[jira] [Commented] (HDFS-15230) Sanity check should not assume key base name can be derived from version name
[ https://issues.apache.org/jira/browse/HDFS-15230?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17411426#comment-17411426 ] Jason Wen commented on HDFS-15230: -- +1 for fixing this issue. We also hit same issue with our custom KeyProvider. We can keep this sanity check but should allow a configuration option to skip this check. > Sanity check should not assume key base name can be derived from version name > - > > Key: HDFS-15230 > URL: https://issues.apache.org/jira/browse/HDFS-15230 > Project: Hadoop HDFS > Issue Type: Bug >Reporter: Wei-Chiu Chuang >Priority: Major > > HDFS-14884 checks if the encryption info of a file matches the encryption > zone key. > {code} > if (!KeyProviderCryptoExtension. > getBaseName(keyVersionName).equals(zoneKeyName)) { > throw new IllegalArgumentException(String.format( > "KeyVersion '%s' does not belong to the key '%s'", > keyVersionName, zoneKeyName)); > } > {code} > Here it assumes the "base name" can be derived from key version name, and > that the base name should be the same as zone key. > However, there is no published definition of what a key version name should > be. > While the code works for the builtin JKS key provider, it may not work for > other kind of key providers. (Specifically, it breaks Cloudera's KeyTrustee > KMS KeyProvider) -- This message was sent by Atlassian Jira (v8.3.4#803005) - To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org
[jira] [Commented] (HDFS-15230) Sanity check should not assume key base name can be derived from version name
[ https://issues.apache.org/jira/browse/HDFS-15230?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17063543#comment-17063543 ] Wei-Chiu Chuang commented on HDFS-15230: [~msingh] fyi > Sanity check should not assume key base name can be derived from version name > - > > Key: HDFS-15230 > URL: https://issues.apache.org/jira/browse/HDFS-15230 > Project: Hadoop HDFS > Issue Type: Bug >Reporter: Wei-Chiu Chuang >Priority: Major > > HDFS-14884 checks if the encryption info of a file matches the encryption > zone key. > {code} > if (!KeyProviderCryptoExtension. > getBaseName(keyVersionName).equals(zoneKeyName)) { > throw new IllegalArgumentException(String.format( > "KeyVersion '%s' does not belong to the key '%s'", > keyVersionName, zoneKeyName)); > } > {code} > Here it assumes the "base name" can be derived from key version name, and > that the base name should be the same as zone key. > However, there is no published definition of what a key version name should > be. > While the code works for the builtin JKS key provider, it may not work for > other kind of key providers. (Specifically, it breaks Cloudera's KeyTrustee > KMS KeyProvider) -- This message was sent by Atlassian Jira (v8.3.4#803005) - To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org