[jira] [Commented] (HDFS-10899) Add functionality to re-encrypt EDEKs.

Mon, 24 Oct 2016 09:34:10 -0700 

    [ 
https://issues.apache.org/jira/browse/HDFS-10899?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15602501#comment-15602501
 ] 

Xiao Chen commented on HDFS-10899:
----------------------------------

Thanks for the comments [~sacharya].

bq. It would be great if this was made as a REST API endpoint along with the 
other key creation/management REST API.
Sure, this will be part of 
http://hadoop.apache.org/docs/r3.0.0-alpha1/hadoop-kms/index.html#KMS_HTTP_REST_API

bq. May be we can add a new parameter to the key roll REST API saying something 
along the lines of roll all the zones with given key
I have a mixed feeling of this. As listed in the Alternatives of 'HDFS 
client-side', it is more admin-friendly. But it will also make the already 
not-so-friendly ACLs more complex.
Also, in this example, to support the scenario where admin accidentally missed 
a zone 'd', we still need the {{reencrypt}} command to re-encrypt it. So I'd 
like to leave out rollover's option for now, and focus on re-encrypt in this 
jira. Can choose to add the option, or maybe {{reencrypt -key}} as an 
improvement later.

bq. Create an endpoint to check the status or reencryption.
Good idea, I was thinking maybe add this to NN webui. Will work on CLI checks 
first and hook up an endpoint afterwards.

> Add functionality to re-encrypt EDEKs.
> --------------------------------------
>
>                 Key: HDFS-10899
>                 URL: https://issues.apache.org/jira/browse/HDFS-10899
>             Project: Hadoop HDFS
>          Issue Type: New Feature
>          Components: encryption, kms
>            Reporter: Xiao Chen
>            Assignee: Xiao Chen
>         Attachments: Re-encrypt edek design doc.pdf
>
>
> Currently when an encryption zone (EZ) key is rotated, it only takes effect 
> on new EDEKs. We should provide a way to re-encrypt EDEKs after the EZ key 
> rotation, for improved security.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to