Add cipher suite (AES/CTR/NoPadding) per default (#693)

maltesander · web-flow · commit ec416ebdad17 · 2025-06-12T07:36:42.000Z
* add cipher suite and key site per default

* adapted changelog

* do not default cipher key length

* do not mention the default keylength
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -10,6 +10,7 @@ All notable changes to this project will be documented in this file.
   - Use `--file-log-max-files` (or `FILE_LOG_MAX_FILES`) to limit the number of log files kept.
   - Use `--file-log-rotation-period` (or `FILE_LOG_ROTATION_PERIOD`) to configure the frequency of rotation.
   - Use `--console-log-format` (or `CONSOLE_LOG_FORMAT`) to set the format to `plain` (default) or `json`.
+- The operator now defaults to `AES/CTR/NoPadding` for `dfs.encrypt.data.transfer.cipher.suite` to improve security and performance ([#693]).
 
 ### Changed
 
@@ -46,6 +47,7 @@ All notable changes to this project will be documented in this file.
 [#677]: https://github.com/stackabletech/hdfs-operator/pull/677
 [#683]: https://github.com/stackabletech/hdfs-operator/pull/683
 [#684]: https://github.com/stackabletech/hdfs-operator/pull/684
+[#693]: https://github.com/stackabletech/hdfs-operator/pull/693
 
 ## [25.3.0] - 2025-03-21
 
diff --git a/docs/modules/hdfs/pages/usage-guide/security.adoc b/docs/modules/hdfs/pages/usage-guide/security.adoc
@@ -33,6 +33,7 @@ The `kerberos.secretClass` is used to give HDFS the possibility to request keyta
 
 The `tlsSecretClass` is needed to request TLS certificates, used e.g. for the Web UIs.
 
+NOTE: The hdfs-operator defaults to `AES/CTR/NoPadding` for `dfs.encrypt.data.transfer.cipher.suite`. This can be changed using config overrides.
 
 === 4. Verify that Kerberos authentication is required
 Use `stackablectl stacklet list` to get the endpoints where the HDFS namenodes are reachable.
diff --git a/rust/operator-binary/src/security/kerberos.rs b/rust/operator-binary/src/security/kerberos.rs
@@ -52,6 +52,10 @@ impl HdfsSiteConfigBuilder {
     fn add_wire_encryption_settings(&mut self) -> &mut Self {
         self.add("dfs.data.transfer.protection", "privacy");
         self.add("dfs.encrypt.data.transfer", "true");
+        self.add(
+            "dfs.encrypt.data.transfer.cipher.suite",
+            "AES/CTR/NoPadding",
+        );
         self
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -52,6 +52,10 @@ impl HdfsSiteConfigBuilder {`
`52`	`52`	`fn add_wire_encryption_settings(&mut self) -> &mut Self {`
`53`	`53`	`self.add("dfs.data.transfer.protection", "privacy");`
`54`	`54`	`self.add("dfs.encrypt.data.transfer", "true");`
	`55`	`+ self.add(`
	`56`	`+ "dfs.encrypt.data.transfer.cipher.suite",`
	`57`	`+ "AES/CTR/NoPadding",`
	`58`	`+ );`
`55`	`59`	`self`
`56`	`60`	`}`
`57`	`61`	`}`