hadoop-hdfs-issues mailing list archives

From "Arpit Agarwal (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HDFS-5910) Enhance DataTransferProtocol to allow per-connection choice of encryption/plain-text
Date Thu, 20 Mar 2014 23:39:44 GMT

    [ https://issues.apache.org/jira/browse/HDFS-5910?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13942523#comment-13942523

Arpit Agarwal commented on HDFS-5910:

Thanks for the clarifications [~benoyantony].

A few comments on the patch:
# {{isSecureOnClient}} may also want to use the peer's address to make a decision, e.g. intra-cluster transfer vs. distcp to a remote cluster.
# Related to #1, {{isSecureOnClient}} and {{isSecureOnServer}} look awkward. How about replacing both with {{isTrustedChannel}} that takes the peer's IP address? We should probably avoid overloading the term secure in this context since there is a related concept of {{Peer#hasSecureChannel()}}.
# Could you please update the documentation for {{dfs.encrypt.data.transfer}} to state that a per-connection override is possible via a custom resolver which can be configured with {{dfs.securechannel.resolver.class}}? Also move the two settings to be next to each other in the docs?
# Is the {{InetAddress.getByName}} call in {{DataXceiver#getClientAddress}} necessary? If it were necessary it would have been a security hole since DNS resolution may yield a different IP address than the one used by the client. It turns out for the kinds of Peers we are interested in this will be an IP address, so let's just remove the call.

The patch looks fine otherwise.

> Enhance DataTransferProtocol to allow per-connection choice of encryption/plain-text
> ------------------------------------------------------------------------------------
>                 Key: HDFS-5910
>                 URL: https://issues.apache.org/jira/browse/HDFS-5910
>             Project: Hadoop HDFS
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 2.2.0
>            Reporter: Benoy Antony
>            Assignee: Benoy Antony
>         Attachments: HDFS-5910.patch, HDFS-5910.patch
> It is possible to enable encryption of DataTransferProtocol.
> In some use cases, it is required to encrypt data transfer with some clients, but communicate in plain text with some other clients and data nodes.
> A sample use case will be that any data transfer inside a firewall can be in plain text whereas any data transfer from clients outside the firewall needs to be encrypted.

This message was sent by Atlassian JIRA
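An added illustration of the per-connection trust decision discussed in comments 1, 2 and 4 above; this is not code from the HDFS-5910 patch or from Hadoop. The class and method names (PeerTrustExample, Cidr, isTrustedChannel) and the 10.20.0.0/16 range are assumptions; the point it shows is that the decision is keyed on the IP address of the connected socket, never on a hostname re-resolved through DNS.

```java
import java.net.InetAddress;
import java.net.Socket;
import java.net.UnknownHostException;
import java.util.Arrays;
import java.util.List;

/** Hypothetical per-connection trust decision; an illustration, not Hadoop's own class. */
public final class PeerTrustExample {
    /** One IPv4 CIDR range such as 10.20.0.0/16 (IPv6 peers never match here). */
    static final class Cidr {
        private final int network;
        private final int mask;
        Cidr(String spec) throws UnknownHostException {
            String[] parts = spec.split("/");
            // getByName on a dotted-quad literal only validates the format; no DNS query is made.
            byte[] b = InetAddress.getByName(parts[0]).getAddress();
            int prefix = Integer.parseInt(parts[1]);
            mask = prefix == 0 ? 0 : (int) (0xFFFFFFFFL << (32 - prefix));
            network = toInt(b) & mask;
        }
        boolean contains(InetAddress addr) {
            byte[] b = addr.getAddress();
            return b.length == 4 && (toInt(b) & mask) == network;
        }
        private static int toInt(byte[] b) {
            return ((b[0] & 0xFF) << 24) | ((b[1] & 0xFF) << 16) | ((b[2] & 0xFF) << 8) | (b[3] & 0xFF);
        }
    }

    private final List<Cidr> trustedRanges;
    PeerTrustExample(List<Cidr> trustedRanges) { this.trustedRanges = trustedRanges; }

    /** Plain text is acceptable only when the peer's actual IP lies inside a trusted range. */
    boolean isTrustedChannel(InetAddress peerAddress) {
        for (Cidr c : trustedRanges) {
            if (c.contains(peerAddress)) return true;
        }
        return false;
    }

    /** Take the address from the connected socket; never re-resolve a hostname, which may differ. */
    boolean isTrustedChannel(Socket socket) {
        return isTrustedChannel(socket.getInetAddress());
    }

    public static void main(String[] args) throws Exception {
        PeerTrustExample r = new PeerTrustExample(Arrays.asList(new Cidr("10.20.0.0/16")));
        System.out.println("10.20.3.4 trusted: " + r.isTrustedChannel(InetAddress.getByName("10.20.3.4")));
        System.out.println("198.51.100.7 trusted: " + r.isTrustedChannel(InetAddress.getByName("198.51.100.7")));
    }
}
```

A peer outside every configured range gets no plain-text override, so the connection falls back to the cluster-wide {{dfs.encrypt.data.transfer}} behaviour.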
