  1. Hadoop Common
  2. HADOOP-14340

Enable KMS and HttpFS to exclude SSL ciphers

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 3.0.0-alpha2
    • Fix Version/s: 3.0.0-alpha4
    • Component/s: kms
    • Labels:
      None

      Description

      HADOOP-12668 added HttpServer2$Builder#excludeCiphers to exclude SSL ciphers. Enable KMS and HttpFS to use this feature by modifying HttpServer2$Builder#loadSSLConfiguration, which is called by both.

          Activity

          hudson Hudson added a comment -

          SUCCESS: Integrated in Jenkins build Hadoop-trunk-Commit #11635 (See https://builds.apache.org/job/Hadoop-trunk-Commit/11635/)
          HADOOP-14340. Enable KMS and HttpFS to exclude SSL ciphers. Contributed (jzhuge: rev edd693833b468623562c1b1085f79cbafbee9f15)

          • (edit) hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java
          jzhuge John Zhuge added a comment -

          Committed to trunk.

          Thanks Lei (Eddy) Xu for the review!

          eddyxu Lei (Eddy) Xu added a comment -

          +1. Thanks for the fix, John Zhuge!

          hadoopqa Hadoop QA added a comment -
          -1 overall



          Vote Subsystem Runtime Comment
          0 reexec 0m 18s Docker mode activated.
          +1 @author 0m 0s The patch does not contain any @author tags.
          -1 test4tests 0m 0s The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch.
          +1 mvninstall 13m 41s trunk passed
          +1 compile 17m 16s trunk passed
          +1 checkstyle 0m 36s trunk passed
          +1 mvnsite 1m 7s trunk passed
          +1 mvneclipse 0m 20s trunk passed
          -1 findbugs 1m 26s hadoop-common-project/hadoop-common in trunk has 17 extant Findbugs warnings.
          +1 javadoc 0m 50s trunk passed
          +1 mvninstall 0m 40s the patch passed
          +1 compile 15m 23s the patch passed
          +1 javac 15m 23s the patch passed
          +1 checkstyle 0m 40s the patch passed
          +1 mvnsite 1m 16s the patch passed
          +1 mvneclipse 0m 23s the patch passed
          +1 whitespace 0m 0s The patch has no whitespace issues.
          +1 findbugs 1m 57s the patch passed
          +1 javadoc 0m 59s the patch passed
          -1 unit 7m 32s hadoop-common in the patch failed.
          +1 asflicense 0m 35s The patch does not generate ASF License warnings.
          67m 4s



          Reason Tests
          Failed junit tests hadoop.security.TestRaceWhenRelogin



          Subsystem Report/Notes
          Docker Image:yetus/hadoop:0ac17dc
          JIRA Issue HADOOP-14340
          JIRA Patch URL https://issues.apache.org/jira/secure/attachment/12864464/HADOOP-14340.001.patch
          Optional Tests asflicense compile javac javadoc mvninstall mvnsite unit findbugs checkstyle
          uname Linux a1dde4638b9d 3.13.0-108-generic #155-Ubuntu SMP Wed Jan 11 16:58:52 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
          Build tool maven
          Personality /testptch/hadoop/patchprocess/precommit/personality/provided.sh
          git revision trunk / b080338
          Default Java 1.8.0_121
          findbugs v3.1.0-RC1
          findbugs https://builds.apache.org/job/PreCommit-HADOOP-Build/12148/artifact/patchprocess/branch-findbugs-hadoop-common-project_hadoop-common-warnings.html
          unit https://builds.apache.org/job/PreCommit-HADOOP-Build/12148/artifact/patchprocess/patch-unit-hadoop-common-project_hadoop-common.txt
          Test Results https://builds.apache.org/job/PreCommit-HADOOP-Build/12148/testReport/
          modules C: hadoop-common-project/hadoop-common U: hadoop-common-project/hadoop-common
          Console output https://builds.apache.org/job/PreCommit-HADOOP-Build/12148/console
          Powered by Apache Yetus 0.5.0-SNAPSHOT http://yetus.apache.org

          This message was automatically generated.

          jzhuge John Zhuge added a comment -

          Patch 001

          • Call excludeCiphers in loadSSLConfiguration

          Test log

          # Start KMS and HttpFS using the configuration in config/ssl
          $ ./pseudo_dist start config/ssl
          …
          $ sslscan 127.0.0.1:9600 > /tmp/kms.ssl
          $ sslscan 127.0.0.1:14000 > /tmp/httpfs.ssl
          
          # Restart KMS and HttpFS using the configuration in config/ssl_1
          $ ./pseudo_dist restart config/ssl_1
          …
          $ sslscan 127.0.0.1:9600 > /tmp/kms.ssl_1
          $ sslscan 127.0.0.1:14000 > /tmp/httpfs.ssl_1
          
          # The only difference between the 2 config dirs is the extra cipher to exclude
          $ diff config/{ssl,ssl_1}/ssl-server.xml
          60a61
          >   TLS_RSA_WITH_AES_128_GCM_SHA256,
          
          # The extra cipher is properly excluded by KMS
          $ diff /tmp/kms.ssl /tmp/kms.ssl_1
          31d30
          < Accepted  TLSv1.2  128 bits  AES128-GCM-SHA256
          
          # The extra cipher is properly excluded by HttpFS
          $ diff /tmp/httpfs.ssl /tmp/httpfs.ssl_1
          31d30
          < Accepted  TLSv1.2  128 bits  AES128-GCM-SHA256
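
The check from the test log above as a repeatable script (an added example, not part of the issue or the Hadoop patch). The exclude list uses JSSE names while sslscan prints OpenSSL names, so the script translates before comparing; the function names and sample report are constructed, and only AES suites are translated.

```shell
#!/bin/sh
# Added example (not from the issue): verify an exclude list against sslscan
# output. Function names and the sample report are constructed for illustration.

# Translate a JSSE AES suite name to the OpenSSL name that sslscan prints.
# Prints nothing for suites outside the AES families handled here.
jsse_to_openssl() {
  printf '%s\n' "$1" |
    sed -E -n 's/^TLS_((ECDHE|DHE)_(RSA|ECDSA|DSS)|RSA)_WITH_AES_(128|256)_(GCM|CBC)_(SHA(256|384)?)$/\1-AES\4-\5-\6/p' |
    sed -E -e 's/_/-/g' -e 's/^RSA-//' -e 's/-CBC-/-/'
}

# List the OpenSSL cipher names a report shows as accepted by the server.
accepted_ciphers() {
  awk '$1 == "Accepted" || $1 == "Preferred" { print $5 }' "$1" | sort -u
}

# still_accepted "<comma-separated JSSE names>" <sslscan report file>
# Prints one line per excluded suite the server still accepts. Names that
# cannot be translated are flagged UNMAPPED instead of silently passing.
still_accepted() {
  printf '%s\n' "$1" | tr ',' '\n' | tr -d ' \t' | while read -r suite; do
    [ -n "$suite" ] || continue
    name=$(jsse_to_openssl "$suite")
    if [ -z "$name" ]; then
      echo "UNMAPPED $suite"
    elif accepted_ciphers "$2" | grep -qxF -- "$name"; then
      echo "ACCEPTED $suite ($name)"
    fi
  done
}

# Constructed sample in the line format shown in the test log above.
sample_report() {
  cat > "$1" <<'EOF'
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384
Accepted  TLSv1.2  128 bits  AES128-GCM-SHA256
Accepted  TLSv1.2  128 bits  AES128-SHA
EOF
}

report=$(mktemp)
sample_report "$report"
# The first suite is still offered by the sample server; the second is not.
still_accepted "TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA" "$report"
rm -f "$report"
```

An empty result means none of the translated suites were accepted; any UNMAPPED line needs a manual comparison against the report.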
          

            People

            • Assignee:
              jzhuge John Zhuge
              Reporter:
              jzhuge John Zhuge