hadoop-hdfs-issues mailing list archives

From "Ajay Kumar (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HDFS-13081) Datanode#checkSecureConfig should check HTTPS and SASL encryption
Date Thu, 01 Feb 2018 20:41:00 GMT

     [ https://issues.apache.org/jira/browse/HDFS-13081?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel

Ajay Kumar updated HDFS-13081:
    Status: Patch Available  (was: Open)

> Datanode#checkSecureConfig should check HTTPS and SASL encryption
> -----------------------------------------------------------------
>                 Key: HDFS-13081
>                 URL: https://issues.apache.org/jira/browse/HDFS-13081
>             Project: Hadoop HDFS
>          Issue Type: Bug
>          Components: datanode, security
>    Affects Versions: 3.0.0
>            Reporter: Xiaoyu Yao
>            Assignee: Ajay Kumar
>            Priority: Major
>         Attachments: HDFS-13081.000.patch
> Datanode#checkSecureConfig currently checks the following to determine if the datanode is secure:
>  1. The server has bound to privileged ports for RPC and HTTP via SecureDataNodeStarter.
>  2. The configuration enables SASL on DataTransferProtocol and HTTPS (no plain HTTP) for the HTTP server. The SASL handshake guarantees authentication of the RPC server before a client transmits a secret, such as a block access token. Similarly, SSL guarantees authentication of the HTTP server before a client transmits a secret, such as a delegation token.
> For the 2nd case, HTTPS_ONLY means all the traffic between the REST client and server will be encrypted. However, checking only whether a SASL property resolver is configured does not mean the server requires encrypted RPC.
> This ticket is opened to further check and ensure the datanode SASL property resolver has a QoP that includes auth-conf (PRIVACY). Note that the SASL QoP (Quality of Protection) negotiation may drop the RPC protection level from auth-conf (PRIVACY) to auth-int (integrity) or auth (authentication) only, which should be fine by design.
> cc: [~cnauroth] , [~jnpandey] for additional feedback.

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: hdfs-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-help@hadoop.apache.org
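The stricter check the ticket asks for, written out as an added example in Python rather than the project's Java; this is not Hadoop's own Datanode#checkSecureConfig and is not part of the JIRA message above. It reads the hdfs-site.xml properties that drive the two conditions in the description (dfs.datanode.address, dfs.datanode.http.address, dfs.http.policy and dfs.data.transfer.protection, whose authentication/integrity/privacy values the default resolver maps to the SASL QoP levels auth, auth-int and auth-conf) and approximates "bound to privileged ports" by the configured port numbers, since a static check cannot see what the process actually bound. The three sample configurations are constructed for the example, not taken from a real cluster.

```python
"""Static approximation of the stricter Datanode#checkSecureConfig proposed in
HDFS-13081. Added example; not Hadoop code. Assumptions: the privileged-port
condition is judged from the configured ports, and QoP is read from
dfs.data.transfer.protection (the default SaslPropertiesResolver)."""
import xml.etree.ElementTree as ET

# Constructed hdfs-site.xml fragments (not from any real deployment).
# Weak: SASL is configured and HTTPS_ONLY is set, which the pre-patch check
# accepts, but QoP is authentication only, so block data crosses the wire in clear.
WEAK_HDFS_SITE = """<configuration>
  <property><name>dfs.datanode.address</name><value>0.0.0.0:9866</value></property>
  <property><name>dfs.datanode.http.address</name><value>0.0.0.0:9864</value></property>
  <property><name>dfs.http.policy</name><value>HTTPS_ONLY</value></property>
  <property><name>dfs.data.transfer.protection</name><value>authentication</value></property>
</configuration>"""

# Hardened: the QoP list includes privacy (auth-conf), plus HTTPS_ONLY.
HARDENED_HDFS_SITE = """<configuration>
  <property><name>dfs.datanode.address</name><value>0.0.0.0:9866</value></property>
  <property><name>dfs.datanode.http.address</name><value>0.0.0.0:9864</value></property>
  <property><name>dfs.http.policy</name><value>HTTPS_ONLY</value></property>
  <property><name>dfs.data.transfer.protection</name><value>integrity,privacy</value></property>
</configuration>"""

# Privileged ports: the SecureDataNodeStarter (root + jsvc) model, no SASL needed.
PRIVPORT_HDFS_SITE = """<configuration>
  <property><name>dfs.datanode.address</name><value>0.0.0.0:1004</value></property>
  <property><name>dfs.datanode.http.address</name><value>0.0.0.0:1006</value></property>
</configuration>"""


def load_props(xml_text):
    """Parse a Hadoop *-site.xml document into a {name: value} dict."""
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.findall("property"):
        name = prop.findtext("name")
        if name is not None:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def port_of(addr):
    """Port number of a 'host:port' string such as '0.0.0.0:9866'."""
    return int(addr.rsplit(":", 1)[1])


def data_transfer_qop(props):
    """Configured QoP levels for DataTransferProtocol SASL, as a lower-cased set.
    dfs.data.transfer.protection is comma-separated: authentication, integrity,
    privacy (SASL auth, auth-int, auth-conf respectively)."""
    raw = props.get("dfs.data.transfer.protection", "")
    return {p.strip().lower() for p in raw.split(",") if p.strip()}


def check_secure_config(props, require_privacy=True):
    """Return (secure, reasons). With require_privacy=False this mirrors the
    pre-patch logic (any SASL QoP + HTTPS_ONLY passes); with the default True
    it also demands that privacy/auth-conf be among the offered QoP levels."""
    rpc_port = port_of(props.get("dfs.datanode.address", "0.0.0.0:9866"))
    http_port = port_of(props.get("dfs.datanode.http.address", "0.0.0.0:9864"))
    # Condition 1: both listeners on privileged ports (assumed from config).
    if rpc_port < 1024 and http_port < 1024:
        return True, ["rpc and http listeners on privileged ports"]

    # Condition 2: SASL on DataTransferProtocol (with privacy) and HTTPS only.
    reasons = []
    qop = data_transfer_qop(props)
    if not qop:
        reasons.append("dfs.data.transfer.protection unset: no SASL on DataTransferProtocol")
    elif require_privacy and "privacy" not in qop:
        reasons.append("dfs.data.transfer.protection=%s lacks privacy (auth-conf): "
                       "block data is not encrypted" % ",".join(sorted(qop)))
    policy = props.get("dfs.http.policy", "HTTP_ONLY").upper()
    if policy != "HTTPS_ONLY":
        reasons.append("dfs.http.policy=%s: plain HTTP is still served" % policy)
    if reasons:
        return False, reasons
    return True, ["SASL with privacy QoP on DataTransferProtocol and HTTPS_ONLY"]


if __name__ == "__main__":
    for label, xml in (("weak", WEAK_HDFS_SITE), ("hardened", HARDENED_HDFS_SITE),
                       ("privileged ports", PRIVPORT_HDFS_SITE)):
        ok, why = check_secure_config(load_props(xml))
        print("%-16s secure=%s %s" % (label, ok, "; ".join(why)))
```

Running the weak configuration through the function with require_privacy=False shows why the ticket exists: the pre-patch condition is satisfied by any dfs.data.transfer.protection value, so an authentication-only QoP passes even though the data path is unencrypted. The check only looks at the configured set; as the description notes, the negotiated QoP on a given connection can still end up lower than auth-conf.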
