[ https://issues.apache.org/jira/browse/HBASE-26666?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Bryan Beaudreault updated HBASE-26666: -------------------------------------- Fix Version/s: 2.6.0 3.0.0-alpha-4 Resolution: Fixed Status: Resolved (was: Patch Available) Thanks for the great contribution [~andor], and thanks for all the review help from [~zhangduo] , [~meszibalu], and others! I merged this to master and branch-2 as discussed. [~andor] can you log follow-up issues and also set a release note? > Add native TLS encryption support to RPC server/client > ------------------------------------------------------ > > Key: HBASE-26666 > URL: https://issues.apache.org/jira/browse/HBASE-26666 > Project: HBase > Issue Type: New Feature > Components: encryption, security > Affects Versions: 3.0.0-alpha-2, 2.6.0, 2.4.12, 2.5.1 > Reporter: Josh Elser > Assignee: Andor Molnar > Priority: Major > Labels: SSL, TLS, encryption, security > Fix For: 2.6.0, 3.0.0-alpha-4 > > > Today, HBase must complete the SASL handshake (saslClient.complete()) prior > to turning on any RPC encryption (hbase.rpc.protection=privacy, > sasl.QOP=auth-conf). > This is a problem because we have to transmit the bearer token to the server > before we can complete the sasl handshake. This would mean that we would > insecurely transmit the bearer token (which is equivalent to any other > password) which is a bad smell. > Ideally, if we can solve this problem for the oauth bearer mechanism, we > could also apply it to our delegation token interface for digest-md5 (which, > I believe, suffers the same problem). > The plan is to port Server/Client TLS implementation from the ZooKeeper > project. It's a Netty based solution which looks like the best fit for > NettyRpc client/server. -- This message was sent by Atlassian Jira (v8.20.10#820010)