Posted to common-issues@hadoop.apache.org by "Steve Loughran (JIRA)" <ji...@apache.org> on 2017/04/20 20:31:04 UTC

[jira] [Commented] (HADOOP-14324) Switch to fs.s3a.server-side-encryption.key as property for encryption secret; improve error reporting and diagnostics

    [ https://issues.apache.org/jira/browse/HADOOP-14324?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15977454#comment-15977454 ] 

Steve Loughran commented on HADOOP-14324:
-----------------------------------------

I'm pretty happy with the new code; this is the first place I'm adding a hint of diagnostics on secrets too.

Cases:
* null password => "null password"
* len == 1 => "password of length 1"
* len > 1 => "password of length $len ending with ${password[len-1]}"

That is: the length of a non-null password is returned, and the last char of it is returned if length > 1.

The pass is returned; the cost of guessing it is reduced by 1 byte, while providing a hint of details on what the pwd is. Any long secret (SSE-C, ultimately *and not in this JIRA* any AWS ID/Key) doesn't get weakened much. I'm assuming that there are never secrets of just a few bytes, which holds for anything you actually want to secure.

> Switch to fs.s3a.server-side-encryption.key as property for encryption secret; improve error reporting and diagnostics
> ----------------------------------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-14324
>                 URL: https://issues.apache.org/jira/browse/HADOOP-14324
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: fs/s3
>    Affects Versions: 2.9.0
>            Reporter: Steve Loughran
>            Assignee: Steve Loughran
>            Priority: Blocker
>         Attachments: HADOOP-14324-branch-2-001.patch, HADOOP-14324-branch-2-002.patch, HADOOP-14324-branch-2-003.patch
>
>
> Before this ships, can we rename {{fs.s3a.server-side-encryption-key}} to {{fs.s3a.server-side-encryption.key}}?
> This makes it consistent with all other .key secrets in S3A, so
> * simplifies documentation
> * reduces confusion "is it a - or a ."? This confusion is going to surface in config and support
> I know that CDH is shipping with the old key, but it'll be easy for them to add a deprecation property to handle the migration. I do at least want the ASF release to be stable before it ships.
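
The three cases listed in the comment, and its argument about guessing cost, as an added example (not code from the patch or from Hadoop). The class and method names are hypothetical, the empty-string case and the uniform 64-symbol alphabet are assumptions, and the sample secrets are constructed.

```java
public class SecretDiagnostics {

    // Hypothetical helper implementing the cases listed in the comment.
    static String describe(String secret) {
        if (secret == null) {
            return "null password";
        }
        int len = secret.length();
        if (len == 0) {
            return "password of length 0"; // assumption: case not listed in the comment
        }
        if (len == 1) {
            return "password of length 1";
        }
        return "password of length " + len + " ending with " + secret.charAt(len - 1);
    }

    // Bits of guessing work for `chars` unknown characters, assuming each one was
    // drawn uniformly from an alphabet of `alphabetSize` symbols.
    static double bits(int chars, int alphabetSize) {
        return chars * (Math.log(alphabetSize) / Math.log(2));
    }

    // Characters still hidden after the hint: the last one is disclosed only when len > 1.
    static int hiddenChars(int len) {
        return len > 1 ? len - 1 : len;
    }

    public static void main(String[] args) {
        // Constructed sample values, not real credentials.
        String[] samples = {null, "", "x", "ab", "hunter2!", "c2FtcGxlLWtleS1ub3QtcmVhbC1jb25zdHJ1Y3RlZA"};
        int alphabet = 64; // assumption for the estimate below
        for (String s : samples) {
            System.out.println(describe(s));
            if (s == null || s.isEmpty()) {
                continue;
            }
            double before = bits(s.length(), alphabet);
            double after = bits(hiddenChars(s.length()), alphabet);
            // Short secrets lose a large share of their search space; long ones barely move.
            System.out.printf("  %.0f -> %.0f bits to guess (%.0f%% kept)%n",
                    before, after, 100 * after / before);
        }
    }
}
```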


