[ https://issues.apache.org/jira/browse/HADOOP-10863?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14116055#comment-14116055 ]

Alejandro Abdelnur commented on HADOOP-10863:
---------------------------------------------

On the patch, looks good, a few minor things:

KMS.java: introduces a few unused imports

KMSACLs.java: the hasAccess() method can be rewritten as:

{code}
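  public boolean hasAccess(Type type, UserGroupInformation ugi) {
    // The user must first be allowed by the regular ACL for this operation type.
    boolean access = acls.get(type).isUserAllowed(ugi);
    if (access) {
      // A blacklist entry, when one is configured for the type, overrides the allow.
      AccessControlList blacklist = blacklistedAcls.get(type);
      access = (blacklist == null) || !blacklist.isUserInList(ugi);
    }
    return access;
  }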
{code}

Documentation is missing.

Regarding [~benoyantony], I think it makes sense to normalize ACL properties to 
follow the syntax used in the rest of Hadoop.  Regarding the uppercase 
concerns, properties are case sensitive, so if documented as (i.e.) CREATE, it 
should be fine. Otherwise, we can make the ENUM parsing case insensitive in 
KMS.

> KMS should have a blacklist for decrypting EEKs
> -----------------------------------------------
>
>                 Key: HADOOP-10863
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10863
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 3.0.0
>            Reporter: Alejandro Abdelnur
>            Assignee: Arun Suresh
>         Attachments: HADOOP-10863.1.patch, HADOOP-10863.2.patch, 
> HADOOP-10863.3.patch
>
>
> In particular, we'll need to put HDFS admin user there by default to prevent 
> an HDFS admin from getting file encryption keys.



--
This message was sent by Atlassian JIRA
(v6.2#6252)