Hadoop HDFS / HDFS-9854

Log cipher suite negotiation more verbosely

Details

    • Reviewed

    Description

      We've had difficulty probing the root cause of a performance slowdown with in-transit encryption using AES-NI. We finally found the root cause was that the Hadoop client did not configure encryption properties correctly, so it did not negotiate the AES cipher suite when creating an encrypted stream pair, even though the server (a data node) supports it. The existing debug message did not help. We saw the debug message "Server using cipher suite AES/CTR/NoPadding" on the same data node, but that refers to the communication with other data nodes.

      It would be really helpful to log a debug message if a SASL server configures the AES cipher suite but the SASL client doesn't, or vice versa. This debug message should also log the client address to differentiate it from other stream pairs.

      Moreover, the debug message "Server using cipher suite AES/CTR/NoPadding" should also be extended to include the client's address.
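
The logging requested above, sketched as an added example; it is not code from the attached patch or from Hadoop. The class and method names, the message wording other than the quoted "Server using cipher suite" text, and the addresses are assumptions.

```java
import java.net.InetSocketAddress;
import java.util.List;
import java.util.Optional;

/** Added illustration; class and method names are hypothetical, not Hadoop's. */
public class CipherNegotiationLog {
    static final String AES = "AES/CTR/NoPadding";

    /** Picks the first server-configured suite that the client also offered. */
    static Optional<String> negotiate(List<String> server, List<String> client) {
        return server.stream().filter(client::contains).findFirst();
    }

    /** Builds the debug line for one stream pair, always naming the peer. */
    static String describe(List<String> server, List<String> client,
                           InetSocketAddress peer) {
        boolean serverAes = server.contains(AES);
        boolean clientAes = client.contains(AES);
        // One-sided AES configuration is the case that was invisible in the logs.
        if (serverAes && !clientAes) {
            return "Server configures " + AES + " but client " + peer
                + " did not offer it; stream pair will not use AES";
        }
        if (!serverAes && clientAes) {
            return "Client " + peer + " offered " + AES
                + " but server does not configure it; stream pair will not use AES";
        }
        // Both sides agree (or neither configures AES): report the outcome per peer.
        return negotiate(server, client)
            .map(s -> "Server using cipher suite " + s + " with client " + peer)
            .orElse("No cipher suite negotiated with client " + peer);
    }

    public static void main(String[] args) {
        // Constructed addresses from the RFC 5737 documentation range.
        InetSocketAddress dn = InetSocketAddress.createUnresolved("192.0.2.10", 50010);
        InetSocketAddress app = InetSocketAddress.createUnresolved("192.0.2.77", 41522);
        System.out.println(describe(List.of(AES), List.of(AES), dn));  // peer data node
        System.out.println(describe(List.of(AES), List.of(), app));    // misconfigured client
        System.out.println(describe(List.of(), List.of(AES), app));    // server lacks AES
    }
}
```

Because every line carries the peer address, a data node that negotiates AES with other data nodes can no longer mask a client that silently fell back.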

      Attachments

        1. HADOOP-12816.001.patch
          10 kB
          Wei-Chiu Chuang

          People

            weichiu Wei-Chiu Chuang