Details
-
Bug
-
Status: Open
-
Major
-
Resolution: Unresolved
-
3.3.4
-
None
-
None
-
We saw this issue when running in a Kubernetes environment.
Hadoop was deployed using the [Stackable Operator for Apache Hadoop|https://github.com/stackabletech/hdfs-operator].
The binaries contained in the deployed images are taken from the ASF mirrors, not self-compiled.
Description
It looks like some hdfs servers default the cipher suite to not encrypt traffic when the keystore password is not set or set to an empty string.
Historically this has probably not often been an issue as java `keytool` refuses to create a keystore with less than 6 characters, so usually people would need to set passwords on the keystores (and hence in the config).
When using keystores without a password, we noticed that HDFS refuses to load keys from this keystore when `ssl.server.keystore.password` is unset or set to an empty string - and instead of erroring out sets the cipher suite for rpc connections to `TLS_NULL_WITH_NULL_NULL` which is basically TLS but without any encryption.
The impact varies depending on which communication channel we looked at, what we saw was:
- JournalNodes seem to happily go along with this and NameNodes equally happily connect to the JournalNodes without any warnings - we do have tls enabled after all
- NameNodes refuse connections with a handshake exception, so the real world impact of this should hopefully be small, but it does seem like less than ideal behavior.
So effectively, HDFS cannot use keystores without passwords, as connections cannot be established successfully.