Posted to common-issues@hadoop.apache.org by "Wei-Chiu Chuang (JIRA)" <ji...@apache.org> on 2019/02/19 18:13:00 UTC

[jira] [Comment Edited] (HADOOP-16120) Lazily allocate KMS delegation tokens

    [ https://issues.apache.org/jira/browse/HADOOP-16120?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16772164#comment-16772164 ] 

Wei-Chiu Chuang edited comment on HADOOP-16120 at 2/19/19 6:12 PM:
-------------------------------------------------------------------

Hi Ruslan, thanks for reporting the issue.

KMS delegation tokens are issued when an application invokes the FileSystem#addDelegationTokens() API. An application typically invokes this API because the delegation tokens may be used later. For example, a MapReduce client invokes it so that the DTs can be passed along to the mapper and reducer. And typically it's not possible to know a priori if you would ever access an encryption zone.


was (Author: jojochuang):
Hi,

KMS delegation tokens are issued when an application invokes the FileSystem#addDelegationTokens() API. An application typically invokes this API because the delegation tokens may be used later. For example, a MapReduce client invokes it so that the DTs can be passed along to the mapper and reducer. And typically it's not possible to know a priori if you would ever access an encryption zone.

> Lazily allocate KMS delegation tokens
> -------------------------------------
>
>                 Key: HADOOP-16120
>                 URL: https://issues.apache.org/jira/browse/HADOOP-16120
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: kms, security
>    Affects Versions: 2.8.5, 3.1.2
>            Reporter: Ruslan Dautkhanov
>            Priority: Major
>
> We noticed that HDFS clients talk to KMS even when they try to access non-encrypted databases. Is there a way to make HDFS clients talk to KMS servers *only* when they need access to encrypted data? Since we will be encrypting only one database (and 50+ other much more critical production databases will not be encrypted), in case KMS is down for maintenance or for some other reason, we want to limit the outage to encrypted data only.
> In other words, it would be great if KMS delegation tokens were allocated lazily, on the first request to encrypted data.
> This could be a non-default option to lazily allocate KMS delegation tokens, to improve availability of non-encrypted data.
>  


