[ https://issues.apache.org/jira/browse/HADOOP-18967?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Charles Connell updated HADOOP-18967:
-------------------------------------
    Description: 
My employer (HubSpot) recently completed transitioning all of the Hadoop 
clusters underlying our HBase databases into secure mode. It was important to 
us that we be able to make this change without impacting the functionality of 
our SaaS product. To accomplish this, we added some new settings to our fork of 
Hadoop, and fixed a latent bug (HADOOP-18972). This ticket is my intention to 
contribute these changes back to the mainline code, so others can benefit. A 
patch will be incoming.

It was only necessary to change the HDFS code, because other Hadoop components 
are already able to seamlessly switch into secure mode.

The basic theme of the new functionality is the ability to accept incoming 
secure connections without requiring them or making them outgoing. Secure mode 
enablement will then be done in two stages.
 * First, all nodes are given configuration to accept secure connections, and 
are gracefully rolling-restarted to adopt this new functionality. I'll be 
adding the new settings to make this stage possible.
 * Second, all nodes are told to require incoming connections be secure, and to 
make secure outgoing connections, and the settings added in the first stage are 
removed. Nodes are again rolling-restarted to adopt this functionality. The 
settings in this final state will look the same as in any secure Hadoop cluster 
today.

I'll include documentation changes explaining how to do this.

  was:
My employer (HubSpot) recently completed transitioning all of the Hadoop 
clusters underlying our HBase databases into secure mode. It was important to 
us that we be able to make this change without impacting the functionality of 
our SaaS product. To accomplish this, we added some new settings to our fork of 
Hadoop, and fixed a latent bug (HADOOP-18972). This ticket is my intention to 
contribute these changes back to the mainline code, so others can benefit. A 
patch will be incoming.

The basic theme of the new functionality is the ability to accept incoming 
secure connections without requiring them or making them outgoing. Secure mode 
enablement will then be done in two stages.
 * First, all nodes are given configuration to accept secure connections, and 
are gracefully rolling-restarted to adopt this new functionality. I'll be 
adding the new settings to make this stage possible.
 * Second, all nodes are told to require incoming connections be secure, and to 
make secure outgoing connections, and the settings added in the first stage are 
removed. Nodes are again rolling-restarted to adopt this functionality. The 
settings in this final state will look the same as in any secure Hadoop cluster 
today.

I'll include documentation changes explaining how to do this.


> Allow no-downtime migration of HDFS clusters into secure mode
> -------------------------------------------------------------
>
>                 Key: HADOOP-18967
>                 URL: https://issues.apache.org/jira/browse/HADOOP-18967
>             Project: Hadoop Common
>          Issue Type: Improvement
>            Reporter: Charles Connell
>            Priority: Minor
>              Labels: pull-request-available
>             Fix For: 3.4.0
>
>
> My employer (HubSpot) recently completed transitioning all of the Hadoop 
> clusters underlying our HBase databases into secure mode. It was important to 
> us that we be able to make this change without impacting the functionality of 
> our SaaS product. To accomplish this, we added some new settings to our fork 
> of Hadoop, and fixed a latent bug (HADOOP-18972). This ticket is my intention 
> to contribute these changes back to the mainline code, so others can benefit. 
> A patch will be incoming.
>
> It was only necessary to change the HDFS code, because other Hadoop 
> components are already able to seamlessly switch into secure mode.
>
> The basic theme of the new functionality is the ability to accept incoming 
> secure connections without requiring them or making them outgoing. Secure 
> mode enablement will then be done in two stages.
>  * First, all nodes are given configuration to accept secure connections, and 
> are gracefully rolling-restarted to adopt this new functionality. I'll be 
> adding the new settings to make this stage possible.
>  * Second, all nodes are told to require incoming connections be secure, and 
> to make secure outgoing connections, and the settings added in the first 
> stage are removed. Nodes are again rolling-restarted to adopt this 
> functionality. The settings in this final state will look the same as in any 
> secure Hadoop cluster today.
>
> I'll include documentation changes explaining how to do this.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
