[ https://issues.apache.org/jira/browse/HDFS-13541?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16907609#comment-16907609 ]
Konstantin Shvachko commented on HDFS-13541: -------------------------------------------- Looks good overall. # I suggest in {{hdfs-default.xml}} to place new auxiliary part and qop variable before {{dfs.namenode.blockreport.queue.size}}, rather than after, as in trunk. # {{TestDiskBalancer}} and {{TestDirectoryScanner}} failed locally for me. Probably common problem, but worth checking if it is related to the change. > NameNode Port based selective encryption > ---------------------------------------- > > Key: HDFS-13541 > URL: https://issues.apache.org/jira/browse/HDFS-13541 > Project: Hadoop HDFS > Issue Type: Improvement > Components: datanode, namenode, security > Reporter: Chen Liang > Assignee: Chen Liang > Priority: Major > Attachments: HDFS-13541-branch-3.2.001.patch, NameNode Port based > selective encryption-v1.pdf > > > Here at LinkedIn, one issue we face is that we need to enforce different > security requirement based on the location of client and the cluster. > Specifically, for clients from outside of the data center, it is required by > regulation that all traffic must be encrypted. But for clients within the > same data center, unencrypted connections are more desired to avoid the high > encryption overhead. > HADOOP-10221 introduced pluggable SASL resolver, based on which HADOOP-10335 > introduced WhitelistBasedResolver which solves the same problem. However we > found it difficult to fit into our environment for several reasons. In this > JIRA, on top of pluggable SASL resolver, *we propose a different approach of > running RPC two ports on NameNode, and the two ports will be enforcing > encrypted and unencrypted connections respectively, and the following > DataNode access will simply follow the same behaviour of > encryption/unencryption*. Then by blocking unencrypted port on datacenter > firewall, we can completely block unencrypted external access. -- This message was sent by Atlassian JIRA (v7.6.14#76016) --------------------------------------------------------------------- To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org