Hadoop Common / HADOOP-12862

LDAP Group Mapping over SSL can not specify trust store


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.10.0, 2.9.1, 2.8.4, 2.7.6, 3.2.0, 3.1.1, 3.0.3
    • Component/s: None
    • Labels: None
    • Hadoop Flags: Reviewed

    Description

      In a secure environment, SSL is used to encrypt LDAP requests for group mapping resolution.
      We (Mike Yoder, Todd Grayson) have found that its implementation is strange.

      For information, the Hadoop name node, as an LDAP client, talks to an LDAP server to resolve the group mapping of a user. In the case of LDAP over SSL, a typical scenario is to establish one-way authentication (the client verifies that the server's certificate is real) by storing the server's certificate in the client's truststore.

      A rarer scenario is to establish two-way authentication: in addition to storing a truststore for the client to verify the server, the server also verifies that the client's certificate is real, and the client stores its own certificate in its keystore.

      However, the current implementation for LDAP over SSL does not seem to be correct in that it only configures a keystore but no truststore (so the LDAP server can verify Hadoop's certificate, but Hadoop may not be able to verify the LDAP server's certificate).

      I think there should be an extra pair of properties to specify the truststore/password for the LDAP server, and use that to configure the system properties javax.net.ssl.trustStore/javax.net.ssl.trustStorePassword.

      I am a security layman so my words can be imprecise. But I hope this makes sense.

      Oracle's SSL LDAP documentation: http://docs.oracle.com/javase/jndi/tutorial/ldap/security/ssl.html
      JSSE reference guide: http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html
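      The keystore/truststore split the description is about, as an added example written for this page; it is not Hadoop's LdapGroupsMapping and not the code in the attached patches. It builds one SSLContext from two separate stores (truststore: who the client trusts; keystore: who the client is) and hands it to the JNDI LDAP provider through a custom socket factory, so nothing is written to the JVM-global javax.net.ssl.* properties that the description proposes. The ldaps.* system property names, the connect() helper and the class name are assumptions for illustration. Two caveats a practitioner will want: when javax.net.ssl.trustStore is unset, JSSE falls back to the JDK's default cacerts file, so "keystore only" means "trust whatever CAs ship with the JDK", not "no verification"; and a truststore only validates the certificate chain, it does not bind the certificate to the host name, which is why the factory enables endpoint identification explicitly.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.net.SocketFactory;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * LDAPS socket factory that configures both halves of the TLS handshake:
 *  - truststore (mandatory): CA certificate(s) used to verify the LDAP server;
 *  - keystore (optional): this client's certificate and private key, presented
 *    only when the server requests client authentication (two-way auth).
 * Settings are read from hypothetical ldaps.* system properties (an assumption
 * of this example) rather than the JVM-global javax.net.ssl.* properties, so
 * they cannot collide with other TLS clients running in the same process.
 */
public class LdapsSocketFactory extends SocketFactory {
    private static final SSLSocketFactory DELEGATE = buildDelegate();

    private static SSLSocketFactory buildDelegate() {
        try {
            // Who we trust: without this the server's chain cannot be verified.
            String tsPath = System.getProperty("ldaps.truststore");
            if (tsPath == null) {
                throw new IllegalStateException("ldaps.truststore is required for LDAPS");
            }
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                    TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(load(tsPath, System.getProperty("ldaps.truststore.password")));

            // Who we are: only needed if the LDAP server verifies the client.
            KeyManagerFactory kmf = null;
            String ksPath = System.getProperty("ldaps.keystore");
            if (ksPath != null) {
                String ksPass = System.getProperty("ldaps.keystore.password", "");
                kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
                kmf.init(load(ksPath, ksPass), ksPass.toCharArray());
            }

            SSLContext ctx = SSLContext.getInstance("TLS");
            ctx.init(kmf == null ? null : kmf.getKeyManagers(), tmf.getTrustManagers(), null);
            return ctx.getSocketFactory();
        } catch (GeneralSecurityException | IOException e) {
            throw new IllegalStateException("cannot initialise LDAPS socket factory", e);
        }
    }

    private static KeyStore load(String path, String password)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) {
            // A null password skips the integrity check but still loads the entries.
            ks.load(in, password == null ? null : password.toCharArray());
        }
        return ks;
    }

    /** Chain validation alone does not tie the certificate to the host name;
     *  endpoint identification makes JSSE check the SAN/CN against the URL host. */
    private static Socket pin(Socket s) {
        if (s instanceof SSLSocket) {
            SSLSocket ssl = (SSLSocket) s;
            SSLParameters p = ssl.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("LDAPS");
            ssl.setSSLParameters(p);
        }
        return s;
    }

    /** JNDI looks this static method up by name on the configured class. */
    public static SocketFactory getDefault() { return new LdapsSocketFactory(); }

    @Override public Socket createSocket(String h, int p) throws IOException {
        return pin(DELEGATE.createSocket(h, p));
    }
    @Override public Socket createSocket(String h, int p, InetAddress lh, int lp) throws IOException {
        return pin(DELEGATE.createSocket(h, p, lh, lp));
    }
    @Override public Socket createSocket(InetAddress h, int p) throws IOException {
        return pin(DELEGATE.createSocket(h, p));
    }
    @Override public Socket createSocket(InetAddress h, int p, InetAddress lh, int lp) throws IOException {
        return pin(DELEGATE.createSocket(h, p, lh, lp));
    }

    /** Opens an LDAPS bind that routes through the factory above (illustrative helper). */
    public static DirContext connect(String ldapsUrl, String bindDn, String bindPassword)
            throws NamingException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapsUrl);   // e.g. ldaps://ldap.example.com:636
        env.put(Context.SECURITY_PROTOCOL, "ssl");
        env.put("java.naming.ldap.factory.socket", LdapsSocketFactory.class.getName());
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, bindPassword);
        return new InitialDirContext(env);
    }
}
```

      Run it with -Dldaps.truststore=/path/ldap-ca.jks (and -Dldaps.keystore=... only when the server demands a client certificate). Leaving the keystore out reproduces the common one-way case; leaving the truststore out fails fast at class load instead of silently falling back to the JDK cacerts, which is the failure mode the description is worried about.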

      Attachments

        1. HADOOP-12862.001.patch (4 kB, Wei-Chiu Chuang)
        2. HADOOP-12862.002.patch (4 kB, Wei-Chiu Chuang)
        3. HADOOP-12862.003.patch (7 kB, Wei-Chiu Chuang)
        4. HADOOP-12862.004.patch (7 kB, Wei-Chiu Chuang)
        5. HADOOP-12862.005.patch (8 kB, Wei-Chiu Chuang)
        6. HADOOP-12862.006.patch (8 kB, Wei-Chiu Chuang)
        7. HADOOP-12862.007.patch (8 kB, Wei-Chiu Chuang)
        8. HADOOP-12862.008.patch (7 kB, Wei-Chiu Chuang)
        9. HADOOP-12862.009.patch (8 kB, Konstantin Shvachko)


          People

            Assignee: Wei-Chiu Chuang (weichiu)
            Reporter: Wei-Chiu Chuang (weichiu)
            Votes: 0
            Watchers: 14
