  1. Hadoop HDFS
  2. HDFS-2856

Fix block protocol so that Datanodes don't require root or jsvc

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.4.0, 3.0.0-alpha1
    • Fix Version/s: 2.6.0
    • Component/s: datanode, security
    • Labels:
      None
    • Target Version/s:
    • Hadoop Flags:
      Reviewed
    • Release Note:
      SASL now can be used to secure the DataTransferProtocol, which transfers file block content between HDFS clients and DataNodes. In this configuration, it is no longer required for secured clusters to start the DataNode as root and bind to privileged ports.

      Description

      Since we send the block tokens unencrypted to the datanode, we currently start the datanode as root using jsvc and get a secure (< 1024) port.

      If we have the datanode generate a nonce and send it on the connection, and the client sends an HMAC of the nonce back instead of the block token, it won't reveal any secrets. Thus, we wouldn't require a secure port and would not require root or jsvc.
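The challenge-response exchange proposed in the description, as an added sketch that is not code from this issue or from Hadoop (the release note says the shipped fix secures DataTransferProtocol with SASL). It assumes the token secret is an HMAC of the token identifier under a block key shared by NameNode and DataNode; all class, function and identifier names are hypothetical.

```python
import hashlib
import hmac
import secrets

def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def issue_token(block_key: bytes, token_id: bytes):
    """NameNode side (assumed): the token secret is derived from the identifier."""
    return token_id, mac(block_key, token_id)

class DataNode:
    """Verifier. Holds the block key; never receives the token secret on the wire."""
    def __init__(self, block_key: bytes):
        self._block_key = block_key
        self._pending = set()            # nonces issued and not yet answered

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)  # fresh per connection, sent in the clear
        self._pending.add(nonce)
        return nonce

    def verify(self, token_id: bytes, nonce: bytes, response: bytes) -> bool:
        if nonce not in self._pending:
            return False                 # unknown or already-answered nonce (replay)
        self._pending.discard(nonce)     # each nonce is accepted at most once
        token_secret = mac(self._block_key, token_id)  # recomputed locally
        return hmac.compare_digest(mac(token_secret, nonce), response)

class Client:
    """Prover. Obtained (token_id, token_secret) from the NameNode (assumed)."""
    def __init__(self, token_id: bytes, token_secret: bytes):
        self.token_id = token_id
        self._token_secret = token_secret

    def respond(self, nonce: bytes) -> bytes:
        # Only HMAC(secret, nonce) crosses the network, not the secret itself.
        return mac(self._token_secret, nonce)

def exchange(dn: DataNode, client: Client) -> bool:
    nonce = dn.challenge()
    return dn.verify(client.token_id, nonce, client.respond(nonce))
```

An eavesdropper on an unprivileged port sees only the token identifier, the nonce and the HMAC, and a captured response fails against any later nonce.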

        Attachments

        1. Datanode-Security-Design.pdf
          93 kB
          Chris Nauroth
        2. Datanode-Security-Design.pdf
          95 kB
          Chris Nauroth
        3. Datanode-Security-Design.pdf
          95 kB
          Chris Nauroth
        4. HDFS-2856.prototype.patch
          32 kB
          Chris Nauroth
        5. HDFS-2856.1.patch
          137 kB
          Chris Nauroth
        6. HDFS-2856.2.patch
          143 kB
          Chris Nauroth
        7. HDFS-2856.3.patch
          147 kB
          Chris Nauroth
        8. HDFS-2856-Test-Plan-1.pdf
          154 kB
          Chris Nauroth
        9. HDFS-2856.4.patch
          149 kB
          Chris Nauroth
        10. HDFS-2856.5.patch
          150 kB
          Chris Nauroth
        11. HDFS-2856.6.patch
          150 kB
          Chris Nauroth
        12. HDFS-2856-branch-2.7.patch
          157 kB
          Chris Nauroth
        13. HDFS-2856.7.patch
          150 kB
          Chris Nauroth

              People

              • Assignee:
                cnauroth Chris Nauroth
                Reporter:
                owen.omalley Owen O'Malley
              • Votes:
                0
                Watchers:
                38