[
https://issues.apache.org/jira/browse/AMBARI-22725?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16321318#comment-16321318
]
ASF GitHub Bot commented on AMBARI-22725:
-----------------------------------------
jonathan-hurley opened a new pull request #84: AMBARI-22725 - Update Hadoop RPC
Encryption Properties During Kerberization and Upgrade (jonathanhurley)
URL: https://github.com/apache/ambari/pull/84
## What changes were proposed in this pull request?
Clients should have the ability to choose encrypted communication over RPC
when talking to core hadoop components. Today, the properties that control this
are:
- {{core-site.xml : hadoop.rpc.protection = authentication}}
- {{hdfs-site.xml : dfs.data.transfer.protection = authentication}}
The new value of {{privacy}} enables clients to choose an encrypted means of
communication. By keeping {{authentication}} first, it will be taken as the
default mechanism so that wire encryption is not automatically enabled by
accident.
The following properties should be changed to add {{privacy}}:
- {{core-site.xml : hadoop.rpc.protection = authentication,privacy}}
- {{hdfs-site.xml : dfs.data.transfer.protection = authentication,privacy}}
The following are cases when this needs to be performed:
- During Kerberization, the above two properties should be automatically
reconfigured.
- During a stack upgrade to any version of HDP 2.6, they should be
automatically merged
Blueprint deployment is not a scenario being covered here.
## How was this patch tested?
Manual testing performed on a cluster by upgrading it and then kerberzing
it.
```
Total run:1201
Total errors:0
Total failures:0
OK
[INFO]
------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO]
------------------------------------------------------------------------
[INFO] Total time: 01:01 min
[INFO] Finished at: 2018-01-04T15:55:20-05:00
[INFO] Final Memory: 21M/619M
[INFO]
------------------------------------------------------------------------
```
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
> Update Hadoop RPC Encryption Properties During Kerberization and Upgrade
> ------------------------------------------------------------------------
>
> Key: AMBARI-22725
> URL: https://issues.apache.org/jira/browse/AMBARI-22725
> Project: Ambari
> Issue Type: Task
> Affects Versions: 2.6.2
> Reporter: Jonathan Hurley
> Assignee: Jonathan Hurley
> Priority: Critical
> Fix For: 2.6.2
>
> Attachments: AMBARI-22725.patch
>
>
> Clients should have the ability to choose encrypted communication over RPC
> when talking to core hadoop components. Today, the properties that control
> this are:
> - {{core-site.xml : hadoop.rpc.protection = authentication}}
> - {{hdfs-site.xml : dfs.data.transfer.protection = authentication}}
> The new value of {{privacy}} enables clients to choose an encrypted means of
> communication. By keeping {{authentication}} first, it will be taken as the
> default mechanism so that wire encryption is not automatically enabled by
> accident.
> The following properties should be changed to add {{privacy}}:
> - {{core-site.xml : hadoop.rpc.protection = authentication,privacy}}
> - {{hdfs-site.xml : dfs.data.transfer.protection = authentication,privacy}}
> The following are cases when this needs to be performed:
> - During Kerberization, the above two properties should be automatically
> reconfigured.
> - During a stack upgrade to any version of HDP 2.6, they should be
> automatically merged
> Blueprint deployment is not a scenario being covered here.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
