[ https://issues.apache.org/jira/browse/HDFS-9644?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15143406#comment-15143406 ]

Andrew Wang commented on HDFS-9644:
-----------------------------------
Overall looks good, thanks for fixing the anchors. A few comments:
* Rather than "lowest ancestor" I would say "closest ancestor" since trees can
be drawn splaying upwards.
* Recommend introducing the section with the rename restriction before
explaining why, e.g. "HDFS restricts renames into and out of an encryption
zone. This includes renames of unencrypted contents into...<give some
examples>".
* "All file EDEKs under an encryption zone are generated with its encryption
zone key." Change "generated" to "encrypted" and "its" to "the".
* The reason for the rename restriction is for security / ease of management.
Imagine a situation where an EZ key is compromised. We want a way of
identifying all potentially vulnerable files, and re-encrypting them. This is
easy if all files must remain within the EZ. It's hard if they can be scattered
anywhere around the filesystem. We also store the EZ key version in the xattr,
so there's no memory overhead savings.
* "encryption zone status" is a new phrase and not used again, so I don't think
we need to introduce it.
> Update encryption documentation to reflect nested EZs
> -----------------------------------------------------
>
> Key: HDFS-9644
> URL: https://issues.apache.org/jira/browse/HDFS-9644
> Project: Hadoop HDFS
> Issue Type: New Feature
> Components: documentation, encryption
> Affects Versions: 2.7.1
> Reporter: Zhe Zhang
> Assignee: Zhe Zhang
> Attachments: HDFS-9644.00.patch
>
>