hadoop-hdfs-issues mailing list archives

From "Xiaoyu Yao (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HDFS-13061) SaslDataTransferClient#checkTrustAndSend should not trust a partially trusted channel
Date Wed, 31 Jan 2018 17:56:00 GMT

    [ https://issues.apache.org/jira/browse/HDFS-13061?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16347274#comment-16347274 ]

Xiaoyu Yao commented on HDFS-13061:

Thanks [~ajayydv] for the update. +1 for the v4 patch. 
The test failures are unrelated. I will commit it shortly.

> SaslDataTransferClient#checkTrustAndSend should not trust a partially trusted channel
> -------------------------------------------------------------------------------------
>                 Key: HDFS-13061
>                 URL: https://issues.apache.org/jira/browse/HDFS-13061
>             Project: Hadoop HDFS
>          Issue Type: Bug
>            Reporter: Xiaoyu Yao
>            Assignee: Ajay Kumar
>            Priority: Major
>         Attachments: HDFS-13061.000.patch, HDFS-13061.001.patch, HDFS-13061.002.patch,
> HDFS-5910 introduces encryption negotiation between client and server based on a customizable TrustedChannelResolver class. The TrustedChannelResolver is invoked on both client and server side. If the resolver indicates that the channel is trusted, then the data transfer will not be encrypted even if dfs.encrypt.data.transfer is set to true.
> SaslDataTransferClient#checkTrustAndSend asks the channel resolver whether the client and server addresses are trusted, respectively. It decides the channel is untrusted only if both client and server are not trusted to enforce encryption. *This ticket is opened to change it to not trust (and encrypt) if either client or server address is not trusted.*

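The decision described in the ticket, as an added stand-alone model that is not part of the original message and is not Hadoop's code: the class, the `resolver` helper, `encryptBefore`/`encryptAfter` and all addresses are hypothetical and constructed for illustration. It assumes encryption is already enabled (dfs.encrypt.data.transfer set to true) and compares the decision before and after the change for each combination of trusted and untrusted endpoints.

```java
import java.net.InetAddress;
import java.util.List;
import java.util.function.Predicate;

public class PartialTrustDemo {
    // Hypothetical stand-in for a trust resolver: trusts a fixed list of addresses.
    static Predicate<InetAddress> resolver(List<String> trusted) {
        return addr -> trusted.contains(addr.getHostAddress());
    }

    // Behaviour the ticket reports: the channel is treated as untrusted
    // (and therefore encrypted) only if BOTH endpoints are untrusted.
    static boolean encryptBefore(Predicate<InetAddress> r,
                                 InetAddress client, InetAddress server) {
        return !r.test(client) && !r.test(server);
    }

    // Behaviour the ticket asks for: encrypt if EITHER endpoint is untrusted.
    static boolean encryptAfter(Predicate<InetAddress> r,
                                InetAddress client, InetAddress server) {
        return !r.test(client) || !r.test(server);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data: two trusted hosts, everything else untrusted.
        Predicate<InetAddress> r = resolver(List.of("10.0.0.5", "10.0.0.6"));
        String[][] pairs = {
            {"10.0.0.5",  "10.0.0.6"},   // both trusted
            {"10.0.0.5",  "192.0.2.9"},  // partially trusted: server untrusted
            {"192.0.2.8", "10.0.0.6"},   // partially trusted: client untrusted
            {"192.0.2.8", "192.0.2.9"},  // neither trusted
        };
        for (String[] p : pairs) {
            // IP literals are parsed locally, so no DNS lookup happens here.
            InetAddress client = InetAddress.getByName(p[0]);
            InetAddress server = InetAddress.getByName(p[1]);
            System.out.printf("client=%-10s server=%-10s encryptBefore=%-5b encryptAfter=%b%n",
                p[0], p[1],
                encryptBefore(r, client, server),
                encryptAfter(r, client, server));
        }
    }
}
```

The two partially trusted rows are the only ones where the decisions differ: the earlier logic leaves the transfer unencrypted, the requested logic encrypts it.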