[ https://issues.apache.org/jira/browse/HIVE-7934?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Xiaomeng Huang updated HIVE-7934:
---------------------------------
    Description: 
HIVE-6329 currently provides a framework for column-level encryption/decryption, but its implementation only uses Base64. Base64 is a keyless encoding rather than encryption, so it is not safe, and it has some problems: with Base64WriteOnly, every user can get only the ciphertext from the client, and with Base64Rewriter, every user can get the plaintext from the client.
I have an improvement based on HIVE-7934 that uses key management.
{code}
-- region-aes-column.q
set hive.encrypt.key=123456789;
set hive.encrypt.iv=123456;
drop table region_aes_column;
create table region_aes_column (r_regionkey int, r_name string) ROW FORMAT SERDE 'org.apache.hadoop.hive.serde2.lazy.LazySimpleSerDe'
WITH SERDEPROPERTIES ('column.encode.columns'='r_name', 'column.encode.classname'='org.apache.hadoop.hive.serde2.aes.AESRewriter')
STORED AS TEXTFILE;
insert overwrite table region_aes_column
select
r_regionkey, r_name
from region;
hive> select * from region_aes_column;
OK
0 /q5RTO1X
1 /qVGV+dV3g==
2 /rtKRA==
3 +r1RSv5T
4 8qFHQeJTvxWUadw=
Time taken: 0.666 seconds, Fetched: 5 row(s)
hive> set hive.encrypt.key=123456789;
hive> set hive.encrypt.iv=123456;
hive> select * from region_aes_column;
OK
0 AFRICA
1 AMERICA
2 ASIA
3 EUROPE
4 MIDDLE EAST
Time taken: 0.714 seconds, Fetched: 5 row(s)
{code}

  was:
HIVE-6329 currently provides a framework for column-level encryption/decryption, but its implementation only uses Base64. Base64 is a keyless encoding rather than encryption, so it is not safe, and it has some problems: with Base64WriteOnly, every user can get only the ciphertext from the client, and with Base64Rewriter, every user can get the plaintext from the client.
I have an improvement based on HIVE-7934 that uses key management.
{code}
-- region-aes-column.q
set hive.encrypt.key=123456789;
set hive.encrypt.iv=123456;
drop table region_aes_column;
create table region_aes_column (r_regionkey int, r_name string) ROW FORMAT SERDE 'org.apache.hadoop.hive.serde2.lazy.LazySimpleSerDe'
WITH SERDEPROPERTIES ('column.encode.columns'='r_name', 'column.encode.classname'='org.apache.hadoop.hive.serde2.aes.AESRewriter', 'column.encode.key'='123456789', 'column.encode.iv'='123456')
STORED AS TEXTFILE;
insert overwrite table region_aes_column
select
r_regionkey, r_name
from region;
hive> select * from region_aes_column;
OK
0 /q5RTO1X
1 /qVGV+dV3g==
2 /rtKRA==
3 +r1RSv5T
4 8qFHQeJTvxWUadw=
Time taken: 0.666 seconds, Fetched: 5 row(s)
hive> set hive.encrypt.key=123456789;
hive> set hive.encrypt.iv=123456;
hive> select * from region_aes_column;
OK
0 AFRICA
1 AMERICA
2 ASIA
3 EUROPE
4 MIDDLE EAST
Time taken: 0.714 seconds, Fetched: 5 row(s)
{code}

> Improve column level encryption with key management
> ---------------------------------------------------
>
> Key: HIVE-7934
> URL: https://issues.apache.org/jira/browse/HIVE-7934
> Project: Hive
> Issue Type: Improvement
> Reporter: Xiaomeng Huang
> Assignee: Xiaomeng Huang
> Priority: Minor
>
> HIVE-6329 currently provides a framework for column-level
> encryption/decryption, but its implementation only uses Base64. Base64 is a
> keyless encoding rather than encryption, so it is not safe, and it has some
> problems: with Base64WriteOnly, every user can get only the ciphertext from
> the client, and with Base64Rewriter, every user can get the plaintext from
> the client.
> I have an improvement based on HIVE-7934 that uses key management.
> {code}
> -- region-aes-column.q
> set hive.encrypt.key=123456789;
> set hive.encrypt.iv=123456;
> drop table region_aes_column;
> create table region_aes_column (r_regionkey int, r_name string) ROW FORMAT
> SERDE 'org.apache.hadoop.hive.serde2.lazy.LazySimpleSerDe'
> WITH SERDEPROPERTIES ('column.encode.columns'='r_name',
> 'column.encode.classname'='org.apache.hadoop.hive.serde2.aes.AESRewriter')
> STORED AS TEXTFILE;
> insert overwrite table region_aes_column
> select
> r_regionkey, r_name
> from region;
> hive> select * from region_aes_column;
> OK
> 0 /q5RTO1X
> 1 /qVGV+dV3g==
> 2 /rtKRA==
> 3 +r1RSv5T
> 4 8qFHQeJTvxWUadw=
> Time taken: 0.666 seconds, Fetched: 5 row(s)
> hive> set hive.encrypt.key=123456789;
> hive> set hive.encrypt.iv=123456;
> hive> select * from region_aes_column;
> OK
> 0 AFRICA
> 1 AMERICA
> 2 ASIA
> 3 EUROPE
> 4 MIDDLE EAST
> Time taken: 0.714 seconds, Fetched: 5 row(s)
> {code}

--
This message was sent by Atlassian JIRA (v6.3.4#6332)