Re: Regarding Datanode secure ports
Raghu Doppalapudi 2013-05-21, 23:23
Thanks Chris, very good information, it helps.
On Tue, May 21, 2013 at 2:35 PM, Chris Nauroth <[EMAIL PROTECTED]> wrote:
> Hi Raghu,
> I'm aware of no immediate plans to eliminate this property, but HDFS-2856
> will change the security design on the protocol between HDFS client and
> datanode such that secure datanodes will not require a privileged port, and
> thus you won't need this configuration property. HDFS-2856 is still under
> design review.
> Please note that ignore.secure.ports.for.testing is not suitable for
> running a secure production cluster. It opens a risk of a rogue map or
> reduce task binding to the datanode's RPC port, impersonating a legitimate
> datanode, and stealing secrets or sensitive data. (That jira includes a
> full description of the attack vector if you're interested.)
> I hope this helps. Thanks!
> Chris Nauroth
> On Tue, May 21, 2013 at 12:24 PM, Raghu Doppalapudi
> <[EMAIL PROTECTED]> wrote:
> > I am starting datanode in secure mode on higher default ports by
> > the following property.
> > <property>
> > <name>ignore.secure.ports.for.testing</name>
> > <value>true</value>
> > </property>
> > Is this property going to be a permanent one? Please suggest whether this
> > property is good to use. I just want to check whether this is a temporary or
> > permanent property.
> > Thanks
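
Added example, not part of the thread and not Hadoop's own code: a small audit that flags the setting Chris warns about and checks that the datanode listens on privileged ports. The property names `dfs.datanode.address` and `dfs.datanode.http.address`, the port values, and both sample configurations are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample configurations (not taken from the thread).
WEAK = """<configuration>
  <property><name>ignore.secure.ports.for.testing</name><value>true</value></property>
  <property><name>dfs.datanode.address</name><value>0.0.0.0:50010</value></property>
  <property><name>dfs.datanode.http.address</name><value>0.0.0.0:50075</value></property>
</configuration>"""
HARDENED = """<configuration>
  <property><name>ignore.secure.ports.for.testing</name><value>false</value></property>
  <property><name>dfs.datanode.address</name><value>0.0.0.0:1004</value></property>
  <property><name>dfs.datanode.http.address</name><value>0.0.0.0:1006</value></property>
</configuration>"""

PORT_KEYS = ("dfs.datanode.address", "dfs.datanode.http.address")

def load_props(xml_text):
    # Flatten <property> entries into a dict; a later duplicate overrides an earlier one.
    props = {}
    for p in ET.fromstring(xml_text).iter("property"):
        name = (p.findtext("name") or "").strip()
        if name:
            props[name] = (p.findtext("value") or "").strip()
    return props

def audit(xml_text):
    props = load_props(xml_text)
    findings = []
    # The testing override lets a secure datanode start on ports >= 1024.
    if props.get("ignore.secure.ports.for.testing", "false").lower() == "true":
        findings.append("ignore.secure.ports.for.testing=true: privileged-port check disabled")
    for key in PORT_KEYS:
        value = props.get(key)
        if value is None:
            findings.append(f"{key} not set: default applies, verify it is below 1024")
            continue
        try:
            port = int(value.rsplit(":", 1)[1])
        except (IndexError, ValueError):
            findings.append(f"{key}={value!r}: cannot parse host:port")
            continue
        if port >= 1024:
            findings.append(f"{key}={value}: port {port} is unprivileged, any local process can bind it")
    return findings

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(cfg) or "no findings")
```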