[
https://issues.apache.org/jira/browse/HDFS-13541?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16916256#comment-16916256
]
Konstantin Shvachko commented on HDFS-13541:
--------------------------------------------
Comments for branch-2 v02 patch:
# {{SaslDataTransferServer}} has a bunch of new unused imports. Not sure where
they come from.
# Long lines in {{BlockManager}}
# In {{SaslDataTransferClient.checkTrustAndSend()}}
{code}LOG.info("SASL encryption trust check: localHostTrusted = {}, "{code}
is info level, while on trunk it is debug. Should it be debug for branch-2 as
well?
# Do we need any changes in {{PBHelperClient}}?
> NameNode Port based selective encryption
> ----------------------------------------
>
> Key: HDFS-13541
> URL: https://issues.apache.org/jira/browse/HDFS-13541
> Project: Hadoop HDFS
> Issue Type: Improvement
> Components: datanode, namenode, security
> Reporter: Chen Liang
> Assignee: Chen Liang
> Priority: Major
> Labels: release-blocker
> Attachments: HDFS-13541-branch-2.001.patch,
> HDFS-13541-branch-2.002.patch, HDFS-13541-branch-3.1.001.patch,
> HDFS-13541-branch-3.1.002.patch, HDFS-13541-branch-3.2.001.patch,
> HDFS-13541-branch-3.2.002.patch, NameNode Port based selective
> encryption-v1.pdf
>
>
> Here at LinkedIn, one issue we face is that we need to enforce different
> security requirements based on the location of the client relative to the
> cluster. Specifically, for clients from outside of the data center, it is
> required by regulation that all traffic must be encrypted. But for clients
> within the same data center, unencrypted connections are preferred to avoid
> the high encryption overhead.
> HADOOP-10221 introduced a pluggable SASL resolver, based on which HADOOP-10335
> introduced WhitelistBasedResolver, which solves the same problem. However, we
> found it difficult to fit into our environment for several reasons. In this
> JIRA, on top of the pluggable SASL resolver, *we propose a different approach
> of running RPC on two ports on the NameNode, where the two ports enforce
> encrypted and unencrypted connections respectively, and the subsequent
> DataNode access simply follows the same encrypted/unencrypted behaviour*.
> Then, by blocking the unencrypted port on the datacenter firewall, we can
> completely block unencrypted external access.
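The quoted design combines three decisions: the firewall lets external sources reach only one NameNode port, that port's SASL resolver enforces encryption (QOP "auth-conf") while the other port enforces plaintext ("auth"), and the DataNode path honours whatever the NameNode negotiated. The following is an added toy model of that policy in Python; it is illustration written for this page, not code from the HDFS-13541 patches or from Hadoop. The port numbers, the `BlockToken` shape, and the function names are assumptions; real block access tokens and the Hadoop `SaslPropertiesResolver` interface look different.

```python
"""
Toy model (added illustration, not the HDFS-13541 patch) of NameNode
port-based selective encryption: two RPC listener ports, a resolver that
maps the ingress port to the SASL QOP that port enforces, and a DataNode
that honours the QOP the NameNode recorded in the block token.
Port numbers, names and the token layout are assumptions.
"""
from dataclasses import dataclass

ENCRYPTED_PORT = 8021  # assumed: the port left open at the DC firewall
PLAINTEXT_PORT = 8020  # assumed: the port blocked for external sources

# Java SASL QOP names, ranked weakest to strongest.
QOP_RANK = {"auth": 0, "auth-int": 1, "auth-conf": 2}

# Which QOP each NameNode port enforces ("auth-conf" = encrypted).
PORT_QOP = {ENCRYPTED_PORT: "auth-conf", PLAINTEXT_PORT: "auth"}


def required_qop(ingress_port: int) -> str:
    """Port-based resolver: the policy depends only on the port the client hit."""
    if ingress_port not in PORT_QOP:
        raise ValueError(f"no SASL policy configured for port {ingress_port}")
    return PORT_QOP[ingress_port]


def negotiate(ingress_port: int, client_offered: list) -> str:
    """Server side of the SASL handshake. Each port enforces exactly one QOP;
    a client that does not offer it is rejected rather than up- or downgraded."""
    qop = required_qop(ingress_port)
    if qop not in client_offered:
        raise PermissionError(
            f"port {ingress_port} requires {qop}, client offered {client_offered}")
    return qop


@dataclass(frozen=True)
class BlockToken:
    """Minimal stand-in for a block access token; real tokens carry more fields."""
    block_id: int
    qop: str  # QOP negotiated at the NameNode; the DataNode must not accept less


def issue_block_token(ingress_port: int, client_offered: list, block_id: int) -> BlockToken:
    """NameNode: negotiate on the ingress port, then pin the outcome in the
    token so the later DataNode access follows the same behaviour."""
    return BlockToken(block_id, negotiate(ingress_port, client_offered))


def datanode_accepts(token: BlockToken, data_qop: str) -> bool:
    """DataNode transfer check: the QOP used on the wire must be at least what
    the token says. Stronger than required is fine; weaker is a downgrade."""
    return QOP_RANK.get(data_qop, -1) >= QOP_RANK[token.qop]


def firewall_allows(src_external: bool, dst_port: int) -> bool:
    """DC perimeter rule: external sources may reach only the encrypted port."""
    return (not src_external) or dst_port == ENCRYPTED_PORT


def simulate(src_external: bool, dst_port: int, client_offered: list,
             data_qop: str, block_id: int = 1) -> str:
    """End-to-end path: firewall -> NameNode port -> block token -> DataNode.
    Returns a short outcome label for one constructed client attempt."""
    if not firewall_allows(src_external, dst_port):
        return "dropped-at-firewall"
    try:
        token = issue_block_token(dst_port, client_offered, block_id)
    except PermissionError:
        return "rejected-by-namenode"
    if not datanode_accepts(token, data_qop):
        return "rejected-by-datanode"
    return f"ok:{token.qop}"


if __name__ == "__main__":
    # Constructed scenarios: (external?, port hit, QOPs offered, QOP used to DN)
    for case in [
        (True, PLAINTEXT_PORT, ["auth"], "auth"),             # blocked at the edge
        (True, ENCRYPTED_PORT, ["auth"], "auth"),             # plaintext on the encrypted port
        (True, ENCRYPTED_PORT, ["auth-conf"], "auth"),        # downgrade attempt at the DataNode
        (True, ENCRYPTED_PORT, ["auth", "auth-conf"], "auth-conf"),
        (False, PLAINTEXT_PORT, ["auth", "auth-conf"], "auth"),
    ]:
        print(case, "->", simulate(*case))
```

The two checks worth noting are the ones that close the obvious gaps in a "block the port at the firewall" design: `negotiate` refuses a client that reaches the encrypted port but only offers "auth", so an internal-to-external pivot cannot talk plaintext on the exposed port, and `datanode_accepts` refuses a data transfer weaker than the QOP the NameNode recorded, so the encryption decision made at the RPC port cannot be undone on the block path.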
--
This message was sent by Atlassian Jira
(v8.3.2#803003)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]