[ https://issues.apache.org/jira/browse/HADOOP-10768?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16472743#comment-16472743 ]

Wei-Chiu Chuang commented on HADOOP-10768:
------------------------------------------

I am reviewing this patch now, and trying to push this feature as far as 
possible, as the RPC encryption performance problem is blocking some clusters 
that need to meet more stringent security compliance.

There are already excellent reviews and comments made by [~daryn], [~atm], 
[~dapengsun] so I am just trying to clear roadblocks.

rev008 still applies against trunk but does not compile due to changes in 
HDFS-13087, HDFS-12594, etc.
To expedite the review process, here's rev 009 that compiles against trunk.

We are testing rev008 on a live cluster now (Hadoop 3.0.0 + HBase 2.0.0-beta1 + 
other components). So far, I found HBase2 does not compile with it, so I filed 
HBASE-20572 to address that.

Protocol-wise, it looks backward compatible, which is good since we won't wait 
for Hadoop4 to include this feature.
I ran some simple tests (reading/writing files) successfully that involve mixing 
new clients with an old cluster. So that verifies the ciphers and codecs are 
compatible too.

After applying the patch, rolling upgrade performed successfully with Cloudera 
Manager.
Full cluster restart performed successfully too.

More reviews to come ...

> Optimize Hadoop RPC encryption performance
> ------------------------------------------
>
>                 Key: HADOOP-10768
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10768
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: performance, security
>    Affects Versions: 3.0.0-alpha1
>            Reporter: Yi Liu
>            Assignee: Dapeng Sun
>            Priority: Major
>         Attachments: HADOOP-10768.001.patch, HADOOP-10768.002.patch, 
> HADOOP-10768.003.patch, HADOOP-10768.004.patch, HADOOP-10768.005.patch, 
> HADOOP-10768.006.patch, HADOOP-10768.007.patch, HADOOP-10768.008.patch, 
> HADOOP-10768.009.patch, Optimize Hadoop RPC encryption performance.pdf
>
>
> Hadoop RPC encryption is enabled by setting {{hadoop.rpc.protection}} to 
> "privacy". It utilizes SASL {{GSSAPI}} and {{DIGEST-MD5}} mechanisms for 
> secure authentication and data protection. Even though {{GSSAPI}} supports 
> using AES, it is without AES-NI support by default, so the encryption is slow 
> and will become a bottleneck.
> After discussing with [~atm], [~tucu00] and [~umamaheswararao], we can do the 
> same optimization as in HDFS-6606. Use AES-NI with more than *20x* speedup.
> On the other hand, an RPC message is small, but RPC is frequent and there may 
> be lots of RPC calls in one connection, so we need to set up a benchmark to 
> see the real improvement and then make a trade-off. 


