From 6c93c5afe2a56c0310c219dbf6d599959e3f48c4 Mon Sep 17 00:00:00 2001
From: Malte Sander
Date: Wed, 11 Jun 2025 13:01:11 +0200
Subject: [PATCH 1/4] add cipher suite and key site per default
---
 docs/modules/hdfs/pages/usage-guide/security.adoc | 1 +
 rust/operator-binary/src/security/kerberos.rs | 5 +++++
 2 files changed, 6 insertions(+)
diff --git a/docs/modules/hdfs/pages/usage-guide/security.adoc b/docs/modules/hdfs/pages/usage-guide/security.adoc
index c4fba6c9..ed0a4f3b 100644
--- a/docs/modules/hdfs/pages/usage-guide/security.adoc
+++ b/docs/modules/hdfs/pages/usage-guide/security.adoc
@@ -33,6 +33,7 @@ The `kerberos.secretClass` is used to give HDFS the possibility to request keyta
 The `tlsSecretClass` is needed to request TLS certificates, used e.g. for the Web UIs.
+NOTE: The hdfs-operator uses the cipher suite `AES/CTR/NoPadding` with a 128 Bit key per default. This can be changed using config overrides.
 === 4. Verify that Kerberos authentication is required
 Use `stackablectl stacklet list` to get the endpoints where the HDFS namenodes are reachable.
diff --git a/rust/operator-binary/src/security/kerberos.rs b/rust/operator-binary/src/security/kerberos.rs
index c960d913..ea312c54 100644
--- a/rust/operator-binary/src/security/kerberos.rs
+++ b/rust/operator-binary/src/security/kerberos.rs
@@ -52,6 +52,11 @@ impl HdfsSiteConfigBuilder {
 fn add_wire_encryption_settings(&mut self) -> &mut Self {
 self.add("dfs.data.transfer.protection", "privacy");
 self.add("dfs.encrypt.data.transfer", "true");
+ self.add(
+ "dfs.encrypt.data.transfer.cipher.suite",
+ "AES/CTR/NoPadding",
+ );
+ self.add("dfs.encrypt.data.transfer.cipher.key.bitlength", "128");
 self
 }
 }
From 70912a5e86af5a094fa2d0275b9daed9620ae353 Mon Sep 17 00:00:00 2001
From: Malte Sander
Date: Wed, 11 Jun 2025 13:07:36 +0200
Subject: [PATCH 2/4] adapted changelog
---
 CHANGELOG.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index fabbf13c..17f4bc09 100644
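Review bot: The new `self.add` calls in `add_wire_encryption_settings` give no reason for pinning `AES/CTR/NoPadding`, and the method has no doc comment, so a reader cannot tell whether this is a hardening choice or a compatibility requirement; a why-comment above the first added call such as `// Without an explicit cipher suite HDFS encrypts block transfer with the legacy dfs.encrypt.data.transfer.algorithm (3DES or RC4); AES/CTR/NoPadding selects AES instead.` would make the intent durable. The user guide changed in this same patch says the value can be changed with config overrides, but whether an override of `dfs.encrypt.data.transfer.cipher.suite` wins over this `add` depends on the merge order, which is not visible here; a test that applies such an override and asserts the rendered hdfs-site.xml carries the user value would pin that contract. The enclosing `impl HdfsSiteConfigBuilder` block starts outside the hunk.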
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,7 @@ All notable changes to this project will be documented in this file.
 - Use `--file-log-max-files` (or `FILE_LOG_MAX_FILES`) to limit the number of log files kept.
 - Use `--file-log-rotation-period` (or `FILE_LOG_ROTATION_PERIOD`) to configure the frequency of rotation.
 - Use `--console-log-format` (or `CONSOLE_LOG_FORMAT`) to set the format to `plain` (default) or `json`.
+- The operator now sets defaults for `dfs.encrypt.data.transfer.cipher.suite` (`AES/CTR/NoPadding`) and `dfs.encrypt.data.transfer.cipher.key.bitlength` (`128`) to improve security and performance ([#693]).
 ### Changed
@@ -46,6 +47,7 @@ All notable changes to this project will be documented in this file.
 [#677]: https://github.com/stackabletech/hdfs-operator/pull/677
 [#683]: https://github.com/stackabletech/hdfs-operator/pull/683
 [#684]: https://github.com/stackabletech/hdfs-operator/pull/684
+[#693]: https://github.com/stackabletech/hdfs-operator/pull/693
 ## [25.3.0] - 2025-03-21
From 0fa4937045b62621426b946263ece965fc3f0789 Mon Sep 17 00:00:00 2001
From: Malte Sander
Date: Thu, 12 Jun 2025 09:11:40 +0200
Subject: [PATCH 3/4] do not default cipher key length
---
 CHANGELOG.md | 2 +-
 docs/modules/hdfs/pages/usage-guide/security.adoc | 2 +-
 rust/operator-binary/src/security/kerberos.rs | 1 -
 3 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 17f4bc09..8a7b0fef 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,7 +10,7 @@ All notable changes to this project will be documented in this file.
 - Use `--file-log-max-files` (or `FILE_LOG_MAX_FILES`) to limit the number of log files kept.
 - Use `--file-log-rotation-period` (or `FILE_LOG_ROTATION_PERIOD`) to configure the frequency of rotation.
 - Use `--console-log-format` (or `CONSOLE_LOG_FORMAT`) to set the format to `plain` (default) or `json`.
-- The operator now sets defaults for `dfs.encrypt.data.transfer.cipher.suite` (`AES/CTR/NoPadding`) and `dfs.encrypt.data.transfer.cipher.key.bitlength` (`128`) to improve security and performance ([#693]).
+- The operator now defaults to `AES/CTR/NoPadding` for `dfs.encrypt.data.transfer.cipher.suite` to improve security and performance ([#693]).
 ### Changed
diff --git a/docs/modules/hdfs/pages/usage-guide/security.adoc b/docs/modules/hdfs/pages/usage-guide/security.adoc
index ed0a4f3b..bb22cd86 100644
--- a/docs/modules/hdfs/pages/usage-guide/security.adoc
+++ b/docs/modules/hdfs/pages/usage-guide/security.adoc
@@ -33,7 +33,7 @@ The `kerberos.secretClass` is used to give HDFS the possibility to request keyta
 The `tlsSecretClass` is needed to request TLS certificates, used e.g. for the Web UIs.
-NOTE: The hdfs-operator uses the cipher suite `AES/CTR/NoPadding` with a 128 Bit key per default. This can be changed using config overrides.
+NOTE: The hdfs-operator defaults to `AES/CTR/NoPadding` for `dfs.encrypt.data.transfer.cipher.suite` with a default key length of 128 Bit. This can be changed using config overrides.
 === 4. Verify that Kerberos authentication is required
 Use `stackablectl stacklet list` to get the endpoints where the HDFS namenodes are reachable.
diff --git a/rust/operator-binary/src/security/kerberos.rs b/rust/operator-binary/src/security/kerberos.rs
index ea312c54..0b03280a 100644
--- a/rust/operator-binary/src/security/kerberos.rs
+++ b/rust/operator-binary/src/security/kerberos.rs
@@ -56,7 +56,6 @@ impl HdfsSiteConfigBuilder {
 "dfs.encrypt.data.transfer.cipher.suite",
 "AES/CTR/NoPadding",
 );
- self.add("dfs.encrypt.data.transfer.cipher.key.bitlength", "128");
 self
 }
 }
From 92d6c967e59f003e8f107a5139f2632f9492d28c Mon Sep 17 00:00:00 2001
From: Malte Sander
Date: Thu, 12 Jun 2025 09:20:21 +0200
Subject: [PATCH 4/4] do not mention the default keylength
---
 docs/modules/hdfs/pages/usage-guide/security.adoc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/modules/hdfs/pages/usage-guide/security.adoc b/docs/modules/hdfs/pages/usage-guide/security.adoc
index bb22cd86..e9c3aa56 100644
--- a/docs/modules/hdfs/pages/usage-guide/security.adoc
+++ b/docs/modules/hdfs/pages/usage-guide/security.adoc
@@ -33,7 +33,7 @@ The `kerberos.secretClass` is used to give HDFS the possibility to request keyta
 The `tlsSecretClass` is needed to request TLS certificates, used e.g. for the Web UIs.
-NOTE: The hdfs-operator defaults to `AES/CTR/NoPadding` for `dfs.encrypt.data.transfer.cipher.suite` with a default key length of 128 Bit. This can be changed using config overrides.
+NOTE: The hdfs-operator defaults to `AES/CTR/NoPadding` for `dfs.encrypt.data.transfer.cipher.suite`. This can be changed using config overrides.
 === 4. Verify that Kerberos authentication is required
 Use `stackablectl stacklet list` to get the endpoints where the HDFS namenodes are reachable.