For security mode, HDFS now supports that Datanodes don't require root or jsvc if dfs.data.transfer.protection is configured.
Log message for InvalidMagicNumberException, we miss one case:
when the datanodes run on unprivileged port and dfs.data.transfer.protection is configured to authentication but dfs.encrypt.data.transfer is not configured. SASL handshake is required and a low version dfs client is used, then InvalidMagicNumberException is thrown and we write log:
Failed to read expected encryption handshake from client at .... Perhaps the client is running an older version of Hadoop which does not support encryption
Recently I run HDFS built on trunk and security is enabled, but the client is 2.5.1 version. Then I got the above log message, but actually I have not configured encryption.