jojochuang commented on code in PR #193: URL: https://github.com/apache/ozone-site/pull/193#discussion_r2656608835
########## docs/05-administrator-guide/02-configuration/03-security/05-encryption/01-network-encryption/01-hadoop-rpc.md: ########## @@ -4,4 +4,15 @@ sidebar_label: Hadoop RPC # Configuring Hadoop RPC With SASL -**TODO:** File a subtask under [HDDS-9859](https://issues.apache.org/jira/browse/HDDS-9859) and complete this page or section. +Ozone traffic, whether between the cluster and client, or internal inside the cluster, may be transferred via Hadoop RPC (e.g. client to Ozone Manager). To encrypt client-OM (Ozone Manager) communication, configure `hadoop.rpc.protection` to `privacy` in your `core-site.xml`. This ensures that all data exchanged over Hadoop RPC is encrypted. + +```xml +<property> + <name>hadoop.rpc.protection</name> + <value>privacy</value> +</property> +``` + +## OM Transport Class + +While the default is `org.apache.hadoop.ozone.om.protocolPB.Hadoop3OmTransportFactory`, it is possible to specify a gRPC based transport using the `ozone.om.transport.class` configuration property: `org.apache.hadoop.ozone.om.protocolPB.GrpcOmTransportFactory`. In this case, the Hadoop RPC configuration is not applicable. Review Comment: See "Configuring gRPC With TLS" page to encrypt gRPC in this case. ########## docs/05-administrator-guide/02-configuration/03-security/05-encryption/01-network-encryption/01-hadoop-rpc.md: ########## 
@@ -4,4 +4,15 @@ sidebar_label: Hadoop RPC # Configuring Hadoop RPC With SASL -**TODO:** File a subtask under [HDDS-9859](https://issues.apache.org/jira/browse/HDDS-9859) and complete this page or section. +Ozone traffic, whether between the cluster and client, or internal inside the cluster, may be transferred via Hadoop RPC (e.g. client to Ozone Manager). To encrypt client-OM (Ozone Manager) communication, configure `hadoop.rpc.protection` to `privacy` in your `core-site.xml`. This ensures that all data exchanged over Hadoop RPC is encrypted. + +```xml +<property> + <name>hadoop.rpc.protection</name> + <value>privacy</value> +</property> +``` + +## OM Transport Class + +While the default is `org.apache.hadoop.ozone.om.protocolPB.Hadoop3OmTransportFactory`, it is possible to specify a gRPC based transport using the `ozone.om.transport.class` configuration property: `org.apache.hadoop.ozone.om.protocolPB.GrpcOmTransportFactory`. In this case, the Hadoop RPC configuration is not applicable. Review Comment: This is only applicable to the client-OM (Ozone Manager) communication. ########## docs/05-administrator-guide/02-configuration/03-security/05-encryption/01-network-encryption/01-hadoop-rpc.md: ########## 
@@ -4,4 +4,15 @@ sidebar_label: Hadoop RPC # Configuring Hadoop RPC With SASL -**TODO:** File a subtask under [HDDS-9859](https://issues.apache.org/jira/browse/HDDS-9859) and complete this page or section. +Ozone traffic, whether between the cluster and client, or internal inside the cluster, may be transferred via Hadoop RPC (e.g. client to Ozone Manager). To encrypt client-OM (Ozone Manager) communication, configure `hadoop.rpc.protection` to `privacy` in your `core-site.xml`. This ensures that all data exchanged over Hadoop RPC is encrypted. + +```xml +<property> + <name>hadoop.rpc.protection</name> + <value>privacy</value> +</property> +``` + +## OM Transport Class + +While the default is `org.apache.hadoop.ozone.om.protocolPB.Hadoop3OmTransportFactory`, it is possible to specify a gRPC based transport using the `ozone.om.transport.class` configuration property: `org.apache.hadoop.ozone.om.protocolPB.GrpcOmTransportFactory`. In this case, the Hadoop RPC configuration is not applicable. Review Comment: Let's rewrite the paragraphs as follows: The default transport class for communication with the Ozone Manager (OM) is org.apache.hadoop.ozone.om.protocolPB.Hadoop3OmTransportFactory. However, users can configure the system to use a gRPC-based transport class for client-to-OM communication by setting the ozone.om.transport.class configuration property to org.apache.hadoop.ozone.om.protocolPB.GrpcOmTransportFactory. In this case, the Hadoop RPC encryption configuration is not applicable. Refer to the "Configuring gRPC With TLS" page to encrypt gRPC-based communication. ########## docs/05-administrator-guide/02-configuration/03-security/05-encryption/01-network-encryption/01-hadoop-rpc.md: ########## 
@@ -4,4 +4,15 @@ sidebar_label: Hadoop RPC # Configuring Hadoop RPC With SASL -**TODO:** File a subtask under [HDDS-9859](https://issues.apache.org/jira/browse/HDDS-9859) and complete this page or section. +Ozone traffic, whether between the cluster and client, or internal inside the cluster, may be transferred via Hadoop RPC (e.g. client to Ozone Manager). To encrypt client-OM (Ozone Manager) communication, configure `hadoop.rpc.protection` to `privacy` in your `core-site.xml`. This ensures that all data exchanged over Hadoop RPC is encrypted. + Review Comment: Might also want to add that Hadoop RPC is encrypted using the algorithm selected by the Java SASL, which is typically 3DES or RC4. The Hadoop RPC throughput may drop due to encryption overhead. For more information, check out Hadoop in Secure Mode https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/SecureMode.html -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
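Review bot: The new paragraph in the `01-hadoop-rpc.md` hunk claims that setting `hadoop.rpc.protection` to `privacy` "ensures that all data exchanged over Hadoop RPC is encrypted", but the page heading is "Configuring Hadoop RPC With SASL" and the text never states the prerequisite that SASL authentication must be in use: in Hadoop this property only takes effect when `hadoop.security.authentication` is `kerberos`, and with the default `simple` authentication it is ignored and RPC traffic stays in the clear. Suggest adding a sentence before the XML snippet along the lines of "This setting requires Kerberos authentication (`hadoop.security.authentication=kerberos`); without SASL authentication it has no effect." It would also help readers to note that `authentication` and `integrity` are the other accepted values and that only `privacy` encrypts payloads, and that the value must be configured consistently on both client and server, since a client and server with no common protection level cannot negotiate a connection. The phrase "internal inside the cluster" reads awkwardly; "or internal to the cluster" would be clearer.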
