Details
- New Feature
- Status: In Progress
- Major
- Resolution: Unresolved
Description
Per discussion on common-dev and text copied here for ease of reference.
Thanks all for the inputs. To offer additional information (while Daryn is working on his stuff), optimizing RPC encryption opens up another possibility: migrating KMS service to use Hadoop RPC.

Today's KMS uses HTTPS + REST API, much like webhdfs. It has very undesirable performance (a few thousand ops per second) compared to NameNode. Unfortunately for each NameNode namespace operation you also need to access KMS too. Migrating KMS to Hadoop RPC greatly improves its performance (if implemented correctly), and RPC encryption would be a prerequisite. So please keep that in mind when discussing the Hadoop RPC encryption improvements.

Cloudera is very interested to help with the Hadoop RPC encryption project because a lot of our customers are using at-rest encryption, and some of them are starting to hit the KMS performance limit.

This whole "migrating KMS to Hadoop RPC" was Daryn's idea. I heard this idea in the meetup and I am very thrilled to see this happening because it is a real issue bothering some of our customers, and I suspect it is the right solution to address this tech debt.
Issue Links
- is blocked by
  - HADOOP-15977 RPC support for TLS (Open)
- relates to
  - HDFS-14312 KMS-o-meter: Scale test KMS using kms audit log (In Progress)
1. Abstract transport layer implementation out of KMS | Open | Unassigned
2. Add protobuf and associated helper classes/interfaces for KMS | Open | Unassigned
3. Create a KeyManagerRpcServer for KMS | Open | Unassigned
4. Create a Hadoop RPC based KMS client | Patch Available | Anu Engineer
5. Support delegation token operations in KMS Benchmark | Open | George Huang
6. Support reencrypt in KMS Benchmark | Patch Available | George Huang