https://github.com/palantir/hadoop-crypto/blob/develop/hadoop-crypto/src/main/java/com/palantir/crypto2/hadoop/EncryptedFileSystem.java#L147

I may be missing some complexity, but it seems like recursive delete would just be a few more lines. Is there something I'm missing that would make this more complicated? Would a PR to support this be accepted?

For this to work with tools like Spark, support is required for renaming directories. Currently, EncryptedFileSystem naively assumes the path being renamed is a regular file and barfs when it cannot find a key material for the directory. This is related to "Recursive delete support #93", in that there appears to be a general lack of consideration for recursive directory operations.

I have had no luck with seeking on encrypted file streams when using the "AES/CBC/PKCS5Padding" cipher. On the other hand, the "AES/CTR/NoPadding" cipher works 100% of the time. My case is using StandaloneEncryptedFileSystem to write a parquet file to encrypted local file system and then reading the parquet file. One of the first things done with the parquet reader is to read the footer (one of the last records). This is where it is always failing for me. Seeking to the footer is hitting a premature EOF, typically 2 bytes short. I suspect this has something to do with the padding. FYI, I am using the latest IBM JDK (not Oracle or OpenJDK) ... not that it should make any difference. Any ideas? Should I create a simplified test case for you?

Trying to initialize the cipher results in

Exception in thread "main" java.io.IOException: java.security.GeneralSecurityException: CryptoCipher {org.apache.commons.crypto.cipher.OpenSslCipher} is not available or transformation AES/CTR/NoPadding is not supported.
	at org.apache.commons.crypto.utils.Utils.getCipherInstance(Utils.java:130)
	at ApacheCommonsCryptoLoad.main(ApacheCommonsCryptoLoad.java:10)
Caused by: java.security.GeneralSecurityException: CryptoCipher {org.apache.commons.crypto.cipher.OpenSslCipher} is not available or transformation AES/CTR/NoPadding is not supported.
	at org.apache.commons.crypto.cipher.CryptoCipherFactory.getCryptoCipher(CryptoCipherFactory.java:176)
	at org.apache.commons.crypto.utils.Utils.getCipherInstance(Utils.java:128)
	... 1 more
Caused by: java.lang.RuntimeException: java.lang.reflect.InvocationTargetException
	at org.apache.commons.crypto.utils.ReflectionUtils.newInstance(ReflectionUtils.java:90)
	at org.apache.commons.crypto.cipher.CryptoCipherFactory.getCryptoCipher(CryptoCipherFactory.java:160)
	... 2 more
Caused by: java.lang.reflect.InvocationTargetException
	at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
	at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
	at java.base/java.lang.reflect.Constructor.newInstance(Unknown Source)
	at org.apache.commons.crypto.utils.ReflectionUtils.newInstance(ReflectionUtils.java:88)
	... 3 more
Caused by: java.lang.RuntimeException: java.lang.UnsatisfiedLinkError: EVP_CIPHER_CTX_cleanup
	at org.apache.commons.crypto.cipher.OpenSslCipher.<init>(OpenSslCipher.java:59)
	... 8 more
Caused by: java.lang.UnsatisfiedLinkError: EVP_CIPHER_CTX_cleanup
	at org.apache.commons.crypto.cipher.OpenSslNative.initIDs(Native Method)
	at org.apache.commons.crypto.cipher.OpenSsl.<clinit>(OpenSsl.java:95)
	at org.apache.commons.crypto.cipher.OpenSslCipher.<init>(OpenSslCipher.java:57)
	... 8 more

Should have been fixed upstream in apache/commons-crypto@2875340

BLUF: Applications that use this library will attempt to read at most 512 bytes at a time, likely due to the behavior of CipherInputStream. I will stop neglecting #35, and try to get that over the line asap.

Earlier today I was investigating the impact of setting fs.s3a.experimental.input.fadvise equal to random for a Spark application that reads Parquet files from an S3 bucket. This is one of the cooler new features in Hadoop 2.8.0, and I was hoping to observe a noticeable improvement in read performance. Disappointingly and confusingly, reads actually became much slower unless I changed the value of fs.s3a.readahead.range to something much larger than the default, which is 64 kb.

DEBUG logging for org.apache.hadoop.s3a on the Spark executors indicated that the S3AInputStream for the object being read was being closed and reopened many times. This doesn't really make sense, since the number of bytes that s3a will request in this case is the maximum of the readahead and value and the length that the application is requesting. No matter how ridiculously small the readahead, the stream should not be closed and reopened repeatedly unless the client is reading in small chunks.

A closer look at the DEBUG logging on S3AInputStream#reopen indicated that the value of the length variable was 512 for each read. That is, the client was reading 512 bytes, closing the stream, reopening it to read another 512 bytes, and so on. (EDIT: The client was requesting 512 bytes at a time, but s3a was reading 64 kb at a time, since max(512,65536)=65536).

I haven't pulled out YourKit or the IntelliJ debugger, so can't confirm for certain, but I'm fairly certain after reading some code that this mysterious 512 number comes from the ibuffer variable in CipherInputStream, and the way it's used in CipherInputstream#read. From what I can tell, that class will read 512 bytes at a time, and it's not configurable.

To confirm that something in this library -- likely but not certainly the use of CipherInputStream -- was the source of the 512 number, I wrote the same data into HDFS twice, once using an hdfs:// url, and the second time using an ehdfs:// url. I then added some logging to DFSInputStream#read which prints the value of the len variable that it's given. For the hdfs:// url, the value of len was consistently 65536 when I read the data, which is the value of io.file.buffer.size for the HDFS cluster in question. However, for the ehdfs:// url, it was consistently 512.

People using this library with s3a in Hadoop 2.7.3 and earlier are unaffected by this issue, as s3a will ignore the length given to it by the client, and always request the value of getFileStatus().getLen(). However, users of this library on Hadoop 2.8.0+ will be unable to take advantage of the random reads feature without specifying a non-default readahead range, a reasonable value for which is hard to compute given this issue. More importantly, anyone who attempts to use this library for data stored in HDFS is likely going to have a bad time.

Switching to openssl, as in #35, is one solution, though there may be others as well.

cc some people: @schlosna @pwoody @robert3005 @ash211

Sometime between 2.0.0-rc7 and 2.3.2 recursive deletes started throwing an exception about them being unsupported.

It would be nice if this was supported so that whole folders of encrypted data can be deleted easily. See internal backup solution PR 720.

#65 uses OpenSSL for reads, but not for writes.

This would've been fixed by #35, but now that that's closed, there needs to be an alternate implementation.

Now that EncryptedFileSystem extends FilterFileSystem, many of the create and open methods will not get forwarded to the create and open methods currently implemented by FilterFileSystem (see: #104). To fix this we either need to go back to implementing FileSystem and overriding all of the methods that are known to be broken (eg: copyFromLocal), or continue to extend FilterFilesystem and override all of the create and open methods.

Hi guys,

Are you planning on making the KEY_SIZE static field modifiable so as this library to work when running on JREs/JVMs that do not ship with the enhanced security files? If not, is it something that you feel it is worth contributing back to the project if I coded myself?

Thanks!

Hadoop's distcp utility first writes output to a temporary directory in the target filesystem: https://github.com/apache/hadoop/blob/branch-2.8.0/hadoop-tools/hadoop-distcp/src/main/java/org/apache/hadoop/tools/mapred/RetriableFileCopyCommand.java#L174. This intermediate data is later copied to the destination Path.

Currently, EncryptedFileSystem does not implement the version of create() that is called in the linked code. Therefore the attempt to write intermediate data to ehdfs fails, and instead, the mapper falls back to writing to hdfs. Therefore the data is not encrypted, and there is no symmetric key.

The lack of a symmetric key (correctly) causes EncryptedFileSystem#rename to fail when the intermediate data is promoted to the target path: java.lang.RuntimeException: java.io.FileNotFoundException: File does not exist: /.distcp.tmp.attempt_local913233795_0001_m_000000_0.keymaterial.

The ExampleUsage.java references TestKeyPairs which is not exposed, and the README.md references KeyPairs.generateKeyPair which was moved to TestKeyPairs.

They became out of date in #6 ( @ellisjoe )

There should be substantive perf improvements on reads after #65. Need to make sure though through some testing. Should also make sure that perf is at least as good as it was on the branch for #35.

More generally, it would be amazing if there were a way to test the perf impact of changes to this library to catch regressions. Something that compares the perf of hdfs vs ehdfs or s3a vs es3a would be great, though I have no idea how one sets up such a thing in the absence of an actual HDFS cluster or S3 bucket (I doubt that fake ones running inside docker containers are particularly useful for testing perf).

It currently does not encrypt to file when writing due to https://issues.apache.org/jira/browse/HADOOP-13870