hadoop-hdfs-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Chen Liang (JIRA)" <j...@apache.org>
Subject [jira] [Created] (HDFS-13541) NameNode Port based selective encryption
Date Wed, 09 May 2018 17:28:00 GMT
Chen Liang created HDFS-13541:

             Summary: NameNode Port based selective encryption
                 Key: HDFS-13541
                 URL: https://issues.apache.org/jira/browse/HDFS-13541
             Project: Hadoop HDFS
          Issue Type: Improvement
          Components: datanode, namenode, security
            Reporter: Chen Liang
            Assignee: Chen Liang
         Attachments: NameNode Port based selective encryption-v1.pdf

Here at LinkedIn, one issue we face is that we need to enforce different security requirement
based on the location of client and the cluster. Specifically, for clients from outside
of the data center, it is required by regulation that all traffic must be encrypted. But for
clients within the same data center, unencrypted connections are more desired to avoid the
high encryption overhead. 

HADOOP-10221 introduced pluggable SASL resolver, based on which HADOOP-10335 introduced WhitelistBasedResolver
which solves the same problem. However we found it difficult to fit into our environment for
several reasons. In this JIRA, on top of pluggable SASL resolver, *we propose a different
approach of running RPC two ports on NameNode, and the two ports will be enforcing encrypted
and unencrypted connections respectively, and the following DataNode access will simply follow
the same behaviour of encryption/unencryption*. Then by blocking unencrypted port on datacenter
firewall, we can completely block unencrypted external access.

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: hdfs-dev-unsubscribe@hadoop.apache.org
For additional commands, e-mail: hdfs-dev-help@hadoop.apache.org

View raw message