Posted to common-commits@hadoop.apache.org by el...@apache.org on 2019/09/19 09:52:31 UTC
[hadoop] branch trunk updated: HDDS-2016. Add option to enforce
GDPR in Bucket Create command
This is an automated email from the ASF dual-hosted git repository.
elek pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/hadoop.git
The following commit(s) were added to refs/heads/trunk by this push:
new 5c963a7 HDDS-2016. Add option to enforce GDPR in Bucket Create command
5c963a7 is described below
commit 5c963a75d648cb36e7e36884f61616831229b25a
Author: dchitlangia <di...@gmail.com>
AuthorDate: Thu Sep 19 10:58:01 2019 +0200
HDDS-2016. Add option to enforce GDPR in Bucket Create command
Closes #1458
---
hadoop-hdds/docs/content/gdpr/GDPR in Ozone.md | 42 ++++++++++++++++++++++
hadoop-hdds/docs/content/gdpr/_index.md | 38 ++++++++++++++++++++
hadoop-hdds/docs/content/shell/BucketCommands.md | 2 ++
.../hadoop/ozone/om/helpers/OmBucketArgs.java | 2 ++
.../hadoop/ozone/om/helpers/OmBucketInfo.java | 2 ++
.../web/ozShell/bucket/CreateBucketHandler.java | 14 ++++++++
.../ozone/web/ozShell/keys/InfoKeyHandler.java | 6 ++++
7 files changed, 106 insertions(+)
diff --git a/hadoop-hdds/docs/content/gdpr/GDPR in Ozone.md b/hadoop-hdds/docs/content/gdpr/GDPR in Ozone.md
new file mode 100644
index 0000000..dd23e04
--- /dev/null
+++ b/hadoop-hdds/docs/content/gdpr/GDPR in Ozone.md
@@ -0,0 +1,42 @@
+---
+title: "GDPR in Ozone"
+date: "2019-September-17"
+weight: 5
+summary: GDPR in Ozone
+icon: user
+---
+<!---
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+
+
+Enabling GDPR compliance in Ozone is very straight forward. During bucket
+creation, you can specify `--enforcegdpr=true` or `-g=true` and this will
+ensure the bucket is GDPR compliant. Thus, any key created under this bucket
+will automatically be GDPR compliant.
+
+GDPR can only be enabled on a new bucket. For existing buckets, you would
+have to create a new GDPR compliant bucket and copy data from old bucket into
+ new bucket to take advantage of GDPR.
+
+Example to create a GDPR compliant bucket:
+
+`ozone sh bucket create --enforcegdpr=true /hive/jan`
+
+`ozone sh bucket create -g=true /hive/jan`
+
+If you want to create an ordinary bucket then you can skip `--enforcegdpr`
+and `-g` flags.
\ No newline at end of file
diff --git a/hadoop-hdds/docs/content/gdpr/_index.md b/hadoop-hdds/docs/content/gdpr/_index.md
new file mode 100644
index 0000000..9888369
--- /dev/null
+++ b/hadoop-hdds/docs/content/gdpr/_index.md
@@ -0,0 +1,38 @@
+---
+title: GDPR
+name: GDPR
+identifier: gdpr
+menu: main
+weight: 5
+---
+<!---
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ -->
+
+{{<jumbotron title="GDPR compliance in Ozone">}}
+ The General Data Protection Regulation (GDPR) is a law that governs how personal data should be handled. This is an European Union law, but due to the nature of software oftentimes spills into other geographies.
+ Ozone supports GDPR's Right to Erasure(Right to be Forgotten).
+{{</jumbotron>}}
+
+<div class="alert alert-warning" role="alert">
+If you would like to understand Ozone's GDPR framework at a greater
+depth, please take a look at <a href="https://issues.apache.org/jira/secure/attachment/12978992/Ozone%20GDPR%20Framework.pdf">Ozone GDPR Framework.</a>
+</div>
+
+Once you create a GDPR compliant bucket, any key created in that bucket will
+automatically by GDPR compliant.
+
+
diff --git a/hadoop-hdds/docs/content/shell/BucketCommands.md b/hadoop-hdds/docs/content/shell/BucketCommands.md
index f59f1ad..e817349 100644
--- a/hadoop-hdds/docs/content/shell/BucketCommands.md
+++ b/hadoop-hdds/docs/content/shell/BucketCommands.md
@@ -35,8 +35,10 @@ The `bucket create` command allows users to create a bucket.
| Arguments | Comment |
|--------------------------------|-----------------------------------------|
+| -g, \-\-enforcegdpr | Optional, if set to true it creates a GDPR compliant bucket, if not specified or set to false, it creates an ordinary bucket.
| Uri | The name of the bucket in **/volume/bucket** format.
+
{{< highlight bash >}}
ozone sh bucket create /hive/jan
{{< /highlight >}}
diff --git a/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/helpers/OmBucketArgs.java b/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/helpers/OmBucketArgs.java
index 8a938a9..aa6e8f5 100644
--- a/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/helpers/OmBucketArgs.java
+++ b/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/helpers/OmBucketArgs.java
@@ -112,6 +112,8 @@ public final class OmBucketArgs extends WithMetadata implements Auditable {
Map<String, String> auditMap = new LinkedHashMap<>();
auditMap.put(OzoneConsts.VOLUME, this.volumeName);
auditMap.put(OzoneConsts.BUCKET, this.bucketName);
+ auditMap.put(OzoneConsts.GDPR_FLAG,
+ this.metadata.get(OzoneConsts.GDPR_FLAG));
auditMap.put(OzoneConsts.IS_VERSION_ENABLED,
String.valueOf(this.isVersionEnabled));
if(this.storageType != null){
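Review bot: The audit entry added here stores `this.metadata.get(OzoneConsts.GDPR_FLAG)` with no default, so a bucket created without the flag is audited with a null value rather than an explicit `false`. That leaves the audit trail unable to distinguish "GDPR enforcement off" from "not recorded"; `this.metadata.getOrDefault(OzoneConsts.GDPR_FLAG, "false")` would make the record unambiguous. Whether `metadata` (inherited from `WithMetadata`, not visible here) can ever be null should also be confirmed, since this dereference would then throw while the audit map is being built. The same two lines are added in the `OmBucketInfo.java` hunk and the same point applies there; both enclosing methods start and end outside their hunks.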
diff --git a/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/helpers/OmBucketInfo.java b/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/helpers/OmBucketInfo.java
index 4207583..eb10802 100644
--- a/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/helpers/OmBucketInfo.java
+++ b/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/helpers/OmBucketInfo.java
@@ -202,6 +202,8 @@ public final class OmBucketInfo extends WithMetadata implements Auditable {
Map<String, String> auditMap = new LinkedHashMap<>();
auditMap.put(OzoneConsts.VOLUME, this.volumeName);
auditMap.put(OzoneConsts.BUCKET, this.bucketName);
+ auditMap.put(OzoneConsts.GDPR_FLAG,
+ this.metadata.get(OzoneConsts.GDPR_FLAG));
auditMap.put(OzoneConsts.ACLS,
(this.acls != null) ? this.acls.toString() : null);
auditMap.put(OzoneConsts.IS_VERSION_ENABLED,
diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/web/ozShell/bucket/CreateBucketHandler.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/web/ozShell/bucket/CreateBucketHandler.java
index 97d4ec7..237a7b2 100644
--- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/web/ozShell/bucket/CreateBucketHandler.java
+++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/web/ozShell/bucket/CreateBucketHandler.java
@@ -18,6 +18,7 @@
package org.apache.hadoop.ozone.web.ozShell.bucket;
import org.apache.hadoop.hdds.protocol.StorageType;
+import org.apache.hadoop.ozone.OzoneConsts;
import org.apache.hadoop.ozone.client.BucketArgs;
import org.apache.hadoop.ozone.client.OzoneBucket;
import org.apache.hadoop.ozone.client.OzoneClient;
@@ -44,6 +45,11 @@ public class CreateBucketHandler extends Handler {
description = "bucket encryption key name")
private String bekName;
+ @Option(names = {"--enforcegdpr", "-g"},
+ description = "if true, indicates GDPR enforced bucket, " +
+ "false/unspecified indicates otherwise")
+ private Boolean isGdprEnforced;
+
/**
* Executes create bucket.
*/
@@ -61,6 +67,14 @@ public class CreateBucketHandler extends Handler {
.setStorageType(StorageType.DEFAULT)
.setVersioning(false);
+ if(isGdprEnforced != null) {
+ if(isGdprEnforced) {
+ bb.addMetadata(OzoneConsts.GDPR_FLAG, String.valueOf(Boolean.TRUE));
+ } else {
+ bb.addMetadata(OzoneConsts.GDPR_FLAG, String.valueOf(Boolean.FALSE));
+ }
+ }
+
if (bekName != null) {
if (!bekName.isEmpty()) {
bb.setBucketEncryptionKey(bekName);
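Review bot: The nested `if(isGdprEnforced)`/`else` writes the same key in both branches and can collapse to `if (isGdprEnforced != null) { bb.addMetadata(OzoneConsts.GDPR_FLAG, String.valueOf(isGdprEnforced)); }`. More importantly, the enforcement decision is carried as a plain string in the bucket's general-purpose metadata map, set by the client. The documentation in this commit states that GDPR can only be enabled on a new bucket, but nothing in this diff shows the server validating the value or rejecting a later change to this key through other metadata paths. That should be confirmed on the Ozone Manager side and noted in a comment here. The enclosing method continues outside the hunk.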
diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/web/ozShell/keys/InfoKeyHandler.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/web/ozShell/keys/InfoKeyHandler.java
index afc3ece..7cb54f2 100644
--- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/web/ozShell/keys/InfoKeyHandler.java
+++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/web/ozShell/keys/InfoKeyHandler.java
@@ -18,6 +18,7 @@
package org.apache.hadoop.ozone.web.ozShell.keys;
+import org.apache.hadoop.ozone.OzoneConsts;
import org.apache.hadoop.ozone.client.OzoneBucket;
import org.apache.hadoop.ozone.client.OzoneClient;
import org.apache.hadoop.ozone.client.OzoneKeyDetails;
@@ -62,6 +63,11 @@ public class InfoKeyHandler extends Handler {
OzoneVolume vol = client.getObjectStore().getVolume(volumeName);
OzoneBucket bucket = vol.getBucket(bucketName);
OzoneKeyDetails key = bucket.getKey(keyName);
+ // For compliance/security, GDPR Secret & Algorithm details are removed
+ // from local copy of metadata before printing. This doesn't remove these
+ // from Ozone Manager's actual metadata.
+ key.getMetadata().remove(OzoneConsts.GDPR_SECRET);
+ key.getMetadata().remove(OzoneConsts.GDPR_ALGORITHM);
ObjectPrinter.printObjectAsJson(key);
return null;
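Review bot: The two `key.getMetadata().remove(...)` calls redact `GDPR_SECRET` and `GDPR_ALGORITHM` only in this one shell handler, after `bucket.getKey(keyName)` has already returned them to the client. Any other consumer of `OzoneKeyDetails` (other handlers or API callers, none visible in this diff) would still receive and could print or log the secret, so this is display hygiene rather than an access control. Consider moving the redaction into one shared helper used by every printing path, or not returning the secret to callers that do not need it. The calls also assume `getMetadata()` returns a non-null, mutable map; printing a filtered copy would avoid depending on that. The enclosing method starts and ends outside the hunk.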