HDDS-2016. Add option to enforce GDPR in Bucket Create command

Closes #1458
dchitlangia 2019-09-19 10:58:01 +02:00 committed by Márton Elek
parent 1029060e61
commit 5c963a75d6
GPG Key ID: D51EA8F00EE79B28
7 changed files with 106 additions and 0 deletions


@ -0,0 +1,42 @@
---
title: "GDPR in Ozone"
date: "2019-September-17"
weight: 5
summary: GDPR in Ozone
icon: user
---
<!---
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
Enabling GDPR compliance in Ozone is very straight forward. During bucket
creation, you can specify `--enforcegdpr=true` or `-g=true` and this will
ensure the bucket is GDPR compliant. Thus, any key created under this bucket
will automatically be GDPR compliant.
GDPR can only be enabled on a new bucket. For existing buckets, you would
have to create a new GDPR compliant bucket and copy data from old bucket into
new bucket to take advantage of GDPR.
Example to create a GDPR compliant bucket:
`ozone sh bucket create --enforcegdpr=true /hive/jan`
`ozone sh bucket create -g=true /hive/jan`
If you want to create an ordinary bucket then you can skip `--enforcegdpr`
and `-g` flags.


@ -0,0 +1,38 @@
---
title: GDPR
name: GDPR
identifier: gdpr
menu: main
weight: 5
---
<!---
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
{{<jumbotron title="GDPR compliance in Ozone">}}
The General Data Protection Regulation (GDPR) is a law that governs how personal data should be handled. This is an European Union law, but due to the nature of software oftentimes spills into other geographies.
Ozone supports GDPR's Right to Erasure(Right to be Forgotten).
{{</jumbotron>}}
<div class="alert alert-warning" role="alert">
If you would like to understand Ozone's GDPR framework at a greater
depth, please take a look at <a href="https://issues.apache.org/jira/secure/attachment/12978992/Ozone%20GDPR%20Framework.pdf">Ozone GDPR Framework.</a>
</div>
Once you create a GDPR compliant bucket, any key created in that bucket will
automatically by GDPR compliant.


@ -35,8 +35,10 @@ The `bucket create` command allows users to create a bucket.
| Arguments | Comment |
|--------------------------------|-----------------------------------------|
| -g, \-\-enforcegdpr | Optional, if set to true it creates a GDPR compliant bucket, if not specified or set to false, it creates an ordinary bucket.
| Uri | The name of the bucket in **/volume/bucket** format.
{{< highlight bash >}}
ozone sh bucket create /hive/jan
{{< /highlight >}}


@ -112,6 +112,8 @@ public Map<String, String> toAuditMap() {
Map<String, String> auditMap = new LinkedHashMap<>();
auditMap.put(OzoneConsts.VOLUME, this.volumeName);
auditMap.put(OzoneConsts.BUCKET, this.bucketName);
auditMap.put(OzoneConsts.GDPR_FLAG,
this.metadata.get(OzoneConsts.GDPR_FLAG));
auditMap.put(OzoneConsts.IS_VERSION_ENABLED,
String.valueOf(this.isVersionEnabled));
if(this.storageType != null){
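Review bot: The added `this.metadata.get(OzoneConsts.GDPR_FLAG)` dereferences `metadata` without a null check, so if that field can be null for this object (its initialisation is not visible in the hunk) `toAuditMap()` would throw while the audit record is being built. The same line is added to the second `toAuditMap()` in the next file section, where the neighbouring ACLS entry does guard its dereference with `(this.acls != null) ? ... : null`. Consider `auditMap.put(OzoneConsts.GDPR_FLAG, this.metadata != null ? this.metadata.get(OzoneConsts.GDPR_FLAG) : null);` in both places. Both method bodies continue outside their hunks.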


@ -202,6 +202,8 @@ public Map<String, String> toAuditMap() {
Map<String, String> auditMap = new LinkedHashMap<>();
auditMap.put(OzoneConsts.VOLUME, this.volumeName);
auditMap.put(OzoneConsts.BUCKET, this.bucketName);
auditMap.put(OzoneConsts.GDPR_FLAG,
this.metadata.get(OzoneConsts.GDPR_FLAG));
auditMap.put(OzoneConsts.ACLS,
(this.acls != null) ? this.acls.toString() : null);
auditMap.put(OzoneConsts.IS_VERSION_ENABLED,


@ -18,6 +18,7 @@
package org.apache.hadoop.ozone.web.ozShell.bucket;
import org.apache.hadoop.hdds.protocol.StorageType;
import org.apache.hadoop.ozone.OzoneConsts;
import org.apache.hadoop.ozone.client.BucketArgs;
import org.apache.hadoop.ozone.client.OzoneBucket;
import org.apache.hadoop.ozone.client.OzoneClient;
@ -44,6 +45,11 @@ public class CreateBucketHandler extends Handler {
description = "bucket encryption key name")
private String bekName;
@Option(names = {"--enforcegdpr", "-g"},
description = "if true, indicates GDPR enforced bucket, " +
"false/unspecified indicates otherwise")
private Boolean isGdprEnforced;
/**
* Executes create bucket.
*/
@ -61,6 +67,14 @@ public Void call() throws Exception {
.setStorageType(StorageType.DEFAULT)
.setVersioning(false);
if(isGdprEnforced != null) {
if(isGdprEnforced) {
bb.addMetadata(OzoneConsts.GDPR_FLAG, String.valueOf(Boolean.TRUE));
} else {
bb.addMetadata(OzoneConsts.GDPR_FLAG, String.valueOf(Boolean.FALSE));
}
}
if (bekName != null) {
if (!bekName.isEmpty()) {
bb.setBucketEncryptionKey(bekName);
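Review bot: The nested `if(isGdprEnforced)` / `else` in `call()` only chooses between two `String.valueOf(...)` results and can be collapsed to `if (isGdprEnforced != null) { bb.addMetadata(OzoneConsts.GDPR_FLAG, String.valueOf(isGdprEnforced)); }`. The `isGdprEnforced` field would also benefit from a short comment stating that an unspecified option stores no `GDPR_FLAG` metadata at all, while an explicit false stores the string "false", because every reader of the flag has to treat both cases as not enforced. `call()` starts and ends outside the hunk.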


@ -18,6 +18,7 @@
package org.apache.hadoop.ozone.web.ozShell.keys;
import org.apache.hadoop.ozone.OzoneConsts;
import org.apache.hadoop.ozone.client.OzoneBucket;
import org.apache.hadoop.ozone.client.OzoneClient;
import org.apache.hadoop.ozone.client.OzoneKeyDetails;
@ -62,6 +63,11 @@ public Void call() throws Exception {
OzoneVolume vol = client.getObjectStore().getVolume(volumeName);
OzoneBucket bucket = vol.getBucket(bucketName);
OzoneKeyDetails key = bucket.getKey(keyName);
// For compliance/security, GDPR Secret & Algorithm details are removed
// from local copy of metadata before printing. This doesn't remove these
// from Ozone Manager's actual metadata.
key.getMetadata().remove(OzoneConsts.GDPR_SECRET);
key.getMetadata().remove(OzoneConsts.GDPR_ALGORITHM);
ObjectPrinter.printObjectAsJson(key);
return null;
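Review bot: The two `key.getMetadata().remove(...)` calls redact `GDPR_SECRET` and `GDPR_ALGORITHM` only in this handler, after `bucket.getKey(keyName)` has already delivered them to the client, so any other code path that prints or logs an `OzoneKeyDetails` would still expose them. The existing comment says the server copy is untouched, but it should also state that this is display-level redaction only, for example `// NOTE: the secret is still returned by getKey(); other printers of key details must strip it too`. A shared helper that strips these keys, or filtering them before the response leaves Ozone Manager, would make the protection independent of each caller remembering to do it. The server side is not visible here, so this may already be planned. The calls also assume `getMetadata()` returns a non-null, mutable map, which the hunk does not show.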