vivekratnavel commented on a change in pull request #2504:
URL: https://github.com/apache/ozone/pull/2504#discussion_r687102859
##########
File path: hadoop-hdds/docs/content/security/SecuringTDE.md
##########
@@ -66,3 +66,57 @@ via the encKey and while reading the clients will talk to
Key Management
Server and read the key and decrypt it. In other words, the data stored
inside Ozone is always encrypted. The fact that data is encrypted at rest
will be completely transparent to the clients and end users.
+
+### Using Transparent Data Encryption from S3G
+
+There are two ways to create an encrypted bucket that can be accessed via S3
Gateway.
+
+####1. Create a bucket using shell under "/s3v" volume
+
+ ```bash
+ ozone sh bucket create -k encKey /s3v/encryptedBucket
+ ```
+####2. Create a link to an encrypted bucket under "/s3v" volume
+
+ ```bash
+ ozone sh bucket create -k encKey /vol/encryptedBucket
+ ozone sh bucket link /vol/encryptedBucket /s3v/linkencryptedbucket
+ ```
+Note: An encrypted bucket cannot be created via S3 APIs. It must be done using
Ozone shell commands as shown above.
+After creating an encrypted bucket, all the keys added to this bucket using
s3g will be encrypted.
+
+In non-secure mode, the user running the S3Gateway daemon process is the proxy
user,
+while in secure mode the user in Kerberos keytab is the proxy user.
+S3Gateway proxy's all the users accessing the encrypted buckets to decrypt the
key.
+For this purpose on security enabled cluster, during S3Gateway server startup
+logins using configured
+**ozone.s3g.kerberos.keytab.file** and **ozone.s3g.kerberos.principal**.
+
+The below two configurations must be added to the kms-site.xml to allow the
S3Gateway principal to act as a proxy for other users.
Review comment:
```suggestion
The below two configurations must be added to the kms-site.xml to allow the
S3Gateway principal to act as a proxy for other users. In this example,
"ozone.s3g.kerberos.principal" is assumed to be "s3g"
```
##########
File path: hadoop-hdds/docs/content/security/SecuringTDE.md
##########
@@ -66,3 +66,57 @@ via the encKey and while reading the clients will talk to
Key Management
Server and read the key and decrypt it. In other words, the data stored
inside Ozone is always encrypted. The fact that data is encrypted at rest
will be completely transparent to the clients and end users.
+
+### Using Transparent Data Encryption from S3G
+
+To use TDE from S3 interface, it can be done in 2 ways.
+
+####1. Create a bucket using shell under "/s3v" volume
+
+ ```bash
+ ozone sh bucket create -k encKey /s3v/encryptedBucket
+ ```
+####2. Create a link to an encrypted bucket under "/s3v" volume
+
+ ```bash
+ ozone sh bucket create -k encKey /vol/encryptedBucket
+ ozone sh bucket link /vol/encryptedBucket /s3v/linkencryptedbucket
+ ```
+
+After this, all the keys created using s3g in the buckets will be encrypted.
+
+In non-secure mode, the user running the S3Gateway is the proxy user,
+while in secure mode the user in Kerberos keytab is the proxy user.
Review comment:
I have updated the suggestion
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
