[ https://issues.apache.org/jira/browse/HDFS-13081?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ajay Kumar updated HDFS-13081:
------------------------------
Attachment: HDFS-13081.000.patch
> Datanode#checkSecureConfig should check HTTPS and SASL encryption
> -----------------------------------------------------------------
>
> Key: HDFS-13081
> URL: https://issues.apache.org/jira/browse/HDFS-13081
> Project: Hadoop HDFS
> Issue Type: Bug
> Components: datanode, security
> Affects Versions: 3.0.0
> Reporter: Xiaoyu Yao
> Assignee: Ajay Kumar
> Priority: Major
> Attachments: HDFS-13081.000.patch
>
>
> Datanode#checkSecureConfig currently checks the following to determine if
> a secure datanode is enabled:
> # The server has bound to privileged ports for RPC and HTTP via
> SecureDataNodeStarter.
> # The configuration enables SASL on DataTransferProtocol and HTTPS (no plain
> HTTP) for the HTTP server. The SASL handshake guarantees authentication of
> the RPC server before a client transmits a secret, such as a block access
> token. Similarly, SSL guarantees authentication of the HTTP server before a
> client transmits a secret, such as a delegation token.
> For the second case, HTTPS_ONLY means all the traffic between REST client and
> server will be encrypted. However, checking only whether a SASL property
> resolver is configured does not mean the server requires encrypted RPC.
> This ticket is open to further check and ensure that the datanode SASL property
> resolver has a QoP that includes auth-conf (PRIVACY). Note that the SASL QoP
> (Quality of Protection) negotiation may drop the RPC protection level from
> auth-conf (PRIVACY) to auth-int (integrity) or auth (authentication) only,
> which should be fine by design.
>
> cc: [~cnauroth] , [~jnpandey] for additional feedback.
>
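The stricter check the ticket asks for, as an added stand-alone example that is not Hadoop's own code: it maps the real `dfs.data.transfer.protection` levels to their SASL QoP tokens and accepts a non-privileged-port datanode only when `dfs.http.policy` is HTTPS_ONLY and auth-conf is among the offered QoPs; the configuration values and the `boundToPrivilegedPorts` flag are constructed inputs, and the method names are assumptions.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

/** Added example, not Hadoop code: models the stricter secure-datanode check proposed in HDFS-13081. */
public final class SecureDatanodeConfigCheck {
    // Real HDFS configuration keys; the values used below are constructed for this example.
    static final String HTTP_POLICY_KEY = "dfs.http.policy";
    static final String DATA_TRANSFER_PROTECTION_KEY = "dfs.data.transfer.protection";

    // dfs.data.transfer.protection levels and the SASL QoP token each one corresponds to.
    static final Map<String, String> QOP_BY_PROTECTION = Map.of(
            "authentication", "auth",
            "integrity", "auth-int",
            "privacy", "auth-conf");

    /** Translate a comma-separated protection list into SASL QoP tokens; unknown levels are rejected. */
    static List<String> toSaslQop(String protection) {
        List<String> qop = new ArrayList<>();
        if (protection == null || protection.trim().isEmpty()) {
            return qop; // SASL on DataTransferProtocol is not configured at all
        }
        for (String level : protection.split(",")) {
            String token = QOP_BY_PROTECTION.get(level.trim().toLowerCase());
            if (token == null) {
                throw new IllegalArgumentException("unknown data transfer protection level: " + level);
            }
            qop.add(token);
        }
        return qop;
    }

    /** The ticket's point: a configured resolver is not enough; auth-conf must be among the offered QoPs. */
    static boolean offersPrivacy(String protection) {
        return toSaslQop(protection).contains("auth-conf");
    }

    static boolean isHttpsOnly(Map<String, String> conf) {
        return "HTTPS_ONLY".equalsIgnoreCase(conf.getOrDefault(HTTP_POLICY_KEY, "HTTP_ONLY"));
    }

    /** Secure datanode by the stricter rule: privileged ports, or HTTPS only plus SASL privacy offered. */
    static boolean isSecureDatanode(Map<String, String> conf, boolean boundToPrivilegedPorts) {
        if (boundToPrivilegedPorts) return true;
        return isHttpsOnly(conf) && offersPrivacy(conf.get(DATA_TRANSFER_PROTECTION_KEY));
    }

    public static void main(String[] args) {
        Map<String, String> weak = Map.of(HTTP_POLICY_KEY, "HTTPS_ONLY", DATA_TRANSFER_PROTECTION_KEY, "authentication");
        Map<String, String> strong = Map.of(HTTP_POLICY_KEY, "HTTPS_ONLY", DATA_TRANSFER_PROTECTION_KEY, "privacy,integrity");
        System.out.println("resolver configured, no privacy -> secure? " + isSecureDatanode(weak, false));
        System.out.println("privacy offered                 -> secure? " + isSecureDatanode(strong, false));
    }
}
```

The "weak" configuration passes the current resolver-only check but fails here, which is exactly the gap the ticket describes; a negotiated downgrade from auth-conf at runtime is not modelled, since the ticket treats that as acceptable.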
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)