[ https://issues.apache.org/jira/browse/HDFS-13081?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16379248#comment-16379248 ]

Ajay Kumar edited comment on HDFS-13081 at 2/27/18 8:46 PM:
------------------------------------------------------------

Patch v4 to update documentation for SASL as follows:

Tested patch in single node secure cluster for SASL. DataNode started with a 
non-privileged RPC port and a privileged HTTP port. HDFS operations confirm the SASL 
QoP.
 dfs.datanode.address = 0.0.0.0:10040 (non-privileged)
 dfs.datanode.http.address = 0.0.0.0:1016 (privileged)
{code:java}
18/02/27 19:40:14 DEBUG sasl.SaslDataTransferClient: SASL encryption trust 
check: localHostTrusted = false, remoteHostTrusted = false
18/02/27 19:40:14 DEBUG sasl.SaslDataTransferClient: SASL client doing general 
handshake for addr = /192.168.7.205, datanodeId = 
DatanodeInfoWithStorage[192.168.7.205:10040,DS-aa5225d7-f60a-4c2d-b780-119fc1d60879,DISK]
18/02/27 19:40:14 DEBUG sasl.DataTransferSaslUtil: Verifying QOP, requested QOP 
= [auth-conf], negotiated QOP = auth-conf
18/02/27 19:40:14 DEBUG security.SaslInputStream: Actual length is 22
18/02/27 19:40:14 DEBUG hdfs.DataStreamer: nodes 
[DatanodeInfoWithStorage[192.168.7.205:10040,DS-aa5225d7-f60a-4c2d-b780-119fc1d60879,DISK]]
 storageTypes [DISK] storageIDs [DS-aa5225d7-f60a-4c2d-b780-119fc1d60879]
{code}


was (Author: ajayydv):
Patch v4 to update documentation for SASL as follows:

Tested patch in single node secure cluster for SASL. DataNode started with a 
non-privileged RPC port and a privileged HTTP port. HTTP operations confirm the SASL 
QoP.
 dfs.datanode.address = 0.0.0.0:10040 (non-privileged)
 dfs.datanode.http.address = 0.0.0.0:1016 (privileged)
{code}
18/02/27 19:40:14 DEBUG sasl.SaslDataTransferClient: SASL encryption trust 
check: localHostTrusted = false, remoteHostTrusted = false
18/02/27 19:40:14 DEBUG sasl.SaslDataTransferClient: SASL client doing general 
handshake for addr = /192.168.7.205, datanodeId = 
DatanodeInfoWithStorage[192.168.7.205:10040,DS-aa5225d7-f60a-4c2d-b780-119fc1d60879,DISK]
18/02/27 19:40:14 DEBUG sasl.DataTransferSaslUtil: Verifying QOP, requested QOP 
= [auth-conf], negotiated QOP = auth-conf
18/02/27 19:40:14 DEBUG security.SaslInputStream: Actual length is 22
18/02/27 19:40:14 DEBUG hdfs.DataStreamer: nodes 
[DatanodeInfoWithStorage[192.168.7.205:10040,DS-aa5225d7-f60a-4c2d-b780-119fc1d60879,DISK]]
 storageTypes [DISK] storageIDs [DS-aa5225d7-f60a-4c2d-b780-119fc1d60879]
{code}

> Datanode#checkSecureConfig should check HTTPS and SASL encryption
> -----------------------------------------------------------------
>
>                 Key: HDFS-13081
>                 URL: https://issues.apache.org/jira/browse/HDFS-13081
>             Project: Hadoop HDFS
>          Issue Type: Bug
>          Components: datanode, security
>    Affects Versions: 3.0.0
>            Reporter: Xiaoyu Yao
>            Assignee: Ajay Kumar
>            Priority: Major
>         Attachments: HDFS-13081.000.patch, HDFS-13081.001.patch, 
> HDFS-13081.002.patch, HDFS-13081.003.patch, HDFS-13081.004.patch
>
>
> Datanode#checkSecureConfig currently checks the following to determine if 
> secure datanode is enabled:
>  # The server has bound to privileged ports for RPC and HTTP via 
> SecureDataNodeStarter.
>  # The configuration enables SASL on DataTransferProtocol and HTTPS (no plain 
> HTTP) for the HTTP server. The SASL handshake guarantees authentication of 
> the RPC server before a client transmits a secret, such as a block access 
> token. Similarly, SSL guarantees authentication of the HTTP server before a 
> client transmits a secret, such as a delegation token.
> For the 2nd case, HTTPS_ONLY means all the traffic between REST client/server 
> will be encrypted. However, checking only whether a SASL property resolver 
> is configured does not mean the server requires encrypted RPC. 
> This ticket is open to further check and ensure the datanode SASL property 
> resolver has a QoP that includes auth-conf (PRIVACY). Note that the SASL QoP 
> (Quality of Protection) negotiation may drop the RPC protection level from 
> auth-conf (PRIVACY) to auth-int (integrity) or auth (authentication) only, which 
> should be fine by design.
>  
> cc: [~cnauroth] , [~daryn], [~jnpandey] for additional feedback.
>  
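The decision the ticket describes, as an added illustrative model (not Hadoop's own Datanode#checkSecureConfig code): HTTP is covered by a privileged port or HTTPS_ONLY, data transfer by a privileged RPC port or by SASL whose configured QoP includes auth-conf, plus a parser for the "Verifying QOP" debug line quoted above. It assumes the standard HDFS keys dfs.data.transfer.protection and dfs.http.policy, which the ticket does not itself quote, and the sample config and log line are constructed from the comment.

```python
import re

# Standard HDFS protection values mapped to the SASL QoP tokens seen in the log.
# dfs.data.transfer.protection and dfs.http.policy are standard HDFS keys that
# this ticket does not quote; the check below is a model, not Hadoop's code.
PROTECTION_TO_QOP = {"authentication": "auth", "integrity": "auth-int",
                     "privacy": "auth-conf"}

def is_privileged(address: str) -> bool:
    """True if a host:port value such as '0.0.0.0:1016' uses a port below 1024."""
    return int(address.rsplit(":", 1)[1]) < 1024

def configured_qops(protection: str) -> list:
    """Translate a comma-separated protection list into SASL QoP names."""
    return [PROTECTION_TO_QOP[p.strip()] for p in protection.split(",") if p.strip()]

def check_secure_config(conf: dict) -> list:
    """Reasons a DataNode config fails the stricter check (empty list = passes).
    HTTP: privileged port or HTTPS_ONLY. RPC/data transfer: privileged port or
    SASL whose configured QoP includes auth-conf (PRIVACY), as the ticket proposes.
    """
    problems = []
    if not (is_privileged(conf["dfs.datanode.http.address"])
            or conf.get("dfs.http.policy") == "HTTPS_ONLY"):
        problems.append("http: unprivileged port and dfs.http.policy is not HTTPS_ONLY")
    if not (is_privileged(conf["dfs.datanode.address"])
            or "auth-conf" in configured_qops(conf.get("dfs.data.transfer.protection", ""))):
        problems.append("rpc: unprivileged port and SASL QoP does not include auth-conf")
    return problems

# Matches the DataTransferSaslUtil debug line quoted in the comment.
QOP_LINE = re.compile(r"requested QOP = \[([^\]]*)\], negotiated QOP = (\S+)")

def negotiated_qop(log_text: str):
    """(requested QoP list, negotiated QoP) from the debug log, or None if absent."""
    m = QOP_LINE.search(log_text)
    if not m:
        return None
    return [q.strip() for q in m.group(1).split(",")], m.group(2)

# Constructed config mirroring the comment's single-node test cluster.
TESTED_CONF = {"dfs.datanode.address": "0.0.0.0:10040",
               "dfs.datanode.http.address": "0.0.0.0:1016",
               "dfs.data.transfer.protection": "privacy"}
# Constructed copy of the debug line printed in the comment above.
LOG_LINE = ("18/02/27 19:40:14 DEBUG sasl.DataTransferSaslUtil: Verifying QOP, "
            "requested QOP = [auth-conf], negotiated QOP = auth-conf")
```

With the tested configuration the check passes because the privileged HTTP port covers HTTP and the privacy QoP covers the unprivileged RPC port; a config with both ports unprivileged, plain HTTP and integrity-only SASL fails on both counts.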



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
