[jira] [Commented] (HADOOP-14104) Client should always ask namenode for kms provider path.

Mon, 03 Apr 2017 15:37:16 -0700 

    [ 
https://issues.apache.org/jira/browse/HADOOP-14104?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15954265#comment-15954265
 ] 

Andrew Wang commented on HADOOP-14104:
--------------------------------------

Hi Rushabh, thanks for revving. Yongjun and I reviewed this together, posted 
here are our combined review comments. Looks really good overall!

Nits:
* Change DFS_KMS_PREFIX to private
* Rename getKmsSecretKey to getKeyProviderMapKey (included in item below), 
since "SecretKey" sounds like an encryption key, a javadoc would also help


Bigger things:

In DistributedFileSystem, this changes the uri passed to DFSClient:
{code}
   this.dfs = new DFSClient(uri, conf, statistics);
   this.uri = URI.create(uri.getScheme()+"://"+uri.getAuthority());
{code}
to
{code}
   this.uri = URI.create(uri.getScheme()+"://"+uri.getAuthority());
   this.dfs = new DFSClient(uri, conf, statistics);
{code}

To be safe, I'd suggest that we don't change the order of the above code, and 
instead change the method in DFSClient.java to just grab the scheme and 
authority:

{code}
 public Text getKmsSecretKey() {
    return new Text(DFS_KMS_PREFIX + namenodeUri.toString());
  }
{code}

to
{code}
  public Text getKeyProviderMapKey() {
    return new Text(DFS_KMS_PREFIX + nnUri.getScheme()
        + "://" + nnUri.getAuthority());
  }
{code}

> Client should always ask namenode for kms provider path.
> --------------------------------------------------------
>
>                 Key: HADOOP-14104
>                 URL: https://issues.apache.org/jira/browse/HADOOP-14104
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: kms
>            Reporter: Rushabh S Shah
>            Assignee: Rushabh S Shah
>         Attachments: HADOOP-14104-trunk.patch, HADOOP-14104-trunk-v1.patch, 
> HADOOP-14104-trunk-v2.patch, HADOOP-14104-trunk-v3.patch, 
> HADOOP-14104-trunk-v4.patch
>
>
> According to current implementation of kms provider in client conf, there can 
> only be one kms.
> In multi-cluster environment, if a client is reading encrypted data from 
> multiple clusters it will only get kms token for local cluster.
> Not sure whether the target version is correct or not.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to