Ajay Kumar commented on HDFS-13081:

[~daryn] thanks for the valuable input. Updated the patch to allow DN to start 
in case SASL is enabled and HTTP port is privileged.

cc: [~jnp],[~xyao]

> Datanode#checkSecureConfig should check HTTPS and SASL encryption
> -----------------------------------------------------------------
>                 Key: HDFS-13081
>                 URL: https://issues.apache.org/jira/browse/HDFS-13081
>             Project: Hadoop HDFS
>          Issue Type: Bug
>          Components: datanode, security
>    Affects Versions: 3.0.0
>            Reporter: Xiaoyu Yao
>            Assignee: Ajay Kumar
>            Priority: Major
>         Attachments: HDFS-13081.000.patch, HDFS-13081.001.patch
> Datanode#checkSecureConfig currently check the following to determine if 
> secure datanode is enabled. 
>  # The server has bound to privileged ports for RPC and HTTP via 
> SecureDataNodeStarter.
>  # The configuration enables SASL on DataTransferProtocol and HTTPS (no plain 
> HTTP) for the HTTP server. The SASL handshake guarantees authentication of 
> the RPC server before a client transmits a secret, such as a block access 
> token. Similarly, SSL guarantees authentication of the
>  HTTP server before a client transmits a secret, such as a delegation token.
> For the 2nd case, HTTPS_ONLY means all the traffic between REST client/server 
> will be encrypted. However, the logic to check only if SASL property resolver 
> is configured does not mean server requires an encrypted RPC. 
> This ticket is open to further check and ensure datanode SASL property 
> resolver has a QoP that includes auth-conf(PRIVACY). Note that the SASL QoP 
> (Quality of Protection) negotiation may drop RPC protection level from 
> auth-conf(PRIVACY) to auth-int(integrity) or auth(authentication) only, which 
> should be fine by design.
> cc: [~cnauroth] , [~daryn], [~jnpandey] for additional feedback.

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org

Reply via email to