Posted to issues@ozone.apache.org by GitBox <gi...@apache.org> on 2021/08/05 10:39:29 UTC

[GitHub] [ozone] bharatviswa504 opened a new pull request #2504: HDDS-5508. Add documentation regarding access encrypted buckets from S3G

bharatviswa504 opened a new pull request #2504:
URL: https://github.com/apache/ozone/pull/2504


   ## What changes were proposed in this pull request?
   
   Add documentation on accessing encrypted buckets using S3Gateway.
   ## What is the link to the Apache JIRA
   
   https://issues.apache.org/jira/browse/HDDS-5508
   
   ## How was this patch tested?
   
   Doc change, no tests needed
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org
For additional commands, e-mail: issues-help@ozone.apache.org


[GitHub] [ozone] vivekratnavel commented on a change in pull request #2504: HDDS-5508. Add documentation regarding access encrypted buckets from S3G

Posted by GitBox <gi...@apache.org>.
vivekratnavel commented on a change in pull request #2504:
URL: https://github.com/apache/ozone/pull/2504#discussion_r687102859



##########
File path: hadoop-hdds/docs/content/security/SecuringTDE.md
##########
@@ -66,3 +66,57 @@ via the encKey and while reading the clients will talk to Key Management
 Server and read the key and decrypt it. In other words, the data stored
 inside Ozone is always encrypted. The fact that data is encrypted at rest
 will be completely transparent to the clients and end users.
+
+### Using Transparent Data Encryption from S3G
+
+There are two ways to create an encrypted bucket that can be accessed via S3 Gateway.
+
+####1. Create a bucket using shell under "/s3v" volume
+
+  ```bash
+  ozone sh bucket create -k encKey /s3v/encryptedBucket
+  ```
+####2. Create a link to an encrypted bucket under "/s3v" volume
+
+  ```bash
+  ozone sh bucket create -k encKey /vol/encryptedBucket
+  ozone sh bucket link  /vol/encryptedBucket /s3v/linkencryptedbucket
+  ```
+Note: An encrypted bucket cannot be created via S3 APIs. It must be done using Ozone shell commands as shown above.
+After creating an encrypted bucket, all the keys added to this bucket using s3g will be encrypted.
+
+In non-secure mode, the user running the S3Gateway daemon process is the proxy user, 
+while in secure mode the user in Kerberos keytab is the proxy user. 
+S3Gateway proxy's all the users accessing the encrypted buckets to decrypt the key. 
+For this purpose on security enabled cluster, during S3Gateway server startup 
+logins using configured 
+**ozone.s3g.kerberos.keytab.file**  and **ozone.s3g.kerberos.principal**. 
+
+The below two configurations must be added to the kms-site.xml to allow the S3Gateway principal to act as a proxy for other users.
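Review bot: the closing line promises two kms-site.xml properties, but the visible hunk ends before they appear; when they are added, the text should also state that the proxyuser host list for the s3g principal must be limited to the S3 Gateway hosts and the group/user list to the users who need encrypted buckets, rather than `*`, because the hunk itself says the gateway "proxy's all the users accessing the encrypted buckets to decrypt the key", so anyone holding `ozone.s3g.kerberos.keytab.file` can otherwise decrypt any TDE bucket as any user at the KMS. Smaller point: the first example creates `/s3v/encryptedBucket` with uppercase letters, which S3 bucket naming rules do not allow, so S3 clients may not be able to address it; use a lowercase name as the second example's `linkencryptedbucket` does.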

Review comment:
       ```suggestion
   The below two configurations must be added to the kms-site.xml to allow the S3Gateway principal to act as a proxy for other users. In this example, "ozone.s3g.kerberos.principal" is assumed to be "s3g"
   ```

##########
File path: hadoop-hdds/docs/content/security/SecuringTDE.md
##########
@@ -66,3 +66,57 @@ via the encKey and while reading the clients will talk to Key Management
 Server and read the key and decrypt it. In other words, the data stored
 inside Ozone is always encrypted. The fact that data is encrypted at rest
 will be completely transparent to the clients and end users.
+
+### Using Transparent Data Encryption from S3G
+
+To use TDE from S3 interface, it can be done in 2 ways.
+
+####1. Create a bucket using shell under "/s3v" volume
+
+  ```bash
+  ozone sh bucket create -k encKey /s3v/encryptedBucket
+  ```
+####2. Create a link to an encrypted bucket under "/s3v" volume
+
+  ```bash
+  ozone sh bucket create -k encKey /vol/encryptedBucket
+  ozone sh bucket link  /vol/encryptedBucket /s3v/linkencryptedbucket
+  ```
+
+After this, all the keys created using s3g in the buckets will be encrypted.
+
+In non-secure mode, the user running the S3Gateway is the proxy user, 
+while in secure mode the user in Kerberos keytab is the proxy user. 

Review comment:
       I have updated the suggestion





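The thread's open question is which proxyuser settings in kms-site.xml give the S3 Gateway principal the right to fetch decryption keys on behalf of S3 users, and how widely that right should be granted. The script below is an added example for this thread, not code from the Ozone PR or the Ozone project: it parses a Hadoop-style configuration file and flags proxyuser settings that let the gateway principal impersonate users from any host or for any user. The property names follow the standard Hadoop KMS proxyuser scheme (`hadoop.kms.proxyuser.<principal>.hosts`, `.groups`, `.users`); the PR text does not show the two properties it refers to, so those names are an assumption here. The principal name `s3g` is the one the reviewer assumed, and the hostnames, group name and both XML fragments are constructed for the example.

```python
"""Audit the Hadoop KMS proxyuser settings that let the S3 Gateway
principal decrypt TDE keys on behalf of S3 users.

Added example for this thread, not code from the Ozone PR. The
property names follow the standard Hadoop KMS proxyuser scheme
(hadoop.kms.proxyuser.<principal>.hosts/.groups/.users); the PR text
does not show the two properties it refers to, so treat these names
as an assumption. The principal "s3g" is the reviewer's example.
"""
import xml.etree.ElementTree as ET

# Constructed sample: a permissive kms-site.xml that lets any host holding
# the s3g keytab impersonate any user towards the KMS.
WEAK_KMS_SITE = """<?xml version="1.0"?>
<configuration>
  <property>
    <name>hadoop.kms.proxyuser.s3g.hosts</name>
    <value>*</value>
  </property>
  <property>
    <name>hadoop.kms.proxyuser.s3g.groups</name>
    <value>*</value>
  </property>
</configuration>
"""

# Constructed sample: the same two properties scoped to the gateway hosts
# and to the group of users that should reach encrypted buckets via S3.
HARDENED_KMS_SITE = """<?xml version="1.0"?>
<configuration>
  <property>
    <name>hadoop.kms.proxyuser.s3g.hosts</name>
    <value>s3g-1.example.com,s3g-2.example.com</value>
  </property>
  <property>
    <name>hadoop.kms.proxyuser.s3g.groups</name>
    <value>s3users</value>
  </property>
</configuration>
"""


def parse_hadoop_conf(xml_text: str) -> dict[str, str]:
    """Flatten a Hadoop-style <configuration> document into name -> value."""
    root = ET.fromstring(xml_text)
    conf: dict[str, str] = {}
    for prop in root.iter("property"):
        name = prop.findtext("name")
        if name is None:
            continue
        conf[name.strip()] = (prop.findtext("value") or "").strip()
    return conf


def audit_proxyuser(conf: dict[str, str], principal: str = "s3g") -> list[str]:
    """Return findings about how broadly `principal` may impersonate users.

    Hadoop's proxyuser check needs a hosts list plus a groups or users
    list; a value of "*" in any of them means unrestricted.
    """
    prefix = f"hadoop.kms.proxyuser.{principal}."
    hosts = conf.get(prefix + "hosts")
    groups = conf.get(prefix + "groups")
    users = conf.get(prefix + "users")
    findings: list[str] = []

    if hosts is None:
        findings.append(f"{prefix}hosts is missing; KMS will refuse requests proxied by {principal}")
    elif hosts == "*":
        findings.append(f"{prefix}hosts is '*'; any host with the {principal} keytab can impersonate users")

    if groups is None and users is None:
        findings.append(f"neither {prefix}groups nor {prefix}users is set; KMS will refuse proxied requests")
    elif groups == "*" or users == "*":
        findings.append(f"{prefix}groups/users allows '*'; {principal} may decrypt keys as any user")

    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_KMS_SITE), ("hardened", HARDENED_KMS_SITE)):
        result = audit_proxyuser(parse_hadoop_conf(text))
        print(label, "->", result or ["no findings"])
```

Run it against a real kms-site.xml by reading the file into `parse_hadoop_conf`; an empty finding list means the gateway principal can only act from the listed hosts and only for the listed groups or users, which is the least-privilege shape the doc change should recommend.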

[GitHub] [ozone] bharatviswa504 merged pull request #2504: HDDS-5508. Add documentation regarding access encrypted buckets from S3G

Posted by GitBox <gi...@apache.org>.
bharatviswa504 merged pull request #2504:
URL: https://github.com/apache/ozone/pull/2504


   




[GitHub] [ozone] vivekratnavel commented on a change in pull request #2504: HDDS-5508. Add documentation regarding access encrypted buckets from S3G

Posted by GitBox <gi...@apache.org>.
vivekratnavel commented on a change in pull request #2504:
URL: https://github.com/apache/ozone/pull/2504#discussion_r686323783



##########
File path: hadoop-hdds/docs/content/security/SecuringTDE.md
##########
@@ -66,3 +66,57 @@ via the encKey and while reading the clients will talk to Key Management
 Server and read the key and decrypt it. In other words, the data stored
 inside Ozone is always encrypted. The fact that data is encrypted at rest
 will be completely transparent to the clients and end users.
+
+### Using Transparent Data Encryption from S3G
+
+To use TDE from S3 interface, it can be done in 2 ways.
+
+####1. Create a bucket using shell under "/s3v" volume
+
+  ```bash
+  ozone sh bucket create -k encKey /s3v/encryptedBucket
+  ```
+####2. Create a link to an encrypted bucket under "/s3v" volume
+
+  ```bash
+  ozone sh bucket create -k encKey /vol/encryptedBucket
+  ozone sh bucket link  /vol/encryptedBucket /s3v/linkencryptedbucket
+  ```
+
+After this, all the keys created using s3g in the buckets will be encrypted.
+
+In non-secure mode, the user running the S3Gateway is the proxy user, 
+while in secure mode the user in Kerberos keytab is the proxy user. 

Review comment:
       Yes, Bharat. I don't have a strong opinion here. Since the keytab is used only the first time, and only the access key and secret key will be used to access the S3G, I used "accessing the S3G". 






[GitHub] [ozone] bharatviswa504 commented on a change in pull request #2504: HDDS-5508. Add documentation regarding access encrypted buckets from S3G

Posted by GitBox <gi...@apache.org>.
bharatviswa504 commented on a change in pull request #2504:
URL: https://github.com/apache/ozone/pull/2504#discussion_r687002073



##########
File path: hadoop-hdds/docs/content/security/SecuringTDE.md
##########
@@ -66,3 +66,57 @@ via the encKey and while reading the clients will talk to Key Management
 Server and read the key and decrypt it. In other words, the data stored
 inside Ozone is always encrypted. The fact that data is encrypted at rest
 will be completely transparent to the clients and end users.
+
+### Using Transparent Data Encryption from S3G
+
+To use TDE from S3 interface, it can be done in 2 ways.
+
+####1. Create a bucket using shell under "/s3v" volume
+
+  ```bash
+  ozone sh bucket create -k encKey /s3v/encryptedBucket
+  ```
+####2. Create a link to an encrypted bucket under "/s3v" volume
+
+  ```bash
+  ozone sh bucket create -k encKey /vol/encryptedBucket
+  ozone sh bucket link  /vol/encryptedBucket /s3v/linkencryptedbucket
+  ```
+
+After this, all the keys created using s3g in the buckets will be encrypted.
+
+In non-secure mode, the user running the S3Gateway is the proxy user, 
+while in secure mode the user in Kerberos keytab is the proxy user. 

Review comment:
       No, here it is explaining which user is proxying, so in the secure case it is the Kerberos keytab of s3g.






[GitHub] [ozone] bharatviswa504 commented on pull request #2504: HDDS-5508. Add documentation regarding access encrypted buckets from S3G

Posted by GitBox <gi...@apache.org>.
bharatviswa504 commented on pull request #2504:
URL: https://github.com/apache/ozone/pull/2504#issuecomment-896222175


   Thank you @vivekratnavel for the review. I have fixed the review comments with suggestions, except one, to which I replied.




[GitHub] [ozone] vivekratnavel commented on a change in pull request #2504: HDDS-5508. Add documentation regarding access encrypted buckets from S3G

Posted by GitBox <gi...@apache.org>.
vivekratnavel commented on a change in pull request #2504:
URL: https://github.com/apache/ozone/pull/2504#discussion_r687101726



##########
File path: hadoop-hdds/docs/content/security/SecuringTDE.md
##########
@@ -66,3 +66,57 @@ via the encKey and while reading the clients will talk to Key Management
 Server and read the key and decrypt it. In other words, the data stored
 inside Ozone is always encrypted. The fact that data is encrypted at rest
 will be completely transparent to the clients and end users.
+
+### Using Transparent Data Encryption from S3G
+
+To use TDE from S3 interface, it can be done in 2 ways.
+
+####1. Create a bucket using shell under "/s3v" volume
+
+  ```bash
+  ozone sh bucket create -k encKey /s3v/encryptedBucket
+  ```
+####2. Create a link to an encrypted bucket under "/s3v" volume
+
+  ```bash
+  ozone sh bucket create -k encKey /vol/encryptedBucket
+  ozone sh bucket link  /vol/encryptedBucket /s3v/linkencryptedbucket
+  ```
+
+After this, all the keys created using s3g in the buckets will be encrypted.
+
+In non-secure mode, the user running the S3Gateway is the proxy user, 
+while in secure mode the user in Kerberos keytab is the proxy user. 

Review comment:
       Oh, yes, you are right. It will be the "ozone.s3g.kerberos.keytab.file" that will be the proxy user






[GitHub] [ozone] bharatviswa504 commented on pull request #2504: HDDS-5508. Add documentation regarding access encrypted buckets from S3G

Posted by GitBox <gi...@apache.org>.
bharatviswa504 commented on pull request #2504:
URL: https://github.com/apache/ozone/pull/2504#issuecomment-897345234


   Thank you @vivekratnavel for the review and suggestions.




[GitHub] [ozone] vivekratnavel commented on a change in pull request #2504: HDDS-5508. Add documentation regarding access encrypted buckets from S3G

Posted by GitBox <gi...@apache.org>.
vivekratnavel commented on a change in pull request #2504:
URL: https://github.com/apache/ozone/pull/2504#discussion_r687101726



##########
File path: hadoop-hdds/docs/content/security/SecuringTDE.md
##########
@@ -66,3 +66,57 @@ via the encKey and while reading the clients will talk to Key Management
 Server and read the key and decrypt it. In other words, the data stored
 inside Ozone is always encrypted. The fact that data is encrypted at rest
 will be completely transparent to the clients and end users.
+
+### Using Transparent Data Encryption from S3G
+
+To use TDE from S3 interface, it can be done in 2 ways.
+
+####1. Create a bucket using shell under "/s3v" volume
+
+  ```bash
+  ozone sh bucket create -k encKey /s3v/encryptedBucket
+  ```
+####2. Create a link to an encrypted bucket under "/s3v" volume
+
+  ```bash
+  ozone sh bucket create -k encKey /vol/encryptedBucket
+  ozone sh bucket link  /vol/encryptedBucket /s3v/linkencryptedbucket
+  ```
+
+After this, all the keys created using s3g in the buckets will be encrypted.
+
+In non-secure mode, the user running the S3Gateway is the proxy user, 
+while in secure mode the user in Kerberos keytab is the proxy user. 

Review comment:
       Oh, yes, you are right. It will be the "ozone.s3g.kerberos.principal" that will be the proxy user






[GitHub] [ozone] vivekratnavel commented on a change in pull request #2504: HDDS-5508. Add documentation regarding access encrypted buckets from S3G

Posted by GitBox <gi...@apache.org>.
vivekratnavel commented on a change in pull request #2504:
URL: https://github.com/apache/ozone/pull/2504#discussion_r686205686



##########
File path: hadoop-hdds/docs/content/security/SecuringTDE.md
##########
@@ -66,3 +66,57 @@ via the encKey and while reading the clients will talk to Key Management
 Server and read the key and decrypt it. In other words, the data stored
 inside Ozone is always encrypted. The fact that data is encrypted at rest
 will be completely transparent to the clients and end users.
+
+### Using Transparent Data Encryption from S3G
+
+To use TDE from S3 interface, it can be done in 2 ways.
+
+####1. Create a bucket using shell under "/s3v" volume
+
+  ```bash
+  ozone sh bucket create -k encKey /s3v/encryptedBucket
+  ```
+####2. Create a link to an encrypted bucket under "/s3v" volume
+
+  ```bash
+  ozone sh bucket create -k encKey /vol/encryptedBucket
+  ozone sh bucket link  /vol/encryptedBucket /s3v/linkencryptedbucket
+  ```
+
+After this, all the keys created using s3g in the buckets will be encrypted.
+
+In non-secure mode, the user running the S3Gateway is the proxy user, 
+while in secure mode the user in Kerberos keytab is the proxy user. 

Review comment:
       ```suggestion
   while in secure mode the S3Gateway Kerberos principal (ozone.s3g.kerberos.principal) is the proxy user. 
   ```






[GitHub] [ozone] bharatviswa504 edited a comment on pull request #2504: HDDS-5508. Add documentation regarding access encrypted buckets from S3G

Posted by GitBox <gi...@apache.org>.
bharatviswa504 edited a comment on pull request #2504:
URL: https://github.com/apache/ozone/pull/2504#issuecomment-896222175


   Thank you @vivekratnavel for the review. I have fixed the review comments with suggestions, except one, to which I have replied.




[GitHub] [ozone] bharatviswa504 commented on a change in pull request #2504: HDDS-5508. Add documentation regarding access encrypted buckets from S3G

Posted by GitBox <gi...@apache.org>.
bharatviswa504 commented on a change in pull request #2504:
URL: https://github.com/apache/ozone/pull/2504#discussion_r686223923



##########
File path: hadoop-hdds/docs/content/security/SecuringTDE.md
##########
@@ -66,3 +66,57 @@ via the encKey and while reading the clients will talk to Key Management
 Server and read the key and decrypt it. In other words, the data stored
 inside Ozone is always encrypted. The fact that data is encrypted at rest
 will be completely transparent to the clients and end users.
+
+### Using Transparent Data Encryption from S3G
+
+To use TDE from S3 interface, it can be done in 2 ways.
+
+####1. Create a bucket using shell under "/s3v" volume
+
+  ```bash
+  ozone sh bucket create -k encKey /s3v/encryptedBucket
+  ```
+####2. Create a link to an encrypted bucket under "/s3v" volume
+
+  ```bash
+  ozone sh bucket create -k encKey /vol/encryptedBucket
+  ozone sh bucket link  /vol/encryptedBucket /s3v/linkencryptedbucket
+  ```
+
+After this, all the keys created using s3g in the buckets will be encrypted.
+
+In non-secure mode, the user running the S3Gateway is the proxy user, 
+while in secure mode the user in Kerberos keytab is the proxy user. 

Review comment:
       Does "accessing" here mean the keytab user implicitly?






[GitHub] [ozone] vivekratnavel commented on a change in pull request #2504: HDDS-5508. Add documentation regarding access encrypted buckets from S3G

Posted by GitBox <gi...@apache.org>.
vivekratnavel commented on a change in pull request #2504:
URL: https://github.com/apache/ozone/pull/2504#discussion_r686204006



##########
File path: hadoop-hdds/docs/content/security/SecuringTDE.md
##########
@@ -66,3 +66,57 @@ via the encKey and while reading the clients will talk to Key Management
 Server and read the key and decrypt it. In other words, the data stored
 inside Ozone is always encrypted. The fact that data is encrypted at rest
 will be completely transparent to the clients and end users.
+
+### Using Transparent Data Encryption from S3G
+
+To use TDE from S3 interface, it can be done in 2 ways.
+
+####1. Create a bucket using shell under "/s3v" volume
+
+  ```bash
+  ozone sh bucket create -k encKey /s3v/encryptedBucket
+  ```
+####2. Create a link to an encrypted bucket under "/s3v" volume
+
+  ```bash
+  ozone sh bucket create -k encKey /vol/encryptedBucket
+  ozone sh bucket link  /vol/encryptedBucket /s3v/linkencryptedbucket
+  ```
+
+After this, all the keys created using s3g in the buckets will be encrypted.

Review comment:
       ```suggestion
   After creating an encrypted bucket, all the keys added to this bucket using s3g will be encrypted.
   ```

##########
File path: hadoop-hdds/docs/content/security/SecuringTDE.md
##########
@@ -66,3 +66,57 @@ via the encKey and while reading the clients will talk to Key Management
 Server and read the key and decrypt it. In other words, the data stored
 inside Ozone is always encrypted. The fact that data is encrypted at rest
 will be completely transparent to the clients and end users.
+
+### Using Transparent Data Encryption from S3G
+
+To use TDE from S3 interface, it can be done in 2 ways.
+
+####1. Create a bucket using shell under "/s3v" volume
+
+  ```bash
+  ozone sh bucket create -k encKey /s3v/encryptedBucket
+  ```
+####2. Create a link to an encrypted bucket under "/s3v" volume
+
+  ```bash
+  ozone sh bucket create -k encKey /vol/encryptedBucket
+  ozone sh bucket link  /vol/encryptedBucket /s3v/linkencryptedbucket
+  ```
+
+After this, all the keys created using s3g in the buckets will be encrypted.
+
+In non-secure mode, the user running the S3Gateway is the proxy user, 
+while in secure mode the user in Kerberos keytab is the proxy user. 

Review comment:
       ```suggestion
   while in secure mode the user accessing the S3Gateway is the proxy user. 
   ```

##########
File path: hadoop-hdds/docs/content/security/SecuringTDE.md
##########
@@ -66,3 +66,57 @@ via the encKey and while reading the clients will talk to Key Management
 Server and read the key and decrypt it. In other words, the data stored
 inside Ozone is always encrypted. The fact that data is encrypted at rest
 will be completely transparent to the clients and end users.
+
+### Using Transparent Data Encryption from S3G
+
+To use TDE from S3 interface, it can be done in 2 ways.

Review comment:
       How about this?
   ```suggestion
   There are two ways to create an encrypted bucket that can be accessed via S3 Gateway.
   ```

##########
File path: hadoop-hdds/docs/content/security/SecuringTDE.md
##########
@@ -66,3 +66,57 @@ via the encKey and while reading the clients will talk to Key Management
 Server and read the key and decrypt it. In other words, the data stored
 inside Ozone is always encrypted. The fact that data is encrypted at rest
 will be completely transparent to the clients and end users.
+
+### Using Transparent Data Encryption from S3G
+
+To use TDE from S3 interface, it can be done in 2 ways.
+
+####1. Create a bucket using shell under "/s3v" volume
+
+  ```bash
+  ozone sh bucket create -k encKey /s3v/encryptedBucket
+  ```
+####2. Create a link to an encrypted bucket under "/s3v" volume
+
+  ```bash
+  ozone sh bucket create -k encKey /vol/encryptedBucket
+  ozone sh bucket link  /vol/encryptedBucket /s3v/linkencryptedbucket
+  ```
+
+After this, all the keys created using s3g in the buckets will be encrypted.
+
+In non-secure mode, the user running the S3Gateway is the proxy user, 

Review comment:
       ```suggestion
   In non-secure mode, the user running the S3Gateway daemon process is the proxy user, 
   ```

##########
File path: hadoop-hdds/docs/content/security/SecuringTDE.md
##########
@@ -66,3 +66,57 @@ via the encKey and while reading the clients will talk to Key Management
 Server and read the key and decrypt it. In other words, the data stored
 inside Ozone is always encrypted. The fact that data is encrypted at rest
 will be completely transparent to the clients and end users.
+
+### Using Transparent Data Encryption from S3G
+
+To use TDE from S3 interface, it can be done in 2 ways.
+
+####1. Create a bucket using shell under "/s3v" volume
+
+  ```bash
+  ozone sh bucket create -k encKey /s3v/encryptedBucket
+  ```
+####2. Create a link to an encrypted bucket under "/s3v" volume
+
+  ```bash
+  ozone sh bucket create -k encKey /vol/encryptedBucket
+  ozone sh bucket link  /vol/encryptedBucket /s3v/linkencryptedbucket
+  ```
+

Review comment:
       ```suggestion
   Note: An encrypted bucket cannot be created via S3 APIs. It must be done using Ozone shell commands as shown above.
   ```

##########
File path: hadoop-hdds/docs/content/security/SecuringTDE.md
##########
@@ -66,3 +66,57 @@ via the encKey and while reading the clients will talk to Key Management
 Server and read the key and decrypt it. In other words, the data stored
 inside Ozone is always encrypted. The fact that data is encrypted at rest
 will be completely transparent to the clients and end users.
+
+### Using Transparent Data Encryption from S3G
+
+To use TDE from S3 interface, it can be done in 2 ways.
+
+####1. Create a bucket using shell under "/s3v" volume
+
+  ```bash
+  ozone sh bucket create -k encKey /s3v/encryptedBucket
+  ```
+####2. Create a link to an encrypted bucket under "/s3v" volume
+
+  ```bash
+  ozone sh bucket create -k encKey /vol/encryptedBucket
+  ozone sh bucket link  /vol/encryptedBucket /s3v/linkencryptedbucket
+  ```
+
+After this, all the keys created using s3g in the buckets will be encrypted.
+
+In non-secure mode, the user running the S3Gateway is the proxy user, 
+while in secure mode the user in Kerberos keytab is the proxy user. 
+S3Gateway proxy's all the users accessing the encrypted buckets to decrypt the key. 
+For this purpose on security enabled cluster, during S3Gateway server startup 
+logins using configured 
+**ozone.s3g.kerberos.keytab.file**  and **ozone.s3g.kerberos.principal**. 
+
+Below 2 configuration need to be added to kms-site.xml
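Review bot: the two sub-headings `####1. Create a bucket using shell under "/s3v" volume` and `####2. Create a link to an encrypted bucket under "/s3v" volume` have no space after the `#` run, so CommonMark renderers such as the one behind the Ozone docs site will print them as literal text rather than headings; write `#### 1. ...` and `#### 2. ...`. In the proxying paragraph, `S3Gateway proxy's all the users` should read `S3Gateway proxies all the users`, and `during S3Gateway server startup logins using configured` is missing its subject (`the S3Gateway server logs in using the configured ...`).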

Review comment:
       ```suggestion
   The below two configurations must be added to the kms-site.xml to allow the S3Gateway principal to act as a proxy for other users.
   ```






[GitHub] [ozone] bharatviswa504 commented on a change in pull request #2504: HDDS-5508. Add documentation regarding access encrypted buckets from S3G

Posted by GitBox <gi...@apache.org>.
bharatviswa504 commented on a change in pull request #2504:
URL: https://github.com/apache/ozone/pull/2504#discussion_r686223923



##########
File path: hadoop-hdds/docs/content/security/SecuringTDE.md
##########
@@ -66,3 +66,57 @@ via the encKey and while reading the clients will talk to Key Management
 Server and read the key and decrypt it. In other words, the data stored
 inside Ozone is always encrypted. The fact that data is encrypted at rest
 will be completely transparent to the clients and end users.
+
+### Using Transparent Data Encryption from S3G
+
+To use TDE from S3 interface, it can be done in 2 ways.
+
+####1. Create a bucket using shell under "/s3v" volume
+
+  ```bash
+  ozone sh bucket create -k encKey /s3v/encryptedBucket
+  ```
+####2. Create a link to an encrypted bucket under "/s3v" volume
+
+  ```bash
+  ozone sh bucket create -k encKey /vol/encryptedBucket
+  ozone sh bucket link  /vol/encryptedBucket /s3v/linkencryptedbucket
+  ```
+
+After this, all the keys created using s3g in the buckets will be encrypted.
+
+In non-secure mode, the user running the S3Gateway is the proxy user, 
+while in secure mode the user in Kerberos keytab is the proxy user. 

Review comment:
       Does "accessing" here mean the keytab user implicitly? So would clearly mentioning the keytab user give more clarity? Because we log in with the Kerberos keytab user, right?



