hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Steve Loughran (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-13836) Securing Hadoop RPC using SSL
Date Mon, 28 Nov 2016 13:46:58 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-13836?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15701980#comment-15701980
] 

Steve Loughran commented on HADOOP-13836:
-----------------------------------------

wire encryption can only be good, though the cost of negotiating secure HTTPS connections
can be high; I don't know if this proposal will have the same problem. At least with Hadoop
RPC the channel can be kept open for a while, a luxury we don't get so much with the object
store clients.

one thing to consider is that although SASL supports encryption, it rarely gets used in large
systems —even when the CPUs have opcodes for encryption. Why? The performance of the standard
Java APIs are pretty bad; the API always allocates new buffers for the encrypted result, rather
than allowing buffer re-use. It may be necessary to achieve necessary performance though some
more native code in the hadoop native libs, and having the clients optionally use it.

> Securing Hadoop RPC using SSL
> -----------------------------
>
>                 Key: HADOOP-13836
>                 URL: https://issues.apache.org/jira/browse/HADOOP-13836
>             Project: Hadoop Common
>          Issue Type: New Feature
>          Components: ipc
>            Reporter: kartheek muthyala
>
> Today, RPC connections in Hadoop are encrypted using Simple Authentication & Security
Layer (SASL), with the Kerberos ticket based authentication or Digest-md5 checksum based authentication
protocols. This proposal is about enhancing this cipher suite with SSL/TLS based encryption
and authentication. SSL/TLS is a proposed Internet Engineering Task Force (IETF) standard,
that provides data security and integrity across two different end points in a network. This
protocol has made its way to a number of applications such as web browsing, email, internet
faxing, messaging, VOIP etc. And supporting this cipher suite at the core of Hadoop would
give a good synergy with the applications on top and also bolster industry adoption of Hadoop.
> The Server and Client code in Hadoop IPC should support the following modes of communication
> 1.	Plain 
> 2.     SASL encryption with an underlying authentication
> 3.     SSL based encryption and authentication (x509 certificate)



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org


Mime
View raw message