hadoop-hdfs-issues mailing list archives

From "Chris Nauroth (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HDFS-2856) Fix block protocol so that Datanodes don't require root or jsvc
Date Wed, 25 Jun 2014 17:36:24 GMT

     [ https://issues.apache.org/jira/browse/HDFS-2856?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Chris Nauroth updated HDFS-2856:
--------------------------------

    Attachment: HDFS-2856.5.patch

The test failures are unrelated.  {{TestPipelinesFailover}} has been failing intermittently
on other unrelated patches.  {{TestBalancerWithSaslDataTransfer}} reruns tests from {{TestBalancer}}
under secure configuration, and {{TestBalancer}} also has experienced intermittent failures
lately.

However, reviewing logs from the test runs made me notice that {{MiniDFSCluster}} was printing
a bogus warning about failure to bind to a privileged port, which isn't relevant when SASL
is configured on DataTransferProtocol.  This could cause confusion for people running the
tests in the future, so I'd like to stop those log messages.  I'm attaching patch v5 with
a minor change in {{MiniDFSCluster}} to stifle the bogus log messages.

> Fix block protocol so that Datanodes don't require root or jsvc
> ---------------------------------------------------------------
>
>                 Key: HDFS-2856
>                 URL: https://issues.apache.org/jira/browse/HDFS-2856
>             Project: Hadoop HDFS
>          Issue Type: Improvement
>          Components: datanode, security
>    Affects Versions: 3.0.0, 2.4.0
>            Reporter: Owen O'Malley
>            Assignee: Chris Nauroth
>         Attachments: Datanode-Security-Design.pdf, Datanode-Security-Design.pdf, Datanode-Security-Design.pdf, HDFS-2856-Test-Plan-1.pdf, HDFS-2856.1.patch, HDFS-2856.2.patch, HDFS-2856.3.patch, HDFS-2856.4.patch, HDFS-2856.5.patch, HDFS-2856.prototype.patch
>
>
> Since we send the block tokens unencrypted to the datanode, we currently start the datanode as root using jsvc and get a secure (< 1024) port.
> If we have the datanode generate a nonce and send it on the connection and the sends an hmac of the nonce back instead of the block token it won't reveal any secrets. Thus, we wouldn't require a secure port and would not require root or jsvc.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
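
The nonce-and-HMAC exchange proposed in the quoted issue description, as an added Python illustration that is not part of the original message and is not Hadoop's code. The `Datanode` class, `client_response`, `run_exchange`, the use of SHA-256, and the derivation of the token secret from a shared master key are assumptions made for the example.

```python
import hashlib
import hmac
import secrets


class Datanode:
    """Verifier side: issues single-use nonces and checks HMAC responses."""

    def __init__(self, master_key: bytes):
        self._master_key = master_key  # assumed to be shared with the token issuer
        self._pending = set()          # nonces issued and not yet answered

    def token_secret(self, token_id: bytes) -> bytes:
        # Assumption: a token's secret is an HMAC of its public identifier,
        # so the datanode can recompute it without per-token state.
        return hmac.new(self._master_key, token_id, hashlib.sha256).digest()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def verify(self, token_id: bytes, nonce: bytes, response: bytes) -> bool:
        if nonce not in self._pending:
            return False               # unknown or already-used nonce: replay
        self._pending.discard(nonce)   # each nonce is accepted at most once
        secret = self.token_secret(token_id)
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time compare


def client_response(token_secret: bytes, nonce: bytes) -> bytes:
    """Client side: prove possession of the secret without sending it."""
    return hmac.new(token_secret, nonce, hashlib.sha256).digest()


def run_exchange() -> dict:
    dn = Datanode(master_key=b"constructed-master-key-for-demo!")
    token_id = b"block=1073741825;user=alice;mode=READ"  # constructed sample
    secret = dn.token_secret(token_id)  # what the issuer would hand the client
    nonce = dn.challenge()
    resp = client_response(secret, nonce)
    results = {"valid": dn.verify(token_id, nonce, resp)}
    results["replayed"] = dn.verify(token_id, nonce, resp)
    results["stale_response"] = dn.verify(token_id, dn.challenge(), resp)
    fresh = dn.challenge()
    forged = client_response(b"x" * 32, fresh)
    results["wrong_secret"] = dn.verify(token_id, fresh, forged)
    return results
```

Only the public token identifier, the nonce and the HMAC cross the connection, so a passive observer of the unprivileged port learns nothing that answers a later challenge.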
