[jira] [Commented] (HDFS-6387) HDFS CLI admin tool for creating & deleting an encryption zone

Thu, 29 May 2014 11:34:45 -0700 

    [ 
https://issues.apache.org/jira/browse/HDFS-6387?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14012661#comment-14012661
 ] 

Andrew Wang commented on HDFS-6387:
-----------------------------------

Hey Charles,

My understanding is that an EZ is an HDFS specific concept right now, so I'd 
rather put these methods in HdfsAdmin (the place to expose public HDFS methods) 
rather than FileSystem.

Creating and deleting EZs I believe should also be an admin-only operation, so 
it seems somewhat odd to add parameters to mkdir/mkdirs to also specify it as 
an encryption zone. Maybe we just make it a new RPC, which only works on an 
empty directory? We should also consider making a new hdfs shell subcommand 
like CacheAdmin for these new operations, e.g. {{hdfs enc}} or {{hdfs crypto}}.

One question on deleting an EZ: is this an {{rm -rf}}? I think it's better 
*not* do this. {{rm -rf}} on an encryption root will already necessarily remove 
the EZ, and there might be some reason an admin wants to remove an EZ without 
deleting the contained data. If this is not a useful workflow, then we might 
not even need deleteEZ, since {{rm}} already takes care of this.

On user visibility into encryption zones, I think it's important that users 
have some understanding of if a path is within an EZ, and which EZ. This is 
because we'll be restricting operations like renaming between EZs, and we 
should provide the user some mental model for if an operation will or won't 
work beyond making them blindly probe to see what works.

To that end, maybe we could have a command like {{-listZones}} which lists the 
roots of all the EZs which the user has permission to know about, and 
{{-listZones -v}} would let the admin also show the key-id/key-version}}. If we 
want to be ambitious, {{-listZones <path>}} would also be nice, to show the EZ 
root for a path, if it's within an EZ and the user has permission.

Hope that covered all your q's, other thoughts welcome :)

> HDFS CLI admin tool for creating & deleting an encryption zone
> --------------------------------------------------------------
>
>                 Key: HDFS-6387
>                 URL: https://issues.apache.org/jira/browse/HDFS-6387
>             Project: Hadoop HDFS
>          Issue Type: Sub-task
>          Components: namenode, security
>            Reporter: Alejandro Abdelnur
>            Assignee: Charles Lamb
>
> CLI admin tool to create/delete an encryption zone in HDFS.



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Reply via email to