Wei-Chiu Chuang created HDFS-15230:
--------------------------------------

             Summary: Sanity check should not assume key base name can be derived from version name
                 Key: HDFS-15230
                 URL: https://issues.apache.org/jira/browse/HDFS-15230
             Project: Hadoop HDFS
          Issue Type: Bug
            Reporter: Wei-Chiu Chuang


HDFS-14884 checks if the encryption info of a file matches the encryption zone 
key.

{code}
        if (!KeyProviderCryptoExtension.
                getBaseName(keyVersionName).equals(zoneKeyName)) {
          throw new IllegalArgumentException(String.format(
                  "KeyVersion '%s' does not belong to the key '%s'",
                  keyVersionName, zoneKeyName));
        }
{code}
Here it assumes the "base name" can be derived from key version name, and that 
the base name should be the same as zone key.

However, there is no published definition of what a key version name should be. 

While the code works for the built-in JKS key provider, it may not work for 
other kinds of key providers. (Specifically, it breaks Cloudera's KeyTrustee KMS 
KeyProvider.)
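
The failure mode described above, as an added example (not Hadoop code and not from the reporter). It assumes the parsing rule is "everything before the last `@`" and contrasts it with asking the provider which key owns a version; `VersionLookup`, the key names and the opaque version id are hypothetical stand-ins.

```java
import java.util.Map;

// Added illustration; not Hadoop source. All names and values are constructed.
public class KeyVersionCheckDemo {

  // Hypothetical stand-in for a key provider lookup: version name -> owning key name.
  interface VersionLookup {
    String keyNameOf(String keyVersionName);
  }

  // Assumed parsing rule: the base name is everything before the last '@'.
  static String baseNameByParsing(String keyVersionName) {
    int div = keyVersionName.lastIndexOf('@');
    if (div == -1) {
      throw new IllegalArgumentException("No version in " + keyVersionName);
    }
    return keyVersionName.substring(0, div);
  }

  // Check in the style of the snippet above: it trusts the string format.
  static boolean parsedCheck(String keyVersionName, String zoneKeyName) {
    try {
      return baseNameByParsing(keyVersionName).equals(zoneKeyName);
    } catch (IllegalArgumentException e) {
      return false; // an opaque version name cannot be parsed at all
    }
  }

  // Provider-agnostic check: ask the provider which key owns the version.
  static boolean lookupCheck(VersionLookup provider, String keyVersionName,
      String zoneKeyName) {
    return zoneKeyName.equals(provider.keyNameOf(keyVersionName));
  }

  public static void main(String[] args) {
    // Constructed sample data: two "name@version" ids and one opaque id.
    Map<String, String> owner = Map.of(
        "zonekey@0", "zonekey",
        "a1b2c3d4e5", "zonekey",
        "otherkey@3", "otherkey");
    VersionLookup provider = owner::get;
    for (String v : owner.keySet()) {
      System.out.printf("%-12s parsed=%-5b lookup=%b%n",
          v, parsedCheck(v, "zonekey"), lookupCheck(provider, v, "zonekey"));
    }
  }
}
```

The opaque id belongs to `zonekey` yet fails the parsed check, which is the false rejection the report describes; both checks still reject the version that belongs to `otherkey`.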


