[
https://issues.apache.org/jira/browse/HADOOP-11335?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14601883#comment-14601883
]
Steve Ross commented on HADOOP-11335:
-------------------------------------
I like the overall premise of this JIRA, particularly the concept of storing
the ACLs with the keys.
Question: If the method for setting ACLs becomes the hadoop command-line
utilities outlined in the design doc, how could one prevent the hadoop admin
from having the ability to give themselves access to decrypt all data?
A key design requirement of HDFS encryption is to be able to restrict HDFS
superusers from having access to key material, thereby providing a layer
protection even against admins. This prevents a malicious superuser from having
access to both (a) all the key material and (b) all the encrypted data, and
thus being able to decrypt everything.
For example, see http://hadoop.apache.org/docs/r2.7.0/hadoop-kms/index.html,
the section titled "KMS Access Control"; the blacklist example includes the
hdfs user.
> KMS ACL in meta data or database
> --------------------------------
>
> Key: HADOOP-11335
> URL: https://issues.apache.org/jira/browse/HADOOP-11335
> Project: Hadoop Common
> Issue Type: Improvement
> Components: kms
> Affects Versions: 2.6.0
> Reporter: Jerry Chen
> Assignee: Dian Fu
> Labels: BB2015-05-TBR, Security
> Attachments: HADOOP-11335.001.patch, HADOOP-11335.002.patch,
> HADOOP-11335.003.patch, HADOOP-11335.004.patch, HADOOP-11335.005.patch,
> HADOOP-11335.006.patch, HADOOP-11335.007.patch, HADOOP-11335.008.patch,
> HADOOP-11335.re-design.patch, KMS ACL in metadata or database.pdf
>
> Original Estimate: 504h
> Remaining Estimate: 504h
>
> Currently Hadoop KMS has implemented ACL for keys and the per key ACL are
> stored in the configuration file kms-acls.xml.
> The management of ACL in configuration file would not be easy in enterprise
> usage and it is put difficulties for backup and recovery.
> It is ideal to store the ACL for keys in the key meta data similar to what
> file system ACL does. In this way, the backup and recovery that works on
> keys should work for ACL for keys too.
> On the other hand, with the ACL in meta data, the ACL of each key can be
> easily manipulate with API or command line tool and take effect instantly.
> This is very important for enterprise level access control management. This
> feature can be addressed by separate JIRA. While with the configuration file,
> these would be hard to provide.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
