Posted to commits@ozone.apache.org by sa...@apache.org on 2020/07/22 13:00:30 UTC
[hadoop-ozone] 20/39: HDDS-2767. security/SecuringTDE.md (#1184)
This is an automated email from the ASF dual-hosted git repository.
sammichen pushed a commit to branch ozone-0.6.0
in repository https://gitbox.apache.org/repos/asf/hadoop-ozone.git
commit 0c8f2c839f83dbe17ae31324ea2e1fbb75b1c525
Author: Xiang Zhang <xi...@gmail.com>
AuthorDate: Thu Jul 16 09:03:35 2020 +0800
HDDS-2767. security/SecuringTDE.md (#1184)
(cherry picked from commit 22d03f657a1680875a2e022b45e94c87e080188b)
---
hadoop-hdds/docs/content/security/SecuringTDE.md | 4 +-
.../docs/content/security/SecuringTDE.zh.md | 52 ++++++++++++++++++++++
2 files changed, 54 insertions(+), 2 deletions(-)
diff --git a/hadoop-hdds/docs/content/security/SecuringTDE.md b/hadoop-hdds/docs/content/security/SecuringTDE.md
index 3e8f2d1..0e21b62 100644
--- a/hadoop-hdds/docs/content/security/SecuringTDE.md
+++ b/hadoop-hdds/docs/content/security/SecuringTDE.md
@@ -1,7 +1,7 @@
---
title: "Transparent Data Encryption"
date: "2019-April-03"
-summary: TDE allows data on the disks to be encrypted-at-rest and automatically decrypted during access. You can enable this per key or per bucket.
+summary: TDE allows data on the disks to be encrypted-at-rest and automatically decrypted during access.
weight: 3
icon: lock
---
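Review bot: dropping "You can enable this per key or per bucket" from the summary line makes the front matter consistent with the body context shown in the next hunk ("when a bucket is created"), but the rest of the English page should be checked for any remaining per-key wording; if only bucket-level encryption is supported, that claim should not survive anywhere else in the document either.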
@@ -28,7 +28,7 @@ when a bucket is created.
### Setting up the Key Management Server
-To use TDE, clients must setup a Key Management Server and provide that URI to
+To use TDE, admin must setup a Key Management Server and provide that URI to
Ozone/HDFS. Since Ozone and HDFS can use the same Key Management Server, this
configuration can be provided via *hdfs-site.xml*.
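Review bot: the replacement line "admin must setup a Key Management Server" needs an article and the two-word verb: "an administrator must set up a Key Management Server". Also note that this hunk keeps *hdfs-site.xml* as the file carrying the KMS URI, while the Chinese page added in the same commit says core-site.xml; the two language versions should name the same configuration file.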
diff --git a/hadoop-hdds/docs/content/security/SecuringTDE.zh.md b/hadoop-hdds/docs/content/security/SecuringTDE.zh.md
new file mode 100644
index 0000000..35baaa0
--- /dev/null
+++ b/hadoop-hdds/docs/content/security/SecuringTDE.zh.md
@@ -0,0 +1,52 @@
+---
+title: "透明数据加密"
+date: "2019-April-03"
+summary: 透明数据加密(Transparent Data Encryption,TDE)以密文形式在磁盘上保存数据,但可以在用户访问的时候自动进行解密。
+weight: 3
+icon: lock
+---
+<!---
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+
+Ozone TDE 的配置和使用和 HDFS TDE 十分相似,主要的区别是,Ozone 中桶级别的 TDE 必须在创建桶时启用。
+
+### 配置密钥管理服务器
+
+使用 TDE 之前,管理员必须要提前配置密钥管理服务 KMS,并且把 KMS 的 URI 通过 core-site.xml 提供给 Ozone。
+
+参数名 | 值
+-----------------------------------|-----------------------------------------
+hadoop.security.key.provider.path | KMS uri. <br> 比如 kms://http@kms-host:9600/kms
+
+### 使用 TDE
+如果你的集群已经配置好了 TDE,那么你只需要创建加密密钥并启用桶加密即可。
+
+创建加密密钥的方法为:
+ * 使用 hadoop key 命令创建桶加密密钥,和 HDFS 加密区域的使用方法类似。
+
+ ```bash
+ hadoop key create encKey
+ ```
+ 上面这个命令会创建一个用于保护桶数据的密钥。创建完成之后,你可以告诉 Ozone 在读写某个桶中的数据时使用这个密钥。
+
+ * 将加密密钥分配给桶
+
+ ```bash
+ ozone sh bucket create -k encKey /vol/encryptedBucket
+ ```
+
+这条命令执行后,所以写往 _encryptedBucket_ 的数据都会用 encKey 进行加密,当读取里面的数据时,客户端通过 KMS 获取密钥进行解密。换句话说,Ozone 中存储的数据一直是加密的,但用户和客户端对此完全无感知。
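Review bot: the last paragraph has a typo: "所以写往 _encryptedBucket_ 的数据" should read "所有写往 _encryptedBucket_ 的数据" ("all data written to encryptedBucket"), otherwise the sentence says "therefore data written to...". Also, the "配置密钥管理服务器" section says the KMS URI is provided via core-site.xml, whereas the English SecuringTDE.md touched by this same commit says *hdfs-site.xml*; pick one so the two translations agree on where hadoop.security.key.provider.path is set. Minor: the two ```bash blocks are indented under list items; confirm the site renderer keeps them as fenced code rather than treating the indentation as a literal block.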