vivekratnavel commented on a change in pull request #2504:
URL: https://github.com/apache/ozone/pull/2504#discussion_r686204006
##########
File path: hadoop-hdds/docs/content/security/SecuringTDE.md
##########
@@ -66,3 +66,57 @@ via the encKey and while reading the clients will talk to
Key Management
Server and read the key and decrypt it. In other words, the data stored
inside Ozone is always encrypted. The fact that data is encrypted at rest
will be completely transparent to the clients and end users.
+
+### Using Transparent Data Encryption from S3G
+
+To use TDE from S3 interface, it can be done in 2 ways.
+
+####1. Create a bucket using shell under "/s3v" volume
+
+ ```bash
+ ozone sh bucket create -k encKey /s3v/encryptedBucket
+ ```
+####2. Create a link to an encrypted bucket under "/s3v" volume
+
+ ```bash
+ ozone sh bucket create -k encKey /vol/encryptedBucket
+ ozone sh bucket link /vol/encryptedBucket /s3v/linkencryptedbucket
+ ```
+
+After this, all the keys created using s3g in the buckets will be encrypted.
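Review bot: the `####1.` and `####2.` headings in this hunk have no space after the hashes, so Markdown renders them as literal `####1.` text rather than level-4 headings; write `#### 1. Create a bucket using shell under "/s3v" volume` and `#### 2. Create a link to an encrypted bucket under "/s3v" volume`, and add a blank line between the closing fence of step 1 and the step 2 heading so the two steps do not run together.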
Review comment:
```suggestion
After creating an encrypted bucket, all the keys added to this bucket using
s3g will be encrypted.
```
##########
File path: hadoop-hdds/docs/content/security/SecuringTDE.md
##########
@@ -66,3 +66,57 @@ via the encKey and while reading the clients will talk to
Key Management
Server and read the key and decrypt it. In other words, the data stored
inside Ozone is always encrypted. The fact that data is encrypted at rest
will be completely transparent to the clients and end users.
+
+### Using Transparent Data Encryption from S3G
+
+To use TDE from S3 interface, it can be done in 2 ways.
+
+####1. Create a bucket using shell under "/s3v" volume
+
+ ```bash
+ ozone sh bucket create -k encKey /s3v/encryptedBucket
+ ```
+####2. Create a link to an encrypted bucket under "/s3v" volume
+
+ ```bash
+ ozone sh bucket create -k encKey /vol/encryptedBucket
+ ozone sh bucket link /vol/encryptedBucket /s3v/linkencryptedbucket
+ ```
+
+After this, all the keys created using s3g in the buckets will be encrypted.
+
+In non-secure mode, the user running the S3Gateway is the proxy user,
+while in secure mode the user in Kerberos keytab is the proxy user.
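Review bot: step 1 creates `/s3v/encryptedBucket` with an uppercase letter in the bucket name, while step 2 uses the all-lowercase `linkencryptedbucket`; S3 bucket naming rules require lowercase names and S3 clients commonly enforce them, so a client may be unable to address the step 1 bucket even though the Ozone shell accepts the name. Use a lowercase name in step 1 (for example `/s3v/encryptedbucket`) and keep the two examples consistent.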
Review comment:
```suggestion
while in secure mode the user accessing the S3Gateway is the proxy user.
```
##########
File path: hadoop-hdds/docs/content/security/SecuringTDE.md
##########
@@ -66,3 +66,57 @@ via the encKey and while reading the clients will talk to
Key Management
Server and read the key and decrypt it. In other words, the data stored
inside Ozone is always encrypted. The fact that data is encrypted at rest
will be completely transparent to the clients and end users.
+
+### Using Transparent Data Encryption from S3G
+
+To use TDE from S3 interface, it can be done in 2 ways.
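Review bot: the heading `### Using Transparent Data Encryption from S3G` introduces the abbreviation S3G without expanding it, and the next sentence switches to `S3 interface`; expand it once on first use (S3 Gateway, S3G) and use the same term in the sentence that follows.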
Review comment:
How about this?
```suggestion
There are two ways to create an encrypted bucket that can be accessed via S3
Gateway.
```
##########
File path: hadoop-hdds/docs/content/security/SecuringTDE.md
##########
@@ -66,3 +66,57 @@ via the encKey and while reading the clients will talk to
Key Management
Server and read the key and decrypt it. In other words, the data stored
inside Ozone is always encrypted. The fact that data is encrypted at rest
will be completely transparent to the clients and end users.
+
+### Using Transparent Data Encryption from S3G
+
+To use TDE from S3 interface, it can be done in 2 ways.
+
+####1. Create a bucket using shell under "/s3v" volume
+
+ ```bash
+ ozone sh bucket create -k encKey /s3v/encryptedBucket
+ ```
+####2. Create a link to an encrypted bucket under "/s3v" volume
+
+ ```bash
+ ozone sh bucket create -k encKey /vol/encryptedBucket
+ ozone sh bucket link /vol/encryptedBucket /s3v/linkencryptedbucket
+ ```
+
+After this, all the keys created using s3g in the buckets will be encrypted.
+
+In non-secure mode, the user running the S3Gateway is the proxy user,
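Review bot: `proxy user` is used in the last line of this hunk without saying what the gateway proxies; define the term first (the identity on whose behalf the S3Gateway acts toward Ozone when serving S3 clients) and only then contrast non-secure and secure mode, otherwise the reader meets the two cases before knowing what is being chosen between.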
Review comment:
```suggestion
In non-secure mode, the user running the S3Gateway daemon process is the
proxy user,
```
##########
File path: hadoop-hdds/docs/content/security/SecuringTDE.md
##########
@@ -66,3 +66,57 @@ via the encKey and while reading the clients will talk to
Key Management
Server and read the key and decrypt it. In other words, the data stored
inside Ozone is always encrypted. The fact that data is encrypted at rest
will be completely transparent to the clients and end users.
+
+### Using Transparent Data Encryption from S3G
+
+To use TDE from S3 interface, it can be done in 2 ways.
+
+####1. Create a bucket using shell under "/s3v" volume
+
+ ```bash
+ ozone sh bucket create -k encKey /s3v/encryptedBucket
+ ```
+####2. Create a link to an encrypted bucket under "/s3v" volume
+
+ ```bash
+ ozone sh bucket create -k encKey /vol/encryptedBucket
+ ozone sh bucket link /vol/encryptedBucket /s3v/linkencryptedbucket
+ ```
+
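Review bot: step 2 runs `bucket link` without `-k`, which is correct, but the text should say why: the link carries no encryption setting of its own, and objects written through `/s3v/linkencryptedbucket` are encrypted only because the target `/vol/encryptedBucket` was created with `-k encKey`. Add a sentence after the second code block stating that the link exposes the target bucket's encryption and that linking to an unencrypted bucket does not enable TDE, so readers do not expect the link step itself to turn encryption on.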
Review comment:
```suggestion
Note: An encrypted bucket cannot be created via S3 APIs. It must be done
using Ozone shell commands as shown above.
```
##########
File path: hadoop-hdds/docs/content/security/SecuringTDE.md
##########
@@ -66,3 +66,57 @@ via the encKey and while reading the clients will talk to
Key Management
Server and read the key and decrypt it. In other words, the data stored
inside Ozone is always encrypted. The fact that data is encrypted at rest
will be completely transparent to the clients and end users.
+
+### Using Transparent Data Encryption from S3G
+
+To use TDE from S3 interface, it can be done in 2 ways.
+
+####1. Create a bucket using shell under "/s3v" volume
+
+ ```bash
+ ozone sh bucket create -k encKey /s3v/encryptedBucket
+ ```
+####2. Create a link to an encrypted bucket under "/s3v" volume
+
+ ```bash
+ ozone sh bucket create -k encKey /vol/encryptedBucket
+ ozone sh bucket link /vol/encryptedBucket /s3v/linkencryptedbucket
+ ```
+
+After this, all the keys created using s3g in the buckets will be encrypted.
+
+In non-secure mode, the user running the S3Gateway is the proxy user,
+while in secure mode the user in Kerberos keytab is the proxy user.
+S3Gateway proxy's all the users accessing the encrypted buckets to decrypt the
key.
+For this purpose on security enabled cluster, during S3Gateway server startup
+logins using configured
+**ozone.s3g.kerberos.keytab.file** and **ozone.s3g.kerberos.principal**.
+
+Below 2 configuration need to be added to kms-site.xml
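Review bot: `S3Gateway proxy's all the users accessing the encrypted buckets to decrypt the key.` should read `S3Gateway proxies all the users ...`, and the sentence after it has no subject (`during S3Gateway server startup logins using configured ...`); rewrite it as `On a security-enabled cluster, the S3Gateway logs in at startup using the configured ...`. The two property names are bolded; as configuration keys they read better in backticks, and `kms-site.xml` in the last line deserves the same treatment.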
Review comment:
```suggestion
The below two configurations must be added to the kms-site.xml to allow the
S3Gateway principal to act as a proxy for other users.
```
--
This is an automated message from the Apache Git Service.