Hadoop >> mail # general >> HTTP transport?
Re: HTTP transport?

On 10/14/09 9:37 AM, "Doug Cutting" <[EMAIL PROTECTED]> wrote:

> Kan Zhang wrote:
>> One problem I see with using HTTP is that it's expensive to provide data
>> encryption. We're currently adding 2 authentication mechanisms (Kerberos and
>> DIGEST-MD5) to our existing RPC. Both of them can provide data encryption
>> for subsequent communication over the authenticated channel. However, when
>> similar authentication mechanisms are specified for HTTP (SPNEGO and HTTP
>> DIGEST, respectively), they don't provide data encryption (correct me if I'm
>> wrong). For data encryption over HTTP, one has to use SSL, which is
>> expensive.
>
> Java supports using Kerberos-based encryption for TLS (nee SSL):
>
> http://java.sun.com/j2se/1.5.0/docs/guide/security/jsse/JSSERefGuide.html#KRB
>
> http://tools.ietf.org/html/rfc2712
>
Thanks for pointing this out. I did a little testing on it. It seems that
when you use Kerberos cipher suites with SSL, the Kerberos service name for
a TLS server has to be literally "host." For example, a TLS server running
on the machine mach1.imc.org in the Kerberos realm IMC.ORG must use
host/[EMAIL PROTECTED] as its Kerberos principal name. I couldn't find a
way to specify a different service name. Can someone confirm this? This can
be a limitation since we typically run DN and TT on the same set of nodes.

Kan
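Added example, not code from the thread or from Hadoop: a minimal JSSE server that accepts only the RFC 2712 Kerberos cipher suites Doug pointed at, written against the Java 5/6-era API the message is testing (later JDKs removed the TLS_KRB5_* suites, so this assumes a Java 8 or earlier runtime). It shows the three things a practitioner hits when trying this: the suites are supported but not enabled by default, no X.509 keystore is involved, and the server's Kerberos credentials come from a JAAS login against the entry JSSE looks up on the server side ("com.sun.net.ssl.server"), which is where the host/<fqdn> principal Kan describes ends up. The port 4433, the keytab path /etc/krb5.keytab, the realm IMC.ORG and the hostname mach1.imc.org are assumptions for illustration.

```java
// Added example (not from the thread): RFC 2712 Kerberos-keyed TLS with JSSE.
// Assumed: JDK 8 or earlier, port 4433, keytab /etc/krb5.keytab, realm IMC.ORG.
import java.io.PrintWriter;
import java.util.HashMap;
import java.util.Map;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;

public class Krb5TlsServer {

    // JSSE obtains the server's Kerberos key by running a JAAS login against the
    // entry named "com.sun.net.ssl.server". Supplying that entry programmatically
    // here is equivalent to a jaas.conf file with the same module and options.
    static void installJaasConfig(final String principal, final String keytab) {
        Configuration.setConfiguration(new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                if (!"com.sun.net.ssl.server".equals(name)) {
                    return null;
                }
                Map<String, String> opts = new HashMap<String, String>();
                opts.put("useKeyTab", "true");
                opts.put("storeKey", "true");     // keep the long-term key for decrypting tickets
                opts.put("doNotPrompt", "true");
                opts.put("keyTab", keytab);
                opts.put("principal", principal);
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry(
                        "com.sun.security.auth.module.Krb5LoginModule",
                        LoginModuleControlFlag.REQUIRED, opts) };
            }
        });
    }

    public static void main(String[] args) throws Exception {
        String fqdn = args.length > 0 ? args[0] : "mach1.imc.org";   // assumed hostname
        // RFC 2712 fixes the service name: a client requests a ticket for
        // host/<fqdn>, so the keytab must hold exactly that principal. Neither
        // this side nor the JSSE client exposes a setting for another service name.
        installJaasConfig("host/" + fqdn + "@IMC.ORG", "/etc/krb5.keytab");
        // Let JSSE perform its own login instead of requiring a Subject on the thread.
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");

        // No KeyManager: the Kerberos suites need no X.509 certificate or keystore.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);
        SSLServerSocket listener = (SSLServerSocket)
            ctx.getServerSocketFactory().createServerSocket(4433);
        // The TLS_KRB5_* suites are supported but disabled by default; enable only them
        // so a client that cannot present a host/<fqdn> ticket fails the handshake.
        listener.setEnabledCipherSuites(new String[] {
            "TLS_KRB5_WITH_3DES_EDE_CBC_SHA",
            "TLS_KRB5_WITH_RC4_128_SHA" });

        while (true) {
            SSLSocket s = (SSLSocket) listener.accept();
            try {
                s.startHandshake();
                // For Kerberos suites the peer principal is the client's KerberosPrincipal.
                System.out.println("negotiated " + s.getSession().getCipherSuite()
                    + " with " + s.getSession().getPeerPrincipal().getName());
                PrintWriter out = new PrintWriter(s.getOutputStream(), true);
                out.println("hello over Kerberos-keyed TLS");
            } finally {
                s.close();
            }
        }
    }
}
```

Two caveats worth stating: 3DES and RC4 are the strongest bulk ciphers RFC 2712 defines (it predates AES suites), so this trades the CPU cost of an RSA handshake for ciphers that are weak by today's standards; and the service name really is fixed to "host" by the protocol, not by the Java API, which is the limitation Kan is asking about when two daemons share a node.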