Stephen Chu created HDFS-6785:
---------------------------------
Summary: Should not be able to create encryption zone using path to a non-directory file
Key: HDFS-6785
URL: https://issues.apache.org/jira/browse/HDFS-6785
Project: Hadoop HDFS
Issue Type: Sub-task
Components: security
Affects Versions: fs-encryption (HADOOP-10150 and HDFS-6134)
Reporter: Stephen Chu
Currently, users can create an encryption zone while specifying a path to a
file, as seen below.
{code}
[hdfs@schu-enc2 ~]$ cat hi
hi
[hdfs@schu-enc2 ~]$ hadoop fs -put hi /hi
[hdfs@schu-enc2 ~]$ hadoop key create testKey
testKey has been successfully created.
KMSClientProvider[http://schu-enc2.vpc.com:16000/kms/v1/] has been updated.
[hdfs@schu-enc2 ~]$ hdfs crypto -createZone -keyName testKey -path /hi
Added encryption zone /hi
[hdfs@schu-enc2 ~]$ hdfs crypto -listZones
/hi testKey
{code}
Based on my understanding, admins should be able to create encryption zones
only on empty directories, not files.
If the design changed to allow creating EZ on files, then we should change the
javadoc of {{HdfsAdmin#createEncryptionZone}}, which currently states, "Create
an encryption zone rooted at an empty existing directory, using the specified
encryption key. An encryption zone has an associated encryption key used when
reading and writing files within the zone."
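
The pre-flight check the report implies, as an added example that is not part of the original issue or of the Hadoop code base: a shell wrapper that refuses `hdfs crypto -createZone` unless the path is an existing, empty directory. The function names `ez_path_ok` and `create_zone_checked` are hypothetical, and the script assumes the stock `hadoop fs -test -d` behaviour and `hadoop fs -count` output format.

```sh
#!/bin/sh
# Added example (not from the JIRA issue): refuse to create an encryption zone
# unless the target is an existing, empty directory.
# Assumes the stock `hadoop fs -test -d`, `hadoop fs -count` and
# `hdfs crypto -createZone` commands; function names here are hypothetical.

# Exit status: 0 = empty directory, 1 = missing or not a directory,
#              2 = directory not empty, 3 = could not read counts.
ez_path_ok() {
    ez_path=$1
    # -test -d fails for a missing path and for a regular file such as /hi.
    if ! hadoop fs -test -d "$ez_path"; then
        echo "refusing: $ez_path is missing or not a directory" >&2
        return 1
    fi
    # -count prints: DIR_COUNT FILE_COUNT CONTENT_SIZE PATHNAME
    # An empty directory counts only itself: DIR_COUNT=1, FILE_COUNT=0.
    ez_counts=$(hadoop fs -count "$ez_path") || return 3
    # shellcheck disable=SC2086  # word splitting is intended here
    set -- $ez_counts
    [ "$#" -ge 2 ] || return 3
    if [ "$1" -ne 1 ] || [ "$2" -ne 0 ]; then
        echo "refusing: $ez_path is not empty ($1 dirs, $2 files)" >&2
        return 2
    fi
    return 0
}

# Create the zone only after the check passes; on refusal the check's status
# is returned unchanged so callers can tell the rejections apart.
create_zone_checked() {
    ez_key=$1
    ez_target=$2
    ez_path_ok "$ez_target" || return $?
    hdfs crypto -createZone -keyName "$ez_key" -path "$ez_target"
}
```

Called as `create_zone_checked testKey /hi`, the wrapper returns 1 without invoking `hdfs crypto`. A client-side check like this is advisory and leaves a window between the check and the create, so the rejection the issue asks for still has to be enforced where the zone is created.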