[
https://issues.apache.org/jira/browse/HDFS-10899?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15605457#comment-15605457
]
Suraj Acharya commented on HDFS-10899:
--------------------------------------
{quote}I have a mixed feeling of this. As listed in the Alternatives of 'HDFS
client-side', it is more admin-friendly. But it will also make the already
not-so-friendly ACLs more complex.{quote}
Doesn't Roll key already have an underlying generate EEK as warming of edeks?
Since you mentioned re-encrypt will have the same ACLs as generate EEK I think
we should be okay. That was my thinking.
{quote}Also, in this example, to support the scenario where admin accidentally
missed a zone 'd', we still need the reencrypt command to re-encrypt it. {quote}
Regarding this my thought was that they can use the rencrypt zone command/
endpoint to re-encrypt zone 'd' (point1)
> Add functionality to re-encrypt EDEKs.
> --------------------------------------
>
> Key: HDFS-10899
> URL: https://issues.apache.org/jira/browse/HDFS-10899
> Project: Hadoop HDFS
> Issue Type: New Feature
> Components: encryption, kms
> Reporter: Xiao Chen
> Assignee: Xiao Chen
> Attachments: Re-encrypt edek design doc.pdf
>
>
> Currently when an encryption zone (EZ) key is rotated, it only takes effect
> on new EDEKs. We should provide a way to re-encrypt EDEKs after the EZ key
> rotation, for improved security.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
