Uploaded image for project: 'Hadoop HDFS'
  1. Hadoop HDFS
  2. HDFS-13541

NameNode Port based selective encryption



    • Type: Improvement
    • Status: Patch Available
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: datanode, namenode, security
    • Labels:
    • Target Version/s:


      Here at LinkedIn, one issue we face is that we need to enforce different security requirement based on the location of client and the cluster. Specifically, for clients from outside of the data center, it is required by regulation that all traffic must be encrypted. But for clients within the same data center, unencrypted connections are more desired to avoid the high encryption overhead. 

      HADOOP-10221 introduced pluggable SASL resolver, based on which HADOOP-10335 introduced WhitelistBasedResolver which solves the same problem. However we found it difficult to fit into our environment for several reasons. In this JIRA, on top of pluggable SASL resolver, we propose a different approach of running RPC two ports on NameNode, and the two ports will be enforcing encrypted and unencrypted connections respectively, and the following DataNode access will simply follow the same behaviour of encryption/unencryption. Then by blocking unencrypted port on datacenter firewall, we can completely block unencrypted external access.


        1. NameNode Port based selective encryption-v1.pdf
          133 kB
          Chen Liang
        2. HDFS-13541-branch-3.2.001.patch
          96 kB
          Chen Liang
        3. HDFS-13541-branch-3.2.002.patch
          96 kB
          Chen Liang
        4. HDFS-13541-branch-3.1.001.patch
          107 kB
          Chen Liang



            • Assignee:
              vagarychen Chen Liang
              vagarychen Chen Liang
            • Votes:
              0 Vote for this issue
              13 Start watching this issue


              • Created: