Protect In-Transit Traffic

This document describes how to protect data in transit within Apache Ozone, both between the cluster and clients, and internally within the cluster.

Hadoop RPC Encryption

Ozone traffic, whether between the cluster and clients or internal to the cluster, may be carried over Hadoop RPC (for example, client to Ozone Manager). To encrypt client-OM (Ozone Manager) communication, set hadoop.rpc.protection to privacy in core-site.xml on both the servers and the clients. Note that hadoop.rpc.protection is a SASL quality-of-protection setting: it only takes effect on a Kerberos-secured cluster (hadoop.security.authentication=kerberos), and it accepts a comma-separated list of levels (authentication, integrity, privacy) of which the server will negotiate any that is listed. Listing privacy alone ensures that all data exchanged over Hadoop RPC is encrypted rather than merely authenticated or integrity-protected.

<property>
  <name>hadoop.rpc.protection</name>
  <value>privacy</value>
</property>

ozone.om.transport.class

The default OM transport, org.apache.hadoop.ozone.om.protocolPB.Hadoop3OmTransportFactory, uses Hadoop RPC. A gRPC-based transport can be selected instead by setting the ozone.om.transport.class configuration property to org.apache.hadoop.ozone.om.protocolPB.GrpcOmTransportFactory. In that case client-OM traffic no longer travels over Hadoop RPC, so the hadoop.rpc.protection setting does not apply to it and it has to be protected at the gRPC layer instead (see gRPC TLS Encryption below).

gRPC TLS Encryption

Ozone traffic may also be carried over gRPC (for example, the Ratis write pipeline between DataNodes, or a client reading blocks from a DataNode). To enable TLS for gRPC traffic, set hdds.grpc.tls.enabled to true in ozone-site.xml. This encrypts communication between Ozone services that use gRPC. The certificates used for TLS are issued by Ozone's internal certificate authority in SCM, so this requires a secure cluster (ozone.security.enabled=true with Kerberos). Apply the setting consistently on every service node and on the clients: a mix of TLS and plaintext gRPC endpoints results in failed connections, not partial protection.

<property>
  <name>hdds.grpc.tls.enabled</name>
  <value>true</value>
</property>
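The three settings above interact: RPC protection is a no-op on an unsecured cluster, a multi-valued hadoop.rpc.protection still permits a plaintext negotiation, and the gRPC OM transport moves client-OM traffic out of the RPC setting's scope. The following audit script is an added example, not Ozone's own code or tooling. It parses Hadoop-style core-site.xml and ozone-site.xml documents and reports which in-transit protections are missing. The three configuration pairs it checks are constructed for illustration; the Kerberos and ozone.security.enabled preconditions it enforces are the caveats from this page, and the Hadoop defaults it assumes (simple authentication, hadoop.rpc.protection=authentication, hdds.grpc.tls.enabled=false) are the standard ones.

```python
"""Audit Hadoop/Ozone XML configuration for the in-transit protections described on this page."""
import xml.etree.ElementTree as ET

DEFAULT_OM_TRANSPORT = "org.apache.hadoop.ozone.om.protocolPB.Hadoop3OmTransportFactory"
GRPC_OM_TRANSPORT = "org.apache.hadoop.ozone.om.protocolPB.GrpcOmTransportFactory"

# Constructed sample configurations for illustration only (not taken from a real cluster).
WEAK_CORE_SITE = """<configuration>
  <property><name>hadoop.security.authentication</name><value>simple</value></property>
  <property><name>hadoop.rpc.protection</name><value>authentication,privacy</value></property>
</configuration>"""

WEAK_OZONE_SITE = """<configuration>
  <property><name>ozone.security.enabled</name><value>false</value></property>
  <property><name>hdds.grpc.tls.enabled</name><value>false</value></property>
</configuration>"""

HARDENED_CORE_SITE = """<configuration>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
  <property><name>hadoop.rpc.protection</name><value>privacy</value></property>
</configuration>"""

HARDENED_OZONE_SITE = """<configuration>
  <property><name>ozone.security.enabled</name><value>true</value></property>
  <property><name>hdds.grpc.tls.enabled</name><value>true</value></property>
</configuration>"""

# gRPC OM transport selected but TLS left off: client-OM traffic is now outside hadoop.rpc.protection.
GRPC_OM_NO_TLS_OZONE_SITE = """<configuration>
  <property><name>ozone.security.enabled</name><value>true</value></property>
  <property><name>ozone.om.transport.class</name><value>%s</value></property>
  <property><name>hdds.grpc.tls.enabled</name><value>false</value></property>
</configuration>""" % GRPC_OM_TRANSPORT


def parse_hadoop_xml(text):
    """Return {name: value} for every <property> in a Hadoop-style <configuration> document."""
    conf = {}
    for prop in ET.fromstring(text).iter("property"):
        name = prop.findtext("name")
        if name is not None:
            conf[name.strip()] = (prop.findtext("value") or "").strip()
    return conf


def audit_in_transit(core_site_xml, ozone_site_xml):
    """Return a list of (config key, finding) pairs; an empty list means no issues found."""
    core = parse_hadoop_xml(core_site_xml)
    ozone = parse_hadoop_xml(ozone_site_xml)
    findings = []

    # Both protections presuppose a Kerberos-secured cluster: hadoop.rpc.protection is a SASL
    # QOP and is ignored under simple authentication, and gRPC TLS relies on certificates
    # issued by SCM's CA, which requires ozone.security.enabled=true.
    auth = core.get("hadoop.security.authentication", "simple").lower()
    sec_enabled = ozone.get("ozone.security.enabled", "false").lower() == "true"
    if auth != "kerberos" or not sec_enabled:
        findings.append(("hadoop.security.authentication",
                         "cluster security is off; hadoop.rpc.protection and hdds.grpc.tls.enabled "
                         "have no effect without Kerberos and ozone.security.enabled=true"))

    # hadoop.rpc.protection is a comma-separated list and the server accepts any listed QOP,
    # so anything other than exactly "privacy" leaves an unencrypted negotiation path open.
    raw_qop = core.get("hadoop.rpc.protection", "authentication")
    qops = sorted({q.strip().lower() for q in raw_qop.split(",") if q.strip()})
    if qops != ["privacy"]:
        findings.append(("hadoop.rpc.protection",
                         "value %r allows a non-encrypting QOP; set it to exactly 'privacy'" % raw_qop))

    # The Ratis pipeline and block reads are gRPC regardless of OM transport; with the gRPC OM
    # transport, client-OM traffic is gRPC as well and is not covered by hadoop.rpc.protection.
    transport = ozone.get("ozone.om.transport.class", DEFAULT_OM_TRANSPORT)
    tls = ozone.get("hdds.grpc.tls.enabled", "false").lower() == "true"
    if not tls:
        scope = "Ratis pipeline and DataNode block traffic"
        if transport == GRPC_OM_TRANSPORT:
            scope += " and client-OM traffic (gRPC OM transport selected)"
        findings.append(("hdds.grpc.tls.enabled", "gRPC TLS is disabled; %s is in plaintext" % scope))

    return findings


if __name__ == "__main__":
    for label, core, ozone in (("weak", WEAK_CORE_SITE, WEAK_OZONE_SITE),
                               ("hardened", HARDENED_CORE_SITE, HARDENED_OZONE_SITE),
                               ("grpc-om-no-tls", HARDENED_CORE_SITE, GRPC_OM_NO_TLS_OZONE_SITE)):
        print(label, audit_in_transit(core, ozone) or "OK")
```

Run it against the core-site.xml and ozone-site.xml actually deployed on each node (and on client hosts) rather than against a single copy: the settings are read independently by every process, and a node that was missed will either negotiate a weaker QOP or fail its gRPC handshakes.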

Ozone HTTP Web Console

For information on securing the Ozone HTTP web console, please refer to the Securing HTTP documentation.

Further Reading

For details on the specific network ports used by Ozone roles and the types of transport between them, refer to the Network Ports documentation.
