[
https://issues.apache.org/jira/browse/HDDS-11227?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Wei-Chiu Chuang resolved HDDS-11227.
------------------------------------
Fix Version/s: 1.5.0
Resolution: Fixed
> Use OM's KMS from client side when connecting to a cluster and dealing with
> encrypted data
> ------------------------------------------------------------------------------------------
>
> Key: HDDS-11227
> URL: https://issues.apache.org/jira/browse/HDDS-11227
> Project: Apache Ozone
> Issue Type: Improvement
> Reporter: István Fajth
> Assignee: Saketa Chalamchala
> Priority: Major
> Labels: pull-request-available
> Fix For: 1.5.0
>
>
> In the FileSystem API in Hadoop, there is a method to get some server
> defaults.
> In Ozone's filesystem implementation this call is not implemented, so that
> defaults to the implementation that is provided in the FileSystem class.
> The FileSystem class itself provides defaults by default based on the
> client's configuration, which is overridden for HDFS within the
> DistributedFileSystem class in Hadoop.
> Our implementation does not override this, and we do not provide any server
> side configs to the client side at the moment.
> We have seen a problematic use case recently, when one client on one cluster tries
> to read encrypted data on another cluster. In HDFS this works, as the
> {{hadoop.security.key.provider.path}} is part of the server defaults provided
> to the client by the NameNode, and the client is using it unless
> {{dfs.client.ignore.namenode.default.kms.uri}} is configured to be true; it
> is false by default.
> If we want to enable this use case where a client needs to communicate with
> encryption zones on multiple clusters, then we need to resolve providing this
> information to the client side. I believe this should be solved for the
> FileSystem API based clients and for the Ozone client itself also.
> I don't believe our S3 API is affected by this problem.