User <-> Coordinator:
- Encrypted by HTTPS
- The coordinator authenticates the user based on a secret token created by
tools/gen_passwd.py. The secret is passed to the coordinator upon creation
and served via the metadata server, all of which are secure channels.
- WARNING: The user does NOT know they are talking to the true coordinator,
since the coordinator uses a self-signed certificate. For this reason, the
system is vulnerable to man-in-the-middle attacks.
Coordinator <-> Snitch:
- Encrypted by HTTPS
- Authenticated by the source host's address. All instances have internal IPs
in the 10.* range.
Hadoop nodes:
- All instances have external IPs. Only incoming ssh traffic is enabled by
the default firewall, for debugging.
- There is no extra security implemented on top of Hadoop.
Service accounts:
- See https://developers.google.com/compute/docs/authentication for an
introduction to service accounts.
- The coordinator runs with RW Compute and Google Storage permissions.
- All slaves run with RO Google Storage permissions.
- The hadoop-namenode instance runs with RW Google Storage permissions.