[ https://issues.apache.org/jira/browse/HDFS-13081?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16379248#comment-16379248 ]
Ajay Kumar commented on HDFS-13081:
-----------------------------------

Patch v4 to update documentation for SASL as follows:

Tested patch in a single-node secure cluster for SASL. DataNode started with a non-privileged RPC port and a privileged HTTP port. HTTP operations confirm the SASL QOP.

dfs.datanode.address = 0.0.0.0:10040 (non-privileged)
dfs.datanode.http.address = 0.0.0.0:1016 (privileged)

{code}
18/02/27 19:40:14 DEBUG sasl.SaslDataTransferClient: SASL encryption trust check: localHostTrusted = false, remoteHostTrusted = false
18/02/27 19:40:14 DEBUG sasl.SaslDataTransferClient: SASL client doing general handshake for addr = /192.168.7.205, datanodeId = DatanodeInfoWithStorage[192.168.7.205:10040,DS-aa5225d7-f60a-4c2d-b780-119fc1d60879,DISK]
18/02/27 19:40:14 DEBUG sasl.DataTransferSaslUtil: Verifying QOP, requested QOP = [auth-conf], negotiated QOP = auth-conf
18/02/27 19:40:14 DEBUG security.SaslInputStream: Actual length is 22
18/02/27 19:40:14 DEBUG hdfs.DataStreamer: nodes [DatanodeInfoWithStorage[192.168.7.205:10040,DS-aa5225d7-f60a-4c2d-b780-119fc1d60879,DISK]] storageTypes [DISK] storageIDs [DS-aa5225d7-f60a-4c2d-b780-119fc1d60879]
{code}

> Datanode#checkSecureConfig should check HTTPS and SASL encryption
> -----------------------------------------------------------------
>
>                 Key: HDFS-13081
>                 URL: https://issues.apache.org/jira/browse/HDFS-13081
>             Project: Hadoop HDFS
>          Issue Type: Bug
>          Components: datanode, security
>    Affects Versions: 3.0.0
>            Reporter: Xiaoyu Yao
>            Assignee: Ajay Kumar
>            Priority: Major
>         Attachments: HDFS-13081.000.patch, HDFS-13081.001.patch, HDFS-13081.002.patch, HDFS-13081.003.patch, HDFS-13081.004.patch
>
>
> Datanode#checkSecureConfig currently checks the following to determine if secure datanode is enabled.
> # The server has bound to privileged ports for RPC and HTTP via SecureDataNodeStarter.
> # The configuration enables SASL on DataTransferProtocol and HTTPS (no plain HTTP) for the HTTP server.
>
> The SASL handshake guarantees authentication of the RPC server before a client transmits a secret, such as a block access token. Similarly, SSL guarantees authentication of the HTTP server before a client transmits a secret, such as a delegation token.
> For the 2nd case, HTTPS_ONLY means all the traffic between REST client/server will be encrypted. However, checking only whether a SASL property resolver is configured does not mean the server requires an encrypted RPC.
> This ticket is open to further check and ensure the datanode SASL property resolver has a QoP that includes auth-conf (PRIVACY). Note that the SASL QoP (Quality of Protection) negotiation may drop the RPC protection level from auth-conf (PRIVACY) to auth-int (integrity) or auth (authentication) only, which should be fine by design.
>
> cc: [~cnauroth], [~daryn], [~jnpandey] for additional feedback.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
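The ticket's point is that a configured SASL property resolver is not the same as a resolver that asks for privacy: the check has to inspect the resolved QOP list for auth-conf, and the client-side "Verifying QOP" step then confirms that whatever was negotiated was actually among the requested values. The following Java is an added illustration of those two checks, written for this page; it is not Hadoop's own Datanode#checkSecureConfig or DataTransferSaslUtil code. It assumes only the standard javax.security.sasl.Sasl.QOP property key and operates on constructed property maps standing in for a SaslPropertiesResolver's output.

```java
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import javax.security.sasl.Sasl;

/**
 * Illustrative QOP checks for a DataNode SASL configuration.
 * Added example for this discussion; not Hadoop's own code.
 */
public final class SaslQopCheck {

  private SaslQopCheck() {}

  /** Splits a SASL QOP property value ("auth-conf,auth-int") into an ordered set, ignoring blanks. */
  static Set<String> parseQop(String qopProperty) {
    Set<String> qops = new LinkedHashSet<>();
    if (qopProperty == null) {
      return qops;
    }
    for (String token : qopProperty.split(",")) {
      String qop = token.trim();
      if (!qop.isEmpty()) {
        qops.add(qop);
      }
    }
    return qops;
  }

  /**
   * The configuration-time check the ticket asks for: a resolver being present is not
   * enough, the resolved properties must request auth-conf (PRIVACY).
   */
  static boolean requestsPrivacy(Map<String, String> saslProps) {
    return saslProps != null
        && parseQop(saslProps.get(Sasl.QOP)).contains("auth-conf");
  }

  /**
   * Post-handshake verification, in the spirit of the "Verifying QOP" log line above:
   * the negotiated QOP must be one of the QOPs the client requested. Negotiation may
   * legitimately land on auth-int or auth when those were also requested.
   */
  static boolean negotiatedQopAccepted(Map<String, String> requested, String negotiated) {
    if (requested == null || negotiated == null) {
      return false;
    }
    return parseQop(requested.get(Sasl.QOP)).contains(negotiated.trim());
  }

  public static void main(String[] args) {
    // Constructed sample property maps (hypothetical resolver output, not from a real cluster).
    Map<String, String> privacyFirst = Map.of(Sasl.QOP, "auth-conf,auth-int,auth");
    Map<String, String> authOnly = Map.of(Sasl.QOP, "auth");
    Map<String, String> noQop = Map.of();

    System.out.println("privacy requested (auth-conf,auth-int,auth): " + requestsPrivacy(privacyFirst));
    System.out.println("privacy requested (auth):                    " + requestsPrivacy(authOnly));
    System.out.println("privacy requested (no QOP set):              " + requestsPrivacy(noQop));
    System.out.println("negotiated auth-conf accepted:               "
        + negotiatedQopAccepted(privacyFirst, "auth-conf"));
    System.out.println("negotiated auth-int accepted (auth-only):    "
        + negotiatedQopAccepted(authOnly, "auth-int"));
  }
}
```

Compile and run it with `javac SaslQopCheck.java && java SaslQopCheck`. The first function is what a secure-config check would consult before treating a non-privileged RPC port as acceptable; the second is the client-side guard that makes a downgrade visible rather than silent, which is why the DEBUG line in the comment above records both the requested list and the negotiated value.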