[jira] [Commented] (HADOOP-16050) Support setting cipher suites for s3a file system

Fri, 18 Jan 2019 05:15:42 -0800 


    [ 
https://issues.apache.org/jira/browse/HADOOP-16050?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16746272#comment-16746272
 ] 

Steve Loughran commented on HADOOP-16050:
-----------------------------------------

some hints that this can be done in the connector setup, so we aren't dependent 
on the AWS SDK: https://developer.jboss.org/thread/275721

* there's a risk that in java 9+ we'd be coding in some regression: making this 
optional and experimental would be the obvious tactic, 
"fs.s3a.experimental.ciphers" & let people list them.
* mark wildfly openssl as optional, doc etc.

I can see the value of this on java 8 clusters. At the same time, I don't see 
space in my schedule to work on it. Can you take this up? It looks like you are 
best placed to do it.

Note: we're only likely to be targeting Hadoop 3.1+, though I am thinking it's 
time to backport the latest AWS SDK updates to branch-2,  because the shaded 
jackson there has a known security issue. Once this is in branch-2 we can look 
at backporting

> Support setting cipher suites for s3a file system
> -------------------------------------------------
>
>                 Key: HADOOP-16050
>                 URL: https://issues.apache.org/jira/browse/HADOOP-16050
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: fs/s3
>    Affects Versions: 2.9.1
>            Reporter: Justin Uang
>            Priority: Major
>         Attachments: Screen Shot 2019-01-17 at 2.57.06 PM.png
>
>
> We have found that when running the S3AFileSystem, it picks GCM as the ssl 
> cipher suite. Unfortunately this is well known to be slow on java 8: 
> [https://stackoverflow.com/questions/25992131/slow-aes-gcm-encryption-and-decryption-with-java-8u20.]
>  
> In practice we have seen that it can take well over 50% of our CPU time in 
> spark workflows. We should add an option to set the list of cipher suites we 
> would like to use. !Screen Shot 2019-01-17 at 2.57.06 PM.png!



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

Reply via email to