[
https://issues.apache.org/jira/browse/HDFS-7077?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14147183#comment-14147183
]
Colin Patrick McCabe commented on HDFS-7077:
--------------------------------------------
This looks good overall. I definitely agree that we should separate out
"cipher suite not supported" from "crypto version not supported."
I agree that there's no reason to send {{UnknownCipherSuiteException}} over the
wire any more. Does it make sense to keep {{UnknownCipherSuiteException}} as
an exception the {{DFSOutputStream}} / {{DFSInputStream}} throws when it can't
handle the cipher suite?
I guess that would be here:
{code}
CryptoCodec codec = CryptoCodec
.getInstance(conf, feInfo.getCipherSuite());
if (codec == null) {
throw new IOException("No configuration found for the cipher suite "
+ feInfo.getCipherSuite().getConfigSuffix() + " prefixed with "
+ HADOOP_SECURITY_CRYPTO_CODEC_CLASSES_KEY_PREFIX
+ ". Please see the example configuration "
+ "hadoop.security.crypto.codec.classes.EXAMPLECIPHERSUITE "
+ "at core-default.xml for details.");
}
{code}
+1 pending addressing that comment and pending jenkins
> Separate CipherSuite from crypto protocol version
> -------------------------------------------------
>
> Key: HDFS-7077
> URL: https://issues.apache.org/jira/browse/HDFS-7077
> Project: Hadoop HDFS
> Issue Type: Sub-task
> Components: encryption
> Affects Versions: 2.6.0
> Reporter: Andrew Wang
> Assignee: Andrew Wang
> Attachments: hdfs-7077.001.patch
>
>
> Right now the CipherSuite is used for protocol version negotiation, which is
> wrong. We need to separate it out. An EZ should be locked to a certain
> CipherSuite and protocol version. A client reading and writing to the EZ then
> needs to negotiate based on both of these parameters.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
