Uploaded image for project: 'Hadoop Common'
  1. Hadoop Common
  2. HADOOP-11218

Add TLSv1.1,TLSv1.2 to KMS, HttpFS, SSLFactory

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 2.7.1
    • Fix Version/s: 2.8.0, 3.0.0-alpha1
    • Component/s: kms
    • Labels:
      None
    • Target Version/s:
    • Hadoop Flags:
      Reviewed

      Description

      HADOOP-11217 required us to specifically list the versions of TLS that KMS supports. With Hadoop 2.7 dropping support for Java 6 and Java 7 supporting TLSv1.1 and TLSv1.2, we should add them to the list.

        Issue Links

          Activity

          Hide
          wheat9 Haohui Mai added a comment -

          I propose a more aggressive approach, that is, to remove this configuration and pick reasonable ciphers / protocols. The reason is that it requires some domain knowledges to properly configure it correctly, and misconfiguring it can lead to security holes. It would be nice to not having a configuration that can shoot the users' foot.

          Note that the configuration is added in 2.6 which still supports Java 6. The configuration allows users that run 2.6 on Java 7 to disable the flawed protocols / ciphers. As 2.7 is going to support Java 7 only, I think that the original motivation is fulfilled thus the configuration can be removed.

          Show
          wheat9 Haohui Mai added a comment - I propose a more aggressive approach, that is, to remove this configuration and pick reasonable ciphers / protocols. The reason is that it requires some domain knowledges to properly configure it correctly, and misconfiguring it can lead to security holes. It would be nice to not having a configuration that can shoot the users' foot. Note that the configuration is added in 2.6 which still supports Java 6. The configuration allows users that run 2.6 on Java 7 to disable the flawed protocols / ciphers. As 2.7 is going to support Java 7 only, I think that the original motivation is fulfilled thus the configuration can be removed.
          Hide
          kkambatl Karthik Kambatla (Inactive) added a comment -

          We want to disable SSLv3 in Java 7 as well, and would just want to add protocols to the whitelist. I don't see how we can revert the changes altogether. Am I missing something here?

          Show
          kkambatl Karthik Kambatla (Inactive) added a comment - We want to disable SSLv3 in Java 7 as well, and would just want to add protocols to the whitelist. I don't see how we can revert the changes altogether. Am I missing something here?
          Hide
          wheat9 Haohui Mai added a comment -

          Let me try to rephrase a little bit to see whether it makes sense: I propose to not exposing the configuration to the user. Instead, the code should pick reasonable settings.

          What I'm proposing is that the code just disable SSLv3 and not exposing it as a configuration, as configuring it properly requires domain knowledges and misconfiguration can lead to security issues. Make sense?

          Show
          wheat9 Haohui Mai added a comment - Let me try to rephrase a little bit to see whether it makes sense: I propose to not exposing the configuration to the user. Instead, the code should pick reasonable settings. What I'm proposing is that the code just disable SSLv3 and not exposing it as a configuration, as configuring it properly requires domain knowledges and misconfiguration can lead to security issues. Make sense?
          Hide
          kkambatl Karthik Kambatla (Inactive) added a comment -

          I see merit to having configurations with reasonable defaults. Configs allow users to workaround any security vulnerabilities at least until an official release with fixes comes out.

          Show
          kkambatl Karthik Kambatla (Inactive) added a comment - I see merit to having configurations with reasonable defaults. Configs allow users to workaround any security vulnerabilities at least until an official release with fixes comes out.
          Hide
          aw Allen Wittenauer added a comment -

          I'm with Karthik Kambatla on this one. I'd really love the ability to disable broken implementations until a fix comes out. We tend to have this view that as soon as we release code it gets immediately installed everywhere. The reality is that it can take weeks to deploy a new version. Having the ability to disable a broken codepath is always a nicety.

          Show
          aw Allen Wittenauer added a comment - I'm with Karthik Kambatla on this one. I'd really love the ability to disable broken implementations until a fix comes out. We tend to have this view that as soon as we release code it gets immediately installed everywhere. The reality is that it can take weeks to deploy a new version. Having the ability to disable a broken codepath is always a nicety.
          Hide
          wheat9 Haohui Mai added a comment -

          Thanks for the explanation. It's fine with me as long as we have a reasonable configuration.

          Show
          wheat9 Haohui Mai added a comment - Thanks for the explanation. It's fine with me as long as we have a reasonable configuration.
          Hide
          SINGHVJD Vijay Singh added a comment -

          I posted an approach for enabling TLSv1.1 and TLSv1.2 for HttpFS service in duplicate ticket. The reason for our customers to go for TLS1.2 is that current RHEL7 and Ubuntu based HDFS client gateways when used with curl can enforce which TLS level to use. The security teams wants application using curl to enforce TLSv1.2; however, in absence of server support its not feasible. Regardless, once we allow TLSv1, TLSv1.1, TLSv1.2 options as part of server config,server can choose highest level of support for TLS available and may or may not honor client request. But, atleast client application can downgrade or choose not to use TLSv1. Since we support JDK7 I propose that we add support for TLSv1.1 and TLSv1.2 for KMS and HttpFS services atleast using SSLFactory.
          Please find the code snippet for implemented changes.

               <Connector port="${httpfs.http.port}" protocol="HTTP/1.1" SSLEnabled="true"
                         maxThreads="150" scheme="https" secure="true"
                         clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello"
                         keystoreFile="${httpfs.ssl.keystore.file}"
                         keystorePass="_httpfs_ssl_keystore_pass_"/>
          

          Changes include addition of TLSv1.1,TLSv1.2 to SSLenabledProtocols xml attribute on line 73 of file hadoop/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/tomcat/ssl-server.xml.conf

          Show
          SINGHVJD Vijay Singh added a comment - I posted an approach for enabling TLSv1.1 and TLSv1.2 for HttpFS service in duplicate ticket. The reason for our customers to go for TLS1.2 is that current RHEL7 and Ubuntu based HDFS client gateways when used with curl can enforce which TLS level to use. The security teams wants application using curl to enforce TLSv1.2; however, in absence of server support its not feasible. Regardless, once we allow TLSv1, TLSv1.1, TLSv1.2 options as part of server config,server can choose highest level of support for TLS available and may or may not honor client request. But, atleast client application can downgrade or choose not to use TLSv1. Since we support JDK7 I propose that we add support for TLSv1.1 and TLSv1.2 for KMS and HttpFS services atleast using SSLFactory. Please find the code snippet for implemented changes. <Connector port= "${httpfs.http.port}" protocol= "HTTP/1.1" SSLEnabled= "true" maxThreads= "150" scheme= "https" secure= "true" clientAuth= "false" sslEnabledProtocols= "TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello" keystoreFile= "${httpfs.ssl.keystore.file}" keystorePass= "_httpfs_ssl_keystore_pass_" /> Changes include addition of TLSv1.1,TLSv1.2 to SSLenabledProtocols xml attribute on line 73 of file hadoop/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/tomcat/ssl-server.xml.conf
          Hide
          SINGHVJD Vijay Singh added a comment -

          Please find the result of tests carried out.

          [root@vjs-1 ~]# diff /opt/myclient/hadoop-httpfs/tomcat-conf.https/conf/server.xml /opt/myclient/hadoop-httpfs/tomcat-conf.https/conf/server_tls1.xml 
          73c73
          <                clientAuth="false" sslEnabledProtocols=“TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello"
          ---
          >                clientAuth="false" sslEnabledProtocols="TLSv1,SSLv2Hello"
          
          [root@vjkc ~]# openssl s_client -connect vjs-1.vpc.myclient.com:14000  -tls1 -CAfile /opt/myclient/security/setup/ca-certs/VIJAY-WIN-HEN9IV5CAGA-CA.pem | grep Renegotiation
          depth=1 DC = FCE, DC = SINGH, DC = VIJAY, CN = VIJAY-WIN-HEN9IV5CAGA-CA
          verify return:1
          depth=0 C = US, ST = Illinois, L = Chicago, O = myclient, OU = EDHCLUSTER, CN = vjs-1.vpc.myclient.com
          verify return:1
          
          Secure Renegotiation IS supported
          
          [root@vjkc ~]# openssl s_client -connect vjs-1.vpc.myclient.com:14000  -tls1_1 -CAfile /opt/myclient/security/setup/ca-certs/VIJAY-WIN-HEN9IV5CAGA-CA.pem | grep -i Renegotiation
          depth=1 DC = FCE, DC = SINGH, DC = VIJAY, CN = VIJAY-WIN-HEN9IV5CAGA-CA
          verify return:1
          depth=0 C = US, ST = Illinois, L = Chicago, O = myclient, OU = EDHCLUSTER, CN = vjs-1.vpc.myclient.com
          verify return:1
          
          Secure Renegotiation IS supported
          
          [root@vjkc ~]# openssl s_client -connect vjs-1.vpc.myclient.com:14000  -tls1_2 -CAfile /opt/myclient/security/setup/ca-certs/VIJAY-WIN-HEN9IV5CAGA-CA.pem | grep -i Renegotiation
          depth=1 DC = FCE, DC = SINGH, DC = VIJAY, CN = VIJAY-WIN-HEN9IV5CAGA-CA
          verify return:1
          depth=0 C = US, ST = Illinois, L = Chicago, O = myclient, OU = EDHCLUSTER, CN = vjs-1.vpc.myclient.com
          verify return:1
          
          Secure Renegotiation IS supported
          
          Show
          SINGHVJD Vijay Singh added a comment - Please find the result of tests carried out. [root@vjs-1 ~]# diff /opt/myclient/hadoop-httpfs/tomcat-conf.https/conf/server.xml /opt/myclient/hadoop-httpfs/tomcat-conf.https/conf/server_tls1.xml  73c73 <                clientAuth="false" sslEnabledProtocols=“TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello" --- >                clientAuth="false" sslEnabledProtocols="TLSv1,SSLv2Hello" [root@vjkc ~]# openssl s_client -connect vjs-1.vpc.myclient.com:14000  -tls1 -CAfile /opt/myclient/security/setup/ca-certs/VIJAY-WIN-HEN9IV5CAGA-CA.pem | grep Renegotiation depth=1 DC = FCE, DC = SINGH, DC = VIJAY, CN = VIJAY-WIN-HEN9IV5CAGA-CA verify return:1 depth=0 C = US, ST = Illinois, L = Chicago, O = myclient, OU = EDHCLUSTER, CN = vjs-1.vpc.myclient.com verify return:1 Secure Renegotiation IS supported [root@vjkc ~]# openssl s_client -connect vjs-1.vpc.myclient.com:14000  -tls1_1 -CAfile /opt/myclient/security/setup/ca-certs/VIJAY-WIN-HEN9IV5CAGA-CA.pem | grep -i Renegotiation depth=1 DC = FCE, DC = SINGH, DC = VIJAY, CN = VIJAY-WIN-HEN9IV5CAGA-CA verify return:1 depth=0 C = US, ST = Illinois, L = Chicago, O = myclient, OU = EDHCLUSTER, CN = vjs-1.vpc.myclient.com verify return:1 Secure Renegotiation IS supported [root@vjkc ~]# openssl s_client -connect vjs-1.vpc.myclient.com:14000  -tls1_2 -CAfile /opt/myclient/security/setup/ca-certs/VIJAY-WIN-HEN9IV5CAGA-CA.pem | grep -i Renegotiation depth=1 DC = FCE, DC = SINGH, DC = VIJAY, CN = VIJAY-WIN-HEN9IV5CAGA-CA verify return:1 depth=0 C = US, ST = Illinois, L = Chicago, O = myclient, OU = EDHCLUSTER, CN = vjs-1.vpc.myclient.com verify return:1 Secure Renegotiation IS supported
          Hide
          SINGHVJD Vijay Singh added a comment -

          The code snippted changes for kms will be required on line 73 of file /hadoop-common-project/hadoop-kms/src/main/tomcat/ssl-server.xml.conf. The code changes are as follows:

          
          

          <Connector port="$

          {kms.http.port}

          " protocol="HTTP/1.1" SSLEnabled="true"
          maxThreads="$

          {kms.max.threads}

          " scheme="https" secure="true"
          clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello"
          truststorePass="kms_ssl_truststore_pass"
          keystoreFile="$

          {kms.ssl.keystore.file}

          "
          keystorePass="kms_ssl_keystore_pass"/>

          
          

          Please see the excerpts from test log.

          [root@vjs-kms ~]# diff /opt/myclient/hadoop-kms/tomcat-conf.https/conf/server.xml /opt/myclient/hadoop-kms/tomcat-conf.https/conf/server_tls1.xml 
          73c73
          <                clientAuth="false" sslEnabledProtocols=“TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello"
          ---
          >                clientAuth="false" sslEnabledProtocols="TLSv1,SSLv2Hello"
          
          [root@vjkc ~]# openssl s_client -connect vjs-kms.vpc.myclient.com:16000  -tls1 -CAfile /opt/myclient/security/setup/ca-certs/VIJAY-WIN-HEN9IV5CAGA-CA.pem | grep Renegotiation
          depth=1 DC = FCE, DC = SINGH, DC = VIJAY, CN = VIJAY-WIN-HEN9IV5CAGA-CA
          verify return:1
          depth=0 C = US, ST = Illinois, L = Chicago, O = myclient, OU = EDHCLUSTER, CN = vjs-kms.vpc.myclient.com
          verify return:1
          
          Secure Renegotiation IS supported
          
          [root@vjkc ~]# openssl s_client -connect vjs-kms.vpc.myclient.com:16000  -tls1_1 -CAfile /opt/myclient/security/setup/ca-certs/VIJAY-WIN-HEN9IV5CAGA-CA.pem | grep -i Renegotiation
          depth=1 DC = FCE, DC = SINGH, DC = VIJAY, CN = VIJAY-WIN-HEN9IV5CAGA-CA
          verify return:1
          depth=0 C = US, ST = Illinois, L = Chicago, O = myclient, OU = EDHCLUSTER, CN = vjs-kms.vpc.myclient.com
          verify return:1
          
          Secure Renegotiation IS supported
          
          [root@vjkc ~]# openssl s_client -connect vjs-kms.vpc.myclient.com:16000  -tls1_2 -CAfile /opt/myclient/security/setup/ca-certs/VIJAY-WIN-HEN9IV5CAGA-CA.pem | grep -i Renegotiation
          depth=1 DC = FCE, DC = SINGH, DC = VIJAY, CN = VIJAY-WIN-HEN9IV5CAGA-CA
          verify return:1
          depth=0 C = US, ST = Illinois, L = Chicago, O = myclient, OU = EDHCLUSTER, CN = vjs-kms.vpc.myclient.com
          verify return:1
          
          Secure Renegotiation IS supported
          

          Please review my proposed changes and suggest any feedback. I will work on the patch for submission in the meantime.

          Show
          SINGHVJD Vijay Singh added a comment - The code snippted changes for kms will be required on line 73 of file /hadoop-common-project/hadoop-kms/src/main/tomcat/ssl-server.xml.conf. The code changes are as follows: <Connector port="$ {kms.http.port} " protocol="HTTP/1.1" SSLEnabled="true" maxThreads="$ {kms.max.threads} " scheme="https" secure="true" clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello" truststorePass=" kms_ssl_truststore_pass " keystoreFile="$ {kms.ssl.keystore.file} " keystorePass=" kms_ssl_keystore_pass "/> Please see the excerpts from test log. [root@vjs-kms ~]# diff /opt/myclient/hadoop-kms/tomcat-conf.https/conf/server.xml /opt/myclient/hadoop-kms/tomcat-conf.https/conf/server_tls1.xml  73c73 <                clientAuth="false" sslEnabledProtocols=“TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello" --- >                clientAuth="false" sslEnabledProtocols="TLSv1,SSLv2Hello" [root@vjkc ~]# openssl s_client -connect vjs-kms.vpc.myclient.com:16000  -tls1 -CAfile /opt/myclient/security/setup/ca-certs/VIJAY-WIN-HEN9IV5CAGA-CA.pem | grep Renegotiation depth=1 DC = FCE, DC = SINGH, DC = VIJAY, CN = VIJAY-WIN-HEN9IV5CAGA-CA verify return:1 depth=0 C = US, ST = Illinois, L = Chicago, O = myclient, OU = EDHCLUSTER, CN = vjs-kms.vpc.myclient.com verify return:1 Secure Renegotiation IS supported [root@vjkc ~]# openssl s_client -connect vjs-kms.vpc.myclient.com:16000  -tls1_1 -CAfile /opt/myclient/security/setup/ca-certs/VIJAY-WIN-HEN9IV5CAGA-CA.pem | grep -i Renegotiation depth=1 DC = FCE, DC = SINGH, DC = VIJAY, CN = VIJAY-WIN-HEN9IV5CAGA-CA verify return:1 depth=0 C = US, ST = Illinois, L = Chicago, O = myclient, OU = EDHCLUSTER, CN = vjs-kms.vpc.myclient.com verify return:1 Secure Renegotiation IS supported [root@vjkc ~]# openssl s_client -connect vjs-kms.vpc.myclient.com:16000  -tls1_2 -CAfile /opt/myclient/security/setup/ca-certs/VIJAY-WIN-HEN9IV5CAGA-CA.pem | grep -i Renegotiation depth=1 DC = FCE, DC = SINGH, DC = VIJAY, CN = VIJAY-WIN-HEN9IV5CAGA-CA verify return:1 depth=0 C = US, ST = Illinois, L = Chicago, O = myclient, OU = EDHCLUSTER, CN = vjs-kms.vpc.myclient.com verify return:1 Secure Renegotiation IS supported Please review my proposed changes and suggest any feedback. I will work on the patch for submission in the meantime.
          Hide
          SINGHVJD Vijay Singh added a comment -

          Please find attached the proposed patch for enabling TLSv1.1 and TLSv1.2 for HttpFS and KMS service. Please review and suggest any changes. This is my first contribution any advise is appreciated.

          Show
          SINGHVJD Vijay Singh added a comment - Please find attached the proposed patch for enabling TLSv1.1 and TLSv1.2 for HttpFS and KMS service. Please review and suggest any changes. This is my first contribution any advise is appreciated.
          Hide
          SINGHVJD Vijay Singh added a comment -

          The code changes have been attached already. Formally submitting the patch

          Show
          SINGHVJD Vijay Singh added a comment - The code changes have been attached already. Formally submitting the patch
          Hide
          hadoopqa Hadoop QA added a comment -



          -1 overall



          Vote Subsystem Runtime Comment
          0 pre-patch 15m 52s Pre-patch trunk compilation is healthy.
          +1 @author 0m 0s The patch does not contain any @author tags.
          -1 tests included 0m 0s The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch.
          +1 javac 8m 12s There were no new javac warning messages.
          +1 javadoc 10m 20s There were no new javadoc warning messages.
          -1 release audit 0m 15s The applied patch generated 1 release audit warnings.
          +1 whitespace 0m 0s The patch has no lines that end in whitespace.
          +1 install 1m 29s mvn install still works.
          +1 eclipse:eclipse 0m 34s The patch built with eclipse:eclipse.
          +1 common tests 1m 36s Tests passed in hadoop-kms.
          +1 hdfs tests 3m 35s Tests passed in hadoop-hdfs-httpfs.
              41m 58s  



          Subsystem Report/Notes
          Patch URL http://issues.apache.org/jira/secure/attachment/12764737/Enable_TLSv1_1_and_TLSv1_2_for_HttpFS_and_KMS_services.patch
          Optional Tests javadoc javac unit
          git revision trunk / fdf02d1
          Release Audit https://builds.apache.org/job/PreCommit-HADOOP-Build/7760/artifact/patchprocess/patchReleaseAuditProblems.txt
          hadoop-kms test log https://builds.apache.org/job/PreCommit-HADOOP-Build/7760/artifact/patchprocess/testrun_hadoop-kms.txt
          hadoop-hdfs-httpfs test log https://builds.apache.org/job/PreCommit-HADOOP-Build/7760/artifact/patchprocess/testrun_hadoop-hdfs-httpfs.txt
          Test Results https://builds.apache.org/job/PreCommit-HADOOP-Build/7760/testReport/
          Java 1.7.0_55
          uname Linux asf900.gq1.ygridcore.net 3.13.0-36-lowlatency #63-Ubuntu SMP PREEMPT Wed Sep 3 21:56:12 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
          Console output https://builds.apache.org/job/PreCommit-HADOOP-Build/7760/console

          This message was automatically generated.

          Show
          hadoopqa Hadoop QA added a comment - -1 overall Vote Subsystem Runtime Comment 0 pre-patch 15m 52s Pre-patch trunk compilation is healthy. +1 @author 0m 0s The patch does not contain any @author tags. -1 tests included 0m 0s The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch. +1 javac 8m 12s There were no new javac warning messages. +1 javadoc 10m 20s There were no new javadoc warning messages. -1 release audit 0m 15s The applied patch generated 1 release audit warnings. +1 whitespace 0m 0s The patch has no lines that end in whitespace. +1 install 1m 29s mvn install still works. +1 eclipse:eclipse 0m 34s The patch built with eclipse:eclipse. +1 common tests 1m 36s Tests passed in hadoop-kms. +1 hdfs tests 3m 35s Tests passed in hadoop-hdfs-httpfs.     41m 58s   Subsystem Report/Notes Patch URL http://issues.apache.org/jira/secure/attachment/12764737/Enable_TLSv1_1_and_TLSv1_2_for_HttpFS_and_KMS_services.patch Optional Tests javadoc javac unit git revision trunk / fdf02d1 Release Audit https://builds.apache.org/job/PreCommit-HADOOP-Build/7760/artifact/patchprocess/patchReleaseAuditProblems.txt hadoop-kms test log https://builds.apache.org/job/PreCommit-HADOOP-Build/7760/artifact/patchprocess/testrun_hadoop-kms.txt hadoop-hdfs-httpfs test log https://builds.apache.org/job/PreCommit-HADOOP-Build/7760/artifact/patchprocess/testrun_hadoop-hdfs-httpfs.txt Test Results https://builds.apache.org/job/PreCommit-HADOOP-Build/7760/testReport/ Java 1.7.0_55 uname Linux asf900.gq1.ygridcore.net 3.13.0-36-lowlatency #63-Ubuntu SMP PREEMPT Wed Sep 3 21:56:12 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux Console output https://builds.apache.org/job/PreCommit-HADOOP-Build/7760/console This message was automatically generated.
          Hide
          SINGHVJD Vijay Singh added a comment -

          The two -1 are encountered across all patches. Please suggest if anything is required from my side.

          Show
          SINGHVJD Vijay Singh added a comment - The two -1 are encountered across all patches. Please suggest if anything is required from my side.
          Hide
          cmccabe Colin P. McCabe added a comment -

          +1. Will commit tomorrow if there are no more comments.

          Show
          cmccabe Colin P. McCabe added a comment - +1. Will commit tomorrow if there are no more comments.
          Hide
          vinodkv Vinod Kumar Vavilapalli added a comment -

          Colin P. McCabe, can this please be committed as you've reviewed it already? Considering this for a 2.7.2 RC this weekend.

          Show
          vinodkv Vinod Kumar Vavilapalli added a comment - Colin P. McCabe , can this please be committed as you've reviewed it already? Considering this for a 2.7.2 RC this weekend.
          Hide
          vinodkv Vinod Kumar Vavilapalli added a comment -

          Colin P. McCabe, gentle bump again. Will be great if this can get committed in a day or two, as I am chasing a few other tickets besides this. Thanks.

          Show
          vinodkv Vinod Kumar Vavilapalli added a comment - Colin P. McCabe , gentle bump again. Will be great if this can get committed in a day or two, as I am chasing a few other tickets besides this. Thanks.
          Hide
          vinodkv Vinod Kumar Vavilapalli added a comment -

          Moving this out into 2.7.3 in the interest of 2.7.2's progress.

          Show
          vinodkv Vinod Kumar Vavilapalli added a comment - Moving this out into 2.7.3 in the interest of 2.7.2's progress.
          Hide
          wheat9 Haohui Mai added a comment -

          +1. Committing shortly

          Show
          wheat9 Haohui Mai added a comment - +1. Committing shortly
          Hide
          wheat9 Haohui Mai added a comment -

          I've committed the patch to trunk and branch-2. Thanks Vijay Singh for the contribution.

          Show
          wheat9 Haohui Mai added a comment - I've committed the patch to trunk and branch-2. Thanks Vijay Singh for the contribution.
          Hide
          hudson Hudson added a comment -

          SUCCESS: Integrated in Hadoop-trunk-Commit #8842 (See https://builds.apache.org/job/Hadoop-trunk-Commit/8842/)
          HADOOP-11218. Add TLSv1.1,TLSv1.2 to KMS, HttpFS, SSLFactory. (wheat9: rev 66428d33a7b6e3de59f63ecdd05d59f7d805527b)

          • hadoop-common-project/hadoop-kms/src/main/tomcat/ssl-server.xml.conf
          • hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/tomcat/ssl-server.xml.conf
          • hadoop-common-project/hadoop-common/CHANGES.txt
          Show
          hudson Hudson added a comment - SUCCESS: Integrated in Hadoop-trunk-Commit #8842 (See https://builds.apache.org/job/Hadoop-trunk-Commit/8842/ ) HADOOP-11218 . Add TLSv1.1,TLSv1.2 to KMS, HttpFS, SSLFactory. (wheat9: rev 66428d33a7b6e3de59f63ecdd05d59f7d805527b) hadoop-common-project/hadoop-kms/src/main/tomcat/ssl-server.xml.conf hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/tomcat/ssl-server.xml.conf hadoop-common-project/hadoop-common/CHANGES.txt
          Hide
          hudson Hudson added a comment -

          FAILURE: Integrated in Hadoop-Mapreduce-trunk-Java8 #696 (See https://builds.apache.org/job/Hadoop-Mapreduce-trunk-Java8/696/)
          HADOOP-11218. Add TLSv1.1,TLSv1.2 to KMS, HttpFS, SSLFactory. (wheat9: rev 66428d33a7b6e3de59f63ecdd05d59f7d805527b)

          • hadoop-common-project/hadoop-kms/src/main/tomcat/ssl-server.xml.conf
          • hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/tomcat/ssl-server.xml.conf
          • hadoop-common-project/hadoop-common/CHANGES.txt
          Show
          hudson Hudson added a comment - FAILURE: Integrated in Hadoop-Mapreduce-trunk-Java8 #696 (See https://builds.apache.org/job/Hadoop-Mapreduce-trunk-Java8/696/ ) HADOOP-11218 . Add TLSv1.1,TLSv1.2 to KMS, HttpFS, SSLFactory. (wheat9: rev 66428d33a7b6e3de59f63ecdd05d59f7d805527b) hadoop-common-project/hadoop-kms/src/main/tomcat/ssl-server.xml.conf hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/tomcat/ssl-server.xml.conf hadoop-common-project/hadoop-common/CHANGES.txt
          Hide
          hudson Hudson added a comment -

          FAILURE: Integrated in Hadoop-Mapreduce-trunk #2637 (See https://builds.apache.org/job/Hadoop-Mapreduce-trunk/2637/)
          HADOOP-11218. Add TLSv1.1,TLSv1.2 to KMS, HttpFS, SSLFactory. (wheat9: rev 66428d33a7b6e3de59f63ecdd05d59f7d805527b)

          • hadoop-common-project/hadoop-common/CHANGES.txt
          • hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/tomcat/ssl-server.xml.conf
          • hadoop-common-project/hadoop-kms/src/main/tomcat/ssl-server.xml.conf
          Show
          hudson Hudson added a comment - FAILURE: Integrated in Hadoop-Mapreduce-trunk #2637 (See https://builds.apache.org/job/Hadoop-Mapreduce-trunk/2637/ ) HADOOP-11218 . Add TLSv1.1,TLSv1.2 to KMS, HttpFS, SSLFactory. (wheat9: rev 66428d33a7b6e3de59f63ecdd05d59f7d805527b) hadoop-common-project/hadoop-common/CHANGES.txt hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/tomcat/ssl-server.xml.conf hadoop-common-project/hadoop-kms/src/main/tomcat/ssl-server.xml.conf
          Hide
          hudson Hudson added a comment -

          FAILURE: Integrated in Hadoop-Yarn-trunk-Java8 #708 (See https://builds.apache.org/job/Hadoop-Yarn-trunk-Java8/708/)
          HADOOP-11218. Add TLSv1.1,TLSv1.2 to KMS, HttpFS, SSLFactory. (wheat9: rev 66428d33a7b6e3de59f63ecdd05d59f7d805527b)

          • hadoop-common-project/hadoop-kms/src/main/tomcat/ssl-server.xml.conf
          • hadoop-common-project/hadoop-common/CHANGES.txt
          • hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/tomcat/ssl-server.xml.conf
          Show
          hudson Hudson added a comment - FAILURE: Integrated in Hadoop-Yarn-trunk-Java8 #708 (See https://builds.apache.org/job/Hadoop-Yarn-trunk-Java8/708/ ) HADOOP-11218 . Add TLSv1.1,TLSv1.2 to KMS, HttpFS, SSLFactory. (wheat9: rev 66428d33a7b6e3de59f63ecdd05d59f7d805527b) hadoop-common-project/hadoop-kms/src/main/tomcat/ssl-server.xml.conf hadoop-common-project/hadoop-common/CHANGES.txt hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/tomcat/ssl-server.xml.conf
          Hide
          hudson Hudson added a comment -

          FAILURE: Integrated in Hadoop-Yarn-trunk #1433 (See https://builds.apache.org/job/Hadoop-Yarn-trunk/1433/)
          HADOOP-11218. Add TLSv1.1,TLSv1.2 to KMS, HttpFS, SSLFactory. (wheat9: rev 66428d33a7b6e3de59f63ecdd05d59f7d805527b)

          • hadoop-common-project/hadoop-common/CHANGES.txt
          • hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/tomcat/ssl-server.xml.conf
          • hadoop-common-project/hadoop-kms/src/main/tomcat/ssl-server.xml.conf
          Show
          hudson Hudson added a comment - FAILURE: Integrated in Hadoop-Yarn-trunk #1433 (See https://builds.apache.org/job/Hadoop-Yarn-trunk/1433/ ) HADOOP-11218 . Add TLSv1.1,TLSv1.2 to KMS, HttpFS, SSLFactory. (wheat9: rev 66428d33a7b6e3de59f63ecdd05d59f7d805527b) hadoop-common-project/hadoop-common/CHANGES.txt hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/tomcat/ssl-server.xml.conf hadoop-common-project/hadoop-kms/src/main/tomcat/ssl-server.xml.conf
          Hide
          hudson Hudson added a comment -

          FAILURE: Integrated in Hadoop-Hdfs-trunk #2567 (See https://builds.apache.org/job/Hadoop-Hdfs-trunk/2567/)
          HADOOP-11218. Add TLSv1.1,TLSv1.2 to KMS, HttpFS, SSLFactory. (wheat9: rev 66428d33a7b6e3de59f63ecdd05d59f7d805527b)

          • hadoop-common-project/hadoop-kms/src/main/tomcat/ssl-server.xml.conf
          • hadoop-common-project/hadoop-common/CHANGES.txt
          • hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/tomcat/ssl-server.xml.conf
          Show
          hudson Hudson added a comment - FAILURE: Integrated in Hadoop-Hdfs-trunk #2567 (See https://builds.apache.org/job/Hadoop-Hdfs-trunk/2567/ ) HADOOP-11218 . Add TLSv1.1,TLSv1.2 to KMS, HttpFS, SSLFactory. (wheat9: rev 66428d33a7b6e3de59f63ecdd05d59f7d805527b) hadoop-common-project/hadoop-kms/src/main/tomcat/ssl-server.xml.conf hadoop-common-project/hadoop-common/CHANGES.txt hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/tomcat/ssl-server.xml.conf
          Hide
          hudson Hudson added a comment -

          FAILURE: Integrated in Hadoop-Hdfs-trunk-Java8 #629 (See https://builds.apache.org/job/Hadoop-Hdfs-trunk-Java8/629/)
          HADOOP-11218. Add TLSv1.1,TLSv1.2 to KMS, HttpFS, SSLFactory. (wheat9: rev 66428d33a7b6e3de59f63ecdd05d59f7d805527b)

          • hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/tomcat/ssl-server.xml.conf
          • hadoop-common-project/hadoop-common/CHANGES.txt
          • hadoop-common-project/hadoop-kms/src/main/tomcat/ssl-server.xml.conf
          Show
          hudson Hudson added a comment - FAILURE: Integrated in Hadoop-Hdfs-trunk-Java8 #629 (See https://builds.apache.org/job/Hadoop-Hdfs-trunk-Java8/629/ ) HADOOP-11218 . Add TLSv1.1,TLSv1.2 to KMS, HttpFS, SSLFactory. (wheat9: rev 66428d33a7b6e3de59f63ecdd05d59f7d805527b) hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/tomcat/ssl-server.xml.conf hadoop-common-project/hadoop-common/CHANGES.txt hadoop-common-project/hadoop-kms/src/main/tomcat/ssl-server.xml.conf
          Hide
          arpitagarwal Arpit Agarwal added a comment -

          This looks like a candidate for branch-2.7 (along with HADOOP-12817).

          Show
          arpitagarwal Arpit Agarwal added a comment - This looks like a candidate for branch-2.7 (along with HADOOP-12817 ).

            People

            • Assignee:
              SINGHVJD Vijay Singh
              Reporter:
              rkanter Robert Kanter
            • Votes:
              1 Vote for this issue
              Watchers:
              14 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:

                Development