Uploaded image for project: 'Hadoop HDFS'
  1. Hadoop HDFS
  2. HDFS-2617

Replaced Kerberized SSL for image transfer and fsck with SPNEGO-based solution

          Details

          • Type: Improvement
          • Status: Closed
          • Priority: Major
          • Resolution: Fixed
          • Affects Version/s: 2.0.0-alpha
          • Fix Version/s: 1.1.0, 2.0.2-alpha
          • Component/s: security
          • Labels:
            None
          • Target Version/s:
          • Hadoop Flags:
            Incompatible change, Reviewed
          • Release Note:
            Hide
            Due to the requirement that KSSL use weak encryption types for Kerberos tickets, HTTP authentication to the NameNode will now use SPNEGO by default. This will require users of previous branch-1 releases with security enabled to modify their configurations and create new Kerberos principals in order to use SPNEGO. The old behavior of using KSSL can optionally be enabled by setting the configuration option "hadoop.security.use-weak-http-crypto" to "true".
            Show
            Due to the requirement that KSSL use weak encryption types for Kerberos tickets, HTTP authentication to the NameNode will now use SPNEGO by default. This will require users of previous branch-1 releases with security enabled to modify their configurations and create new Kerberos principals in order to use SPNEGO. The old behavior of using KSSL can optionally be enabled by setting the configuration option "hadoop.security.use-weak-http-crypto" to "true".

            Description

            The current approach to secure and authenticate nn web services is based on Kerberized SSL and was developed when a SPNEGO solution wasn't available. Now that we have one, we can get rid of the non-standard KSSL and use SPNEGO throughout. This will simplify setup and configuration. Also, Kerberized SSL is a non-standard approach with its own quirks and dark corners (HDFS-2386).

              Attachments

              1. hdfs-2617-1.1.patch
                58 kB
                Owen O'Malley
              2. HDFS-2617-a.patch
                56 kB
                Jakob Homan
              3. HDFS-2617-b.patch
                57 kB
                Owen O'Malley
              4. HDFS-2617-branch-1.patch
                42 kB
                Aaron T. Myers
              5. HDFS-2617-branch-1.patch
                41 kB
                Aaron T. Myers
              6. HDFS-2617-branch-1.patch
                44 kB
                Aaron T. Myers
              7. HDFS-2617-config.patch
                0.6 kB
                Owen O'Malley
              8. HDFS-2617-trunk.patch
                61 kB
                Aaron T. Myers
              9. HDFS-2617-trunk.patch
                60 kB
                Aaron T. Myers
              10. HDFS-2617-trunk.patch
                59 kB
                Alejandro Abdelnur
              11. HDFS-2617-trunk.patch
                58 kB
                Alejandro Abdelnur

                Issue Links

                breaks

                Bug - A problem which impairs or prevents the functions of the product. HDFS-3434 InvalidProtocolBufferException when visiting DN browseDirectory.jsp

                • Major - Major loss of function.
                • Resolved

                Bug - A problem which impairs or prevents the functions of the product. HDFS-3698 TestHftpFileSystem is failing in branch-1 due to changed default secure port

                • Major - Major loss of function.
                • Closed
                is depended upon by

                Bug - A problem which impairs or prevents the functions of the product. HDFS-3348 After HDFS-2617 can't use 0.0.0.0 in dfs.http.address

                • Major - Major loss of function.
                • Open
                is related to

                Sub-task - The sub-task of the issue HDFS-3426 Replaced Kerberized SSL for journal segment transfer with SPNEGO-based solution

                • Major - Major loss of function.
                • Open

                Bug - A problem which impairs or prevents the functions of the product. HDFS-3989 Remove duplicate Http server SSL code

                • Major - Major loss of function.
                • Open

                Bug - A problem which impairs or prevents the functions of the product. HDFS-3461 HFTP should use the same port & protocol for getting the delegation token

                • Major - Major loss of function.
                • Closed
                relates to

                Bug - A problem which impairs or prevents the functions of the product. HDFS-2386 with security enabled fsck calls lead to handshake_failure and hftp fails throwing the same exception in the logs

                • Major - Major loss of function.
                • Resolved

                  Activity

                    People

                    • Assignee:
                      jghoman Jakob Homan
                      Reporter:
                      jghoman Jakob Homan
                    • Votes:
                      1 Vote for this issue
                      Watchers:
                      30 Start watching this issue

                      Dates

                      • Created:
                        Updated:
                        Resolved: