[ 
https://issues.apache.org/jira/browse/YARN-11738?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17895537#comment-17895537
 ] 

Bence Kosztolnik commented on YARN-11738:
-----------------------------------------

Hi [~szetszwo]

I am planning to update the hash alg to HmacSHA256 and the length to 128.

I don't want to make this configurable in the name of KISS. 

Based on some perf tests on my local machine, the avg create time of a 64-bit 
HmacSHA1 is ~0.000162 ms and 0.000287 ms for HmacSHA256 with 128-bit length, so 
it costs roughly 2x the resources, but still not much. On the other hand, we will 
always increase the security of Hadoop clusters, and AFAIK improving security is 
now the mainstream topic in open source development.

> Modernize SecretManager config
> ------------------------------
>
>                 Key: YARN-11738
>                 URL: https://issues.apache.org/jira/browse/YARN-11738
>             Project: Hadoop YARN
>          Issue Type: Improvement
>          Components: yarn
>    Affects Versions: 3.4.1
>            Reporter: Bence Kosztolnik
>            Assignee: Bence Kosztolnik
>            Priority: Major
>              Labels: pull-request-available
>
> FIPS-compliant HMAC-SHA1 algorithms require secret keys to be at least 112 
> bits long. 
> https://github.com/apache/hadoop/blob/98c2bc87b1445c533268c58d382ea4e4297303fd/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/SecretManager.java#L144
> Should be set to 128 to be FIPS compatible.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
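
The two settings compared in the comment above, as an added example that is not part of the original message or of Hadoop's code: it generates a 64-bit HmacSHA1 key and a 128-bit HmacSHA256 key with the standard `javax.crypto` API, checks each against the 112-bit minimum cited in the issue description, and times key creation. The class name, the sample token bytes and the round count are assumptions, and "create time" is assumed to mean key generation.

```java
import javax.crypto.KeyGenerator;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import java.nio.charset.StandardCharsets;

// Hypothetical class name; uses only the JDK, not Hadoop's SecretManager.
public class HmacKeyLengthCheck {
    // Minimum HMAC key length quoted in the issue description.
    static final int FIPS_MIN_KEY_BITS = 112;

    static SecretKey generate(String alg, int bits) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance(alg);
        kg.init(bits);                       // requested key size in bits
        return kg.generateKey();
    }

    // Average wall-clock time of one generateKey() call, in milliseconds.
    static double avgCreateMs(String alg, int bits, int rounds) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance(alg);
        kg.init(bits);
        for (int i = 0; i < rounds; i++) kg.generateKey();   // JIT warm-up
        long start = System.nanoTime();
        for (int i = 0; i < rounds; i++) kg.generateKey();
        return (System.nanoTime() - start) / 1e6 / rounds;
    }

    public static void main(String[] args) throws Exception {
        // The current and the proposed setting from the comment.
        String[] algs = {"HmacSHA1", "HmacSHA256"};
        int[] bits = {64, 128};
        // Constructed sample input standing in for a serialized token identifier.
        byte[] tokenId = "constructed-token-identifier".getBytes(StandardCharsets.UTF_8);

        for (int i = 0; i < algs.length; i++) {
            SecretKey key = generate(algs[i], bits[i]);
            int actualBits = key.getEncoded().length * 8;
            Mac mac = Mac.getInstance(algs[i]);
            mac.init(key);
            byte[] tag = mac.doFinal(tokenId);   // HMAC over the identifier
            System.out.printf("%-10s key=%3d bits  meets %d-bit minimum=%-5b  tag=%d bytes  avg create=%.6f ms%n",
                    algs[i], actualBits, FIPS_MIN_KEY_BITS,
                    actualBits >= FIPS_MIN_KEY_BITS, tag.length,
                    avgCreateMs(algs[i], bits[i], 200_000));
        }
    }
}
```

Timings depend on the JVM, the provider and the machine's entropy source, so treat the printed averages as relative rather than absolute.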
