Xiaoyu Yao commented on HDFS-13081:

Thanks [~ajayydv] for the update. Patch v2 looks good to me overall. I just 
have few questions:

Line 137: It seems the logic to set isHttpPrivileged is dependent on whether 
Ppc Privileged port is bound successfully. If we throw here when failing to 
bind privilege RPC, we won't attempt to bind privilege HTTP. As a result, the 
SASL + privilege HTTP only won't be possible. Can you confirm?
Line 177: we should use SecurityUtil.isPrivilegedPort(localAddr.getPort()) 
without isSecure for isHttpPrivileged?

Line 1488-1498: this handles the case: Privilege RPC is always true 
We added the option to allow privilege HTTP or HTTPS for httpSecure.

Line 1502-1504: this handled the case: SASL + HTTPS

If we don't support SASL and privilege HTTP only, we should document it clearly.

Line 170: suggest edits:

1. Set a non-privileged port for `dfs.datanode.address` and make sure the 
`HDFS_DATANODE_SECURE_USER` environment variable is not defined.

2. Set `dfs.http.policy` to `HTTPS_ONLY` or Set `dfs.datanode.http.address` to 
a privileged port.

> Datanode#checkSecureConfig should check HTTPS and SASL encryption
> -----------------------------------------------------------------
>                 Key: HDFS-13081
>                 URL: https://issues.apache.org/jira/browse/HDFS-13081
>             Project: Hadoop HDFS
>          Issue Type: Bug
>          Components: datanode, security
>    Affects Versions: 3.0.0
>            Reporter: Xiaoyu Yao
>            Assignee: Ajay Kumar
>            Priority: Major
>         Attachments: HDFS-13081.000.patch, HDFS-13081.001.patch, 
> HDFS-13081.002.patch
> Datanode#checkSecureConfig currently check the following to determine if 
> secure datanode is enabled. 
>  # The server has bound to privileged ports for RPC and HTTP via 
> SecureDataNodeStarter.
>  # The configuration enables SASL on DataTransferProtocol and HTTPS (no plain 
> HTTP) for the HTTP server. The SASL handshake guarantees authentication of 
> the RPC server before a client transmits a secret, such as a block access 
> token. Similarly, SSL guarantees authentication of the
>  HTTP server before a client transmits a secret, such as a delegation token.
> For the 2nd case, HTTPS_ONLY means all the traffic between REST client/server 
> will be encrypted. However, the logic to check only if SASL property resolver 
> is configured does not mean server requires an encrypted RPC. 
> This ticket is open to further check and ensure datanode SASL property 
> resolver has a QoP that includes auth-conf(PRIVACY). Note that the SASL QoP 
> (Quality of Protection) negotiation may drop RPC protection level from 
> auth-conf(PRIVACY) to auth-int(integrity) or auth(authentication) only, which 
> should be fine by design.
> cc: [~cnauroth] , [~daryn], [~jnpandey] for additional feedback.

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org

Reply via email to