[
https://issues.apache.org/jira/browse/HDFS-13541?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16470684#comment-16470684
]
Benoy Antony commented on HDFS-13541:
-------------------------------------
Thanks [~vagarychen]. I have reviewed the document. Overall, I believe, this
approach makes the administration of selective encryption simpler. The
selection can be done using firewall rules.
I have a few comments based on my understanding of the design.
# Currently the input to _SaslPropertiesResolver_ methods is the IP address. This
feature adds the ingress port as an input. I believe it should be made generic so
that we do not have to change it in future. We could also think of passing
additional parameters based on the connection even though they may not be used
in the current implementations of _SaslPropertiesResolver_.
# The _selective data transfer protection_ design needs more scrutiny as
its protection is derived from _selective RPC protection_. Based on what I
understood, the protection is dictated by the value of the _encrypted message_ sent
by the client when it handshakes with the datanode just before the data transfer.
The _encrypted message_ is either _auth_ or _auth_conf_ encrypted by the secret
shared between the namenode and the datanode. If so, what prevents an external
client from replaying the _encrypted message_ from a different connection
between an internal client and a datanode?
# Another side effect of derived QOP for data transfer protection is that one
cannot enable RPC protection alone with this approach.
# As mentioned in the document, encrypting the entire data pipeline is not
necessary. I believe it should be optimized.
# All things equal, I prefer the approach where datanode also listens on two
ports, as it makes the entire approach easy to understand. It will also solve
issues specified in #2 and #3 above. Those issues are the result of QOP of
data transfer operation becoming a derivative of RPC operation.
> NameNode Port based selective encryption
> ----------------------------------------
>
> Key: HDFS-13541
> URL: https://issues.apache.org/jira/browse/HDFS-13541
> Project: Hadoop HDFS
> Issue Type: Improvement
> Components: datanode, namenode, security
> Reporter: Chen Liang
> Assignee: Chen Liang
> Priority: Major
> Attachments: NameNode Port based selective encryption-v1.pdf
>
>
> Here at LinkedIn, one issue we face is that we need to enforce different
> security requirement based on the location of client and the cluster.
> Specifically, for clients from outside of the data center, it is required by
> regulation that all traffic must be encrypted. But for clients within the
> same data center, unencrypted connections are more desired to avoid the high
> encryption overhead.
> HADOOP-10221 introduced pluggable SASL resolver, based on which HADOOP-10335
> introduced WhitelistBasedResolver which solves the same problem. However we
> found it difficult to fit into our environment for several reasons. In this
> JIRA, on top of pluggable SASL resolver, *we propose a different approach of
> running RPC on two ports on NameNode, and the two ports will be enforcing
> encrypted and unencrypted connections respectively, and the following
> DataNode access will simply follow the same behaviour of
> encryption/unencryption*. Then by blocking unencrypted port on datacenter
> firewall, we can completely block unencrypted external access.
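As an added illustration of the replay concern raised in point #2 of the comment above (example code written for this page, not HDFS code and not the mechanism in the attached design document): a toy model in which the NameNode issues the QOP message under the NameNode/DataNode shared secret and the DataNode verifies it. A message carrying only the QOP verifies identically on any connection; the `scope` binding to client address, block id and expiry is a hypothetical mitigation assumed here, and the secret, addresses and ids are constructed samples.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed sample standing in for the NameNode/DataNode shared secret.
SHARED_SECRET = b"constructed-nn-dn-shared-secret"


def _mac(payload: bytes) -> bytes:
    """Integrity tag over the payload; hex so the token stays '#'-separable."""
    return hmac.new(SHARED_SECRET, payload, hashlib.sha256).hexdigest().encode()


def issue_qop_token(qop: str, scope: Optional[dict] = None) -> bytes:
    """NameNode side: build the message the client later presents to a DataNode.
    scope=None models the design the comment questions (QOP only); with a scope
    the message is also bound to client address, block id and an expiry time."""
    fields = [qop]
    if scope is not None:
        fields += [scope["client_ip"], str(scope["block_id"]), str(scope["expires"])]
    payload = "|".join(fields).encode()
    return payload + b"#" + _mac(payload)


def verify_qop_token(token: bytes, conn: dict, now: Optional[float] = None) -> Optional[str]:
    """DataNode side: return the QOP the token dictates, or None if rejected.
    conn describes the connection the token arrived on (constructed sample)."""
    payload, _, mac = token.rpartition(b"#")
    if not hmac.compare_digest(mac, _mac(payload)):
        return None  # forged or corrupted
    fields = payload.decode().split("|")
    if len(fields) == 1:
        return fields[0]  # unbound: the DataNode cannot tell a replay apart
    qop, client_ip, block_id, expires = fields[0], fields[1], int(fields[2]), float(fields[3])
    now = time.time() if now is None else now
    if client_ip != conn["client_ip"] or block_id != conn["block_id"] or now > expires:
        return None  # presented on a different connection, or stale
    return qop


def demo() -> tuple:
    """Same 'auth' token checked on the internal connection it was issued for
    and on an external one, first unbound, then bound to the internal client."""
    internal = {"client_ip": "10.0.0.5", "block_id": 1234}
    external = {"client_ip": "203.0.113.9", "block_id": 1234}
    unbound = issue_qop_token("auth")
    bound = issue_qop_token("auth", {"client_ip": "10.0.0.5", "block_id": 1234, "expires": 1_000_000})
    return (
        verify_qop_token(unbound, internal),
        verify_qop_token(unbound, external),
        verify_qop_token(bound, internal, now=999_000),
        verify_qop_token(bound, external, now=999_000),
    )
```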
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)