[jira] [Commented] (HDFS-13541) NameNode Port based selective encryption

Wed, 31 Jul 2019 15:19:15 -0700 


    [ 
https://issues.apache.org/jira/browse/HDFS-13541?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16897581#comment-16897581
 ] 

Chen Liang commented on HDFS-13541:
-----------------------------------

Working on backport to branch-3.x and branch-2, post synthesized patch to 
trigger jenkins tests.

> NameNode Port based selective encryption
> ----------------------------------------
>
>                 Key: HDFS-13541
>                 URL: https://issues.apache.org/jira/browse/HDFS-13541
>             Project: Hadoop HDFS
>          Issue Type: Improvement
>          Components: datanode, namenode, security
>            Reporter: Chen Liang
>            Assignee: Chen Liang
>            Priority: Major
>         Attachments: HDFS-13541-branch-3.2.001.patch, NameNode Port based 
> selective encryption-v1.pdf
>
>
> Here at LinkedIn, one issue we face is that we need to enforce different 
> security requirement based on the location of client and the cluster. 
> Specifically, for clients from outside of the data center, it is required by 
> regulation that all traffic must be encrypted. But for clients within the 
> same data center, unencrypted connections are more desired to avoid the high 
> encryption overhead. 
> HADOOP-10221 introduced pluggable SASL resolver, based on which HADOOP-10335 
> introduced WhitelistBasedResolver which solves the same problem. However we 
> found it difficult to fit into our environment for several reasons. In this 
> JIRA, on top of pluggable SASL resolver, *we propose a different approach of 
> running RPC two ports on NameNode, and the two ports will be enforcing 
> encrypted and unencrypted connections respectively, and the following 
> DataNode access will simply follow the same behaviour of 
> encryption/unencryption*. Then by blocking unencrypted port on datacenter 
> firewall, we can completely block unencrypted external access.



--
This message was sent by Atlassian JIRA
(v7.6.14#76016)

---------------------------------------------------------------------
To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org

Reply via email to