[jira] [Commented] (HDFS-13541) NameNode Port based selective encryption

Fri, 23 Aug 2019 11:10:17 -0700 


    [ 
https://issues.apache.org/jira/browse/HDFS-13541?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16914529#comment-16914529
 ] 

Chen Liang commented on HDFS-13541:
-----------------------------------

Thanks [~shv]! I've committed to branch-3.1.

> NameNode Port based selective encryption
> ----------------------------------------
>
>                 Key: HDFS-13541
>                 URL: https://issues.apache.org/jira/browse/HDFS-13541
>             Project: Hadoop HDFS
>          Issue Type: Improvement
>          Components: datanode, namenode, security
>            Reporter: Chen Liang
>            Assignee: Chen Liang
>            Priority: Major
>              Labels: release-blocker
>         Attachments: HDFS-13541-branch-3.1.001.patch, 
> HDFS-13541-branch-3.1.002.patch, HDFS-13541-branch-3.2.001.patch, 
> HDFS-13541-branch-3.2.002.patch, NameNode Port based selective 
> encryption-v1.pdf
>
>
> Here at LinkedIn, one issue we face is that we need to enforce different 
> security requirement based on the location of client and the cluster. 
> Specifically, for clients from outside of the data center, it is required by 
> regulation that all traffic must be encrypted. But for clients within the 
> same data center, unencrypted connections are more desired to avoid the high 
> encryption overhead. 
> HADOOP-10221 introduced pluggable SASL resolver, based on which HADOOP-10335 
> introduced WhitelistBasedResolver which solves the same problem. However we 
> found it difficult to fit into our environment for several reasons. In this 
> JIRA, on top of pluggable SASL resolver, *we propose a different approach of 
> running RPC two ports on NameNode, and the two ports will be enforcing 
> encrypted and unencrypted connections respectively, and the following 
> DataNode access will simply follow the same behaviour of 
> encryption/unencryption*. Then by blocking unencrypted port on datacenter 
> firewall, we can completely block unencrypted external access.



--
This message was sent by Atlassian Jira
(v8.3.2#803003)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to