Uploaded image for project: 'HBase'
  1. HBase
  2. HBASE-16414

Improve performance for RPC encryption with Apache Common Crypto

    XMLWordPrintableJSON

Details

    • Improvement
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • 2.0.0
    • 2.0.0
    • IPC/RPC
    • None
    • Reviewed
    • Hide
      With the security RPC and encryption enabled, introduce Apache Commons Crypto to do the encryption/decryption which supports both supports both JCE Cipher and OpenSSL Cipher. Adds new configs "hbase.rpc.crypto.encryption.aes.enabled" which defaults to false, and "hbase.rpc.crypto.encryption.aes.cipher.class" which defaults to "org.apache.commons.crypto.cipher.JceCipher" to support JCE Cipher, it also can be set as "org.apache.hadoop.crypto.OpensslCipher" to support Openssl Cipher.
      Show
      With the security RPC and encryption enabled, introduce Apache Commons Crypto to do the encryption/decryption which supports both supports both JCE Cipher and OpenSSL Cipher. Adds new configs "hbase.rpc.crypto.encryption.aes.enabled" which defaults to false, and "hbase.rpc.crypto.encryption.aes.cipher.class" which defaults to "org.apache.commons.crypto.cipher.JceCipher" to support JCE Cipher, it also can be set as "org.apache.hadoop.crypto.OpensslCipher" to support Openssl Cipher.

    Description

      Hbase RPC encryption is enabled by setting “hbase.rpc.protection” to "privacy". With the token authentication, it utilized DIGEST-MD5 mechanisms for secure authentication and data protection. For DIGEST-MD5, it uses DES, 3DES or RC4 to do encryption and it is very slow, especially for Scan. This will become the bottleneck of the RPC throughput.
      Apache Commons Crypto is a cryptographic library optimized with AES-NI. It provides Java API for both cipher level and Java stream level. Developers can use it to implement high performance AES encryption/decryption with the minimum code and effort. Compare with the current implementation of org.apache.hadoop.hbase.io.crypto.aes.AES, Crypto supports both JCE Cipher and OpenSSL Cipher which is better performance than JCE Cipher. User can configure the cipher type and the default is JCE Cipher.

      Attachments

        1. HBASE-16414.009.patch
          248 kB
          Colin
        2. HBASE-16414.008.patch
          246 kB
          Colin
        3. HBASE-16414.007.patch
          249 kB
          Colin
        4. HBASE-16414.006.patch
          249 kB
          Colin
        5. HBASE-16414.005.patch
          229 kB
          Colin
        6. HBASE-16414.004.patch
          231 kB
          Colin
        7. HBASE-16414.003.patch
          231 kB
          Colin
        8. HBASE-16414.002.patch
          231 kB
          Colin
        9. HBASE-16414.001.patch
          94 kB
          Colin
        10. HbaseRpcEncryptionWithCrypoto.docx
          76 kB
          Colin

        Issue Links

          Activity

            People

              colin Colin
              colin Colin
              Votes:
              0 Vote for this issue
              Watchers:
              17 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: