[jira] [Commented] (HDFS-15230) Sanity check should not assume key base name can be derived from version name
[
https://issues.apache.org/jira/browse/HDFS-15230?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17411426#comment-17411426
]
Jason Wen commented on HDFS-15230:
--
+1 for fixing this issue. We also hit same issue with our custom KeyProvider.
We can keep this sanity check but should allow a configuration option to skip
this check.
> Sanity check should not assume key base name can be derived from version name
> -
>
> Key: HDFS-15230
> URL: https://issues.apache.org/jira/browse/HDFS-15230
> Project: Hadoop HDFS
> Issue Type: Bug
>Reporter: Wei-Chiu Chuang
>Priority: Major
>
> HDFS-14884 checks if the encryption info of a file matches the encryption
> zone key.
> {code}
> if (!KeyProviderCryptoExtension.
> getBaseName(keyVersionName).equals(zoneKeyName)) {
> throw new IllegalArgumentException(String.format(
> "KeyVersion '%s' does not belong to the key '%s'",
> keyVersionName, zoneKeyName));
> }
> {code}
> Here it assumes the "base name" can be derived from key version name, and
> that the base name should be the same as zone key.
> However, there is no published definition of what a key version name should
> be.
> While the code works for the builtin JKS key provider, it may not work for
> other kind of key providers. (Specifically, it breaks Cloudera's KeyTrustee
> KMS KeyProvider)
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
-
To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org
[jira] [Commented] (HDFS-15230) Sanity check should not assume key base name can be derived from version name
[
https://issues.apache.org/jira/browse/HDFS-15230?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17063543#comment-17063543
]
Wei-Chiu Chuang commented on HDFS-15230:
[~msingh] fyi
> Sanity check should not assume key base name can be derived from version name
> -
>
> Key: HDFS-15230
> URL: https://issues.apache.org/jira/browse/HDFS-15230
> Project: Hadoop HDFS
> Issue Type: Bug
>Reporter: Wei-Chiu Chuang
>Priority: Major
>
> HDFS-14884 checks if the encryption info of a file matches the encryption
> zone key.
> {code}
> if (!KeyProviderCryptoExtension.
> getBaseName(keyVersionName).equals(zoneKeyName)) {
> throw new IllegalArgumentException(String.format(
> "KeyVersion '%s' does not belong to the key '%s'",
> keyVersionName, zoneKeyName));
> }
> {code}
> Here it assumes the "base name" can be derived from key version name, and
> that the base name should be the same as zone key.
> However, there is no published definition of what a key version name should
> be.
> While the code works for the builtin JKS key provider, it may not work for
> other kind of key providers. (Specifically, it breaks Cloudera's KeyTrustee
> KMS KeyProvider)
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
-
To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org
