[jira] [Updated] (HDFS-2856) Fix block protocol so that Datanodes don't require root or jsvc

Thu, 02 May 2013 10:32:18 -0700 

     [ 
https://issues.apache.org/jira/browse/HDFS-2856?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Chris Nauroth updated HDFS-2856:
--------------------------------

    Attachment: Datanode-Security-Design.pdf

Thanks, Owen.  Here is a new version of the design doc.

{quote}
Chris, can you update the document with a read path?
{quote}

The preliminary handshake is the same, so I didn't clone all of that 
information to discuss readBlock.  Instead, I added a statement that other 
operations like readBlock are similar in steps 1-6.  If you still prefer to see 
a detailed section dedicated to readBlock, let me know, and I'll add it.

{quote}
We should also include the current timestamp from the client to the datanode 
(both directly and in the hmac) to make replay attacks harder.
{quote}

Good idea.  I've changed step 3 to include client timestamp in the arguments 
and the calculation of client digest.  I've changed step 4 so that the datanode 
checks client timestamp is within a threshold.  I've changed step 5 to include 
client timestamp in calculation of server digest.
                
> Fix block protocol so that Datanodes don't require root or jsvc
> ---------------------------------------------------------------
>
>                 Key: HDFS-2856
>                 URL: https://issues.apache.org/jira/browse/HDFS-2856
>             Project: Hadoop HDFS
>          Issue Type: Improvement
>          Components: datanode, security
>            Reporter: Owen O'Malley
>            Assignee: Chris Nauroth
>            Priority: Blocker
>         Attachments: Datanode-Security-Design.pdf, 
> Datanode-Security-Design.pdf
>
>
> Since we send the block tokens unencrypted to the datanode, we currently 
> start the datanode as root using jsvc and get a secure (< 1024) port.
> If we have the datanode generate a nonce and send it on the connection and 
> the sends an hmac of the nonce back instead of the block token it won't 
> reveal any secrets. Thus, we wouldn't require a secure port and would not 
> require root or jsvc.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to