hadoop-hdfs-issues mailing list archives

From "Todd Lipcon (JIRA)" <j...@apache.org>
Subject [jira] Commented: (HDFS-1150) Verify datanodes' identities to clients in secure clusters
Date Mon, 02 Aug 2010 00:33:18 GMT

    [ https://issues.apache.org/jira/browse/HDFS-1150?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12894436#action_12894436 ]

Todd Lipcon commented on HDFS-1150:
-----------------------------------

bq. Regardless, this is a significant change to the current patch

Apologies if I haven't been clear, but the only change I'm asking for from the current patch
is the following one-line addition:

{code}
-    if(UserGroupInformation.isSecurityEnabled() && resources == null)
+    if(UserGroupInformation.isSecurityEnabled() && resources == null &&
+       conf.getBoolean("dfs.datanode.require.secure.ports", true))
{code}
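
Review bot: the added condition reads the key as a bare string literal, "dfs.datanode.require.secure.ports", with the default `true` inlined next to it; pull both into a named constant so the key name and its default cannot drift if the setting is read anywhere else. With the key set to false the condition no longer fires for a security-enabled datanode whose `resources == null`, and nothing in these lines records that, so add a startup log line at warning level stating that the secure-port requirement was disabled by configuration. A short code comment saying that the default of `true` preserves the existing check would also help, since the key is proposed as undocumented.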

If you want me to open this one-line change as a separate JIRA, I'll do so, but it seemed
easier to just modify the current patch. I'm *not* saying we need a full pluggability framework
at this point -- only the ability to start a secure DN without jsvc when we've already secured
it through another external mechanism. Note that the default I'm recommending doesn't change
the behavior you'd like, and we can leave this as an undocumented config for advanced users
only, so we can feel free to change it if we add some pluggability here.

> Verify datanodes' identities to clients in secure clusters
> ----------------------------------------------------------
>
>                 Key: HDFS-1150
>                 URL: https://issues.apache.org/jira/browse/HDFS-1150
>             Project: Hadoop HDFS
>          Issue Type: New Feature
>          Components: data-node
>    Affects Versions: 0.22.0
>            Reporter: Jakob Homan
>            Assignee: Jakob Homan
>         Attachments: commons-daemon-1.0.2-src.tar.gz, HDFS-1150-BF-Y20-LOG-DIRS-2.patch,
> HDFS-1150-BF-Y20-LOG-DIRS.patch, HDFS-1150-BF1-Y20.patch, hdfs-1150-bugfix-1.1.patch, hdfs-1150-bugfix-1.2.patch,
> hdfs-1150-bugfix-1.patch, HDFS-1150-trunk.patch, HDFS-1150-Y20-BetterJsvcHandling.patch, HDFS-1150-y20.build-script.patch,
> HDFS-1150-Y20S-ready-5.patch, HDFS-1150-Y20S-ready-6.patch, HDFS-1150-Y20S-ready-7.patch,
> HDFS-1150-Y20S-ready-8.patch, HDFS-1150-Y20S-Rough-2.patch, HDFS-1150-Y20S-Rough-3.patch,
> HDFS-1150-Y20S-Rough-4.patch, HDFS-1150-Y20S-Rough.txt
>
>
> Currently we use block access tokens to allow datanodes to verify clients' identities,
> however we don't have a way for clients to verify the authenticity of the datanodes themselves.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.