[HBASE-26666] Add native TLS encryption support to RPC server/client - ASF JIRA

XML

Word

Printable

JSON

Details

Type: New Feature
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 3.0.0-alpha-2, 2.6.0, 2.4.12, 2.5.1
Fix Version/s: 2.6.0, 3.0.0-alpha-4
Component/s: encryption, security
Labels:
- SSL
- TLS
- encryption
- security

Release Note:

Hide
Full support for TLS/SSL encryption in Netty RPC client and server. The implementation is based on Netty's built-in SSL handler and capable of using JDK or OpenSSL implementation whichever is available on the classpath. The feature also supports side-by-side plaintext and encrypted communication which enables upgrading existing clusters with zero downtime.

Show
Full support for TLS/SSL encryption in Netty RPC client and server. The implementation is based on Netty's built-in SSL handler and capable of using JDK or OpenSSL implementation whichever is available on the classpath. The feature also supports side-by-side plaintext and encrypted communication which enables upgrading existing clusters with zero downtime.

Description

Today, HBase must complete the SASL handshake (saslClient.complete()) prior to turning on any RPC encryption (hbase.rpc.protection=privacy, sasl.QOP=auth-conf).

This is a problem because we have to transmit the bearer token to the server before we can complete the sasl handshake. This would mean that we would insecurely transmit the bearer token (which is equivalent to any other password) which is a bad smell.

Ideally, if we can solve this problem for the oauth bearer mechanism, we could also apply it to our delegation token interface for digest-md5 (which, I believe, suffers the same problem).

The plan is to port Server/Client TLS implementation from the ZooKeeper project. It's a Netty based solution which looks like the best fit for NettyRpc client/server.

Attachments

Issue Links

incorporates

ZOOKEEPER-2120 SSL feature on Netty

Resolved

is blocked by

HBASE-27271 BufferCallBeforeInitHandler should ignore the flush request

Resolved

is required by

HBASE-26553 OAuth Bearer authentication mech plugin for SASL

In Progress

HBASE-27226 Document native TLS support in Netty RPC

Resolved

relates to

HBASE-27347 Port FileWatcher from ZK to autodetect keystore/truststore changes in TLS connections

Resolved

HBASE-27278 Improve TestTlsIPC to reuse existing IPC test code

Resolved

HBASE-27279 Make SslHandler work with SaslWrapHandler/SaslUnwrapHandler

Resolved

HBASE-27342 Use Hadoop Credentials API to retrieve passwords of TLS key/trust stores

Resolved

HBASE-27346 Autodetect key/truststore file type from file extension

Resolved

links to

GitHub Pull Request #4125

GitHub Pull Request #4666

(4 relates to, 2 links to)

Activity

People

Assignee:: Andor Molnar

Reporter:: Josh Elser

Votes:: 0 Vote for this issue

Watchers:: 11 Start watching this issue

Dates

Created:: 13/Jan/22 22:17

Updated:: 30/Aug/22 12:05

Resolved:: 06/Aug/22 23:53