[ https://issues.apache.org/jira/browse/HDFS-13081?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16352875#comment-16352875 ]

Daryn Sharp commented on HDFS-13081:
------------------------------------

-1. This completely violates the premise for allowing DNs to quasi-"securely" 
run on non-privileged ports.  The theory is using SASL and SSL protects against 
a rogue process trivially harvesting tokens and passwords.
1. Any sasl QOP, privacy or not, will not send passwords in the clear. Block
tokens are protected.
2. Delegation tokens send passwords in the clear over http. Webhdfs is at high
risk.
3. Add SSL, assume it's "too hard" for the attacker to get the SSL cert, and
delegation tokens are "ok". This is why the current checks exist.

Relaxing the SSL requirement means an attacker crashes the DN or waits for it 
to restart during a RU, listens on its port, and trivially records the tokens 
and passwords in the non-SSL protected requests.

> Datanode#checkSecureConfig should check HTTPS and SASL encryption
> -----------------------------------------------------------------
>
>                 Key: HDFS-13081
>                 URL: https://issues.apache.org/jira/browse/HDFS-13081
>             Project: Hadoop HDFS
>          Issue Type: Bug
>          Components: datanode, security
>    Affects Versions: 3.0.0
>            Reporter: Xiaoyu Yao
>            Assignee: Ajay Kumar
>            Priority: Major
>         Attachments: HDFS-13081.000.patch
>
>
> Datanode#checkSecureConfig currently checks the following to determine if
> secure datanode is enabled.
> 1. The server has bound to privileged ports for RPC and HTTP via
> SecureDataNodeStarter.
> 2. The configuration enables SASL on DataTransferProtocol and HTTPS (no plain
> HTTP) for the HTTP server. The SASL handshake guarantees authentication of
> the RPC server before a client transmits a secret, such as a block access
> token. Similarly, SSL guarantees authentication of the HTTP server before a
> client transmits a secret, such as a delegation token.
> For the 2nd case, HTTPS_ONLY means all the traffic between REST client/server
> will be encrypted. However, the logic that checks only whether a SASL property
> resolver is configured does not mean the server requires an encrypted RPC.
> This ticket is open to further check and ensure the datanode SASL property
> resolver has a QoP that includes auth-conf(PRIVACY). Note that the SASL QoP
> (Quality of Protection) negotiation may drop RPC protection level from
> auth-conf(PRIVACY) to auth-int(integrity) or auth(authentication) only, which
> should be fine by design.
>  
> cc: [~cnauroth] , [~daryn], [~jnpandey] for additional feedback.
>  
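The two-way decision the ticket description lays out (privileged ports, or SASL on DataTransferProtocol together with dfs.http.policy=HTTPS_ONLY) and the stricter rule it proposes (the SASL QOP list must include auth-conf) are easy to get wrong by reading the words alone, so here is an added, stand-alone model of that logic in Python. It is not Hadoop code and not the HDFS-13081 patch: the real configuration key names are used, but the `privileged_resources` flag standing in for SecureDataNodeStarter, the `require_privacy` switch, and the assumption that the two modes are mutually exclusive are modelling choices made here. It models only the static configuration check; the port-takeover scenario raised in the comment above is a runtime concern that no configuration check captures.

```python
"""Illustrative model of DataNode#checkSecureConfig as described in HDFS-13081.

Added example, not Hadoop code: it re-implements the decision logic the ticket
describes over a plain dict so the current rule and the proposed stricter
rule (require auth-conf in the SASL QOP list) can be compared side by side.
"""

# Real Hadoop configuration keys; the accepted values below are the
# documented ones for each key.
DATA_TRANSFER_PROTECTION = "dfs.data.transfer.protection"
HTTP_POLICY = "dfs.http.policy"

# Hadoop protection level names -> SASL QOP tokens they negotiate.
QOP_BY_PROTECTION = {
    "authentication": "auth",
    "integrity": "auth-int",
    "privacy": "auth-conf",
}


class InsecureDataNodeConfig(RuntimeError):
    """Raised when the configuration does not satisfy the secure-start rule."""


def sasl_qops(conf):
    """Return the QOP list the SASL property resolver would be built with.

    An empty list models "no resolver configured" (the property is unset).
    """
    raw = conf.get(DATA_TRANSFER_PROTECTION, "").strip()
    if not raw:
        return []
    qops = []
    for name in raw.split(","):
        name = name.strip().lower()
        if name not in QOP_BY_PROTECTION:
            raise ValueError(f"unknown {DATA_TRANSFER_PROTECTION} value: {name!r}")
        qops.append(QOP_BY_PROTECTION[name])
    return qops


def check_secure_config(conf, privileged_resources, require_privacy=False):
    """Decide whether a secure DataNode may start; return which rule admitted it.

    privileged_resources (assumed flag) models SecureDataNodeStarter having
    bound the RPC and HTTP ports below 1024. require_privacy=False is the
    current check as the ticket describes it; require_privacy=True adds the
    proposed auth-conf requirement on top of it.
    """
    qops = sasl_qops(conf)
    https_only = conf.get(HTTP_POLICY, "HTTP_ONLY").upper() == "HTTPS_ONLY"

    # Case 1: privileged ports and no SASL resolver at all.
    if privileged_resources and not qops:
        return "privileged-ports"

    # Case 2: SASL on DataTransferProtocol plus HTTPS-only for the web server.
    # (Mixing case 1 and case 2 is treated as unsupported here: an assumption.)
    if qops and https_only and not privileged_resources:
        if require_privacy and "auth-conf" not in qops:
            raise InsecureDataNodeConfig(
                f"{DATA_TRANSFER_PROTECTION}={conf[DATA_TRANSFER_PROTECTION]!r} "
                "does not offer auth-conf (privacy)")
        return "sasl+https"

    raise InsecureDataNodeConfig(
        "need either privileged ports, or SASL data transfer protection "
        "together with dfs.http.policy=HTTPS_ONLY (not both)")


def audit(conf, privileged_resources, require_privacy=False):
    """Wrapper returning the admitting rule, or the rejection reason, as text."""
    try:
        return "OK: " + check_secure_config(conf, privileged_resources, require_privacy)
    except InsecureDataNodeConfig as e:
        return "REJECTED: " + str(e)


# Constructed sample configurations (not taken from any real cluster).
WEAK = {DATA_TRANSFER_PROTECTION: "authentication", HTTP_POLICY: "HTTPS_ONLY"}
HARDENED = {DATA_TRANSFER_PROTECTION: "privacy", HTTP_POLICY: "HTTPS_ONLY"}
MIXED_HTTP = {DATA_TRANSFER_PROTECTION: "privacy", HTTP_POLICY: "HTTP_AND_HTTPS"}

if __name__ == "__main__":
    for label, conf in [("weak", WEAK), ("hardened", HARDENED), ("mixed-http", MIXED_HTTP)]:
        print(f"{label:10} current:  {audit(conf, False)}")
        print(f"{label:10} proposed: {audit(conf, False, require_privacy=True)}")
    print(f"{'priv-ports':10} current:  {audit({}, True)}")
```

The WEAK configuration is the case the ticket is about: it passes today's check because a resolver exists and the HTTP policy is HTTPS_ONLY, yet it only offers `auth`, so DataTransferProtocol is authenticated but not encrypted; with `require_privacy=True` it is rejected. MIXED_HTTP is rejected under both rules because plain HTTP is still served.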


