Posted to hdfs-dev@hadoop.apache.org by "Xiaoyu Yao (JIRA)" <ji...@apache.org> on 2018/01/29 20:16:00 UTC

[jira] [Created] (HDFS-13081) Datanode#checkSecureConfig should check HTTPS and SASL encryption

Xiaoyu Yao created HDFS-13081:
---------------------------------

             Summary: Datanode#checkSecureConfig should check HTTPS and SASL encryption
                 Key: HDFS-13081
                 URL: https://issues.apache.org/jira/browse/HDFS-13081
             Project: Hadoop HDFS
          Issue Type: Bug
          Components: datanode, security
    Affects Versions: 3.0.0
            Reporter: Xiaoyu Yao
            Assignee: Ajay Kumar


Datanode#checkSecureConfig currently checks the following to determine if secure datanode is enabled.
 # The server has bound to privileged ports for RPC and HTTP via SecureDataNodeStarter.
 # The configuration enables SASL on DataTransferProtocol and HTTPS (no plain HTTP) for the HTTP server. The SASL handshake guarantees authentication of the RPC server before a client transmits a secret, such as a block access token. Similarly, SSL guarantees authentication of the HTTP server before a client transmits a secret, such as a delegation token.

For the 2nd case, HTTPS_ONLY means all the traffic between REST client/server will be encrypted. However, the logic that checks only whether a SASL property resolver is configured does not mean the server requires encrypted RPC.

This ticket is opened to further check and ensure that the datanode SASL property resolver has a QoP that includes auth-conf (PRIVACY). Note that the SASL QoP (Quality of Protection) negotiation may drop the RPC protection level from auth-conf (PRIVACY) to auth-int (integrity) or auth (authentication) only, which should be fine by design.


cc: [~cnauroth] , [~jnpandey] for additional feedback.

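The check described in the ticket, as an added stand-alone example that is not Hadoop code and not the reporter's proposal in code form. It restates the two states side by side: the existing "is a SASL property resolver configured at all" test, and the proposed "does the resolver's QoP list include auth-conf" test. The mapping from dfs.data.transfer.protection values (authentication, integrity, privacy) to SASL QoP tokens (auth, auth-int, auth-conf) and the javax.security.sasl.Sasl.QOP property key are the documented ones; the class name, method names and the string-keyed property map standing in for a SaslPropertiesResolver are assumptions made for the example.

```java
import javax.security.sasl.Sasl;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;

/**
 * Added example (not Hadoop code): contrasts the current and the proposed
 * secure-datanode checks from HDFS-13081. Class and method names are
 * hypothetical; the protection-to-QoP mapping is Hadoop's documented one.
 */
public class SecureDataNodeQopCheck {

    /** Documented mapping of dfs.data.transfer.protection values to SASL QoP tokens. */
    private static final Map<String, String> PROTECTION_TO_QOP = new HashMap<>();
    static {
        PROTECTION_TO_QOP.put("authentication", "auth");
        PROTECTION_TO_QOP.put("integrity", "auth-int");
        PROTECTION_TO_QOP.put("privacy", "auth-conf");
    }

    /**
     * Builds the SASL properties a resolver would hand to the server for a
     * comma-separated dfs.data.transfer.protection value (stand-in for
     * SaslPropertiesResolver; the real one is configured from the same list).
     */
    static Map<String, String> saslPropertiesFor(String dataTransferProtection) {
        Set<String> qops = new LinkedHashSet<>();
        for (String p : dataTransferProtection.split(",")) {
            String qop = PROTECTION_TO_QOP.get(p.trim().toLowerCase());
            if (qop == null) {
                throw new IllegalArgumentException("unknown dfs.data.transfer.protection value: " + p);
            }
            qops.add(qop);
        }
        Map<String, String> props = new HashMap<>();
        props.put(Sasl.QOP, String.join(",", qops));  // e.g. "auth-int,auth-conf"
        props.put(Sasl.SERVER_AUTH, "true");
        return props;
    }

    /** The current logic, as the ticket describes it: a resolver is configured, nothing more. */
    static boolean currentCheck(Map<String, String> saslProps) {
        return saslProps != null;
    }

    /**
     * The proposed logic: the resolver's offered QoP list must include
     * auth-conf. Offering auth-conf does not force it; a client may still
     * negotiate down to auth-int or auth, which the ticket accepts by design.
     */
    static boolean proposedCheck(Map<String, String> saslProps) {
        if (saslProps == null) {
            return false;
        }
        String qop = saslProps.get(Sasl.QOP);
        if (qop == null) {
            return false;
        }
        for (String q : qop.split(",")) {
            if ("auth-conf".equals(q.trim())) {
                return true;
            }
        }
        return false;
    }

    /** Combined secure-config decision: HTTPS_ONLY on the HTTP side, auth-conf offered on the RPC side. */
    static boolean isSecureConfig(String dfsHttpPolicy, String dataTransferProtection) {
        boolean httpsOnly = "HTTPS_ONLY".equalsIgnoreCase(dfsHttpPolicy);
        return httpsOnly && proposedCheck(saslPropertiesFor(dataTransferProtection));
    }

    public static void main(String[] args) {
        String[] configs = {"authentication", "integrity", "privacy", "integrity,privacy"};
        for (String cfg : configs) {
            Map<String, String> props = saslPropertiesFor(cfg);
            System.out.printf("dfs.data.transfer.protection=%-18s current=%-5b proposed=%-5b secure(HTTPS_ONLY)=%b%n",
                    cfg, currentCheck(props), proposedCheck(props), isSecureConfig("HTTPS_ONLY", cfg));
        }
        // A configuration of "authentication" alone passes the current check but not the proposed one.
    }
}
```

Running main prints one line per configuration: "authentication" and "integrity" pass currentCheck but fail proposedCheck, while "privacy" and "integrity,privacy" pass both. The point of keeping the two checks as separate methods is that the weaker one is exactly what the ticket says is insufficient: a resolver being present says nothing about whether encryption is even on offer, and the QoP that the negotiation finally settles on is a separate, per-connection matter that this static config check cannot decide.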