 3 inconsistencies in ACL keys for KMS and hadoop service
authorization.
# *.acl* comes at the end in service ACLs whereas it comes in the middle for
KMS ACLs.
# *.acl.blocked* is used for blocked service users, *.blacklist* is used for
blocked KMS users.
# All the keys are in lowercase in service ACLs whereas some parts of KMS ACLs
are in uppercase.
The problem exists for both types of KMS ACLs (regular ACLs and blacklists).
So this could be fixed as a separate JIRA, if it makes sense.
> KMS should have a blacklist for decrypting EEKs
> -----------------------------------------------
>
> Key: HADOOP-10863
> URL: https://issues.apache.org/jira/browse/HADOOP-10863
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Affects Versions: 3.0.0
> Reporter: Alejandro Abdelnur
> Assignee: Arun Suresh
> Attachments: HADOOP-10863.1.patch, HADOOP-10863.2.patch,
> HADOOP-10863.3.patch
>
>
> In particular, we'll need to put HDFS admin user there by default to prevent
> an HDFS admin from getting file encryption keys.