milleruntime commented on a change in pull request #2197:
URL: https://github.com/apache/accumulo/pull/2197#discussion_r679458629



##########
File path: core/src/main/java/org/apache/accumulo/core/conf/Property.java
##########
@@ -894,6 +893,21 @@
   TABLE_COMPACTION_STRATEGY_PREFIX("table.majc.compaction.strategy.opts.", 
null,
       PropertyType.PREFIX,
       "Properties in this category are used to configure the compaction 
strategy.", "1.6.0"),
+  // Crypto-related properties
+  @Experimental
+  TABLE_CRYPTO_PREFIX("table.crypto.opts.", null, PropertyType.PREFIX,
+      "Properties related to on-disk file encryption.", "2.1.0"),
+  @Experimental
+  @Sensitive
+  TABLE_CRYPTO_SENSITIVE_PREFIX("table.crypto.opts.sensitive.", null, 
PropertyType.PREFIX,
+      "Sensitive properties related to on-disk file encryption.", "2.1.0"),
+  @Experimental
+  TABLE_CRYPTO_SERVICE("table.crypto.service",
+      "org.apache.accumulo.core.spi.crypto.NoCryptoService", 
PropertyType.CLASSNAME,
+      "The class which executes on-disk table encryption/decryption. The 
default does "
+          + "nothing. This property must be a classname with an implementation 
of the "
+          + "org.apache.accumulo.core.spi.crypto.CryptoService interface.",
+      "2.1.0"),

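Review bot: TABLE_CRYPTO_SENSITIVE_PREFIX ("table.crypto.opts.sensitive.") nests under TABLE_CRYPTO_PREFIX ("table.crypto.opts."), and only the longer prefix carries @Sensitive, so a key location or passphrase set as a plain table.crypto.opts.* option would not be treated as sensitive. Suggest that the TABLE_CRYPTO_PREFIX description state that secrets and key locations belong under table.crypto.opts.sensitive., and that a test confirm the longer prefix is the one matched for such keys, so the general prefix cannot shadow the annotation. The TABLE_CRYPTO_SERVICE description could also say plainly that "The default does nothing" means table files are written unencrypted.
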
Review comment:
       OK. Yeah I like `table.crypto.` better as well. 
   
   If we are not specifying the crypto service in the table config, do we use 
the same crypto service for all tables? If not, what in the table config will 
determine which crypto service to use? Based on what you are saying, I am 
imagining a config like this:
   <pre>
   instance.crypto.factory=MyCryptoServiceFactoryThatSupportsPerTableConfig
   instance.wal.enabled=true
   instance.crypto.wal.opts.key.uri=/home/mike/workspace/uno/CryptoTest-testkeyfile
   secureTable:
   table.crypto.enabled=true
   table.crypto.type=strong
   table.crypto.opts.key=/something/more/secure/than/a/file
   lessSecureTable:
   table.crypto.enabled=true
   table.crypto.type=weak
   table.crypto.opts.key.uri=/home/mike/workspace/uno/CryptoTest-testkeyfile2
   </pre>
   
   With the impl of MyCryptoServiceFactoryThatSupportsPerTableConfig looking 
like this:
   <pre>
   if scope == wal && enabled, return AESCryptoService
   if scope == table && enabled && type=strong, return StrongerCryptoService
   if scope == table && enabled && type=weak, return WeakerCryptoService
   </pre>
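
A sketch of the per-table dispatch described in the comment above, added here as an example and not code from the pull request or from Accumulo; the `Scope` enum, `CryptoService` interface and `getService` signature are hypothetical stand-ins. It goes one step beyond the pseudocode by rejecting an unrecognised `table.crypto.type` instead of falling back to no encryption.

```java
import java.util.Map;

// Added illustration with hypothetical types; this is not the Accumulo SPI.
public class PerTableCryptoFactoryExample {
  enum Scope { WAL, TABLE }

  interface CryptoService { String name(); }

  // Stand-ins named after the services in the comment's pseudocode.
  static final CryptoService NONE = () -> "NoCryptoService";
  static final CryptoService AES = () -> "AESCryptoService";
  static final CryptoService STRONG = () -> "StrongerCryptoService";
  static final CryptoService WEAK = () -> "WeakerCryptoService";

  static CryptoService getService(Scope scope, Map<String, String> conf) {
    if (scope == Scope.WAL) {
      return Boolean.parseBoolean(conf.get("instance.wal.enabled")) ? AES : NONE;
    }
    if (!Boolean.parseBoolean(conf.get("table.crypto.enabled"))) {
      return NONE; // encryption was not requested for this table
    }
    String type = conf.getOrDefault("table.crypto.type", "");
    switch (type) {
      case "strong":
        return STRONG;
      case "weak":
        return WEAK;
      default:
        // Fail closed: encryption was requested, so a missing or misspelled
        // type must not silently produce plaintext files.
        throw new IllegalArgumentException("unknown table.crypto.type: '" + type + "'");
    }
  }

  public static void main(String[] args) {
    // Constructed sample configs mirroring the two tables in the comment.
    Map<String, String> secure = Map.of("table.crypto.enabled", "true", "table.crypto.type", "strong");
    Map<String, String> typo = Map.of("table.crypto.enabled", "true", "table.crypto.type", "stong");
    System.out.println(getService(Scope.WAL, Map.of("instance.wal.enabled", "true")).name());
    System.out.println(getService(Scope.TABLE, secure).name());
    try {
      getService(Scope.TABLE, typo);
    } catch (IllegalArgumentException e) {
      System.out.println("rejected: " + e.getMessage());
    }
  }
}
```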



