Details
- Type: Bug
- Status: Resolved
- Priority: Major
- Resolution: Fixed
Description
We hard-coded the Ambari Agents to ignore certificate
verification. But the reason why this was required was Python being insecure by
default:
<https://access.redhat.com/articles/2039753>
<https://www.python.org/dev/peps/pep-0476/>
That method will cause signed certificates to not serve any purpose & is
discouraged by RedHat & Python security experts:
> "It is also possible, though highly discouraged, to globally disable
> verification by monkeypatching the ssl module in versions of Python"

Instead we should abstract it to a setting (e.g. ssl_verify_cert) in the
ambari-agent.ini such that users can turn certificate verification on if they
provide a signed/trusted certificate.
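A sketch of the proposed setting, added here as an illustration and not taken from the Ambari code base: the `ssl_verify_cert` value is read from INI text and applied to one `SSLContext` rather than patched into the `ssl` module globally. It is written for Python 3's standard library; the `[security]` section, the verify-by-default fallback, and the function names are assumptions.

```python
import configparser
import ssl

# Constructed sample of an ambari-agent.ini fragment. The [security] section
# name is an assumption; the issue only names the ssl_verify_cert key.
SAMPLE_INI = """
[security]
ssl_verify_cert = 1
"""


def load_verify_setting(ini_text, default=True):
    """Return True if certificate verification should be enforced.

    A missing section or key falls back to `default` (an assumption here).
    An unparsable value fails closed, i.e. verification stays on.
    """
    parser = configparser.ConfigParser()
    parser.read_string(ini_text)
    try:
        return parser.getboolean("security", "ssl_verify_cert", fallback=default)
    except ValueError:
        return True


def build_context(verify):
    """Build a per-connection SSLContext that honours the setting.

    Unlike monkeypatching the ssl module, this affects only the sockets
    wrapped with the returned context, not every HTTPS client in the process.
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED and hostname checking
    if not verify:
        # check_hostname must be cleared before verify_mode can be CERT_NONE
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    verify = load_verify_setting(SAMPLE_INI)
    ctx = build_context(verify)
    print("verify:", verify, "mode:", ctx.verify_mode, "hostname:", ctx.check_hostname)
```
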
Issue Links
- is related to AMBARI-22135 Ambari Agent security bypassed in =>python-2.7.5-58.el7.x86_64.rpm (Resolved)