You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@ozone.apache.org by GitBox <gi...@apache.org> on 2021/08/10 18:13:38 UTC
[GitHub] [ozone] vivekratnavel commented on a change in pull request #2504: HDDS-5508. Add documentation regarding access encrypted buckets from S3G
vivekratnavel commented on a change in pull request #2504:
URL: https://github.com/apache/ozone/pull/2504#discussion_r686204006
##########
File path: hadoop-hdds/docs/content/security/SecuringTDE.md
##########
@@ -66,3 +66,57 @@ via the encKey and while reading the clients will talk to Key Management
Server and read the key and decrypt it. In other words, the data stored
inside Ozone is always encrypted. The fact that data is encrypted at rest
will be completely transparent to the clients and end users.
+
+### Using Transparent Data Encryption from S3G
+
+To use TDE from S3 interface, it can be done in 2 ways.
+
+####1. Create a bucket using shell under "/s3v" volume
+
+ ```bash
+ ozone sh bucket create -k encKey /s3v/encryptedBucket
+ ```
+####2. Create a link to an encrypted bucket under "/s3v" volume
+
+ ```bash
+ ozone sh bucket create -k encKey /vol/encryptedBucket
+ ozone sh bucket link /vol/encryptedBucket /s3v/linkencryptedbucket
+ ```
+
+After this, all the keys created using s3g in the buckets will be encrypted.
Review comment:
```suggestion
After creating an encrypted bucket, all the keys added to this bucket using s3g will be encrypted.
```
##########
File path: hadoop-hdds/docs/content/security/SecuringTDE.md
##########
@@ -66,3 +66,57 @@ via the encKey and while reading the clients will talk to Key Management
Server and read the key and decrypt it. In other words, the data stored
inside Ozone is always encrypted. The fact that data is encrypted at rest
will be completely transparent to the clients and end users.
+
+### Using Transparent Data Encryption from S3G
+
+To use TDE from S3 interface, it can be done in 2 ways.
+
+####1. Create a bucket using shell under "/s3v" volume
+
+ ```bash
+ ozone sh bucket create -k encKey /s3v/encryptedBucket
+ ```
+####2. Create a link to an encrypted bucket under "/s3v" volume
+
+ ```bash
+ ozone sh bucket create -k encKey /vol/encryptedBucket
+ ozone sh bucket link /vol/encryptedBucket /s3v/linkencryptedbucket
+ ```
+
+After this, all the keys created using s3g in the buckets will be encrypted.
+
+In non-secure mode, the user running the S3Gateway is the proxy user,
+while in secure mode the user in Kerberos keytab is the proxy user.
Review comment:
```suggestion
while in secure mode the user accessing the S3Gateway is the proxy user.
```
##########
File path: hadoop-hdds/docs/content/security/SecuringTDE.md
##########
@@ -66,3 +66,57 @@ via the encKey and while reading the clients will talk to Key Management
Server and read the key and decrypt it. In other words, the data stored
inside Ozone is always encrypted. The fact that data is encrypted at rest
will be completely transparent to the clients and end users.
+
+### Using Transparent Data Encryption from S3G
+
+To use TDE from S3 interface, it can be done in 2 ways.
Review comment:
How about this?
```suggestion
There are two ways to create an encrypted bucket that can be accessed via S3 Gateway.
```
##########
File path: hadoop-hdds/docs/content/security/SecuringTDE.md
##########
@@ -66,3 +66,57 @@ via the encKey and while reading the clients will talk to Key Management
Server and read the key and decrypt it. In other words, the data stored
inside Ozone is always encrypted. The fact that data is encrypted at rest
will be completely transparent to the clients and end users.
+
+### Using Transparent Data Encryption from S3G
+
+To use TDE from S3 interface, it can be done in 2 ways.
+
+####1. Create a bucket using shell under "/s3v" volume
+
+ ```bash
+ ozone sh bucket create -k encKey /s3v/encryptedBucket
+ ```
+####2. Create a link to an encrypted bucket under "/s3v" volume
+
+ ```bash
+ ozone sh bucket create -k encKey /vol/encryptedBucket
+ ozone sh bucket link /vol/encryptedBucket /s3v/linkencryptedbucket
+ ```
+
+After this, all the keys created using s3g in the buckets will be encrypted.
+
+In non-secure mode, the user running the S3Gateway is the proxy user,
Review comment:
```suggestion
In non-secure mode, the user running the S3Gateway daemon process is the proxy user,
```
##########
File path: hadoop-hdds/docs/content/security/SecuringTDE.md
##########
@@ -66,3 +66,57 @@ via the encKey and while reading the clients will talk to Key Management
Server and read the key and decrypt it. In other words, the data stored
inside Ozone is always encrypted. The fact that data is encrypted at rest
will be completely transparent to the clients and end users.
+
+### Using Transparent Data Encryption from S3G
+
+To use TDE from S3 interface, it can be done in 2 ways.
+
+####1. Create a bucket using shell under "/s3v" volume
+
+ ```bash
+ ozone sh bucket create -k encKey /s3v/encryptedBucket
+ ```
+####2. Create a link to an encrypted bucket under "/s3v" volume
+
+ ```bash
+ ozone sh bucket create -k encKey /vol/encryptedBucket
+ ozone sh bucket link /vol/encryptedBucket /s3v/linkencryptedbucket
+ ```
+
Review comment:
```suggestion
Note: An encrypted bucket cannot be created via S3 APIs. It must be done using Ozone shell commands as shown above.
```
##########
File path: hadoop-hdds/docs/content/security/SecuringTDE.md
##########
@@ -66,3 +66,57 @@ via the encKey and while reading the clients will talk to Key Management
Server and read the key and decrypt it. In other words, the data stored
inside Ozone is always encrypted. The fact that data is encrypted at rest
will be completely transparent to the clients and end users.
+
+### Using Transparent Data Encryption from S3G
+
+To use TDE from S3 interface, it can be done in 2 ways.
+
+####1. Create a bucket using shell under "/s3v" volume
+
+ ```bash
+ ozone sh bucket create -k encKey /s3v/encryptedBucket
+ ```
+####2. Create a link to an encrypted bucket under "/s3v" volume
+
+ ```bash
+ ozone sh bucket create -k encKey /vol/encryptedBucket
+ ozone sh bucket link /vol/encryptedBucket /s3v/linkencryptedbucket
+ ```
+
+After this, all the keys created using s3g in the buckets will be encrypted.
+
+In non-secure mode, the user running the S3Gateway is the proxy user,
+while in secure mode the user in Kerberos keytab is the proxy user.
+S3Gateway proxy's all the users accessing the encrypted buckets to decrypt the key.
+For this purpose on security enabled cluster, during S3Gateway server startup
+logins using configured
+**ozone.s3g.kerberos.keytab.file** and **ozone.s3g.kerberos.principal**.
+
+Below 2 configuration need to be added to kms-site.xml
Review comment:
```suggestion
The below two configurations must be added to the kms-site.xml to allow the S3Gateway principal to act as a proxy for other users.
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org
For additional commands, e-mail: issues-help@ozone.apache.org