Uploaded image for project: 'Ambari'
  1. Ambari
  2. AMBARI-20049

One way SSL fallback logic can cause some agents to be connected with 2-way SSL

Attach filesAttach ScreenshotVotersWatch issueWatchersCreate sub-taskLinkCloneUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • None
    • 2.5.0
    • None
    • None

    Description

      We have fallback logic since a long time in the agent to try to connect to the
      server with 2-way SSL if one-way SSL throws an exception. This can cause some
      agents to connect with 2-way SSL (connection timeout exception for one-way
      SSL) and thereby a cluster having a mix of agents, some connected with one-way
      SSL and some connected with 2-way SSL.

      Investigate why we have had this logic and if it is no longer appropriate,
      remove this fallback logic.

      <https://github.com/apache/ambari/blob/trunk/ambari-
      agent/src/main/python/ambari_agent/security.py#L57-L67>

      if not self.two_way_ssl_required:
      try:
      sock = self.create_connection()
      self.sock = ssl.wrap_socket(sock, cert_reqs=ssl.CERT_NONE)
      logger.info('SSL connection established. Two-way SSL authentication is '
      'turned off on the server.')
      except (ssl.SSLError, AttributeError):
      self.two_way_ssl_required = True
      logger.info(
      'Insecure connection to https://' + self.host + ':' + self.port +
      '/ failed. Reconnecting using two-way SSL authentication..')

      Attachments

        Activity

          This comment will be Viewable by All Users Viewable by All Users
          Cancel

          People

            aonishuk Andrew Onischuk
            aonishuk Andrew Onischuk
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Slack

                Issue deployment