[
https://issues.apache.org/jira/browse/HDDS-13148?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Wei-Chiu Chuang updated HDDS-13148:
-----------------------------------
Description:
I want to update the current Ozone's Transparent Data Encryption
page [https://ozone.apache.org/docs/edge/security/securingtde.html] with the
following instructions:
The Ozone TDE doc is written with the assumption that the user is familiar with
HDFS TDE, which may not be the case.
We should update the doc such that
(1) It does not require prior knowledge of HDFS TDE.
(2) Ozone can work with Hadoop KMS and Ranger KMS. We should mention Ranger KMS
in the doc.
(3) For Ranger KMS, encryption keys can also be managed by the Ranger KMS management
console or its REST API.
(4) {{hadoop key create enckey}} command has additional parameters: -size:
specifies key bit length. Ozone supports 128 and 256 bits; -cipher: only
AES/CTR/NoPadding (default) is supported as of now.
(5) Add reference to Transparent Encryption in HDFS:
[https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-hdfs/TransparentEncryption.html]
and Hadoop KMS doc:
[https://hadoop.apache.org/docs/r3.4.1/hadoop-kms/index.html]
(6) For the section {*}Using Transparent Data Encryption from S3G{*}, we should
mention Ozone does not support S3-SSE (Server-Side Encryption) or S3-CSE
(Client-Side Encryption). That said, Ozone S3 buckets can be encrypted using
Ranger/Hadoop KMS to provide the same guarantee as S3-SSE with client-supplied
key (S3 SSE-C).
(7) For section KMS Authorization: provide examples.
Be succinct. Insert new text into the existing content, instead of rewriting
everything.
was:
I want to update the current Ozone's Transparent Data Encryption
page [https://ozone.apache.org/docs/edge/security/securingtde.html] with the
following instructions:
The Ozone TDE doc is written with the assumption that the user is familiar with
HDFS TDE, which may not be the case.
We should update the doc such that
(1) It does not require prior knowledge of HDFS TDE.
(2) Ozone can work with Hadoop KMS and Ranger KMS. We should mention Ranger KMS
in the doc.
(3) For Ranger KMS, encryption keys can also be managed by the Ranger KMS management
console or its REST API.
(4) {{hadoop key create enckey}} command has additional parameters: -size:
specifies key bit length. Ozone supports 128 and 256 bits; -cipher: only
AES/CTR/NoPadding (default) is supported as of now.
(5) Add reference to Transparent Encryption in HDFS:
[https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-hdfs/TransparentEncryption.html]
and Hadoop KMS doc:
[https://hadoop.apache.org/docs/r3.4.1/hadoop-kms/index.html]
(6) For the section {*}Using Transparent Data Encryption from S3G{*}, we should
mention Ozone does not support S3-SSE (Server-Side Encryption) or S3-CSE
(Client-Side Encryption). That said, Ozone S3 buckets can be encrypted using
Ranger/Hadoop KMS to provide the same guarantee as S3-SSE with client-supplied
key (S3 SSE-C).
> [Docs] Update Transparent Data Encryption doc
> ---------------------------------------------
>
> Key: HDDS-13148
> URL: https://issues.apache.org/jira/browse/HDDS-13148
> Project: Apache Ozone
> Issue Type: Improvement
> Components: documentation
> Reporter: Wei-Chiu Chuang
> Assignee: Wei-Chiu Chuang
> Priority: Major
>
> I want to update the current Ozone's Transparent Data Encryption
> page [https://ozone.apache.org/docs/edge/security/securingtde.html] with the
> following instructions:
> The Ozone TDE doc is written with the assumption that the user is familiar with
> HDFS TDE, which may not be the case.
> We should update the doc such that
> (1) It does not require prior knowledge of HDFS TDE.
> (2) Ozone can work with Hadoop KMS and Ranger KMS. We should mention Ranger
> KMS in the doc.
> (3) For Ranger KMS, encryption keys can also be managed by the Ranger KMS
> management console or its REST API.
> (4) {{hadoop key create enckey}} command has additional parameters: -size:
> specifies key bit length. Ozone supports 128 and 256 bits; -cipher: only
> AES/CTR/NoPadding (default) is supported as of now.
> (5) Add reference to Transparent Encryption in HDFS:
> [https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-hdfs/TransparentEncryption.html]
> and Hadoop KMS doc:
> [https://hadoop.apache.org/docs/r3.4.1/hadoop-kms/index.html]
> (6) For the section {*}Using Transparent Data Encryption from S3G{*}, we
> should mention Ozone does not support S3-SSE (Server-Side Encryption) or
> S3-CSE (Client-Side Encryption). That said, Ozone S3 buckets can be encrypted
> using Ranger/Hadoop KMS to provide the same guarantee as S3-SSE with
> client-supplied key (S3 SSE-C).
> (7) For section KMS Authorization: provide examples.
> Be succinct. Insert new text into the existing content, instead of rewriting
> everything.