HDDS-2016. Add option to enforce GDPR in Bucket Create command
Closes #1458
This commit is contained in:
parent
1029060e61
commit
5c963a75d6
42
hadoop-hdds/docs/content/gdpr/GDPR in Ozone.md
Normal file
42
hadoop-hdds/docs/content/gdpr/GDPR in Ozone.md
Normal file
@ -0,0 +1,42 @@
|
||||
---
|
||||
title: "GDPR in Ozone"
|
||||
date: "2019-September-17"
|
||||
weight: 5
|
||||
summary: GDPR in Ozone
|
||||
icon: user
|
||||
---
|
||||
<!---
|
||||
Licensed to the Apache Software Foundation (ASF) under one or more
|
||||
contributor license agreements. See the NOTICE file distributed with
|
||||
this work for additional information regarding copyright ownership.
|
||||
The ASF licenses this file to You under the Apache License, Version 2.0
|
||||
(the "License"); you may not use this file except in compliance with
|
||||
the License. You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
-->
|
||||
|
||||
|
||||
Enabling GDPR compliance in Ozone is very straight forward. During bucket
|
||||
creation, you can specify `--enforcegdpr=true` or `-g=true` and this will
|
||||
ensure the bucket is GDPR compliant. Thus, any key created under this bucket
|
||||
will automatically be GDPR compliant.
|
||||
|
||||
GDPR can only be enabled on a new bucket. For existing buckets, you would
|
||||
have to create a new GDPR compliant bucket and copy data from old bucket into
|
||||
new bucket to take advantage of GDPR.
|
||||
|
||||
Example to create a GDPR compliant bucket:
|
||||
|
||||
`ozone sh bucket create --enforcegdpr=true /hive/jan`
|
||||
|
||||
`ozone sh bucket create -g=true /hive/jan`
|
||||
|
||||
If you want to create an ordinary bucket then you can skip `--enforcegdpr`
|
||||
and `-g` flags.
|
38
hadoop-hdds/docs/content/gdpr/_index.md
Normal file
38
hadoop-hdds/docs/content/gdpr/_index.md
Normal file
@ -0,0 +1,38 @@
|
||||
---
|
||||
title: GDPR
|
||||
name: GDPR
|
||||
identifier: gdpr
|
||||
menu: main
|
||||
weight: 5
|
||||
---
|
||||
<!---
|
||||
Licensed to the Apache Software Foundation (ASF) under one or more
|
||||
contributor license agreements. See the NOTICE file distributed with
|
||||
this work for additional information regarding copyright ownership.
|
||||
The ASF licenses this file to You under the Apache License, Version 2.0
|
||||
(the "License"); you may not use this file except in compliance with
|
||||
the License. You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
-->
|
||||
|
||||
{{<jumbotron title="GDPR compliance in Ozone">}}
|
||||
The General Data Protection Regulation (GDPR) is a law that governs how personal data should be handled. This is an European Union law, but due to the nature of software oftentimes spills into other geographies.
|
||||
Ozone supports GDPR's Right to Erasure(Right to be Forgotten).
|
||||
{{</jumbotron>}}
|
||||
|
||||
<div class="alert alert-warning" role="alert">
|
||||
If you would like to understand Ozone's GDPR framework at a greater
|
||||
depth, please take a look at <a href="https://issues.apache.org/jira/secure/attachment/12978992/Ozone%20GDPR%20Framework.pdf">Ozone GDPR Framework.</a>
|
||||
</div>
|
||||
|
||||
Once you create a GDPR compliant bucket, any key created in that bucket will
|
||||
automatically by GDPR compliant.
|
||||
|
||||
|
@ -35,8 +35,10 @@ The `bucket create` command allows users to create a bucket.
|
||||
|
||||
| Arguments | Comment |
|
||||
|--------------------------------|-----------------------------------------|
|
||||
| -g, \-\-enforcegdpr | Optional, if set to true it creates a GDPR compliant bucket, if not specified or set to false, it creates an ordinary bucket.
|
||||
| Uri | The name of the bucket in **/volume/bucket** format.
|
||||
|
||||
|
||||
{{< highlight bash >}}
|
||||
ozone sh bucket create /hive/jan
|
||||
{{< /highlight >}}
|
||||
|
@ -112,6 +112,8 @@ public Map<String, String> toAuditMap() {
|
||||
Map<String, String> auditMap = new LinkedHashMap<>();
|
||||
auditMap.put(OzoneConsts.VOLUME, this.volumeName);
|
||||
auditMap.put(OzoneConsts.BUCKET, this.bucketName);
|
||||
auditMap.put(OzoneConsts.GDPR_FLAG,
|
||||
this.metadata.get(OzoneConsts.GDPR_FLAG));
|
||||
auditMap.put(OzoneConsts.IS_VERSION_ENABLED,
|
||||
String.valueOf(this.isVersionEnabled));
|
||||
if(this.storageType != null){
|
||||
|
@ -202,6 +202,8 @@ public Map<String, String> toAuditMap() {
|
||||
Map<String, String> auditMap = new LinkedHashMap<>();
|
||||
auditMap.put(OzoneConsts.VOLUME, this.volumeName);
|
||||
auditMap.put(OzoneConsts.BUCKET, this.bucketName);
|
||||
auditMap.put(OzoneConsts.GDPR_FLAG,
|
||||
this.metadata.get(OzoneConsts.GDPR_FLAG));
|
||||
auditMap.put(OzoneConsts.ACLS,
|
||||
(this.acls != null) ? this.acls.toString() : null);
|
||||
auditMap.put(OzoneConsts.IS_VERSION_ENABLED,
|
||||
|
@ -18,6 +18,7 @@
|
||||
package org.apache.hadoop.ozone.web.ozShell.bucket;
|
||||
|
||||
import org.apache.hadoop.hdds.protocol.StorageType;
|
||||
import org.apache.hadoop.ozone.OzoneConsts;
|
||||
import org.apache.hadoop.ozone.client.BucketArgs;
|
||||
import org.apache.hadoop.ozone.client.OzoneBucket;
|
||||
import org.apache.hadoop.ozone.client.OzoneClient;
|
||||
@ -44,6 +45,11 @@ public class CreateBucketHandler extends Handler {
|
||||
description = "bucket encryption key name")
|
||||
private String bekName;
|
||||
|
||||
@Option(names = {"--enforcegdpr", "-g"},
|
||||
description = "if true, indicates GDPR enforced bucket, " +
|
||||
"false/unspecified indicates otherwise")
|
||||
private Boolean isGdprEnforced;
|
||||
|
||||
/**
|
||||
* Executes create bucket.
|
||||
*/
|
||||
@ -61,6 +67,14 @@ public Void call() throws Exception {
|
||||
.setStorageType(StorageType.DEFAULT)
|
||||
.setVersioning(false);
|
||||
|
||||
if(isGdprEnforced != null) {
|
||||
if(isGdprEnforced) {
|
||||
bb.addMetadata(OzoneConsts.GDPR_FLAG, String.valueOf(Boolean.TRUE));
|
||||
} else {
|
||||
bb.addMetadata(OzoneConsts.GDPR_FLAG, String.valueOf(Boolean.FALSE));
|
||||
}
|
||||
}
|
||||
|
||||
if (bekName != null) {
|
||||
if (!bekName.isEmpty()) {
|
||||
bb.setBucketEncryptionKey(bekName);
|
||||
|
@ -18,6 +18,7 @@
|
||||
|
||||
package org.apache.hadoop.ozone.web.ozShell.keys;
|
||||
|
||||
import org.apache.hadoop.ozone.OzoneConsts;
|
||||
import org.apache.hadoop.ozone.client.OzoneBucket;
|
||||
import org.apache.hadoop.ozone.client.OzoneClient;
|
||||
import org.apache.hadoop.ozone.client.OzoneKeyDetails;
|
||||
@ -62,6 +63,11 @@ public Void call() throws Exception {
|
||||
OzoneVolume vol = client.getObjectStore().getVolume(volumeName);
|
||||
OzoneBucket bucket = vol.getBucket(bucketName);
|
||||
OzoneKeyDetails key = bucket.getKey(keyName);
|
||||
// For compliance/security, GDPR Secret & Algorithm details are removed
|
||||
// from local copy of metadata before printing. This doesn't remove these
|
||||
// from Ozone Manager's actual metadata.
|
||||
key.getMetadata().remove(OzoneConsts.GDPR_SECRET);
|
||||
key.getMetadata().remove(OzoneConsts.GDPR_ALGORITHM);
|
||||
|
||||
ObjectPrinter.printObjectAsJson(key);
|
||||
return null;
|
||||
|
Loading…
Reference in New Issue
Block a user