Uploaded image for project: 'Hadoop HDFS'
  1. Hadoop HDFS
  2. HDFS-13081

Datanode#checkSecureConfig should allow SASL and privileged HTTP


    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.0.0
    • Fix Version/s: 3.1.0, 3.0.3
    • Component/s: datanode, security
    • Labels:
    • Hadoop Flags:


      Datanode#checkSecureConfig currently check the following to determine if secure datanode is enabled. 

      1. The server has bound to privileged ports for RPC and HTTP via SecureDataNodeStarter.
      2. The configuration enables SASL on DataTransferProtocol and HTTPS (no plain HTTP) for the HTTP server.

      Authentication of Datanode RPC server can be done either via SASL handshake or JSVC/privilege RPC port.
      This guarantees authentication of the datanode RPC server before a client transmits a secret, such as a block access token.

      Authentication of the HTTP server can also be done either via HTTPS/SSL or JSVC/privilege HTTP port. This guarantees authentication of datandoe HTTP server before a client transmits a secret, such as a delegation token.

      This ticket is open to allow privileged HTTP as an alternative to HTTPS to work with SASL based RPC protection.
      cc: Chris NaurothDaryn Sharp, Jitendra Nath Pandey for additional feedback.



        1. HDFS-13081.000.patch
          4 kB
          Ajay Kumar
        2. HDFS-13081.001.patch
          12 kB
          Ajay Kumar
        3. HDFS-13081.002.patch
          12 kB
          Ajay Kumar
        4. HDFS-13081.003.patch
          12 kB
          Ajay Kumar
        5. HDFS-13081.004.patch
          12 kB
          Ajay Kumar
        6. HDFS-13081.005.patch
          12 kB
          Ajay Kumar
        7. HDFS-13081.006.patch
          12 kB
          Ajay Kumar

          Issue Links



              • Assignee:
                ajayydv Ajay Kumar
                xyao Xiaoyu Yao
              • Votes:
                0 Vote for this issue
                8 Start watching this issue


                • Created: