[ 
https://issues.apache.org/jira/browse/HADOOP-9709?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Benoy Antony updated HADOOP-9709:
---------------------------------

    Description: 
Hadoop Servers currently support only one QOP for the whole cluster.
We want Hadoop servers to support different quality of protection at the same 
time. This will enable different clients to use different QOP.

A simple use case:

Let each Hadoop server support two QOP.
1. Authentication
2. Privacy (Privacy includes Authentication).

The Hadoop servers and internal clients do Authentication without incurring 
the cost of encryption. External clients use Privacy. 
The hadoop servers and internal clients are inside the firewall. External 
clients are outside the firewall.

As an enhancement, it is possible to add a pluggable check (e.g. IP whitelist) 
to identify internal and external clients. 

The implementation is simple. 
Each Hadoop server listens on multiple ports by configuration with different 
QOP. 

For the use case mentioned above, the servers - NameNode, DataNode, 
ResourceManager - listen on two ports (much like 80 (http) and 443 (https)) for 
RPC and Streaming. ApplicationMaster uses a range of ports for privacy and 
non-privacy and picks up a port and QOP based on the client's config for client 
communication.

The clients specify the port which they are supposed to connect to. Clients 
specify the RPC protection as well as the encryption policy for the streaming layer.

This is an umbrella JIRA. 
I have divided this feature into multiple small tasks. I'll add testcases once 
the approach is reviewed.

  was:
Hadoop Servers currently support only one QOP for the whole cluster.
We want Hadoop servers to support different quality of protection at the same 
time. This will enable different clients to use a different QOP.

A simple usecase will be to define two QOP .
1.  Authentication
2. Privacy (Privacy includes Authentication) . 

The Hadoop servers and internal clients does Authentication without incurring 
cost of encryption. External clients use Privacy. 
The hadoop servers and internal clients are inside the firewall. External 
clients are outside the firewall.

As an enhancement , it is possible to add  a pluggable check (eg. IP whitelist) 
to identify internal and external clients.

The implementation is simple. 
Each Hadoop server listens on two ports by configuration with different QOP. 
The servers - NameNode, DataNode, ResourceManager listen on two ports (much 
like 80(http) and 443(https)) for RPC and Streaming.  ApplicationMaster uses a 
range of ports for privacy and non-privacy and picks up a port and QOP based on 
client's config.
The clients specify  the port which they are suppose to connect to. Clients 
specify the rpc protection  as well encryption policy for streaming layer.

This is an umbrella jira . 
I have divided this feature into multiple small tasks. I'll add testcases once 
the approach is reviewed.

    
> Add ability in Hadoop servers (Namenode, Datanode, ResourceManager )  to 
> support multiple QOP (Authentication , Privacy) 
> -------------------------------------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-9709
>                 URL: https://issues.apache.org/jira/browse/HADOOP-9709
>             Project: Hadoop Common
>          Issue Type: New Feature
>            Reporter: Benoy Antony
>            Assignee: Benoy Antony
>
> Hadoop Servers currently support only one QOP for the whole cluster.
> We want Hadoop servers to support different quality of protection at the same 
> time. This will enable different clients to use different QOP.
> A simple use case:
> Let each Hadoop server support two QOP.
> 1. Authentication
> 2. Privacy (Privacy includes Authentication).
> The Hadoop servers and internal clients do Authentication without incurring 
> the cost of encryption. External clients use Privacy. 
> The hadoop servers and internal clients are inside the firewall. External 
> clients are outside the firewall.
> As an enhancement, it is possible to add a pluggable check (e.g. IP 
> whitelist) to identify internal and external clients. 
> The implementation is simple. 
> Each Hadoop server listens on multiple ports by configuration with different 
> QOP. 
> For the use case mentioned above, the servers - NameNode, DataNode, 
> ResourceManager - listen on two ports (much like 80 (http) and 443 (https)) for 
> RPC and Streaming. ApplicationMaster uses a range of ports for privacy and 
> non-privacy and picks up a port and QOP based on the client's config for client 
> communication.
> The clients specify the port which they are supposed to connect to. Clients 
> specify the RPC protection as well as the encryption policy for the streaming layer.
> This is an umbrella JIRA. 
> I have divided this feature into multiple small tasks. I'll add testcases 
> once the approach is reviewed.

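The issue describes one listener port per QOP plus an optional pluggable check (e.g. IP whitelist) that separates internal from external clients. The sketch below is an added example, not code from the issue or from Hadoop: it combines the two so that a client outside the whitelist is refused on an authentication-only listener. The class name `PortQopPolicy`, the refusal rule, the ports 8020/8021 and the sample networks are assumptions made for illustration; `auth` and `auth-conf` are the standard SASL QOP tokens for authentication and privacy.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.List;
import java.util.Map;
import java.util.Optional;

// Hypothetical policy class; not a Hadoop API.
public class PortQopPolicy {
    // SASL QOP tokens: "auth" = authentication only, "auth-conf" = privacy.
    static final String AUTH = "auth", PRIVACY = "auth-conf";

    private final Map<Integer, String> qopByPort;  // listener port -> QOP
    private final List<String> internalCidrs;      // whitelist of internal networks

    PortQopPolicy(Map<Integer, String> qopByPort, List<String> internalCidrs) {
        this.qopByPort = qopByPort;
        this.internalCidrs = internalCidrs;
    }

    // True if the literal address ip lies inside cidr (IPv4 or IPv6).
    static boolean inCidr(String ip, String cidr) throws UnknownHostException {
        String[] parts = cidr.split("/");
        byte[] addr = InetAddress.getByName(ip).getAddress();
        byte[] net = InetAddress.getByName(parts[0]).getAddress();
        if (addr.length != net.length) return false;  // address family mismatch
        for (int bit = 0; bit < Integer.parseInt(parts[1]); bit++) {
            int mask = 0x80 >> (bit % 8);
            if ((addr[bit / 8] & mask) != (net[bit / 8] & mask)) return false;
        }
        return true;
    }

    // QOP to negotiate, or empty when the connection must be refused.
    Optional<String> resolve(String clientIp, int port) throws UnknownHostException {
        String qop = qopByPort.get(port);
        if (qop == null) return Optional.empty();  // not a configured listener
        boolean internal = false;
        for (String cidr : internalCidrs) internal |= inCidr(clientIp, cidr);
        // Assumed rule: only whitelisted clients may use a non-privacy listener.
        if (!internal && !PRIVACY.equals(qop)) return Optional.empty();
        return Optional.of(qop);
    }

    public static void main(String[] args) throws UnknownHostException {
        // Constructed sample: ports and networks are illustrative only.
        PortQopPolicy p = new PortQopPolicy(
            Map.of(8020, AUTH, 8021, PRIVACY), List.of("10.0.0.0/8"));
        System.out.println(p.resolve("10.1.2.3", 8020));     // internal, auth-only port
        System.out.println(p.resolve("203.0.113.7", 8021));  // external, privacy port
        System.out.println(p.resolve("203.0.113.7", 8020));  // external, auth-only port
    }
}
```

The whitelist here is matched against the connection's source address as the server sees it, so behind a proxy or NAT it classifies the intermediary rather than the original client.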