hadoop-crypto
Do not delete keymaterial before file
Before this PR
Two bugs exist in EncryptedFileSystem that could cause a KeyMaterial to be deleted before the file that it encrypts.
First, if rename returns false but the destination file still exists, we should never delete the destination's KeyMaterial. This could happen when trying to rename a file when the destination file already exists, though that means there's likely a bug with the code that called rename. It could also signify an edge case with the rename code itself, e.g. AzureNativeFileSystemStore#rename can succeed at renaming the file but still not fully succeed because of an error at the end of the file when calling AzureNativeFileSystemStore#safeDelete to try to delete the source file.
Second, delete should be the inverse of create. When we create a file, we create its KeyMaterial before the actual file. Thus, on delete, we should flip that order and delete the file before the KeyMaterial. Only if the file actually got deleted should we delete its KeyMaterial.
After this PR
==COMMIT_MSG== Fix some edge cases that could cause a KeyMaterial to be deleted before the file that it encrypts ==COMMIT_MSG==
Possible downsides?
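The two ordering rules from the description above, modelled as an added example (this is not hadoop-crypto's own code; `BackingStore` and `EncryptedFs` are constructed stand-ins for the delegate FileSystem and the key storage, and `rename_reports_failure` simulates the case where the data lands at the destination but rename still returns false):

```python
class BackingStore:
    """In-memory stand-in for the backing FileSystem (constructed for this example)."""

    def __init__(self, rename_reports_failure=False):
        self.files = {}
        # Models the edge case described in the PR: the file is moved, but the
        # call still reports failure because of an error afterwards.
        self.rename_reports_failure = rename_reports_failure

    def create(self, path, data):
        self.files[path] = data

    def exists(self, path):
        return path in self.files

    def delete(self, path):
        return self.files.pop(path, None) is not None

    def rename(self, src, dst):
        if src not in self.files or dst in self.files:
            return False  # renaming onto an existing path fails, nothing moves
        self.files[dst] = self.files.pop(src)
        return not self.rename_reports_failure


class EncryptedFs:
    """Keeps the invariant: a file never exists without its key material."""

    def __init__(self, store):
        self.store = store
        self.keys = {}  # path -> key material (stand-in for the key store)

    def create(self, path, data, key):
        self.keys[path] = key          # key material first ...
        self.store.create(path, data)  # ... then the file it protects

    def delete(self, path):
        # Inverse of create: file first, key only if the file really went away.
        if not self.store.delete(path):
            return False
        self.keys.pop(path, None)
        return True

    def rename(self, src, dst):
        key = self.keys.get(src)
        if key is None:
            return self.store.rename(src, dst)
        self.keys[dst] = key  # destination key exists before any data lands there
        ok = self.store.rename(src, dst)
        if ok:
            self.keys.pop(src, None)
        elif not self.store.exists(dst):
            self.keys.pop(dst, None)  # nothing at dst, safe to drop its staged key
        # else: dst exists despite the failure, so its key must be kept
        return ok

    def consistent(self):
        """True when every existing file has key material."""
        return all(p in self.keys for p in self.store.files)
```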
Generate changelog in changelog/@unreleased
What do the change types mean?
- feature: A new feature of the service.
- improvement: An incremental improvement in the functionality or operation of the service.
- fix: Remedies the incorrect behaviour of a component of the service in a backwards-compatible way.
- break: Has the potential to break consumers of this service's API, inclusive of both Palantir services and external consumers of the service's API (e.g. customer-written software or integrations).
- deprecation: Advertises the intention to remove service functionality without any change to the operation of the service itself.
- manualTask: Requires the possibility of manual intervention (running a script, eyeballing configuration, performing database surgery, ...) at the time of upgrade for it to succeed.
- migration: A fully automatic upgrade migration task with no engineer input required.
Note: only one type should be chosen.
How are new versions calculated?
- ❗ The break and manual task changelog types will result in a major release!
- 🐛 The fix changelog type will result in a minor release in most cases, and a patch release version for patch branches. This behaviour is configurable in autorelease.
- ✨ All others will result in a minor version release.
Type
- [ ] Feature
- [ ] Improvement
- [x] Fix
- [ ] Break
- [ ] Deprecation
- [ ] Manual task
- [ ] Migration
Description
Check the box to generate changelog(s)
- [x] Generate changelog entry