[ https://issues.apache.org/jira/browse/HDFS-6134?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14095129#comment-14095129 ]

Larry McCay commented on HDFS-6134:
-----------------------------------

Hey [~tucu00] - I need a little more clarification here. When you describe 
webhdfs authenticating as 'hdfs' while it is accessing a file on behalf of an 
end user - are you referring to the fact that the services authenticate to one 
another even though the effective user (via doas) will be the end user and 
therefore the authorization will be checking the end user's permissions? If so, 
isn't this the same for httpfs?

What keeps an admin from using httpfs to gain access to decrypt encrypted 
files? If an admin can authenticate as an end user to either proxy then it 
seems they will be able to gain access.

I must be missing some nuance about webhdfs and hdfs user.
That doesn't lessen my concern about webhdfs not being considered a trusted API 
to encrypted files though.

> Transparent data at rest encryption
> -----------------------------------
>
>                 Key: HDFS-6134
>                 URL: https://issues.apache.org/jira/browse/HDFS-6134
>             Project: Hadoop HDFS
>          Issue Type: New Feature
>          Components: security
>    Affects Versions: 3.0.0, 2.3.0
>            Reporter: Alejandro Abdelnur
>            Assignee: Charles Lamb
>         Attachments: HDFS-6134.001.patch, HDFS-6134.002.patch, 
> HDFS-6134_test_plan.pdf, HDFSDataatRestEncryption.pdf, 
> HDFSDataatRestEncryptionProposal_obsolete.pdf, 
> HDFSEncryptionConceptualDesignProposal-2014-06-20.pdf
>
>
> Because of privacy and security regulations, for many industries, sensitive 
> data at rest must be in encrypted form. For example: the healthcare industry 
> (HIPAA regulations), the card payment industry (PCI DSS regulations) or the 
> US government (FISMA regulations).
> This JIRA aims to provide a mechanism to encrypt HDFS data at rest that can 
> be used transparently by any application accessing HDFS via Hadoop Filesystem 
> Java API, Hadoop libhdfs C library, or WebHDFS REST API.
> The resulting implementation should be able to be used in compliance with 
> different regulation requirements.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
