Benoy Antony created HDFS-6201:
----------------------------------
Summary: Get EncryptionKey from NN only if data transfer
encryption is required
Key: HDFS-6201
URL: https://issues.apache.org/jira/browse/HDFS-6201
Project: Hadoop HDFS
Issue Type: Improvement
Components: security
Reporter: Benoy Antony
Assignee: Benoy Antony

HDFS-5910 allowed data transfer encryption to be decided by custom logic based
on the IP address of client and datanode. This is on top of the
_dfs.encrypt.data.transfer_ flag.

There are some invocations where encryptionkey is fetched first and the
datanode is identified later. In these cases, encryptionkey is fetched after
invoking the custom logic without the IP address of the datanode. This might
result in fetching encryptionkey when it is not required and vice
versa.

To correct this, a refactoring is required so that encryptionkey is fetched
only when it is required.

Per [~arpitagarwal] on HDFS-5910
{quote}
For the usage in getDataEncryptionKey(), we can refactor to pass a functor as
the encryption key to e.g. getFileChecksum. However I am okay with doing the
refactoring in a separate change. We can leave the parameter-less overload of
isTrusted for now and just use it from getEncryptionKey and file a separate Jira
to fix it.
{quote}
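
The refactoring described in this issue, sketched as an added example (not code from the Hadoop project or from the issue's participants): the key is passed as a supplier and resolved only once the datanode address is known. The class, the method names, the 10.0.0.0/8 trust rule and the addresses are all hypothetical, and the eager form shows only the unnecessary-fetch case.

```java
import java.net.InetAddress;
import java.util.function.Predicate;
import java.util.function.Supplier;

// Added illustration; every name here is a hypothetical stand-in, not a Hadoop class.
public class LazyEncryptionKeyDemo {
    static int nnKeyRpcs = 0; // counts simulated NameNode round trips for a key

    // Stand-in for the NameNode RPC that returns a data encryption key.
    static byte[] fetchKeyFromNameNode() {
        nnKeyRpcs++;
        return new byte[] {1, 2, 3}; // constructed placeholder, not real key material
    }

    // Eager form: the key is fetched before the datanode is known, so the
    // fetch decision can only use the global flag, never the datanode address.
    static byte[] eager(boolean encryptFlag, Predicate<InetAddress> trusted, InetAddress dn) {
        byte[] key = encryptFlag ? fetchKeyFromNameNode() : null;
        return (encryptFlag && !trusted.test(dn)) ? key : null; // key may go unused
    }

    // Lazy form: the caller passes a supplier; it is invoked only after the
    // datanode address is known and the per-address check asks for encryption.
    static byte[] lazy(boolean encryptFlag, Predicate<InetAddress> trusted,
                       InetAddress dn, Supplier<byte[]> keySupplier) {
        if (!encryptFlag || trusted.test(dn)) {
            return null; // plaintext transfer, no NameNode round trip
        }
        return keySupplier.get();
    }

    public static void main(String[] args) throws Exception {
        // Constructed addresses: 10.0.0.0/8 is treated as the trusted network.
        Predicate<InetAddress> trusted = a -> (a.getAddress()[0] & 0xff) == 10;
        InetAddress inside = InetAddress.getByAddress(new byte[] {10, 0, 0, 5});
        InetAddress outside = InetAddress.getByAddress(new byte[] {(byte) 192, 0, 2, 7});

        eager(true, trusted, inside);
        System.out.println("eager, trusted datanode:  key RPCs = " + nnKeyRpcs);
        nnKeyRpcs = 0;
        lazy(true, trusted, inside, LazyEncryptionKeyDemo::fetchKeyFromNameNode);
        System.out.println("lazy, trusted datanode:   key RPCs = " + nnKeyRpcs);
        byte[] k = lazy(true, trusted, outside, LazyEncryptionKeyDemo::fetchKeyFromNameNode);
        System.out.println("lazy, untrusted datanode: key RPCs = " + nnKeyRpcs
                + ", key present = " + (k != null));
    }
}
```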