hadoop-hdfs-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Charles Lamb (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HDFS-6605) Client server negotiation of cipher suite
Date Wed, 02 Jul 2014 20:26:24 GMT

    [ https://issues.apache.org/jira/browse/HDFS-6605?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14050664#comment-14050664
] 

Charles Lamb commented on HDFS-6605:
------------------------------------

In general, this looks pretty good to me. I have a few comments:

CryptoCodec:

Style question: Is there any reason you didn't make suite be SUITE since it's a final constant?
Is that because it is protected and might someday not be static final?

FileEncryptionInfo:

You introduced a blank line in the imports section.

FSNamesystem:

We'll have a minor merge headache because getEncryptionZoneForPath is moving to FSD in HDFS-6516.

FSNamesystem.java:

I wonder if we shouldn't extract the ciphersuite matching logic into a method of its own.

CryptoCodec:

At some point we're going to support more than one suite. Does it make sense to have a getCipherSuites()
method that returns all of the suites that are supported on the client side? That way, in
DFSClient, we can just do cipherSuites.add(getCipherSuites()).

Is it worth thinking about a unit test that would test a new client against an old NN version
(one that doesn't have this patch) or is that not typically done?


> Client server negotiation of cipher suite
> -----------------------------------------
>
>                 Key: HDFS-6605
>                 URL: https://issues.apache.org/jira/browse/HDFS-6605
>             Project: Hadoop HDFS
>          Issue Type: Sub-task
>          Components: security
>    Affects Versions: fs-encryption (HADOOP-10150 and HDFS-6134)
>            Reporter: Andrew Wang
>            Assignee: Andrew Wang
>         Attachments: hdfs-6605.001.patch
>
>
> For compatibility purposes, the client and server should negotiate what cipher suite
to use based on their respective capabilities. This is also a way for the server to reject
old clients that do not support encryption.



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Mime
View raw message