9fe62c3ec6
Prior to this patch hbase always used the MD5 hash algorithm to store a hash for encryption keys.
This hash is needed to verify the secret key of the subject. (e.g. making
sure that the same secrey key is used during encrypted HFile read and write).
The MD5 algorithm is considered weak, and can not be used in some
(e.g. FIPS compliant) clusters.
In this patch we:
- add a config parameter to globally enable/disable column family encryption (def enabled)
- introduce a backward compatible way of specifying the hash algorithm.
This enable us to use newer and more secure hash algorithms like SHA-384
or SHA-512 (which are FIPS compliant).
- add a config parameter to fail if an hfile is encountered that uses a
different hash algorithm than the one currently configured to ease validation after
migrating key hash algorithms (def disabled)
Closes #2539
Signed-off-by: Sean Busbey <busbey@apache.org>
Signed-off-by: Esteban Gutierrez <esteban@apache.org>
(cherry picked from commit
|
||
|---|---|---|
| .idea | ||
| bin | ||
| conf | ||
| dev-support | ||
| hbase-annotations | ||
| hbase-archetypes | ||
| hbase-assembly | ||
| hbase-asyncfs | ||
| hbase-build-configuration | ||
| hbase-checkstyle | ||
| hbase-client | ||
| hbase-common | ||
| hbase-endpoint | ||
| hbase-examples | ||
| hbase-external-blockcache | ||
| hbase-hadoop-compat | ||
| hbase-hadoop2-compat | ||
| hbase-hbtop | ||
| hbase-http | ||
| hbase-it | ||
| hbase-logging | ||
| hbase-mapreduce | ||
| hbase-metrics | ||
| hbase-metrics-api | ||
| hbase-procedure | ||
| hbase-protocol | ||
| hbase-protocol-shaded | ||
| hbase-replication | ||
| hbase-resource-bundle | ||
| hbase-rest | ||
| hbase-rsgroup | ||
| hbase-server | ||
| hbase-shaded | ||
| hbase-shell | ||
| hbase-testing-util | ||
| hbase-thrift | ||
| hbase-zookeeper | ||
| src | ||
| .editorconfig | ||
| .gitattributes | ||
| .gitignore | ||
| .pylintrc | ||
| .rubocop.yml | ||
| CHANGES.md | ||
| LICENSE.txt | ||
| NOTICE.txt | ||
| README.txt | ||
| RELEASENOTES.md | ||
| pom.xml | ||
README.txt
Apache HBase [1] is an open-source, distributed, versioned, column-oriented store modeled after Google' Bigtable: A Distributed Storage System for Structured Data by Chang et al.[2] Just as Bigtable leverages the distributed data storage provided by the Google File System, HBase provides Bigtable-like capabilities on top of Apache Hadoop [3]. To get started using HBase, the full documentation for this release can be found under the doc/ directory that accompanies this README. Using a browser, open the docs/index.html to view the project home page (or browse to [1]). The hbase 'book' at http://hbase.apache.org/book.html has a 'quick start' section and is where you should being your exploration of the hbase project. The latest HBase can be downloaded from an Apache Mirror [4]. The source code can be found at [5] The HBase issue tracker is at [6] Apache HBase is made available under the Apache License, version 2.0 [7] The HBase mailing lists and archives are listed here [8]. The HBase distribution includes cryptographic software. See the export control notice here [9]. 1. http://hbase.apache.org 2. http://research.google.com/archive/bigtable.html 3. http://hadoop.apache.org 4. http://www.apache.org/dyn/closer.cgi/hbase/ 5. https://hbase.apache.org/source-repository.html 6. https://hbase.apache.org/issue-tracking.html 7. http://hbase.apache.org/license.html 8. http://hbase.apache.org/mail-lists.html 9. https://hbase.apache.org/export_control.html