[
https://issues.apache.org/jira/browse/HBASE-16414?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15433992#comment-15433992
]
Andrew Purtell edited comment on HBASE-16414 at 8/24/16 1:12 AM:
-----------------------------------------------------------------
Oh, I see. This ignores HBase's crypto codec suite and only focuses on RPC
acceleration. Guess that's where the "sasl" comes from, and does it by wrapping
RPC with custom and what looks like nonstandard negotiation. I don't think we
should take this as is, unless, with this change in place, HBase can still
negotiation encrypted transport with standard SASL negotiation. Even so why not
use the AES options provided by standard SASL+krb negotiation? What is the
advantage (benchmarks, please)? Maybe there's a good reason, let's see the
numbers.
In any case, you might also want to look at HBase's "AES" cipher for data
encryption as an acceleration opportunity. A replacement for that would just
drop in without controversy I'd expect
was (Author: apurtell):
Oh, I see. This ignores HBase's crypto codec suite and only focuses on RPC
acceleration. Guess that's where the "sasl" comes from, and does it by wrapping
RPC with custom and what looks like nonstandard negotiation. I don't think we
should take this as is.
> Improve performance for RPC encryption with Apache Common Crypto
> ----------------------------------------------------------------
>
> Key: HBASE-16414
> URL: https://issues.apache.org/jira/browse/HBASE-16414
> Project: HBase
> Issue Type: Improvement
> Components: IPC/RPC
> Affects Versions: 2.0.0
> Reporter: Colin Ma
> Assignee: Colin Ma
> Attachments: HBASE-16414.001.patch, HbaseRpcEncryptionWithCrypoto.docx
>
>
> Hbase RPC encryption is enabled by setting “hbase.rpc.protection” to
> "privacy". With the token authentication, it utilized DIGEST-MD5 mechanisms
> for secure authentication and data protection. For DIGEST-MD5, it uses DES,
> 3DES or RC4 to do encryption and it is very slow, especially for Scan. This
> will become the bottleneck of the RPC throughput.
> Apache Commons Crypto is a cryptographic library optimized with AES-NI. It
> provides Java API for both cipher level and Java stream level. Developers can
> use it to implement high performance AES encryption/decryption with the
> minimum code and effort. Compare with the current implementation of
> org.apache.hadoop.hbase.io.crypto.aes.AES, Crypto supports both JCE Cipher
> and OpenSSL Cipher which is better performance than JCE Cipher. User can
> configure the cipher type and the default is JCE Cipher.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
