You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@hive.apache.org by "Xiaomeng Huang (JIRA)" <ji...@apache.org> on 2014/09/25 12:59:33 UTC

[jira] [Updated] (HIVE-8049) Transparent column level encryption using kms

     [ https://issues.apache.org/jira/browse/HIVE-8049?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Xiaomeng Huang updated HIVE-8049:
---------------------------------
    Summary: Transparent column level encryption using kms  (was: Transparent column level encryption using key management)

> Transparent column level encryption using kms
> ---------------------------------------------
>
>                 Key: HIVE-8049
>                 URL: https://issues.apache.org/jira/browse/HIVE-8049
>             Project: Hive
>          Issue Type: Sub-task
>            Reporter: Xiaomeng Huang
>            Assignee: Xiaomeng Huang
>         Attachments: HIVE-8049.001.patch
>
>
> This patch implement transparent column level encryption. Users don't need to set anything when they quey tables.
> # setup kms and set kms-acls.xml (e.g. user1 and root has permission to get key)
> {code}
>  <property>
>     <name>hadoop.kms.acl.GET</name>
>     <value>user1 root</value>
>     <description>
>       ACL for get-key-version and get-current-key operations.
>     </description>
>   </property>
> {code}
> # set hive-site.xml 
> {code}
>  <property>  
>     <name>hadoop.security.kms.uri</name>  
>     <value>http://localhost:16000/kms</value>  
>  </property> 
> {code}
> # create an encrypted table
> {code}
> -- region-aes-column.q
> drop table region_aes_column;
> create table region_aes_column (r_regionkey int, r_name string) ROW FORMAT SERDE 'org.apache.hadoop.hive.serde2.lazy.LazySimpleSerDe'
>   WITH SERDEPROPERTIES ('column.encode.columns'='r_name', 'column.encode.classname'='org.apache.hadoop.hive.serde2.aes.AESRewriter')
>   STORED AS TEXTFILE TBLPROPERTIES("hive.encrypt.keynames"="hive.k1");
> insert overwrite table region_aes_column
> select
>   r_regionkey, r_name
> from region;
> {code}
> # query table by different user, this is transparent to users. It is very convenient and don't need to set anything.
> {code}
> [root@huang1 hive_data]# hive
> hive> select * from region_aes_column;
> OK
> 0	AFRICA
> 1	AMERICA
> 2	ASIA
> 3	EUROPE
> 4	MIDDLE EAST
> Time taken: 0.9 seconds, Fetched: 5 row(s)
> [root@huang1 hive_data]# su user1
> [user1@huang1 hive_data]$ hive
> hive> select * from region_aes_column;
> OK
> 0	AFRICA
> 1	AMERICA
> 2	ASIA
> 3	EUROPE
> 4	MIDDLE EAST
> Time taken: 0.899 seconds, Fetched: 5 row(s)
> [root@huang1 hive_data]# su user2
> [user2@huang1 hive_data]$ hive
> hive> select * from region_aes_column;
> OK
> 0	RcQycWVD
> 1	Rc8lam9Bxg==
> 2	RdEpeQ==
> 3	Qdcyd3ZH
> 4	ScskfGpHp8KIIuY=
> Time taken: 0.749 seconds, Fetched: 5 row(s)
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)