[ https://issues.apache.org/jira/browse/HADOOP-18967?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17788825#comment-17788825 ]

ASF GitHub Bot commented on HADOOP-18967:
-----------------------------------------

charlesconnell opened a new pull request, #6293:
URL: https://github.com/apache/hadoop/pull/6293

   ### Description of PR
   
   This PR adds two new boolean settings to DataNodes:
   - `dfs.datanode.block.access.token.unsafe.allowed-not-required`
   - `dfs.datanode.unsafe.sasl.allowed-not-required`
   
   With these two new settings, it is now possible for a Hadoop cluster with 
HDFS to enable secure mode without downtime. Please see the included 
documentation changes for more detailed discussion, and usage recommendations.
   
   ### How was this patch tested?
   
   My employer (HubSpot) used a version of this patch on our internal fork of 
Hadoop to transition all of our HBase clusters into secure mode, without major 
incident. The company's SaaS product is running on secure-mode HBase clusters 
now.
   
   ### For code changes:
   
   - [x] Does the title of this PR start with the corresponding JIRA issue ID 
(e.g. 'HADOOP-17799. Your PR title ...')?
   - [ ] Object storage: have the integration tests been executed and the 
endpoint declared according to the connector-specific documentation?
   - [ ] If adding new dependencies to the code, are these dependencies 
licensed in a way that is compatible for inclusion under [ASF 
2.0](http://www.apache.org/legal/resolved.html#category-a)?
   - [ ] If applicable, have you updated the `LICENSE`, `LICENSE-binary`, 
`NOTICE-binary` files?
   
   




> Allow secure mode to be enabled with no downtime
> ------------------------------------------------
>
>                 Key: HADOOP-18967
>                 URL: https://issues.apache.org/jira/browse/HADOOP-18967
>             Project: Hadoop Common
>          Issue Type: Improvement
>            Reporter: Charles Connell
>            Priority: Minor
>
> My employer (HubSpot) recently completed transitioning all of the Hadoop 
> clusters underlying our HBase databases into secure mode. It was important to 
> us that we be able to make this change without impacting the functionality of 
> our SaaS product. To accomplish this, we added some new settings to our fork 
> of Hadoop, and fixed a latent bug (HADOOP-18972). This ticket is my intention 
> to contribute these changes back to the mainline code, so others can benefit. 
> A patch will be incoming.
>
> The basic theme of the new functionality is the ability to accept incoming 
> secure connections without requiring them or making them outgoing. Secure 
> mode enablement will then be done in two stages.
>  * First, all nodes are given configuration to accept secure connections, and 
> are gracefully rolling-restarted to adopt this new functionality. I'll be 
> adding the new settings to make this stage possible.
>  * Second, all nodes are told to require incoming connections be secure, and 
> to make secure outgoing connections, and the settings added in the first 
> stage are removed. Nodes are again rolling-restarted to adopt this 
> functionality. The settings in this final state will look the same as in any 
> secure Hadoop cluster today.
>
> I'll include documentation changes explaining how to do this.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
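
A check an operator could run after the second rolling restart, to confirm that the two transitional settings named in the PR description are no longer enabled on any DataNode. This is an added example, not code from the PR or from Hadoop; the host names and file contents are constructed, and it assumes that an absent setting means the permissive behaviour is off.

```python
import xml.etree.ElementTree as ET

# The two transitional DataNode settings named in the PR description.
TRANSITIONAL = (
    "dfs.datanode.block.access.token.unsafe.allowed-not-required",
    "dfs.datanode.unsafe.sasl.allowed-not-required",
)

def enabled_transitional(hdfs_site_xml):
    """Return the transitional settings that are set to true in one config text."""
    root = ET.fromstring(hdfs_site_xml)
    found = {}
    for prop in root.iter("property"):
        name = (prop.findtext("name") or "").strip()
        value = (prop.findtext("value") or "").strip().lower()
        if name in TRANSITIONAL:
            found[name] = value == "true"  # in this script the last occurrence wins
    return sorted(n for n, on in found.items() if on)

def audit(configs_by_host):
    """Map host -> transitional settings still enabled; clean hosts are omitted."""
    report = {}
    for host, xml_text in configs_by_host.items():
        leftover = enabled_transitional(xml_text)
        if leftover:
            report[host] = leftover
    return report

def _prop(name, value):
    return f"<property><name>{name}</name><value>{value}</value></property>"

# Constructed sample: hypothetical hosts with hand-written hdfs-site.xml contents.
SAMPLE = {
    # Still fully in stage one (value case and padding vary on purpose).
    "dn1.example.internal": "<configuration>" + _prop(TRANSITIONAL[0], "true")
        + _prop(TRANSITIONAL[1], " TRUE ") + "</configuration>",
    # Partially cleaned up: one setting switched off, one forgotten.
    "dn2.example.internal": "<configuration>" + _prop(TRANSITIONAL[0], "false")
        + _prop(TRANSITIONAL[1], "true") + "</configuration>",
    # Final state: neither transitional setting present.
    "dn3.example.internal": "<configuration>"
        + _prop("dfs.replication", "3") + "</configuration>",
}

if __name__ == "__main__":
    for host, names in audit(SAMPLE).items():
        print(f"{host}: still accepts non-secure connections via {', '.join(names)}")
```
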
