[HDFS-13541] NameNode Port based selective encryption - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: None
Component/s: datanode, namenode, security
Labels:
- release-blocker

Target Version/s:

2.10.0, 3.3.0
Release Note:

Hide
This feature allows HDFS to selectively enforce encryption for both RPC (NameNode) and data transfer (DataNode). With this feature enabled, NameNode can listen on multiple ports, and different ports can have different security configurations. Depending on which NameNode port clients connect to, the RPC calls and the following data transfer will enforce security configuration corresponding to this NameNode port. This can help when there is requirement to enforce different security policies depending on the location where the clients are connecting from.

This can be enabled by setting `hadoop.security.saslproperties.resolver.class` configuration to `org.apache.hadoop.security.IngressPortBasedResolver`, and add the additional NameNode auxiliary ports by setting `dfs.namenode.rpc-address.auxiliary-ports`, and set the security individual ports by configuring `ingress.port.sasl.configured.ports`.

Show
This feature allows HDFS to selectively enforce encryption for both RPC (NameNode) and data transfer (DataNode). With this feature enabled, NameNode can listen on multiple ports, and different ports can have different security configurations. Depending on which NameNode port clients connect to, the RPC calls and the following data transfer will enforce security configuration corresponding to this NameNode port. This can help when there is requirement to enforce different security policies depending on the location where the clients are connecting from. This can be enabled by setting `hadoop.security.saslproperties.resolver.class` configuration to `org.apache.hadoop.security.IngressPortBasedResolver`, and add the additional NameNode auxiliary ports by setting `dfs.namenode.rpc-address.auxiliary-ports`, and set the security individual ports by configuring `ingress.port.sasl.configured.ports`.

Description

Here at LinkedIn, one issue we face is that we need to enforce different security requirement based on the location of client and the cluster. Specifically, for clients from outside of the data center, it is required by regulation that all traffic must be encrypted. But for clients within the same data center, unencrypted connections are more desired to avoid the high encryption overhead.

~~HADOOP-10221~~ introduced pluggable SASL resolver, based on which ~~HADOOP-10335~~ introduced WhitelistBasedResolver which solves the same problem. However we found it difficult to fit into our environment for several reasons. In this JIRA, on top of pluggable SASL resolver, we propose a different approach of running RPC two ports on NameNode, and the two ports will be enforcing encrypted and unencrypted connections respectively, and the following DataNode access will simply follow the same behaviour of encryption/unencryption. Then by blocking unencrypted port on datacenter firewall, we can completely block unencrypted external access.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

NameNode Port based selective encryption-v1.pdf
09/May/18 17:27
133 kB
Chen Liang
HDFS-13541-branch-3.2.001.patch
31/Jul/19 22:17
96 kB
Chen Liang
HDFS-13541-branch-3.2.002.patch
14/Aug/19 23:52
96 kB
Chen Liang
HDFS-13541-branch-3.1.001.patch
16/Aug/19 18:10
107 kB
Chen Liang
HDFS-13541-branch-3.1.002.patch
21/Aug/19 20:46
107 kB
Chen Liang
HDFS-13541-branch-2.001.patch
26/Aug/19 17:08
107 kB
Chen Liang
HDFS-13541-branch-2.002.patch
26/Aug/19 22:51
107 kB
Chen Liang
HDFS-13541-branch-2.003.patch
27/Aug/19 19:53
105 kB
Chen Liang

Issue Links

relates to

HDFS-16644 java.io.IOException Invalid token in javax.security.sasl.qop

Open

HDFS-17025 RBF: Support port based selective encryption on routers.

Open

Sub-Tasks

1.	Add ingress port based sasl resolver	Resolved	Chen Liang
2.	Add configurable additional RPC listener to NameNode	Resolved	Chen Liang
3.	Allow wrapping NN QOP into token in encrypted message	Resolved	Chen Liang
4.	Add DFSClient sending handshake token to DataNode, and allow DataNode overwrite downstream QOP	Resolved	Chen Liang
5.	Move handshake secret field from Token to BlockAccessToken	Resolved	Chen Liang

Activity

People

Assignee:: Chen Liang

Reporter:: Chen Liang

Votes:: 0 Vote for this issue

Watchers:: 17 Start watching this issue

Dates

Created:: 09/May/18 17:27

Updated:: 24/May/23 19:02

Resolved:: 09/Sep/19 18:39