Posted to common-user@hadoop.apache.org by Brian MacKay <Br...@MEDecision.com> on 2009/01/30 15:24:31 UTC

How To Encrypt Hadoop Socket Connections

Hello,

Found some archive posts regarding "encrypt Hadoop socket connections"

https://issues.apache.org/jira/browse/HADOOP-2239

http://markmail.org/message/pmn23y4b3gdxcpif

Couldn't find any documentation or Junit tests.  Does anyone know the
proper configuration changes to make?

It seems like the following are needed in hadoop-site.xml?

https.keystore.info.rsrc  = should reference an external config file, in
this example called sslinfo.xml ?

https.keystore.password  =  ?
https.keystore.keypassword  = ?

-------------------------------------------------------------------
Snippet from org.apache.hadoop.dfs.DataNode

  void startDataNode(Configuration conf, 
                     AbstractList<File> dataDirs
                     ) throws IOException {

    ...
    sslConf.addResource(conf.get("https.keystore.info.rsrc", "sslinfo.xml"));
    String keyloc = sslConf.get("https.keystore.location");
    if (null != keyloc) {
      this.infoServer.addSslListener(secInfoSocAddr, keyloc,
          sslConf.get("https.keystore.password", ""),
          sslConf.get("https.keystore.keypassword", ""));
--------------------------------------------------------------



Re: How To Encrypt Hadoop Socket Connections

Posted by Darren Govoni <da...@ontrenet.com>.
One alternative might be to use openvpn and bind the hadoop services to
the private VPN interface address openvpn assigns the machine. All
traffic over that IP address is thus encrypted and secured.

On Fri, 2009-01-30 at 09:24 -0500, Brian MacKay wrote:
> Hello,
> 
> Found some archive posts regarding "encrypt Hadoop socket connections"
> 
> https://issues.apache.org/jira/browse/HADOOP-2239
> 
> http://markmail.org/message/pmn23y4b3gdxcpif
> 
> Couldn't find any documentation or Junit tests.  Does anyone know the
> proper configuration changes to make?
> 
> It seems like the following are needed in hadoop-site.xml?
> 
> https.keystore.info.rsrc  = should reference an external config file, in
> this example called sslinfo.xml ?
> 
> https.keystore.password  =  ?
> https.keystore.keypassword  = ?
> 
> -------------------------------------------------------------------
> Snippet from org.apache.hadoop.dfs.DataNode
> 
>   void startDataNode(Configuration conf, 
>                      AbstractList<File> dataDirs
>                      ) throws IOException {
> 
>     ...
>     sslConf.addResource(conf.get("https.keystore.info.rsrc", "sslinfo.xml"));
>     String keyloc = sslConf.get("https.keystore.location");
>     if (null != keyloc) {
>       this.infoServer.addSslListener(secInfoSocAddr, keyloc,
>           sslConf.get("https.keystore.password", ""),
>           sslConf.get("https.keystore.keypassword", ""));
> --------------------------------------------------------------


Re: How To Encrypt Hadoop Socket Connections

Posted by Allen Wittenauer <aw...@yahoo-inc.com>.


On 1/30/09 6:24 AM, "Brian MacKay" <Br...@MEDecision.com> wrote:
> https://issues.apache.org/jira/browse/HADOOP-2239

    This ended up getting turned into "encrypting distcp" and not actually
encrypting intra-grid socket connections. (Can we "rename" a JIRA?)  If you
need that capability today, your best bet is likely IPsec or something
similar.

    Hadoop has lots and lots of security holes and this is but one.
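
Added example, not part of the thread and not Hadoop's own code: a Python check of the file that the quoted DataNode snippet loads through https.keystore.info.rsrc, mirroring what the snippet does with each key (no SSL listener when https.keystore.location is absent, empty-string defaults for the two passwords). The sample file contents, the keystore path and the function names load_props and audit_sslinfo are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the resource named by https.keystore.info.rsrc
# (default "sslinfo.xml" in the snippet). Path and password are made up.
SAMPLE_SSLINFO = """<configuration>
  <property>
    <name>https.keystore.location</name>
    <value>/etc/hadoop/conf/datanode.jks</value>
  </property>
  <property>
    <name>https.keystore.password</name>
    <value>example-store-pass</value>
  </property>
</configuration>
"""

def load_props(xml_text):
    """Parse Hadoop-style <configuration><property> XML into a dict."""
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def audit_sslinfo(xml_text):
    """Return findings that mirror how the quoted snippet reads the keys."""
    props = load_props(xml_text)
    findings = []
    # Snippet: `if (null != keyloc)` -> without a location no SSL listener is added.
    if not props.get("https.keystore.location"):
        findings.append("https.keystore.location unset: no SSL listener is added")
        return findings
    # Snippet: sslConf.get(key, "") -> a missing password silently becomes "".
    for key in ("https.keystore.password", "https.keystore.keypassword"):
        if not props.get(key):
            findings.append(key + " missing or empty: defaults to empty string")
    return findings

if __name__ == "__main__":
    for line in audit_sslinfo(SAMPLE_SSLINFO) or ["no findings"]:
        print(line)
```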