[HDFS-2617] Replaced Kerberized SSL for image transfer and fsck with SPNEGO-based solution - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 2.0.0-alpha
Fix Version/s: 1.1.0, 2.0.2-alpha
Component/s: security
Labels:
None

Target Version/s:

1.1.0, 2.0.0-alpha
Hadoop Flags:

Incompatible change, Reviewed
Release Note:

Hide
Due to the requirement that KSSL use weak encryption types for Kerberos tickets, HTTP authentication to the NameNode will now use SPNEGO by default. This will require users of previous branch-1 releases with security enabled to modify their configurations and create new Kerberos principals in order to use SPNEGO. The old behavior of using KSSL can optionally be enabled by setting the configuration option "hadoop.security.use-weak-http-crypto" to "true".

Show
Due to the requirement that KSSL use weak encryption types for Kerberos tickets, HTTP authentication to the NameNode will now use SPNEGO by default. This will require users of previous branch-1 releases with security enabled to modify their configurations and create new Kerberos principals in order to use SPNEGO. The old behavior of using KSSL can optionally be enabled by setting the configuration option "hadoop.security.use-weak-http-crypto" to "true".

Description

The current approach to secure and authenticate nn web services is based on Kerberized SSL and was developed when a SPNEGO solution wasn't available. Now that we have one, we can get rid of the non-standard KSSL and use SPNEGO throughout. This will simplify setup and configuration. Also, Kerberized SSL is a non-standard approach with its own quirks and dark corners (~~HDFS-2386~~).

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

hdfs-2617-1.1.patch
25/Jun/12 23:51
58 kB
Owen O'Malley
HDFS-2617-a.patch
25/Jan/12 22:00
56 kB
Jakob Homan
HDFS-2617-b.patch
20/Apr/12 18:13
57 kB
Owen O'Malley
HDFS-2617-branch-1.patch
19/Jul/12 18:36
42 kB
Aaron Myers
HDFS-2617-branch-1.patch
18/Jul/12 23:52
41 kB
Aaron Myers
HDFS-2617-branch-1.patch
18/Jul/12 07:22
44 kB
Aaron Myers
HDFS-2617-config.patch
03/May/12 21:42
0.6 kB
Owen O'Malley
HDFS-2617-trunk.patch
04/May/12 04:21
61 kB
Aaron Myers
HDFS-2617-trunk.patch
04/May/12 01:54
60 kB
Aaron Myers
HDFS-2617-trunk.patch
03/May/12 18:20
59 kB
Alejandro Abdelnur
HDFS-2617-trunk.patch
27/Apr/12 16:17
58 kB
Alejandro Abdelnur

Issue Links

breaks

HDFS-3434 InvalidProtocolBufferException when visiting DN browseDirectory.jsp

Resolved

HDFS-3698 TestHftpFileSystem is failing in branch-1 due to changed default secure port

Closed

is depended upon by

HDFS-3348 After HDFS-2617 can't use 0.0.0.0 in dfs.http.address

Open

is related to

HDFS-3426 Replaced Kerberized SSL for journal segment transfer with SPNEGO-based solution

Open

HDFS-3989 Remove duplicate Http server SSL code

Open

HDFS-3461 HFTP should use the same port & protocol for getting the delegation token

Closed

relates to

HDFS-2386 with security enabled fsck calls lead to handshake_failure and hftp fails throwing the same exception in the logs

Resolved

(1 is related to, 1 relates to)

Sub-Tasks

HftpFileSystem should try both KSSL and SPNEGO when authentication is required

Closed

Unassigned

Activity

People

Assignee:: Jakob Homan

Reporter:: Jakob Homan

Votes:: 1 Vote for this issue

Watchers:: 30 Start watching this issue

Dates

Created:: 01/Dec/11 02:37

Updated:: 02/May/13 02:29

Resolved:: 19/Jul/12 23:18