[ 
https://issues.apache.org/jira/browse/AMBARI-22803?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Sandor Molnar updated AMBARI-22803:
-----------------------------------
    Description: 
When *HDP 3.0.0* is installed, clients should have the ability to choose 
encrypted communication over RPC when talking to core hadoop components. Today, 
the properties that control this are:
 - {{core-site.xml : hadoop.rpc.protection = authentication}}
 - {{hdfs-site.xml : dfs.data.transfer.protection = authentication}}

The new value of {{privacy}} enables clients to choose an encrypted means of 
communication. By keeping {{authentication}} first, it will be taken as the 
default mechanism so that wire encryption is not automatically enabled by 
accident.

The following properties should be changed to add {{privacy}}:
 - {{core-site.xml : hadoop.rpc.protection = authentication,privacy}}
 - {{hdfs-site.xml : dfs.data.transfer.protection = authentication,privacy}}

The following are cases when this needs to be performed:
 - During Kerberization, the above two properties should be automatically 
reconfigured.
 - During a stack upgrade to any version of *HDP 3.0.0* is covered by 
AMBARI-22981

Blueprint deployment is not a scenario being covered here.

  was:
When *HDP 3.0.0* is installed, clients should have the ability to choose 
encrypted communication over RPC when talking to core hadoop components. Today, 
the properties that control this are:
 - {{core-site.xml : hadoop.rpc.protection = authentication}}
 - {{hdfs-site.xml : dfs.data.transfer.protection = authentication}}

The new value of {{privacy}} enables clients to choose an encrypted means of 
communication. By keeping {{authentication}} first, it will be taken as the 
default mechanism so that wire encryption is not automatically enabled by 
accident.

The following properties should be changed to add {{privacy}}:
 - {{core-site.xml : hadoop.rpc.protection = authentication,privacy}}
 - {{hdfs-site.xml : dfs.data.transfer.protection = authentication,privacy}}

The following are cases when this needs to be performed:
 - During Kerberization, the above two properties should be automatically 
reconfigured.
 - During a stack upgrade to any version of *HDP 3.0.0*, they should be 
automatically merged

Blueprint deployment is not a scenario being covered here.


> Update Hadoop RPC Encryption Properties During Kerberization
> ------------------------------------------------------------
>
>                 Key: AMBARI-22803
>                 URL: https://issues.apache.org/jira/browse/AMBARI-22803
>             Project: Ambari
>          Issue Type: Task
>          Components: ambari-server
>    Affects Versions: 2.7.0
>            Reporter: Jonathan Hurley
>            Assignee: Sandor Molnar
>            Priority: Critical
>             Fix For: 2.7.0
>
>         Attachments: AMBARI-22803.patch
>
>
> When *HDP 3.0.0* is installed, clients should have the ability to choose 
> encrypted communication over RPC when talking to core hadoop components. 
> Today, the properties that control this are:
>  - {{core-site.xml : hadoop.rpc.protection = authentication}}
>  - {{hdfs-site.xml : dfs.data.transfer.protection = authentication}}
> The new value of {{privacy}} enables clients to choose an encrypted means of 
> communication. By keeping {{authentication}} first, it will be taken as the 
> default mechanism so that wire encryption is not automatically enabled by 
> accident.
> The following properties should be changed to add {{privacy}}:
>  - {{core-site.xml : hadoop.rpc.protection = authentication,privacy}}
>  - {{hdfs-site.xml : dfs.data.transfer.protection = authentication,privacy}}
> The following are cases when this needs to be performed:
>  - During Kerberization, the above two properties should be automatically 
> reconfigured.
>  - During a stack upgrade to any version of *HDP 3.0.0* is covered by 
> AMBARI-22981
> Blueprint deployment is not a scenario being covered here.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to