[
https://issues.apache.org/jira/browse/HDFS-6134?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14095668#comment-14095668
]
Alejandro Abdelnur commented on HDFS-6134:
------------------------------------------
Let me try to explain things a different way.
When setting up filesystem encryption in HDFS (forget about webhdfs and httpfs
for now), things will be configured so the HDFS superuser cannot retrieve
decrypted 'file encryption keys'. Because the HDFS superuser has access to the
encrypted versions of the files, having access to the decrypted 'file
encryption keys' would allow the HDFS superuser to get access to the decrypted
file. One of the goals of HDFS encryption is to prevent that.
This is achieved by blacklisting the HDFS superuser from retrieving decrypted
'file encryption keys' from the KMS. This blacklist must be enforced on the
real UGI hitting the KMS (regardless of whether it is doing a doAs or not).
If you set up httpfs, it runs using the 'httpfs' user, an HDFS regular user
configured as proxyuser to interact with HDFS and the KMS doing doAs calls.
If you set up webhdfs, it runs using the 'hdfs' user, the HDFS superuser, and
this user will have to be configured as proxyuser in the KMS to work with doAs
calls. Also the 'hdfs' user will have to be removed from the KMS decrypt-keys
blacklist (*and this is the problem*).
Even if you audit the webhdfs code running in the DNs to ensure things are
always done using doAs and that there is no foul play in the DN code there is
an issue. The issue is:
* An HDFS admin logs in to a DN in the cluster as 'hdfs'
* Then he kinits as 'hdfs/HOST'
* Then he curls the KMS asking to decrypt keys as user X doing a doAs
* Because he has access to the encrypted file, and now has the decrypted key,
he gets access to the file in the clear
Hope this clarifies.
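The ordering that the comment above relies on (proxyuser check on the real caller, operation ACL on the effective doAs user, blacklist enforced on the real user whether or not doAs is in play) is easiest to see in a small model of the KMS authorization decision. The block below is an added example, not code from this thread or from the Hadoop KMS itself; the `hadoop.kms.acl.*`, `hadoop.kms.blacklist.*` and `hadoop.kms.proxyuser.*` property names follow the kms-site.xml keys, but the parsing is a simplification, and every user name, host name and value in the three configurations is constructed for illustration. The last scenario is the webhdfs deployment the comment calls the problem: once 'hdfs' is both a KMS proxyuser and off the blacklist, a superuser kinit'ed on a DN can decrypt any user's EEK.

```python
"""Model of the KMS DECRYPT_EEK authorization decision (added example).

Not the Hadoop KMS code: it reproduces the check ordering the comment
describes so the httpfs and webhdfs cases can be compared side by side.
Config dicts below are constructed sample kms-site.xml values.
"""
from typing import Dict, Optional, Set


def _csv(value: str) -> Set[str]:
    """Split a comma-separated KMS property value; '*' means any user/host."""
    return {v.strip() for v in value.split(",") if v.strip()}


def _proxy_allowed(conf: Dict[str, str], real_user: str,
                   proxied_user: str, host: str) -> bool:
    """doAs is honoured only if real_user is a configured proxyuser for
    proxied_user from this host (hadoop.kms.proxyuser.<user>.users/.hosts)."""
    users = _csv(conf.get(f"hadoop.kms.proxyuser.{real_user}.users", ""))
    hosts = _csv(conf.get(f"hadoop.kms.proxyuser.{real_user}.hosts", ""))
    return ("*" in users or proxied_user in users) and ("*" in hosts or host in hosts)


def decide(conf: Dict[str, str], real_user: str, host: str,
           do_as: Optional[str] = None, op: str = "DECRYPT_EEK") -> str:
    """Return an ALLOW/DENY string for a KMS request by real_user from host,
    optionally impersonating do_as. Blacklist is checked on the REAL user."""
    # 1. Impersonation requires proxyuser privileges for the real caller.
    if do_as is not None and not _proxy_allowed(conf, real_user, do_as, host):
        return f"DENY: {real_user}@{host} is not a proxyuser for {do_as}"
    effective = do_as or real_user
    # 2. The per-operation ACL is evaluated against the effective user.
    acl = _csv(conf.get(f"hadoop.kms.acl.{op}", "*"))
    if "*" not in acl and effective not in acl:
        return f"DENY: {effective} not in ACL for {op}"
    # 3. The blacklist is evaluated against the real UGI, doAs or not.
    blacklist = _csv(conf.get(f"hadoop.kms.blacklist.{op}", ""))
    if real_user in blacklist:
        return f"DENY: real user {real_user} is blacklisted for {op}"
    return f"ALLOW: {effective} (real={real_user}) may {op}"


# Constructed kms-site.xml values for an httpfs deployment: the gateway user
# is a proxyuser, the superuser is blacklisted and is NOT a proxyuser.
BASE_CONF: Dict[str, str] = {
    "hadoop.kms.acl.DECRYPT_EEK": "*",
    "hadoop.kms.blacklist.DECRYPT_EEK": "hdfs",
    "hadoop.kms.proxyuser.httpfs.users": "*",
    "hadoop.kms.proxyuser.httpfs.hosts": "httpfs-gw.example.com",
}

# Same, but 'hdfs' made a proxyuser while staying on the blacklist: doAs
# works for the proxy check yet the real-user blacklist still stops it.
HDFS_PROXY_CONF: Dict[str, str] = dict(BASE_CONF, **{
    "hadoop.kms.proxyuser.hdfs.users": "*",
    "hadoop.kms.proxyuser.hdfs.hosts": "*",
})

# The webhdfs deployment from the comment: 'hdfs' is a proxyuser AND has
# been removed from the blacklist. This is the configuration that breaks
# the "superuser cannot decrypt" goal.
WEBHDFS_CONF: Dict[str, str] = dict(HDFS_PROXY_CONF, **{
    "hadoop.kms.blacklist.DECRYPT_EEK": "",
})


if __name__ == "__main__":
    print("httpfs doAs alice   :", decide(BASE_CONF, "httpfs", "httpfs-gw.example.com", do_as="alice"))
    print("hdfs direct         :", decide(BASE_CONF, "hdfs", "dn1.example.com"))
    print("hdfs doAs, no proxy :", decide(BASE_CONF, "hdfs", "dn1.example.com", do_as="alice"))
    print("hdfs doAs, blacklist:", decide(HDFS_PROXY_CONF, "hdfs", "dn1.example.com", do_as="alice"))
    print("hdfs doAs, webhdfs  :", decide(WEBHDFS_CONF, "hdfs", "dn1.example.com", do_as="alice"))
```

The point of the model is step 3: nothing about the effective user matters once the real caller is 'hdfs', so the only way to make webhdfs work is the `WEBHDFS_CONF` change, and with that in place the admin's request in the last scenario is an ordinary call to the KMS decrypt-EEK endpoint with a `doAs` query parameter. The DN's webhdfs code path is never involved, which is why auditing that code does not close the hole.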
> Transparent data at rest encryption
> -----------------------------------
>
> Key: HDFS-6134
> URL: https://issues.apache.org/jira/browse/HDFS-6134
> Project: Hadoop HDFS
> Issue Type: New Feature
> Components: security
> Affects Versions: 3.0.0, 2.3.0
> Reporter: Alejandro Abdelnur
> Assignee: Charles Lamb
> Attachments: HDFS-6134.001.patch, HDFS-6134.002.patch,
> HDFS-6134_test_plan.pdf, HDFSDataatRestEncryption.pdf,
> HDFSDataatRestEncryptionProposal_obsolete.pdf,
> HDFSEncryptionConceptualDesignProposal-2014-06-20.pdf
>
>
> Because of privacy and security regulations, for many industries, sensitive
> data at rest must be in encrypted form. For example: the healthcare industry
> (HIPAA regulations), the card payment industry (PCI DSS regulations) or the
> US government (FISMA regulations).
> This JIRA aims to provide a mechanism to encrypt HDFS data at rest that can
> be used transparently by any application accessing HDFS via Hadoop Filesystem
> Java API, Hadoop libhdfs C library, or WebHDFS REST API.
> The resulting implementation should be able to be used in compliance with
> different regulation requirements.
--
This message was sent by Atlassian JIRA
(v6.2#6252)