[HDFS-2617] Replaced Kerberized SSL for image transfer and fsck with SPNEGO-based solution - ASF JIRA

Details

Type: Improvement
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 2.0.0-alpha
Fix Version/s: 1.1.0, 2.0.2-alpha
Component/s: security
Labels:
None

Target Version/s:

1.1.0, 2.0.0-alpha
Hadoop Flags:

Incompatible change, Reviewed
Release Note:

Hide
Due to the requirement that KSSL use weak encryption types for Kerberos tickets, HTTP authentication to the NameNode will now use SPNEGO by default. This will require users of previous branch-1 releases with security enabled to modify their configurations and create new Kerberos principals in order to use SPNEGO. The old behavior of using KSSL can optionally be enabled by setting the configuration option "hadoop.security.use-weak-http-crypto" to "true".

Show
Due to the requirement that KSSL use weak encryption types for Kerberos tickets, HTTP authentication to the NameNode will now use SPNEGO by default. This will require users of previous branch-1 releases with security enabled to modify their configurations and create new Kerberos principals in order to use SPNEGO. The old behavior of using KSSL can optionally be enabled by setting the configuration option "hadoop.security.use-weak-http-crypto" to "true".

Description

The current approach to secure and authenticate nn web services is based on Kerberized SSL and was developed when a SPNEGO solution wasn't available. Now that we have one, we can get rid of the non-standard KSSL and use SPNEGO throughout. This will simplify setup and configuration. Also, Kerberized SSL is a non-standard approach with its own quirks and dark corners (~~HDFS-2386~~).

Options
- Sort By Name
- Sort By Date
- Ascending
- Descending

Attachments

hdfs-2617-1.1.patch

26/Jun/12 00:51

58 kB

Owen O'Malley
HDFS-2617-a.patch

25/Jan/12 22:00

56 kB

Jakob Homan
HDFS-2617-b.patch

20/Apr/12 19:13

57 kB

Owen O'Malley
HDFS-2617-branch-1.patch

19/Jul/12 19:36

42 kB

Aaron T. Myers
HDFS-2617-branch-1.patch

19/Jul/12 00:52

41 kB

Aaron T. Myers
HDFS-2617-branch-1.patch

18/Jul/12 08:22

44 kB

Aaron T. Myers
HDFS-2617-config.patch

03/May/12 22:42

0.6 kB

Owen O'Malley
HDFS-2617-trunk.patch

04/May/12 05:21

61 kB

Aaron T. Myers
HDFS-2617-trunk.patch

04/May/12 02:54

60 kB

Aaron T. Myers
HDFS-2617-trunk.patch

03/May/12 19:20

59 kB

Alejandro Abdelnur
HDFS-2617-trunk.patch

27/Apr/12 17:17

58 kB

Alejandro Abdelnur

Issue Links

breaks

HDFS-3434 InvalidProtocolBufferException when visiting DN browseDirectory.jsp

Resolved

HDFS-3698 TestHftpFileSystem is failing in branch-1 due to changed default secure port

Closed

is depended upon by

HDFS-3348 After HDFS-2617 can't use 0.0.0.0 in dfs.http.address

Open

is related to

HDFS-3426 Replaced Kerberized SSL for journal segment transfer with SPNEGO-based solution

Open

HDFS-3989 Remove duplicate Http server SSL code

Open

HDFS-3461 HFTP should use the same port & protocol for getting the delegation token

Closed

relates to

HDFS-2386 with security enabled fsck calls lead to handshake_failure and hftp fails throwing the same exception in the logs

Resolved

Show 2 more links (1 is related to, 1 relates to)

Options
- Show All
- Show Open

Sub-Tasks

There are no Sub-Tasks for this issue.

Activity

No work has yet been logged on this issue.

People

Assignee:

Jakob Homan

Reporter:

Jakob Homan

Votes:

1 Vote for this issue

Watchers:

31 Start watching this issue

Dates

Created:

01/Dec/11 02:37

Updated:

02/May/13 03:29

Resolved:

20/Jul/12 00:18

Development

Agile

View on Board