[HDFS-13060] Adding a BlacklistBasedTrustedChannelResolver for TrustedChannelResolver - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 3.1.0
Component/s: datanode, security
Labels:
None

Hadoop Flags:

Reviewed

Description

~~HDFS-5910~~ introduces encryption negotiation between client and server based on a customizable TrustedChannelResolver class. The TrustedChannelResolver is invoked on both client and server side. If the resolver indicates that the channel is trusted, then the data transfer will not be encrypted even if dfs.encrypt.data.transfer is set to true.

The default trust channel resolver implementation returns false indicating that the channel is not trusted, which always enables encryption. ~~HDFS-5910~~ also added a build-int whitelist based trust channel resolver. It allows you to put IP address/Network Mask of trusted client/server in whitelist files to skip encryption for certain traffics.

This ticket is opened to add a blacklist based trust channel resolver for cases only certain machines (IPs) are untrusted without adding each trusted IP individually.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

HDFS-13060.000.patch
26/Jan/18 23:27
11 kB
Ajay Kumar
HDFS-13060.001.patch
30/Jan/18 18:11
11 kB
Ajay Kumar
HDFS-13060.002.patch
31/Jan/18 17:11
12 kB
Ajay Kumar
HDFS-13060.003.patch
31/Jan/18 22:50
13 kB
Ajay Kumar

Issue Links

is depended upon by

HADOOP-15203 Support composite trusted channel resolver that supports both whitelist and blacklist

Patch Available

relates to

HADOOP-15202 Deprecate CombinedIPWhiteList to use CombinedIPList

Open

Activity

People

Assignee:: Ajay Kumar

Reporter:: Xiaoyu Yao

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: 24/Jan/18 23:48

Updated:: 01/Feb/18 20:44

Resolved:: 01/Feb/18 06:41