[ https://issues.apache.org/jira/browse/HDFS-13617?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16525318#comment-16525318 ]

Chen Liang commented on HDFS-13617:
-----------------------------------

Thanks [~xkrogen] for the great comments! I think v002 patch has been rebased. 
Any chance you were applying v001 patch? Also, this Jira's patch needs to be 
applied on top of HDFS-13566. Dependency link added.

It is a great point on including more information into the encrypted message! I 
considered client IP address; user name is definitely another good candidate. 
Adding more info definitely improves security, but we need to be careful about 
exactly what information should be included, as this will depend on whether 
this info may change at runtime, whether this info is available at NN rpc 
server layer, whether that info is too long, which adds more encryption 
overhead, etc. I will try to think of all the possibly good candidates and 
follow up in the next patch. For now, I posted the v003 patch to address all the other 
comments. For {{DFS_QOP_WRAP_HMAC_ALGORITHM_DEFAULT}}, just like you pointed 
out, this is hard coded everywhere else, so I simply went the same way.

> Allow wrapping NN QOP into token in encrypted message
> -----------------------------------------------------
>
>                 Key: HDFS-13617
>                 URL: https://issues.apache.org/jira/browse/HDFS-13617
>             Project: Hadoop HDFS
>          Issue Type: Sub-task
>            Reporter: Chen Liang
>            Assignee: Chen Liang
>            Priority: Major
>         Attachments: HDFS-13617.001.patch, HDFS-13617.002.patch, 
> HDFS-13617.003.patch
>
>
> This Jira allows NN to configurably wrap the QOP it has established with the 
> client into the token message sent back to the client. The QOP is sent back 
> in encrypted message, using BlockAccessToken encryption key as the key.
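The wrap/unwrap described in the issue, with the user-name binding discussed in the comment, as an added illustration that is not Hadoop's code or the patch under review. It assumes an encrypt-then-MAC layout (IV || ciphertext || HMAC), a separate cipher and MAC key derived from one block-token secret, a `|` separator between QOP and user, and HmacSHA256 as the MAC; none of those choices come from the page.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added illustration, not Hadoop code: the NN wraps the negotiated QOP, bound
 * to the requesting user name, into an encrypt-then-MAC blob keyed from a
 * block-token secret. Class name, layout and key derivation are assumptions.
 */
public final class QopWrapExample {
  private static final String CIPHER = "AES/CTR/NoPadding";
  private static final String HMAC_ALGORITHM = "HmacSHA256"; // assumed, not the project's default
  private static final int IV_LEN = 16;
  private static final int MAC_LEN = 32;                     // HmacSHA256 output size
  private static final SecureRandom RNG = new SecureRandom();

  // Derive distinct cipher and MAC keys from one secret so the same key bytes
  // are never used for both purposes (assumed scheme, labelled by purpose).
  private static SecretKeySpec deriveKey(byte[] secret, String label, String alg)
      throws GeneralSecurityException {
    Mac kdf = Mac.getInstance(HMAC_ALGORITHM);
    kdf.init(new SecretKeySpec(secret, HMAC_ALGORITHM));
    byte[] k = kdf.doFinal(label.getBytes(StandardCharsets.UTF_8));
    return new SecretKeySpec(Arrays.copyOf(k, 16), alg);     // 128-bit key
  }

  /** Server side. Layout: IV(16) || AES-CTR(qop|user) || HMAC(IV||ciphertext)(32). */
  public static byte[] wrap(byte[] secret, String qop, String user)
      throws GeneralSecurityException {
    byte[] plain = (qop + "|" + user).getBytes(StandardCharsets.UTF_8);
    byte[] iv = new byte[IV_LEN];
    RNG.nextBytes(iv);                                       // fresh IV per message
    Cipher c = Cipher.getInstance(CIPHER);
    c.init(Cipher.ENCRYPT_MODE, deriveKey(secret, "enc", "AES"), new IvParameterSpec(iv));
    byte[] ct = c.doFinal(plain);
    Mac mac = Mac.getInstance(HMAC_ALGORITHM);
    mac.init(deriveKey(secret, "mac", HMAC_ALGORITHM));
    mac.update(iv);
    mac.update(ct);
    byte[] tag = mac.doFinal();
    byte[] out = new byte[IV_LEN + ct.length + MAC_LEN];
    System.arraycopy(iv, 0, out, 0, IV_LEN);
    System.arraycopy(ct, 0, out, IV_LEN, ct.length);
    System.arraycopy(tag, 0, out, IV_LEN + ct.length, MAC_LEN);
    return out;
  }

  /**
   * Client side. Verifies the MAC before decrypting, then checks that the
   * bound user matches; any failure returns null so the caller can fall back
   * to its own negotiation instead of trusting a tampered or replayed QOP.
   */
  public static String unwrap(byte[] secret, byte[] blob, String expectedUser)
      throws GeneralSecurityException {
    if (blob.length < IV_LEN + MAC_LEN) return null;
    int ctLen = blob.length - IV_LEN - MAC_LEN;
    byte[] iv = Arrays.copyOfRange(blob, 0, IV_LEN);
    byte[] ct = Arrays.copyOfRange(blob, IV_LEN, IV_LEN + ctLen);
    byte[] tag = Arrays.copyOfRange(blob, IV_LEN + ctLen, blob.length);
    Mac mac = Mac.getInstance(HMAC_ALGORITHM);
    mac.init(deriveKey(secret, "mac", HMAC_ALGORITHM));
    mac.update(iv);
    mac.update(ct);
    if (!MessageDigest.isEqual(tag, mac.doFinal())) return null; // constant-time compare
    Cipher c = Cipher.getInstance(CIPHER);
    c.init(Cipher.DECRYPT_MODE, deriveKey(secret, "enc", "AES"), new IvParameterSpec(iv));
    String[] parts = new String(c.doFinal(ct), StandardCharsets.UTF_8).split("\\|", 2);
    if (parts.length != 2 || !parts[1].equals(expectedUser)) return null;
    return parts[0];
  }

  public static void main(String[] args) throws Exception {
    byte[] secret = new byte[32];                            // stands in for the block-token key
    RNG.nextBytes(secret);
    byte[] blob = wrap(secret, "auth-conf", "alice");
    System.out.println("same user:      " + unwrap(secret, blob, "alice"));
    System.out.println("other user:     " + unwrap(secret, blob, "mallory")); // bound to a different user
    blob[IV_LEN] ^= 1;                                       // flip one ciphertext bit
    System.out.println("tampered blob:  " + unwrap(secret, blob, "alice"));   // MAC no longer verifies
  }
}
```

The MAC is checked before any decryption so a modified blob is rejected without ever exposing plaintext-dependent behaviour, and binding the user name means a blob issued for one principal is not accepted for another; the cost of each extra bound field is the longer ciphertext and MAC input the comment mentions.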