> However, HDFS uses HTTP to serve blocks up -that needs to be locked down
> too. Would the signing work there?

I am not familiar with HDFS over HTTP. Could it simply sign the stream and include the signature at the end of the HTTP message returned?

On Tue, Sep 30, 2008 at 8:56 AM, Steve Loughran <[EMAIL PROTECTED]> wrote:
> Jason Rutherglen wrote:
>>
>> I implemented an RMI protocol using Hadoop IPC and implemented basic
>> HMAC signing. It is I believe faster than public key private key
>> because it uses a secret key and does not require public key
>> provisioning like PKI would. Perhaps it would be a baseline way to
>> sign the data.
>
> That should work for authenticating messages between (trusted) nodes.
> Presumably the ipc.key value could be set in the Conf and all would be well.
>
> External job submitters shouldn't be given those keys; they'd need an
> HTTP(S) front end that could authenticate them however the organisation
> worked.
>
> Yes, that would be simpler. I am not enough of a security expert to say if
> it will work, but the keys should be easier to work with. As long as the
> configuration files are kept secure, your cluster will be locked.
>
> However, HDFS uses HTTP to serve blocks up -that needs to be locked down
> too. Would the signing work there?
>
> -steve
>
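
The "sign the stream and put the signature at the end" idea from this thread, as an added example that is not part of the original messages and is not Hadoop code: the sender appends an HMAC-SHA256 tag after the body, and the receiver holds the body back until the tag verifies. The function names, the demo key and the binding of the tag to a block id are assumptions made for the illustration.

```python
import hashlib
import hmac

TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC-SHA256 tag


def _new_mac(key, block_id):
    # Length-prefix the block id so the tag is bound to the block that was
    # requested and cannot be replayed as the answer for a different block.
    prefix = len(block_id).to_bytes(4, "big") + block_id
    return hmac.new(key, prefix, hashlib.sha256)


def sign_stream(key, block_id, chunks):
    """Yield the body chunks unchanged, then the HMAC tag as a trailer."""
    mac = _new_mac(key, block_id)
    for chunk in chunks:
        mac.update(chunk)
        yield chunk
    yield mac.digest()


def verify_stream(key, block_id, received):
    """Return the body if the trailing tag verifies, else raise ValueError.

    Bytes read before the trailer arrives are unauthenticated, so the body
    is buffered and only released after the comparison succeeds.
    """
    mac = _new_mac(key, block_id)
    body = bytearray()
    tail = b""  # the last <= TAG_LEN bytes seen so far (candidate tag)
    for chunk in received:
        data = tail + chunk
        if len(data) > TAG_LEN:
            mac.update(data[:-TAG_LEN])
            body += data[:-TAG_LEN]
        tail = data[-TAG_LEN:]
    # compare_digest avoids leaking how many tag bytes matched via timing.
    if len(tail) != TAG_LEN or not hmac.compare_digest(mac.digest(), tail):
        raise ValueError("HMAC trailer missing or invalid")
    return bytes(body)


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed; stands in for a shared secret
    wire = list(sign_stream(key, b"blk_1", [b"hello ", b"world"]))
    print(verify_stream(key, b"blk_1", wire))
```

A trailer tag detects tampering and truncation only at end of stream, so a receiver that cannot buffer a whole block would need per-chunk tags instead.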
