[
https://issues.apache.org/jira/browse/HDFS-11210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15857057#comment-15857057
]
Xiao Chen commented on HDFS-11210:
----------------------------------
Thanks Andrew, if you have any other comments, please don't hold back. :)
bq. Noticed you changed indexFor from modulo to a mask. What was the reason for
this? The masking only works when the array size is a power of 2.
Because I forgot to change the symbol bit to 0, hence all those test failures
when {{int hashCode}} return a negative value. Instead of modulo then 0-out the
first bit, I figured masking it once is more elegant.
True it'll be problematic when array size isn't 2, maybe add a comment for
future since array size is hardcoded currently?
And finally we have the item in NN:
bq. The Client instance inside NN(s), and corresponding cache(s). When {{hadoop
key roll}} is succeeded, the client provider inside NN should be drained too.
Still think my 1st comment of {{invalidateCache}} when receiving re-encrypt is
the way to go, and should probably add that line to the mighty HDFS-10899....
> Enhance key rolling to guarantee new KeyVersion is returned from
> generateEncryptedKeys after a key is rolled
> ------------------------------------------------------------------------------------------------------------
>
> Key: HDFS-11210
> URL: https://issues.apache.org/jira/browse/HDFS-11210
> Project: Hadoop HDFS
> Issue Type: Improvement
> Components: encryption, kms
> Affects Versions: 2.6.5
> Reporter: Xiao Chen
> Assignee: Xiao Chen
> Attachments: HDFS-11210.01.patch, HDFS-11210.02.patch,
> HDFS-11210.03.patch, HDFS-11210.04.patch, HDFS-11210.05.patch
>
>
> To support re-encrypting EDEK, we need to make sure after a key is rolled, no
> old version EDEKs are used anymore. This includes various caches when
> generating EDEK.
> This is not true currently, simply because no such requirements / necessities
> before.
> This includes
> - Client Provider(s), and corresponding cache(s).
> When LoadBalancingKMSCP is used, we need to clear all KMSCPs.
> - KMS server instance(s), and corresponding cache(s)
> When KMS HA is configured with multiple KMS instances, only 1 will receive
> the {{rollNewVersion}} request, we need to make sure other instances are
> rolled too.
> - The Client instance inside NN(s), and corresponding cache(s)
> When {{hadoop key roll}} is succeeded, the client provider inside NN should
> be drained too.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
