Protect In-Transit Traffic
This document describes how to protect data in transit within Apache Ozone, both between clients and the cluster and internally between cluster services. Ozone uses two transports, Hadoop RPC and gRPC, and each is encrypted by a separate setting, so both must be configured for full coverage.
Hadoop RPC Encryption
Ozone traffic, whether between the cluster and a client or internal to the cluster, may be carried over Hadoop RPC (for example, client to Ozone Manager). To encrypt client-OM (Ozone Manager) communication, set hadoop.rpc.protection to privacy in your core-site.xml. The value privacy selects the SASL quality of protection that adds confidentiality on top of authentication and integrity, so all data exchanged over Hadoop RPC is encrypted. Note that this setting only takes effect when Hadoop security is enabled (hadoop.security.authentication set to kerberos): with simple authentication there is no SASL negotiation and the RPC traffic stays in the clear regardless of this value.
<property>
<name>hadoop.rpc.protection</name>
<value>privacy</value>
</property>
ozone.om.transport.class
The default client-OM transport is org.apache.hadoop.ozone.om.protocolPB.Hadoop3OmTransportFactory. A gRPC-based transport can be selected instead by setting the ozone.om.transport.class configuration property to org.apache.hadoop.ozone.om.protocolPB.GrpcOmTransportFactory. In that case client-OM traffic no longer goes over Hadoop RPC, so hadoop.rpc.protection does not apply to it; encryption of that channel is governed by the gRPC TLS setting described in the next section.
gRPC TLS Encryption
Ozone traffic may also be carried over gRPC (for example, the Ratis write pipeline between DataNodes, or a client reading blocks from a DataNode). To enable TLS for gRPC traffic, set hdds.grpc.tls.enabled to true. This encrypts communication between Ozone services and clients that use gRPC. The TLS certificates are issued to each service by SCM's certificate authority, so this requires Ozone security to be enabled (ozone.security.enabled set to true); the flag alone does not produce encrypted connections on an insecure cluster.
<property>
<name>hdds.grpc.tls.enabled</name>
<value>true</value>
</property>
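The two transports above are encrypted by independent settings, and each one has a precondition (Kerberos for hadoop.rpc.protection, Ozone security for gRPC TLS) that is easy to miss. The following audit script is an added example, not code from the Ozone project: it parses Hadoop-style core-site.xml and ozone-site.xml content and reports which in-transit paths are still unencrypted. The sample configurations embedded in it are constructed for illustration, and the finding messages are the author's own wording; the property names and defaults (hadoop.rpc.protection defaulting to authentication, hdds.grpc.tls.enabled and ozone.security.enabled defaulting to false) are the real ones.

```python
"""Audit Apache Ozone in-transit encryption settings.

Added example, not part of Ozone. Reads Hadoop-style XML configuration
text (core-site.xml / ozone-site.xml) and reports the transport paths that
are not encrypted, including the preconditions that make a setting
ineffective (hadoop.rpc.protection without Kerberos, gRPC TLS without
Ozone security).
"""
import xml.etree.ElementTree as ET

HADOOP_OM_TRANSPORT = "org.apache.hadoop.ozone.om.protocolPB.Hadoop3OmTransportFactory"
GRPC_OM_TRANSPORT = "org.apache.hadoop.ozone.om.protocolPB.GrpcOmTransportFactory"


def parse_hadoop_xml(text):
    """Return {name: value} from a <configuration> document."""
    root = ET.fromstring(text)
    props = {}
    for prop in root.iter("property"):
        name = prop.findtext("name")
        if name is not None:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def _is_true(value):
    return value.strip().lower() == "true"


def audit(core_site_xml, ozone_site_xml):
    """Return a list of findings; an empty list means every path is covered."""
    conf = parse_hadoop_xml(core_site_xml)
    conf.update(parse_hadoop_xml(ozone_site_xml))  # ozone-site overrides core-site

    auth = conf.get("hadoop.security.authentication", "simple")
    protection = conf.get("hadoop.rpc.protection", "authentication")  # Hadoop default
    om_transport = conf.get("ozone.om.transport.class", HADOOP_OM_TRANSPORT)
    grpc_tls = _is_true(conf.get("hdds.grpc.tls.enabled", "false"))
    security_on = _is_true(conf.get("ozone.security.enabled", "false"))

    findings = []

    # Client-OM path: Hadoop RPC unless the gRPC OM transport is selected.
    if om_transport == HADOOP_OM_TRANSPORT:
        if protection != "privacy":
            findings.append(
                f"hadoop.rpc.protection is '{protection}', not 'privacy': "
                "client-OM Hadoop RPC payloads are not encrypted")
        if auth != "kerberos":
            findings.append(
                f"hadoop.security.authentication is '{auth}': without Kerberos "
                "there is no SASL negotiation, so hadoop.rpc.protection has no effect")
    elif om_transport != GRPC_OM_TRANSPORT:
        findings.append(f"unrecognised ozone.om.transport.class '{om_transport}'")

    # gRPC paths: Ratis pipeline, block reads from DataNodes, and client-OM
    # when the gRPC OM transport is in use.
    if not grpc_tls:
        findings.append(
            "hdds.grpc.tls.enabled is not true: Ratis pipeline and DataNode block "
            "reads (and client-OM traffic on the gRPC transport) are plaintext")
    elif not security_on:
        findings.append(
            "hdds.grpc.tls.enabled is true but ozone.security.enabled is false: "
            "no SCM-issued certificates, so gRPC TLS cannot be established")
    return findings


# Constructed sample configurations (not from a real cluster).
WEAK_CORE_SITE = """<configuration>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
</configuration>"""
WEAK_OZONE_SITE = """<configuration>
  <property><name>ozone.security.enabled</name><value>true</value></property>
  <property><name>hdds.grpc.tls.enabled</name><value>false</value></property>
</configuration>"""
HARDENED_CORE_SITE = """<configuration>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
  <property><name>hadoop.rpc.protection</name><value>privacy</value></property>
</configuration>"""
HARDENED_OZONE_SITE = """<configuration>
  <property><name>ozone.security.enabled</name><value>true</value></property>
  <property><name>hdds.grpc.tls.enabled</name><value>true</value></property>
</configuration>"""

if __name__ == "__main__":
    for label, core, ozone in (("weak", WEAK_CORE_SITE, WEAK_OZONE_SITE),
                               ("hardened", HARDENED_CORE_SITE, HARDENED_OZONE_SITE)):
        print(f"== {label} ==")
        for f in audit(core, ozone) or ["no findings"]:
            print(" -", f)
```

The script only reads configuration; it does not prove what is on the wire. After applying the settings, confirm them by capturing a client-OM RPC and a DataNode read and checking that the payloads are no longer readable.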
Ozone HTTP Web Console
For information on securing the Ozone HTTP web console, please refer to the Securing HTTP documentation.
Further Reading
For details on the specific network ports used by Ozone roles and the types of transport between them, refer to the Network Ports documentation.