Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

Is it possible to use trash in HDFS encryption zone?

Labels:
avatar
author-rank naveen1
Contributor

Created on ‎01-24-2016 07:18 PM - edited ‎09-16-2022 02:59 AM

I am using -skipTrash to delete an HDFS file from encryption zone. Is there any way that I can use trash to recover a deleted file from encryption zone?

7,901 Views
0 Kudos
3 ACCEPTED SOLUTIONS

avatar
author-rank Harsh J author-rank
Mentor

Created ‎01-25-2016 01:43 AM

Regardless of an encryption zone in use or not, an 'hadoop fs -rm' with
-skipTrash will permanently remove a file unless you have a snapshot
referencing it. If you want to use the trash ability, you need to use
'hadoop fs -rm' without -skipTrash.

Encryption zones merely create the blocks with encrypted data and associate
keys with it. Other HDFS behaviour remains the same, with the exception
being that you cannot move a file within one EZ to another, or move it
outside of the EZ.

View solution in original post

7,892 Views
0 Kudos

avatar
author-rank Consult
Expert Contributor

Created ‎01-27-2016 08:27 AM

Hello naveen1,

 

For a file in encrypted zone a LOGICAL workaround could be to introduce .trash folder in same zone. This folder can be used as destination to move the redundant file(s) before removing them permanently.

 

In a scenario where full encrypted zone is deleted, MAY use trash bin if trash feature is enable (Please test before you implement. I haven't tested it yet.)

 

Hope that helps.

View solution in original post

7,837 Views

avatar
author-rank Harsh J author-rank
Mentor

Created ‎01-28-2016 12:34 AM

Consult has already posted some alternative solutions, but its worth understanding why it fails.

The effective issue is this:

When you use 'fs -rm' with trash enabled, we move the file to the authenticated user's /user/{user.name}/.Trash sub-directory. For ex., if the path of deletion is '/data/myapp/part-00000.gz', and the user you delete it as is 'hive', then the trash feature moves it to directory '/user/hive/.Trash/Current/'.

When encrypted zones come into play, HDFS disallows you from moving a file from one Encrypted Zone to another Encrypted Zone, as well as from within an Encrypted Zone to a non-Encrypted Zone. This is for security reasons, and ties into how the encryption zone features of HDFS are managed globally within a directory (zone), vs. arbitrary files holding all of the necessary info independently.

So if /data/ is an EZ, but /user/hive is not, or is a separate EZ, then the trash moving will fail expectedly.

But if / is the EZ, then the moves may work, since both paths come under it.

What Consult proposes is a manual step (i.e. use hadoop fs -mv instead of hadoop fs -rm), and keep a manually created /data/.Trash directory to move the files into, followed by scripts to periodically clean it (i.e. Bring-Your-Own-Trash). Its not a great solution but its what may work if you need some data retention.

Another option is to consider using limited and periodic snapshots (via BDR, etc.), which give you similar (but not exactly the same) data retention capabilities.

View solution in original post

7,784 Views
9 REPLIES 9

avatar
author-rank Harsh J author-rank
Mentor

Created ‎01-25-2016 01:43 AM

Regardless of an encryption zone in use or not, an 'hadoop fs -rm' with
-skipTrash will permanently remove a file unless you have a snapshot
referencing it. If you want to use the trash ability, you need to use
'hadoop fs -rm' without -skipTrash.

Encryption zones merely create the blocks with encrypted data and associate
keys with it. Other HDFS behaviour remains the same, with the exception
being that you cannot move a file within one EZ to another, or move it
outside of the EZ.
7,893 Views
0 Kudos

avatar
author-rank naveen1
Contributor

Created ‎01-25-2016 06:01 AM

I didnt mean to use skipTrash, I was suggested to use that as I couldnt delete a file from encryption zone. If there is any way to use trash for encryption zone please let me know.

7,886 Views
0 Kudos

avatar
author-rank Consult
Expert Contributor

Created ‎01-27-2016 08:27 AM

Hello naveen1,

 

For a file in encrypted zone a LOGICAL workaround could be to introduce .trash folder in same zone. This folder can be used as destination to move the redundant file(s) before removing them permanently.

 

In a scenario where full encrypted zone is deleted, MAY use trash bin if trash feature is enable (Please test before you implement. I haven't tested it yet.)

 

Hope that helps.

7,838 Views

avatar
author-rank SiddeshSamarth
Explorer

Created ‎01-25-2016 08:37 AM

I had the same question too.

 

When we try to delete something from encryption zone, it says the directory cannot be moved to /user/xyz/.trash.

So we have to forcefully use -skipTrash option.

 

So, is there a way to delete a file from encyption zone without using -skipTrash option?

7,876 Views
0 Kudos

avatar
author-rank Consult
Expert Contributor

Created ‎01-27-2016 08:29 AM

Hello SiddeshSamarth,

 

Currently, there is no option to send encrypted files to global bin for obvious reasons.

7,836 Views
0 Kudos

avatar
author-rank SiddeshSamarth
Explorer

Created ‎01-27-2016 08:44 AM

So, Do I have to forcibly use –skipTrash to delete anything in Encrypted zone or is there any workaround?
7,833 Views
0 Kudos

avatar
author-rank Consult
Expert Contributor

Created ‎01-28-2016 12:11 AM

Hello SiddeshSamarth,

 

For a file in encrypted zone a LOGICAL workaround could be to introduce .trash folder in same zone. This folder can be used as destination to move the redundant file(s) before removing them permanently.

7,790 Views
0 Kudos

avatar
author-rank Harsh J author-rank
Mentor

Created ‎01-28-2016 12:34 AM

Consult has already posted some alternative solutions, but its worth understanding why it fails.

The effective issue is this:

When you use 'fs -rm' with trash enabled, we move the file to the authenticated user's /user/{user.name}/.Trash sub-directory. For ex., if the path of deletion is '/data/myapp/part-00000.gz', and the user you delete it as is 'hive', then the trash feature moves it to directory '/user/hive/.Trash/Current/'.

When encrypted zones come into play, HDFS disallows you from moving a file from one Encrypted Zone to another Encrypted Zone, as well as from within an Encrypted Zone to a non-Encrypted Zone. This is for security reasons, and ties into how the encryption zone features of HDFS are managed globally within a directory (zone), vs. arbitrary files holding all of the necessary info independently.

So if /data/ is an EZ, but /user/hive is not, or is a separate EZ, then the trash moving will fail expectedly.

But if / is the EZ, then the moves may work, since both paths come under it.

What Consult proposes is a manual step (i.e. use hadoop fs -mv instead of hadoop fs -rm), and keep a manually created /data/.Trash directory to move the files into, followed by scripts to periodically clean it (i.e. Bring-Your-Own-Trash). Its not a great solution but its what may work if you need some data retention.

Another option is to consider using limited and periodic snapshots (via BDR, etc.), which give you similar (but not exactly the same) data retention capabilities.
7,785 Views

avatar
author-rank naveen1
Contributor

Created ‎01-28-2016 05:39 PM

Thank you all for your time, logical workaround sounds good to me.

7,774 Views
0 Kudos
Announcements
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics 1.14 for Cloudera Pu...
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
View More Announcements