Hadoop HDFS
HDFS-2856: Fix block protocol so that Datanodes don't require root or jsvc

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.0.0, 2.4.0
    • Fix Version/s: 2.6.0
    • Component/s: datanode, security
    • Labels: None
    • Hadoop Flags: Reviewed
    • Release Note:
      SASL now can be used to secure the DataTransferProtocol, which transfers file block content between HDFS clients and DataNodes. In this configuration, it is no longer required for secured clusters to start the DataNode as root and bind to privileged ports.

      Description

      Since we send the block tokens unencrypted to the datanode, we currently start the datanode as root using jsvc and get a secure (< 1024) port.

      If we have the datanode generate a nonce and send it on the connection, and the client sends an HMAC of the nonce back instead of the block token, it won't reveal any secrets. Thus, we wouldn't require a secure port and would not require root or jsvc.
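The challenge-response idea in the description, as an added example written for this page (it is not Hadoop's code; the fix that shipped secures DataTransferProtocol with SASL, per the release note above). It assumes the block token's "password" is an HMAC of the token identifier under a block key shared by NameNode and DataNodes, that the client answers the DataNode's nonce with an HMAC keyed by that password, and that each nonce may be answered once; the key, identifier and hash choice are constructed for the demo.

```python
import hmac
import hashlib
import secrets

# Constructed shared secret: in HDFS the NameNode distributes block keys to DataNodes.
BLOCK_KEY = b"constructed-block-key-for-demo"


def issue_block_token(block_key, identifier):
    """NameNode side: a block token is the identifier plus its MAC (the 'password')."""
    password = hmac.new(block_key, identifier, hashlib.sha256).digest()
    return identifier, password


def client_response(token, nonce):
    """Client side: prove possession of the password without sending it."""
    identifier, password = token
    proof = hmac.new(password, nonce, hashlib.sha256).digest()
    return identifier, proof


class DataNode:
    """Holds the block key and remembers issued nonces so each can be answered once."""

    def __init__(self, block_key):
        self.block_key = block_key
        self.pending = set()

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self.pending.add(nonce)
        return nonce

    def verify(self, identifier, nonce, proof):
        if nonce not in self.pending:  # unknown or already-used nonce: reject (anti-replay)
            return False
        self.pending.discard(nonce)
        # Recompute the token password from the identifier; only the client with the
        # real token could have produced a matching HMAC over this nonce.
        password = hmac.new(self.block_key, identifier, hashlib.sha256).digest()
        expected = hmac.new(password, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, proof)


def run_exchange(datanode, token):
    """One full round trip: nonce out, HMAC back, DataNode decision. Only the
    identifier, nonce and HMAC cross the wire; the password never does."""
    nonce = datanode.challenge()
    identifier, proof = client_response(token, nonce)
    return datanode.verify(identifier, nonce, proof)
```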

      1. HDFS-2856.7.patch
        150 kB
        Chris Nauroth
      2. HDFS-2856-branch-2.7.patch
        157 kB
        Chris Nauroth
      3. HDFS-2856.6.patch
        150 kB
        Chris Nauroth
      4. HDFS-2856.5.patch
        150 kB
        Chris Nauroth
      5. HDFS-2856.4.patch
        149 kB
        Chris Nauroth
      6. HDFS-2856-Test-Plan-1.pdf
        154 kB
        Chris Nauroth
      7. HDFS-2856.3.patch
        147 kB
        Chris Nauroth
      8. HDFS-2856.2.patch
        143 kB
        Chris Nauroth
      9. HDFS-2856.1.patch
        137 kB
        Chris Nauroth
      10. HDFS-2856.prototype.patch
        32 kB
        Chris Nauroth
      11. Datanode-Security-Design.pdf
        95 kB
        Chris Nauroth
      12. Datanode-Security-Design.pdf
        95 kB
        Chris Nauroth
      13. Datanode-Security-Design.pdf
        93 kB
        Chris Nauroth

            People

            • Assignee: Chris Nauroth
            • Reporter: Owen O'Malley
            • Votes: 0
            • Watchers: 37