Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

NiFi: How to put to HDFS with wire encryption?

avatar
author-rank gkeys
Guru

Created ‎11-18-2016 04:40 PM

In NiFi, how do I put data to HDFS with the data encrypted across the wire? NiFi cluster would be on separate cluster than HDFS.

1,971 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank knarayanan author-rank
Super Collaborator

Created ‎11-18-2016 06:06 PM

is this like an on prem to cloud kind of a situation. Why would you want to just encrypt specific flows? For encryption to happen, the server has to enable it. ex. https goes to 443 instead of 80. Enable hadoop wire encryption and try sending data without setting the encryption settings in the hdfs-site when you call puthdfs. I think it will keep both secure and unsecure channels open.

View solution in original post

1,840 Views
0 Kudos
6 REPLIES 6

avatar
author-rank knarayanan author-rank
Super Collaborator

Created ‎11-18-2016 05:05 PM

I think if you setup the cluster to use wire encryption, the name node and hdfs client will handle it for you. you just need to have the updated hdfs-site.xml file available on NiFi

1,840 Views
0 Kudos

avatar
author-rank gkeys
Guru

Created ‎11-18-2016 05:29 PM

I believe that is a cluster-wide setting for all client interactions with the the namenode/HDFS. I was hoping to isolate the encryption to specific flows on the NiFi side. Thoughts?

1,840 Views
0 Kudos

avatar
author-rank knarayanan author-rank
Super Collaborator

Created ‎11-18-2016 06:11 PM

saw this in the pdfs-default xml

dfs.encrypt.data.transferfalseWhether or not actual block data that is read/written from/to HDFS should be encrypted on the wire. This only needs to be set on the NN and DNs, clients will deduce this automatically. It is possible to override this setting per connection by specifying custom logic via dfs.trustedchannel.resolver.class.

i guess it is doable.

1,840 Views
0 Kudos

avatar
author-rank knarayanan author-rank
Super Collaborator

Created ‎11-18-2016 06:17 PM

so you would have to create a class that extends TrustedChannelResolver and overrides the isTrusted() method. then set it in hdfs properties dfs.trustedchannel.resolver.class. I have not handled this before, but if you are up to it i can assist.

1,840 Views
0 Kudos

avatar
author-rank knarayanan author-rank
Super Collaborator

Created ‎11-18-2016 06:06 PM

is this like an on prem to cloud kind of a situation. Why would you want to just encrypt specific flows? For encryption to happen, the server has to enable it. ex. https goes to 443 instead of 80. Enable hadoop wire encryption and try sending data without setting the encryption settings in the hdfs-site when you call puthdfs. I think it will keep both secure and unsecure channels open.

1,841 Views
0 Kudos

avatar
author-rank gkeys
Guru

Created ‎11-18-2016 06:45 PM

I was hoping to be granular with encryption of sensitive data vs non-sensitive data flowing into HDFS for performance reasons. If performance differences are not that large ... it is no big deal, then.

1,840 Views
0 Kudos
Announcements
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics 1.14 for Cloudera Pu...
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
View More Announcements