  1. Hadoop HDFS
  2. HDFS-13061

SaslDataTransferClient#checkTrustAndSend should not trust a partially trusted channel


Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • None
    • 3.1.0
    • None
    • None
    • Reviewed

    Description

      HDFS-5910 introduces encryption negotiation between client and server based on a customizable TrustedChannelResolver class. The TrustedChannelResolver is invoked on both the client and the server side. If the resolver indicates that the channel is trusted, then the data transfer will not be encrypted even if dfs.encrypt.data.transfer is set to true.

      SaslDataTransferClient#checkTrustAndSend asks the channel resolver whether the client and server addresses are trusted, respectively. It decides the channel is untrusted, and so enforces encryption, only if both client and server are not trusted. This ticket is opened to change it to not trust (and encrypt) if either the client or the server address is not trusted.
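
      The trust decision described above, as an added example that is not Hadoop's code or the attached patch: it compares the "both untrusted" rule with the "either untrusted" rule over every client/server combination. The resolver interface, class name, method names and sample addresses are hypothetical and constructed for illustration.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Set;

// Added illustration, not Hadoop source. All names here are hypothetical.
public class TrustDecisionDemo {

    /** Stand-in for a pluggable resolver: is this single address trusted? */
    interface AddressTrustResolver {
        boolean isTrusted(InetAddress addr);
    }

    /** Rule described in the ticket: encrypt only when BOTH ends are untrusted. */
    static boolean mustEncryptBefore(AddressTrustResolver r, InetAddress client, InetAddress server) {
        return !r.isTrusted(client) && !r.isTrusted(server);
    }

    /** Rule the ticket asks for: encrypt when EITHER end is untrusted. */
    static boolean mustEncryptAfter(AddressTrustResolver r, InetAddress client, InetAddress server) {
        return !r.isTrusted(client) || !r.isTrusted(server);
    }

    /** True when the old rule would skip encryption that the new rule requires. */
    static boolean isPartialTrustGap(AddressTrustResolver r, InetAddress client, InetAddress server) {
        return !mustEncryptBefore(r, client, server) && mustEncryptAfter(r, client, server);
    }

    public static void main(String[] args) throws UnknownHostException {
        // Constructed sample data: two "trusted" private addresses, one outside address.
        InetAddress inA = InetAddress.getByName("10.0.0.5");
        InetAddress inB = InetAddress.getByName("10.0.0.6");
        InetAddress out = InetAddress.getByName("203.0.113.7");
        Set<InetAddress> trusted = Set.of(inA, inB);
        AddressTrustResolver resolver = trusted::contains;

        InetAddress[][] pairs = { {inA, inB}, {inA, out}, {out, inA}, {out, out} };
        System.out.printf("%-13s %-13s %-15s %-15s%n",
            "client", "server", "encrypt(before)", "encrypt(after)");
        for (InetAddress[] p : pairs) {
            String note = isPartialTrustGap(resolver, p[0], p[1])
                ? "  <- partially trusted channel left unencrypted by the old rule" : "";
            System.out.printf("%-13s %-13s %-15s %-15s%s%n",
                p[0].getHostAddress(), p[1].getHostAddress(),
                mustEncryptBefore(resolver, p[0], p[1]),
                mustEncryptAfter(resolver, p[0], p[1]), note);
        }
    }
}
```

      The two rules agree when both ends are trusted or both are untrusted; they differ only on the mixed rows, which is the partially trusted case named in the issue title.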

      Attachments

        1. HDFS-13061.000.patch
          5 kB
          Ajay Kumar
        2. HDFS-13061.001.patch
          8 kB
          Ajay Kumar
        3. HDFS-13061.002.patch
          8 kB
          Ajay Kumar
        4. HDFS-13061.003.patch
          8 kB
          Ajay Kumar


          People

            ajayydv Ajay Kumar
            xyao Xiaoyu Yao
            Votes: 0
            Watchers: 7

            Dates

              Created:
              Updated:
              Resolved:
