[ 
https://issues.apache.org/jira/browse/HBASE-7544?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13832506#comment-13832506
 ] 

Hudson commented on HBASE-7544:
-------------------------------

SUCCESS: Integrated in HBase-TRUNK-on-Hadoop-2.0.0 #852 (See 
[https://builds.apache.org/job/HBase-TRUNK-on-Hadoop-2.0.0/852/])
HBASE-7544. Transparent CF encryption (apurtell: rev 1545536)
* 
/hbase/trunk/hbase-client/src/main/java/org/apache/hadoop/hbase/HColumnDescriptor.java
* 
/hbase/trunk/hbase-client/src/main/java/org/apache/hadoop/hbase/HTableDescriptor.java
* 
/hbase/trunk/hbase-client/src/main/java/org/apache/hadoop/hbase/security/EncryptionUtil.java
* /hbase/trunk/hbase-client/src/test/java/org/apache/hadoop/hbase/security
* 
/hbase/trunk/hbase-client/src/test/java/org/apache/hadoop/hbase/security/TestEncryptionUtil.java
* 
/hbase/trunk/hbase-common/src/main/java/org/apache/hadoop/hbase/HConstants.java
* /hbase/trunk/hbase-common/src/main/java/org/apache/hadoop/hbase/io/crypto
* 
/hbase/trunk/hbase-common/src/main/java/org/apache/hadoop/hbase/io/crypto/Cipher.java
* 
/hbase/trunk/hbase-common/src/main/java/org/apache/hadoop/hbase/io/crypto/CipherProvider.java
* 
/hbase/trunk/hbase-common/src/main/java/org/apache/hadoop/hbase/io/crypto/Context.java
* 
/hbase/trunk/hbase-common/src/main/java/org/apache/hadoop/hbase/io/crypto/Decryptor.java
* 
/hbase/trunk/hbase-common/src/main/java/org/apache/hadoop/hbase/io/crypto/DefaultCipherProvider.java
* 
/hbase/trunk/hbase-common/src/main/java/org/apache/hadoop/hbase/io/crypto/Encryption.java
* 
/hbase/trunk/hbase-common/src/main/java/org/apache/hadoop/hbase/io/crypto/Encryptor.java
* 
/hbase/trunk/hbase-common/src/main/java/org/apache/hadoop/hbase/io/crypto/KeyProvider.java
* 
/hbase/trunk/hbase-common/src/main/java/org/apache/hadoop/hbase/io/crypto/KeyStoreKeyProvider.java
* /hbase/trunk/hbase-common/src/main/java/org/apache/hadoop/hbase/io/crypto/aes
* 
/hbase/trunk/hbase-common/src/main/java/org/apache/hadoop/hbase/io/crypto/aes/AES.java
* 
/hbase/trunk/hbase-common/src/main/java/org/apache/hadoop/hbase/io/crypto/aes/AESDecryptor.java
* 
/hbase/trunk/hbase-common/src/main/java/org/apache/hadoop/hbase/io/crypto/aes/AESEncryptor.java
* 
/hbase/trunk/hbase-common/src/main/java/org/apache/hadoop/hbase/io/encoding/HFileBlockDefaultDecodingContext.java
* 
/hbase/trunk/hbase-common/src/main/java/org/apache/hadoop/hbase/io/encoding/HFileBlockDefaultEncodingContext.java
* 
/hbase/trunk/hbase-common/src/main/java/org/apache/hadoop/hbase/io/hfile/HFileContext.java
* 
/hbase/trunk/hbase-common/src/main/java/org/apache/hadoop/hbase/io/hfile/HFileContextBuilder.java
* 
/hbase/trunk/hbase-common/src/main/java/org/apache/hadoop/hbase/util/Bytes.java
* /hbase/trunk/hbase-common/src/test/java/org/apache/hadoop/hbase/io/crypto
* 
/hbase/trunk/hbase-common/src/test/java/org/apache/hadoop/hbase/io/crypto/KeyProviderForTesting.java
* 
/hbase/trunk/hbase-common/src/test/java/org/apache/hadoop/hbase/io/crypto/TestCipherProvider.java
* 
/hbase/trunk/hbase-common/src/test/java/org/apache/hadoop/hbase/io/crypto/TestEncryption.java
* 
/hbase/trunk/hbase-common/src/test/java/org/apache/hadoop/hbase/io/crypto/TestKeyProvider.java
* 
/hbase/trunk/hbase-common/src/test/java/org/apache/hadoop/hbase/io/crypto/TestKeyStoreKeyProvider.java
* /hbase/trunk/hbase-common/src/test/java/org/apache/hadoop/hbase/io/crypto/aes
* 
/hbase/trunk/hbase-common/src/test/java/org/apache/hadoop/hbase/io/crypto/aes/TestAES.java
* 
/hbase/trunk/hbase-it/src/test/java/org/apache/hadoop/hbase/IntegrationTestIngestWithEncryption.java
* 
/hbase/trunk/hbase-protocol/src/main/java/org/apache/hadoop/hbase/protobuf/generated/EncryptionProtos.java
* 
/hbase/trunk/hbase-protocol/src/main/java/org/apache/hadoop/hbase/protobuf/generated/HFileProtos.java
* 
/hbase/trunk/hbase-protocol/src/main/java/org/apache/hadoop/hbase/protobuf/generated/WALProtos.java
* /hbase/trunk/hbase-protocol/src/main/protobuf/Encryption.proto
* /hbase/trunk/hbase-protocol/src/main/protobuf/HFile.proto
* /hbase/trunk/hbase-protocol/src/main/protobuf/WAL.proto
* 
/hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/io/HalfStoreFileReader.java
* 
/hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/io/hfile/AbstractHFileReader.java
* 
/hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/io/hfile/FixedFileTrailer.java
* 
/hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/io/hfile/HFile.java
* 
/hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/io/hfile/HFileBlock.java
* 
/hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/io/hfile/HFilePrettyPrinter.java
* 
/hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/io/hfile/HFileReaderV2.java
* 
/hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/io/hfile/HFileReaderV3.java
* 
/hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/io/hfile/HFileWriterV2.java
* 
/hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/io/hfile/HFileWriterV3.java
* 
/hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/mapreduce/LoadIncrementalHFiles.java
* 
/hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/HStore.java
* 
/hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/StoreFile.java
* 
/hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/StoreFileInfo.java
* 
/hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/wal/ProtobufLogReader.java
* 
/hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/wal/ProtobufLogWriter.java
* 
/hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/wal/SecureProtobufLogReader.java
* 
/hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/wal/SecureProtobufLogWriter.java
* 
/hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/wal/SecureWALCellCodec.java
* 
/hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/wal/WALCellCodec.java
* 
/hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/wal/WriterBase.java
* 
/hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/util/CompressionTest.java
* 
/hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/util/HBaseFsck.java
* 
/hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/util/hbck/HFileCorruptionChecker.java
* 
/hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/HFilePerformanceEvaluation.java
* 
/hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/io/TestHalfStoreFileReader.java
* 
/hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/io/hfile/RandomSeek.java
* 
/hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/io/hfile/TestCacheOnWrite.java
* 
/hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/io/hfile/TestFixedFileTrailer.java
* 
/hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/io/hfile/TestHFile.java
* 
/hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/io/hfile/TestHFileBlockIndex.java
* 
/hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/io/hfile/TestHFileEncryption.java
* 
/hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/io/hfile/TestHFileInlineToRootChunkConversion.java
* 
/hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/io/hfile/TestHFilePerformance.java
* 
/hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/io/hfile/TestHFileSeek.java
* 
/hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/io/hfile/TestReseekTo.java
* 
/hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/io/hfile/TestSeekTo.java
* 
/hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/mapreduce/TestHFileOutputFormat.java
* 
/hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/mapreduce/TestLoadIncrementalHFiles.java
* 
/hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/regionserver/TestEncryptionKeyRotation.java
* 
/hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/regionserver/TestEncryptionRandomKeying.java
* 
/hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/regionserver/TestStore.java
* 
/hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/regionserver/TestStoreFile.java
* 
/hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/regionserver/wal/HLogPerformanceEvaluation.java
* 
/hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/regionserver/wal/SequenceFileLogWriter.java
* 
/hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/regionserver/wal/TestSecureHLog.java
* 
/hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/regionserver/wal/TestSecureWALReplay.java
* 
/hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/util/LoadTestTool.java
* 
/hbase/trunk/hbase-server/src/test/java/org/apache/hadoop/hbase/util/TestHBaseFsckEncryption.java
* /hbase/trunk/hbase-shell/src/main/ruby/hbase/admin.rb


> Transparent table/CF encryption
> -------------------------------
>
>                 Key: HBASE-7544
>                 URL: https://issues.apache.org/jira/browse/HBASE-7544
>             Project: HBase
>          Issue Type: New Feature
>          Components: HFile, io
>            Reporter: Andrew Purtell
>            Assignee: Andrew Purtell
>             Fix For: 0.98.0
>
>         Attachments: 7544-final.patch, 7544.patch, 7544.patch, 7544.patch, 
> 7544.patch, 7544.patch, 7544.patch, 7544p1.patch, 7544p1.patch, 7544p2.patch, 
> 7544p2.patch, 7544p3.patch, 7544p3.patch, 7544p4.patch, 
> historical-7544.patch, historical-7544.pdf, historical-shell.patch, 
> latency-single.7544.xlsx
>
>
> Introduce transparent encryption of HBase on-disk data.
> Depends on a separate contribution of an encryption codec framework to Hadoop 
> core and an AES-NI (native code) codec. This is work done in the context of 
> MAPREDUCE-4491, but I'd gather there will be additional JIRAs for the Common 
> and HDFS parts of it.
> Requirements:
> - Transparent encryption at the CF or table level
> - Protect against all data leakage from files at rest
> - Two-tier key architecture for consistency with best practices for this 
> feature in the RDBMS world
> - Built-in key management
> - Flexible and non-intrusive key rotation
> - Mechanisms not exposed to or modifiable by users
> - Hardware security module integration (via Java KeyStore)
> - HBCK support for transparently encrypted files (+ plugin architecture for 
> HBCK)
> Additional goals:
> - Shell support for administrative functions
> - Avoid performance impact for the null crypto codec case
> - Play nicely with other changes underway: in HFile, block coding, etc.
> We're aiming for rough parity with Oracle's transparent tablespace encryption 
> feature, described in 
> http://www.oracle.com/technetwork/database/owp-security-advanced-security-11gr-133411.pdf
>  as
> {quote}
> “Transparent Data Encryption uses a 2-tier key architecture for flexible and 
> non-intrusive key rotation and least operational and performance impact: Each 
> application table with at least one encrypted column has its own table key, 
> which is applied to all encrypted columns in that table. Equally, each 
> encrypted tablespace has its own tablespace key. Table keys are stored in the 
> data dictionary of the database, while tablespace keys are stored in the 
> header of the tablespace and additionally, the header of each underlying OS 
> file that makes up the tablespace.  Each of these keys is encrypted with the 
> TDE master encryption key, which is stored outside of the database in an 
> external security module: either the Oracle Wallet (a PKCS#12 formatted file 
> that is encrypted using a passphrase supplied either by the designated 
> security administrator or DBA during setup),  or a Hardware Security Module 
> (HSM) device for higher assurance […]”
> {quote}
> Further design details forthcoming in a design document and patch as soon as 
> we have all of the clearances in place.


