[
https://issues.apache.org/jira/browse/HIVE-21848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16868263#comment-16868263
]
Gidon Gershinsky edited comment on HIVE-21848 at 6/20/19 5:23 AM:
------------------------------------------------------------------
Yep, agreed, this seems to be the minimum common set. In any case, it looks
like we are talking about two layers: one of the Hive table properties, and the
other of format-specific (ORC, Parquet) properties. They wont be the same, and
Hive will need to translate from the former to the latter. Eg, most of Hive
properties for Parquet encryption will be "parquet.encrypt.abcd", which should
be changed into "encryption.abcd" when calling the Parquet API. For the
question of "which column to be encrypted with which key", I personally prefer
the approach #2, but it can be easily translated by Hive into #1 for ORC files.
If #1 is adopted for Hive, it can be easily translated into #2 for Parquet
files.
was (Author: gershinsky):
Yep, agreed, this seems to be the minimum common set. In any case, it looks
like we are talking about two layers: one of the Hive table properties, and the
other of format-specific (ORC, Parquet) properties. They wont be the same, and
Hive will need to translate from the former to the latter. Eg, most of Hive
properties for Parquet encryption will be "parquet.encrypt.abcd", which should
be changed into "encryption.abcd" for Parquet files. For the question of "which
column to be encrypted with which key", I personally prefer the approach #2,
but it can be easily translated by Hive into #1 for ORC files. If #1 is adopted
for Hive, it can be easily translated into #2 for Parquet files.
> Table property name definition between ORC and Parquet encrytion
> ----------------------------------------------------------------
>
> Key: HIVE-21848
> URL: https://issues.apache.org/jira/browse/HIVE-21848
> Project: Hive
> Issue Type: Task
> Components: Metastore
> Affects Versions: 3.0.0
> Reporter: Xinli Shang
> Assignee: Xinli Shang
> Priority: Major
> Fix For: 3.0.0
>
>
> The goal of this Jira is to define a superset of unified table property names
> that can be used for both Parquet and ORC column encryption. There is no code
> change needed for this Jira.
> *Background:*
> ORC-14 and Parquet-1178 introduced column encryption to ORC and Parquet. To
> configure the encryption, e.g. which column is sensitive, what master key to
> be used, algorithm, etc, table properties can be used. It is important that
> both Parquet and ORC can use unified names.
> According to the slide
> [https://www.slideshare.net/oom65/fine-grain-access-control-for-big-data-orc-column-encryption-137308692],
> ORC use table properties like orc.encrypt.pii, orc.encrypt.credit. While in
> the Parquet community, it is still discussing to provide several ways and
> using table properties is one of the options, while there is no detailed
> design of the table property names yet.
> So it is a good time to discuss within two communities to have unified table
> names as a superset.
> *Proposal:*
> There are several encryption properties that need to be specified for a
> table. Here is the list. This is the superset of Parquet and ORC. Some of
> them might not apply to both.
> # PII columns including nest columns
> # Column key metadata, master key metadata
> # Encryption algorithm, for example, Parquet support AES_GCM and AES_CTR.
> ORC might support AES_CTR.
> # Encryption footer - Parquet allow footer to be encrypted or plaintext
> # Footer key metadata
> Here is the table properties proposal.
> |*Table Property Name*|*Value*|*Notes*|
> |encrypt_algorithm|aes_ctr, aes_gcm|The algorithm to be used for encryption.|
> |encrypt_footer_plaintext|true, false|Parquet support plaintext and encrypted
> footer. By default, it is encrypted.|
> |encrypt_footer_key_metadata|base64 string of footer key metadata|It is up to
> the KMS to define what key metadata is. The metadata should have enough
> information to figure out the corresponding key by the KMS. |
> |encrypt_col_xxx|base64 string of column key metadata|‘xxx’ is the column
> name for example, ‘address.zipcode’.
>
> It is up to the KMS to define what key metadata is. The metadata should have
> enough information to figure out the corresponding key by the KMS.|
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
