nucypher / hadoop-oss Goto Github PK
View Code? Open in Web Editor NEWOpen source edition of NuCypher for Hadoop
License: Apache License 2.0
hadoop-oss's Introduction
NuCypher hadoop components
In this repository set ot NuCypher hadoop componetns can be found.
The list of essential components:
nucypher-crypto - crypto alghorithms for deligates access implementation
nucypher-hadoop-common - modified hadoop core framework with support for public/private key pairs and deligated access
nucypher-kms - set of KMS-based daemons for deligated access
nucypher-hadoop-plugins - plugin to support bulk files' attributes mofication with single RPC call
nucypher-keyrotation - simple utility for distributed key rotation
INSTALLATION
There are three kind of nodes in NuCypher KMS service
GlobalKMS - main storage of keys
LocalKMS - proxy KMS, should be located on any host, which will use KMS to access data
REN - ReEncryption Node - special daemon used to hold re-encryption keys, which converts global keys to local ones.
We should have number of such nodes, to balance load. They should be located on separate hosts from LocalKMSes and GlobalKMS
Daemons can be started with
$NUCYPHER_KMS_PREFIX/sbin/kms.sh start
--Daemons common configuration:
Following enviromental variables should be set:
NUCYPHER_KMS_PREFIX should point to the directory NuCypher KMS service is installed on host
NUCYPHER_KMS_CONF_DIR should point to the directory with specific daemon configuration, ie core-site.xml, kms-site.xml and related files can be found
optionaly HADOOP_LOG_DIR can be set ot directory with logs
HADOOP_CATALINA_PREFIX & HADOOP_IDENT_STRING can be set ot daemon names to get correct log file naming
Sample configuration files can be found in nucypher-kms/src/main/conf directory. They should be placed to appropriate configuration directory
kms-acls.xml - ACL file with special tokens for deligated access
kms-env.sh - env config for GlobaKMS
kms-site.xml - main config for GlobalKMS
log4j.properties - common log config for GlobalKMS
kms-log4j.properties - log config for GlobalKMS
kms-env.local-kms.sh - env config for LocalKMS
kms-site.local-kms.xml - main config for LocalKMS
kms-log4j.local-kms.properties - log configuration for LocalKMS
kms-env.ren.sh - env config for REN
kms-site.ren.xml - kms-site.xml config file for REN
kms-log4j.ren.properties - log configuration for REN
--GlobalKMS configuration:
kms-site.xml
Path to keystore should be setup here:
<property>
<name>hadoop.kms.key.provider.uri</name>
<value>jcekps://file@/${user.home}/kms.keystore</value>
<description>
URI of the backing KeyProvider for the KMS.
</description>
</property>
Also special setup for crypto codecs required:
<property>
<name>hadoop.security.crypto.codec.classes.bbs98.none.padding</name>
<value>org.apache.hadoop.crypto.BBS98BCCryptoCodec</value>
</property>
<property>
<name>hadoop.security.crypto.cipher.suite</name>
<value>BBS98/None/Padding</value>
</property>
--LocalKMS configuration:
kms-site.xml:
Here should be set mode of current NuCypher KMS daemon, LOCAL_KMS
<property>
<name>hadoop.kms.mode</name>
<value>LOCAL_KMS</value>
</property>
Also, REN and GlobalKMS addresses should be set:
<property>
<name>hadoop.kms.re.key.provider.uri</name>
<value>ren://http@localhost:16110/kms</value>
</property>
<property>
<name>hadoop.kms.key.provider.uri</name>
<value>prekms://http@localhost:16000/kms</value>
<description>
URI of the backing KeyProvider for the KMS.
</description>
</property>
crypto codecs setup:
<property>
<name>hadoop.security.crypto.codec.classes.bbs98.none.padding</name>
<value>org.apache.hadoop.crypto.BBS98BCCryptoCodec</value>
</property>
cipher setup:
<!-- KeyProvider.DEFAULT_CIPHER_NAME Used to encrypt and decrypt data-->
<property>
<name>hadoop.security.key.default.cipher</name>
<value>AES/CTR/NoPadding</value>
</property>
<!-- CommonConfigurationKeysPublic.HADOOP_SECURITY_CRYPTO_CIPHER_SUITE_KEY
Used to encrypt and decrypt DEK -->
<property>
<name>hadoop.security.crypto.cipher.suite</name>
<value>BBS98/None/Padding</value>
</property>
--REN configuration:
kms-env.sh:
mode should be set
<property>
<name>hadoop.kms.mode</name>
<value>RE_NODE</value>
</property>
here we set keys are stored in memory only
<property>
<name>hadoop.kms.re.key.provider.uri</name>
<value>memren://file@/${user.home}/some.fake.file.path</value>
</property>
set address of GlobalKMS
<property>
<name>hadoop.kms.key.provider.uri</name>
<value>prekms://http@localhost:16000/kms</value>
<description>
URI of the backing KeyProvider for the KMS.
</description>
</property>
codecs and cipher setup:
<property>
<name>hadoop.security.crypto.codec.classes.bbs98.none.padding</name>
<value>org.apache.hadoop.crypto.BBS98BCCryptoCodec</value>
</property>
<property>
<name>hadoop.security.crypto.codec.classes.bbs98re.none.nopadding</name>
<value>org.apache.hadoop.crypto.BBS98BCTransformationCryptoCodec</value>
</property>
<!-- KeyProvider.DEFAULT_CIPHER_NAME Used to encrypt and decrypt data-->
<property>
<name>hadoop.security.key.default.cipher</name>
<value>AES/CTR/NoPadding</value>
</property>
<!-- CommonConfigurationKeysPublic.HADOOP_SECURITY_CRYPTO_CIPHER_SUITE_KEY
Used to encrypt and decrypt DEK -->
<property>
<name>hadoop.ren.re.enc.suite</name>
<value>BBS98RE/None/NoPadding</value>
</property>
-- Hadoop nodes configuration
main change should be made, we should set address of LocalKMS, located on the same node:
core-site.xml:
<property>
<name>hadoop.security.key.provider.path</name>
<value>kms://http@localhost:16000/kms</value>
<description>
The KeyProvider to use when interacting with encryption keys used
when reading and writing to an encryption zone.
</description>
</property>
-- Hadoop namenode configuration
Also, we should setup here address of LocalKMS, located on NameNode
core-site.xml:
<property>
<name>dfs.encryption.key.provider.uri</name>
<value>kms://http@localhost:16000/kms</value>
</property>
<property>
<name>hadoop.security.key.provider.path</name>
<value>kms://http@localhost:16000/kms</value>
<description>
The KeyProvider to use when interacting with encryption keys used
when reading and writing to an encryption zone.
</description>
</property>
hadoop-oss's People
Contributors
Stargazers
Watchers
hadoop-oss's Issues
Failed to start KMS service with java keystore provider keys and its password
In the KMS kms-site.xml we did set the keystore path and password. The password for the generated keystore is 'password'and the same did configure as given below.
<property>
<name>hadoop.kms.key.provider.uri</name>
<value>jcekps://file@/${user.home}/kms.keystore</value>
<description>
URI of the backing KeyProvider for the KMS.
</description>
</property>
<property>
<name>hadoop.security.keystore.JavaKeyStoreProvider.password</name>
<value>password</value>
<description>
If using the JavaKeyStoreProvider, the password for the keystore file.
</description>
</property>
Main issues:
-
After we set the key file with its password then we are getting key file tempered error all the time when we start the KMS service.
-
Kindly provide more information on how to set up keys in kms-site.xml and to configure Hadoop hdfs (datanode & namenode settings) with nucypher kms.
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google โค๏ธ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.