Chen Liang created HDFS-13541:
---------------------------------
Summary: NameNode Port based selective encryption
Key: HDFS-13541
URL: https://issues.apache.org/jira/browse/HDFS-13541
Project: Hadoop HDFS
Issue Type: Improvement
Components: datanode, namenode, security
Reporter: Chen Liang
Assignee: Chen Liang
Attachments: NameNode Port based selective encryption-v1.pdf

Here at LinkedIn, one issue we face is that we need to enforce different
security requirements based on the location of the client and the cluster.
Specifically, for clients from outside of the data center, it is required by
regulation that all traffic must be encrypted. But for clients within the same
data center, unencrypted connections are more desirable, to avoid the high
encryption overhead.

HADOOP-10221 introduced a pluggable SASL resolver, based on which HADOOP-10335
introduced WhitelistBasedResolver, which solves the same problem. However, we
found it difficult to fit into our environment for several reasons. In this
JIRA, on top of the pluggable SASL resolver, *we propose a different approach of
running RPC on two ports on the NameNode, and the two ports will be enforcing
encrypted and unencrypted connections respectively, and the following DataNode
access will simply follow the same behaviour of encryption/unencryption*. Then,
by blocking the unencrypted port on the datacenter firewall, we can completely block
unencrypted external access.
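
A small model of the port-based selection proposed above, added here as an illustration; it is not code from the issue, its attachment or Hadoop. The port numbers (8020, 8021) and all function names are assumptions; the QOP strings are the standard SASL values.

```python
# Added illustration: a model of port-based QOP selection, not Hadoop's resolver API.
PRIVACY = "auth-conf"   # SASL QOP: authentication + integrity + confidentiality
AUTH_ONLY = "auth"      # SASL QOP: authentication only, payload sent in the clear

# Constructed NameNode layout (assumed ports): one RPC port per protection level.
PORT_QOP = {8020: AUTH_ONLY, 8021: PRIVACY}


def qop_for_port(ingress_port, port_qop=PORT_QOP):
    """QOP the server enforces for a connection arriving on ingress_port.
    Unmapped ports fail closed to privacy instead of falling back to cleartext."""
    return port_qop.get(ingress_port, PRIVACY)


def negotiate(ingress_port, client_offers, port_qop=PORT_QOP):
    """Agreed QOP, or None when the client does not offer what the port enforces."""
    required = qop_for_port(ingress_port, port_qop)
    return required if required in client_offers else None


def datanode_encrypts(namenode_port, port_qop=PORT_QOP):
    """The follow-up DataNode transfer mirrors the NameNode port the client used."""
    return qop_for_port(namenode_port, port_qop) == PRIVACY


def audit_firewall(externally_open_ports, port_qop=PORT_QOP):
    """NameNode RPC ports reachable from outside that do not enforce privacy.
    An empty result means no external client can obtain an unencrypted session."""
    return sorted(p for p in externally_open_ports
                  if p in port_qop and port_qop[p] != PRIVACY)


if __name__ == "__main__":
    # External client that only offers cleartext is refused on the encrypted port.
    print(negotiate(8021, {AUTH_ONLY}))
    # Internal client on the unencrypted port: cleartext RPC and cleartext DataNode I/O.
    print(negotiate(8020, {AUTH_ONLY, PRIVACY}), datanode_encrypts(8020))
    # Firewall that lets only the encrypted port through passes the audit.
    print(audit_firewall({8021}))
    # Misconfigured firewall: the cleartext port is exposed and gets flagged.
    print(audit_firewall({8020, 8021, 443}))
```

The audit function captures the dependency in the proposal: the encryption guarantee for external clients holds only while the firewall rule and the port-to-QOP mapping agree.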