Stephen Chu created HDFS-6785:
---------------------------------

             Summary: Should not be able to create encryption zone using path to a non-directory file
                 Key: HDFS-6785
                 URL: https://issues.apache.org/jira/browse/HDFS-6785
             Project: Hadoop HDFS
          Issue Type: Sub-task
          Components: security
    Affects Versions: fs-encryption (HADOOP-10150 and HDFS-6134)
            Reporter: Stephen Chu


Currently, users can create an encryption zone while specifying a path to a 
file, as seen below.

{code}
[hdfs@schu-enc2 ~]$ cat hi
hi
[hdfs@schu-enc2 ~]$ hadoop fs -put hi /hi
[hdfs@schu-enc2 ~]$ hadoop key create testKey
testKey has been successfully created.
KMSClientProvider[http://schu-enc2.vpc.com:16000/kms/v1/] has been updated.
[hdfs@schu-enc2 ~]$ hdfs crypto -createZone -keyName testKey -path /hi
Added encryption zone /hi
[hdfs@schu-enc2 ~]$ hdfs crypto -listZones
/hi  testKey
{code}

Based on my understanding, admins should be able to create encryption zones 
only on empty directories, not files.

If the design changed to allow creating EZ on files, then we should change the 
javadoc of {{HdfsAdmin#createEncryptionZone}}, which currently states, "Create 
an encryption zone rooted at an empty existing directory, using the specified 
encryption key. An encryption zone has an associated encryption key used when 
reading and writing files within the zone."



--
This message was sent by Atlassian JIRA
(v6.2#6252)
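
An operator-side pre-flight guard for the behaviour reported above, as an added example that is not part of the original message or of Hadoop. The helper names `is_empty_hdfs_dir` and `safe_create_zone` are hypothetical; the `hdfs dfs -test -d`, `hdfs dfs -ls` and `hdfs crypto -createZone` commands are the standard CLI.

```shell
#!/bin/sh
# Added example: refuse to call `hdfs crypto -createZone` unless the target
# is an existing, empty directory. Function names are hypothetical helpers,
# not part of Hadoop.

# Returns 0 only if $1 is an existing, empty HDFS directory.
is_empty_hdfs_dir() {
    ezc_path=$1
    # -test -d exits non-zero for regular files (such as /hi in the report)
    # and for paths that do not exist.
    hdfs dfs -test -d "$ezc_path" || return 1
    # -ls prints nothing for an empty directory; any output means children.
    ezc_listing=$(hdfs dfs -ls "$ezc_path") || return 1
    [ -z "$ezc_listing" ]
}

# Usage: safe_create_zone <keyName> <path>
safe_create_zone() {
    ezc_key=$1
    ezc_target=$2
    if ! is_empty_hdfs_dir "$ezc_target"; then
        echo "refusing to create encryption zone:" \
             "$ezc_target is not an empty directory" >&2
        return 1
    fi
    hdfs crypto -createZone -keyName "$ezc_key" -path "$ezc_target"
}
```

The check runs on the client and is not atomic with zone creation, so it guards against operator error only and does not replace validation inside HDFS itself.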
