[jira] [Commented] (HDFS-6134) Transparent data at rest encryption

Thu, 14 Aug 2014 11:24:53 -0700 

    [ 
https://issues.apache.org/jira/browse/HDFS-6134?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14097330#comment-14097330
 ] 

Sanjay Radia commented on HDFS-6134:
------------------------------------

Had a chat with Owen over the wehbhdfs issue and the solution I had proposed in 
[comment | 
https://issues.apache.org/jira/browse/HDFS-6134?focusedCommentId=14096027&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-14096027].
 He said that restricting the client connections from user hdfs are not 
necessary: the DN does a doAs(user) . KMS is configured for hdfs to be proxy 
but it also blacklists hdfs (and other superusers). That is the DN as a proxy 
cannot get a key for hdfs but it can get the keys for other users. So this 
brings the httpfs and webhdfs solutions to be the same.

Owen proposed another solution where the  httpfs or DN daemons do *not* need to 
be trusted proxies for the KMS. The user simply passes a KMS delegation token 
in the REST request (we already pass HDFS delegation tokens). 



> Transparent data at rest encryption
> -----------------------------------
>
>                 Key: HDFS-6134
>                 URL: https://issues.apache.org/jira/browse/HDFS-6134
>             Project: Hadoop HDFS
>          Issue Type: New Feature
>          Components: security
>    Affects Versions: 3.0.0, 2.3.0
>            Reporter: Alejandro Abdelnur
>            Assignee: Charles Lamb
>         Attachments: HDFS-6134.001.patch, HDFS-6134.002.patch, 
> HDFS-6134_test_plan.pdf, HDFSDataatRestEncryption.pdf, 
> HDFSDataatRestEncryptionProposal_obsolete.pdf, 
> HDFSEncryptionConceptualDesignProposal-2014-06-20.pdf
>
>
> Because of privacy and security regulations, for many industries, sensitive 
> data at rest must be in encrypted form. For example: the health­care industry 
> (HIPAA regulations), the card payment industry (PCI DSS regulations) or the 
> US government (FISMA regulations).
> This JIRA aims to provide a mechanism to encrypt HDFS data at rest that can 
> be used transparently by any application accessing HDFS via Hadoop Filesystem 
> Java API, Hadoop libhdfs C library, or WebHDFS REST API.
> The resulting implementation should be able to be used in compliance with 
> different regulation requirements.



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Reply via email to