HDFS-5353. Merge change r1548987 from trunk.
git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/branch-2@1548988 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Jing Zhao
parent
cee74196c2
commit
6026982bcb
|
|
@ -358,6 +358,9 @@ Release 2.3.0 - UNRELEASED
|
|||
HDFS-5590. Block ID and generation stamp may be reused when persistBlocks is
|
||||
set to false. (jing9)
|
||||
|
||||
HDFS-5353. Short circuit reads fail when dfs.encrypt.data.transfer is
|
||||
enabled. (Colin Patrick McCabe via jing9)
|
||||
|
||||
Release 2.2.0 - 2013-10-13
|
||||
|
||||
INCOMPATIBLE CHANGES
|
||||
|
|
|
|||
|
|
@ -125,4 +125,9 @@ public String toString() {
|
|||
public DomainSocket getDomainSocket() {
|
||||
return null;
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean hasSecureChannel() {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -114,4 +114,19 @@ public String toString() {
|
|||
public DomainSocket getDomainSocket() {
|
||||
return socket;
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean hasSecureChannel() {
|
||||
//
|
||||
// Communication over domain sockets is assumed to be secure, since it
|
||||
// doesn't pass over any network. We also carefully control the privileges
|
||||
// that can be used on the domain socket inode and its parent directories.
|
||||
// See #{java.org.apache.hadoop.net.unix.DomainSocket#validateSocketPathSecurity0}
|
||||
// for details.
|
||||
//
|
||||
// So unless you are running as root or the hdfs superuser, you cannot
|
||||
// launch a man-in-the-middle attach on UNIX domain socket traffic.
|
||||
//
|
||||
return true;
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -139,4 +139,9 @@ public String toString() {
|
|||
public DomainSocket getDomainSocket() {
|
||||
return enclosedPeer.getDomainSocket();
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean hasSecureChannel() {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -128,4 +128,9 @@ public String toString() {
|
|||
public DomainSocket getDomainSocket() {
|
||||
return null;
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean hasSecureChannel() {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -112,4 +112,12 @@ public interface Peer extends Closeable {
|
|||
* peer, or null if there is none.
|
||||
*/
|
||||
public DomainSocket getDomainSocket();
|
||||
|
||||
/**
|
||||
* Return true if the channel is secure.
|
||||
*
|
||||
* @return True if our channel to this peer is not
|
||||
* susceptible to man-in-the-middle attacks.
|
||||
*/
|
||||
public boolean hasSecureChannel();
|
||||
}
|
||||
|
|
|
|||
|
|
@ -162,7 +162,7 @@ public void run() {
|
|||
try {
|
||||
peer.setWriteTimeout(datanode.getDnConf().socketWriteTimeout);
|
||||
InputStream input = socketIn;
|
||||
if (dnConf.encryptDataTransfer) {
|
||||
if ((!peer.hasSecureChannel()) && dnConf.encryptDataTransfer) {
|
||||
IOStreamPair encryptedStreams = null;
|
||||
try {
|
||||
encryptedStreams = DataTransferEncryptor.getEncryptedStreams(socketOut,
|
||||
|
|
|
|||
|
|
@ -42,6 +42,10 @@ static public void setupCluster() throws Exception {
|
|||
new File(sockDir.getDir(),
|
||||
"TestParallelShortCircuitReadUnCached._PORT.sock").getAbsolutePath());
|
||||
conf.setBoolean(DFSConfigKeys.DFS_CLIENT_READ_SHORTCIRCUIT_KEY, true);
|
||||
// Enabling data transfer encryption should have no effect when using
|
||||
// short-circuit local reads. This is a regression test for HDFS-5353.
|
||||
conf.setBoolean(DFSConfigKeys.DFS_ENCRYPT_DATA_TRANSFER_KEY, true);
|
||||
conf.setBoolean(DFSConfigKeys.DFS_BLOCK_ACCESS_TOKEN_ENABLE_KEY, true);
|
||||
conf.setBoolean(DFSConfigKeys.
|
||||
DFS_CLIENT_READ_SHORTCIRCUIT_SKIP_CHECKSUM_KEY, false);
|
||||
conf.setBoolean(DFSConfigKeys.
|
||||
|
|
|
|||
|
|
@ -140,6 +140,11 @@ public boolean equals(Object o) {
|
|||
public int hashCode() {
|
||||
return dnId.hashCode() ^ (hasDomain ? 1 : 0);
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean hasSecureChannel() {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
@Test
|
||||
|
|
|
|||
Loading…
Reference in New Issue