hadoop-hdfs-issues mailing list archives

From "Konstantin Shvachko (Jira)" <j...@apache.org>
Subject [jira] [Commented] (HDFS-13541) NameNode Port based selective encryption
Date Wed, 21 Aug 2019 00:16:00 GMT

    [ https://issues.apache.org/jira/browse/HDFS-13541?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16911832#comment-16911832

Konstantin Shvachko commented on HDFS-13541:

Couple things for 3.1 patch:
# In {{hdfs-default.xml}} new auxiliary port and qop variables should go before {{dfs.namenode.blockreport.queue.size}}, rather than after, as in trunk.
# Noticed some blank line changes.
# {{TestJournalNodeSync}} failed for me with the patch, but passed without. Worth checking.

> NameNode Port based selective encryption
> ----------------------------------------
>                 Key: HDFS-13541
>                 URL: https://issues.apache.org/jira/browse/HDFS-13541
>             Project: Hadoop HDFS
>          Issue Type: Improvement
>          Components: datanode, namenode, security
>            Reporter: Chen Liang
>            Assignee: Chen Liang
>            Priority: Major
>              Labels: release-blocker
>         Attachments: HDFS-13541-branch-3.1.001.patch, HDFS-13541-branch-3.2.001.patch, HDFS-13541-branch-3.2.002.patch, NameNode Port based selective encryption-v1.pdf
>
> Here at LinkedIn, one issue we face is that we need to enforce different security requirements based on the location of the client and the cluster. Specifically, for clients from outside of the data center, it is required by regulation that all traffic must be encrypted. But for clients within the same data center, unencrypted connections are more desired to avoid the high encryption overhead.
>
> HADOOP-10221 introduced a pluggable SASL resolver, based on which HADOOP-10335 introduced WhitelistBasedResolver, which solves the same problem. However, we found it difficult to fit into our environment for several reasons. In this JIRA, on top of the pluggable SASL resolver, *we propose a different approach of running RPC on two ports on the NameNode, and the two ports will be enforcing encrypted and unencrypted connections respectively, and the following DataNode access will simply follow the same behaviour of encryption/unencryption*. Then by blocking the unencrypted port on the datacenter firewall, we can completely block unencrypted external access.

This message was sent by Atlassian Jira
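An added toy model of the two-port scheme described in the issue (example code, not Hadoop code and not anything attached to the JIRA): an external client can reach only the encrypted port, the NameNode rejects a weaker QOP on that port, and the DataNode path inherits the port's QOP. Port numbers, the policy table and the client records are constructed values.

```python
"""Toy model of NameNode port-based selective encryption (added example, not Hadoop code)."""
from dataclasses import dataclass

# Hadoop SASL QOP values ("javax.security.sasl.qop"): auth-conf encrypts the
# wire, authentication leaves payloads in the clear after the handshake.
QOP_ENCRYPTED = "auth-conf"
QOP_PLAIN = "authentication"

# Constructed NameNode RPC listener ports, one per policy (assumed values).
PLAIN_PORT, ENCRYPTED_PORT = 8020, 8021
PORT_POLICY = {PLAIN_PORT: QOP_PLAIN, ENCRYPTED_PORT: QOP_ENCRYPTED}

BLOCKED = "blocked-at-firewall"
REJECTED = "qop-mismatch"


@dataclass(frozen=True)
class Client:
    external: bool   # connecting from outside the data center?
    port: int        # NameNode port it dials
    qop: str         # QOP it offers during SASL negotiation


def firewall_allows(client: Client) -> bool:
    """Edge rule from the proposal: external traffic reaches only the encrypted port."""
    return not client.external or client.port == ENCRYPTED_PORT


def namenode_qop(port: int) -> str:
    """Ingress-port-based resolver; a port with no policy fails closed."""
    if port not in PORT_POLICY:
        raise ValueError(f"no QOP policy for port {port}")
    return PORT_POLICY[port]


def connect(client: Client) -> str:
    """Run one client through firewall, NameNode RPC and DataNode access.
    Returns BLOCKED, REJECTED, or the QOP the DataNode transfer will use."""
    if not firewall_allows(client):
        return BLOCKED
    required = namenode_qop(client.port)
    if required == QOP_ENCRYPTED and client.qop != QOP_ENCRYPTED:
        return REJECTED      # no negotiating down on the encrypted port
    # DataNode access follows the QOP decided for the port the client used,
    # so the client does not get to pick a weaker QOP for the block transfer.
    return required


def external_plaintext_possible() -> bool:
    """Does any port give an external client an unencrypted DataNode path?"""
    return any(connect(Client(True, p, QOP_PLAIN)) == QOP_PLAIN for p in PORT_POLICY)
```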
