[ https://issues.apache.org/jira/browse/HDFS-13009?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16334973#comment-16334973 ]

Andrew Wang commented on HDFS-13009:
------------------------------------

Hi Rushabh,

The original design intent of the zone was to make the security properties 
easier to reason about, since the entire directory is encrypted, and with the 
same encryption key. Many of our security-conscious users want everything in 
HDFS encrypted, and the presence of any unencrypted data would be a compliance 
issue. So, I don't think we can change the default semantics of the zone, 
though possibly we could add a flag or new concept to support the use case you 
describe.

IIUC, the motivation is to make the initial encryption process easier, with the 
goal of encrypting everything within the directory? In any case, the encryption 
of existing data still happens via copies which might blow quotas. I think this 
change helps with encrypting the newly written data, but not that much with the 
quota problem when converting existing data.

> Creation of Encryption zone should succeed even if directory is not empty.
> --------------------------------------------------------------------------
>
>                 Key: HDFS-13009
>                 URL: https://issues.apache.org/jira/browse/HDFS-13009
>             Project: Hadoop HDFS
>          Issue Type: Improvement
>          Components: encryption
>            Reporter: Rushabh S Shah
>            Assignee: Rushabh S Shah
>            Priority: Major
>
> Currently we have a restriction that creation of an encryption zone can be done 
> only on an empty directory.
> This jira is to remove that restriction.
> Motivation:
> New customers who want to start using Encryption zone can make an existing 
> directory encrypted.
> They will be able to read the old data as it is and will be decrypting the 
> newly written data.
> Internally we have many customers asking for this feature.
> Currently they have to ask for more space quota and encrypt the old data.
> This will make their life much easier.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
