Hadoop Security Guide

Delete Files from an Encryption Zone with Trash Enabled

Encrypted HDFS files use a different trash location from unencrypted files, whose default trash location is /user/$USER/.Trash/Current/OriginalPathToDeletedFile.

When trash is enabled and an encrypted file is deleted, the file is moved to the .Trash subdirectory under the root of the encryption zone as /EncryptionZoneRoot/.Trash/$USER/Current/OriginalPathToDeletedFile. The file remains encrypted without additional decryption/re-encryption overhead during the move to trash. The move operation preserves the name of the user who executes the deletion, and the full path of the deleted file.

For example, if user hdp-admin deletes file /zone_name/file1 using the following command:

  hdfs dfs -rm /zone_name/file1

file1 will remain encrypted, and it will be moved to the following location within the encryption zone:

  /zone_name/.Trash/hdp-admin/Current/zone_name/file1

A trash checkpoint will be created for the .Trash subdirectory in each encryption zone. Checkpoints are created and deleted according to the value of fs.trash.checkpoint.interval (the number of minutes between trash checkpoints). A checkpoint for this example would be:

  /zone_name/.Trash/hdp-admin/<CheckPointTimeStamp>/zone_name/file1

For additional information, see Apache HDFS-8831.
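The path mapping described above, as an added shell example (not from the Hadoop guide): it predicts where a deleted file lands in trash, which helps when auditing where encrypted data lingers after deletion. The zone list, the /data/pii zone and the function names are assumptions made for the example; on a cluster the zone roots would come from `hdfs crypto -listZones`.

```shell
#!/bin/sh
# Constructed sample of encryption zone roots, one per line.
# Assumption: on a real cluster, fill this from `hdfs crypto -listZones`.
ZONES="/zone_name
/data/pii"

# Print the encryption zone root that contains path $1; fail if none does.
# The match is on a path boundary, so /zone_name2/x is NOT inside /zone_name.
enclosing_zone() {
    path=$1
    for zone in $ZONES; do
        case "$path" in
            "$zone"/*) printf '%s\n' "$zone"; return 0 ;;
        esac
    done
    return 1
}

# Print the trash location of file $2 deleted by user $1.
# $3 is the directory under the user's trash: "Current" (default), a
# checkpoint timestamp, or '*' to build a pattern covering all of them.
trash_path() {
    user=$1
    path=$2
    dir=${3:-Current}
    if zone=$(enclosing_zone "$path"); then
        # Encrypted file: stays inside its zone, still encrypted.
        printf '%s/.Trash/%s/%s%s\n' "$zone" "$user" "$dir" "$path"
    else
        # Unencrypted file: default per-user trash location.
        printf '/user/%s/.Trash/%s%s\n' "$user" "$dir" "$path"
    fi
}

trash_path hdp-admin /zone_name/file1       # inside an encryption zone
trash_path hdp-admin /zone_name2/file1      # only shares a name prefix
trash_path hdp-admin /zone_name/file1 '*'   # Current plus all checkpoints
```

The pattern from the last call can be passed, quoted, to `hdfs dfs -ls` to check whether a copy of the deleted file still exists in Current or in any checkpoint.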