[jira] [Commented] (HADOOP-11862) Add support key share across KMS instances for KMS HA

Wed, 22 Apr 2015 00:33:52 -0700 

    [ 
https://issues.apache.org/jira/browse/HADOOP-11862?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14506581#comment-14506581
 ] 

Arun Suresh commented on HADOOP-11862:
--------------------------------------

[~dengxiumao], technically KMS is a proxy for an actual key provider, that, in 
addition to creating/storing/deleting the keys, generates EDEKs for keys and 
decrypts them to corresponding DEKs. It also caches the keys in memory. It 
delegates the Key store/retrieve/delete operations to a backing keyprovider 
specified by the *hadoop.kms.key.provider.uri* specified in the *kms-site.xml* 
conf file. The only concrete implementation (shipped with hadoop) of a 
KeyProvider is currently the {{JavaKeyStoreProvider}}.

Consider the following deployment scenario :
# *KMS1* configured with *hadoop.kms.key.provider.uri* as "jcek://file@...". 
and thus will delegate to a {{JavaKeyStoreProvider}}
# *KMS2* configured with *hadoop.kms.key.provider.uri*  as "kms://http@KMS1.." 
and thus will delegate Key create/store/rollover/delete operations to KMS1 but 
will provide generate/decrypt operations. It also caches the Keys for faster 
access
# *KMS3* ALSO configured with *hadoop.kms.key.provider.uri*  as 
"kms://http@KMS1.." and thus will, like KMS2 delegate Key 
create/store/rollover/delete operations to KMS1 but will provide 
generate/decrypt operations.

Now if we set the *hadoop.security.key.provider.path*  to the special 
loadbalancing url : "kms://http@KM1_HOST;KMS2_HOST:16000/kms", then all 
requests will be loadbalanced across KMS2 and KMS3 and keys will be shared.

> Add support key share across KMS instances for KMS HA
> -----------------------------------------------------
>
>                 Key: HADOOP-11862
>                 URL: https://issues.apache.org/jira/browse/HADOOP-11862
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: kms
>    Affects Versions: 2.6.0
>            Reporter: dengxiumao
>              Labels: kms
>
> The patch [HADOOP-11620|https://issues.apache.org/jira/browse/HADOOP-11620] 
> only supports specification of multiple hostnames in the kms key provider 
> uri. it means that it support config as:
> {quote}
> <property>
>  <name>hadoop.security.key.provider.path</name>
>  <value>kms://http@[HOSTNAME1];[HOSTNAME2]:16000/kms</value>
> </property>
> {quote}
> but HA is still not available, keys can not share across KMS instances, if 
> one of KMS instances goes down, Encrypted files, which encrypted by the keys 
> in the KMS,  can not be read.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to