Uploaded image for project: 'Hadoop HDFS'
  1. Hadoop HDFS
  2. HDFS-2617

Replaced Kerberized SSL for image transfer and fsck with SPNEGO-based solution

    XMLWordPrintableJSON

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.0.0-alpha
    • Fix Version/s: 1.1.0, 2.0.2-alpha
    • Component/s: security
    • Labels:
      None
    • Target Version/s:
    • Hadoop Flags:
      Incompatible change, Reviewed
    • Release Note:
      Hide
      Due to the requirement that KSSL use weak encryption types for Kerberos tickets, HTTP authentication to the NameNode will now use SPNEGO by default. This will require users of previous branch-1 releases with security enabled to modify their configurations and create new Kerberos principals in order to use SPNEGO. The old behavior of using KSSL can optionally be enabled by setting the configuration option "hadoop.security.use-weak-http-crypto" to "true".
      Show
      Due to the requirement that KSSL use weak encryption types for Kerberos tickets, HTTP authentication to the NameNode will now use SPNEGO by default. This will require users of previous branch-1 releases with security enabled to modify their configurations and create new Kerberos principals in order to use SPNEGO. The old behavior of using KSSL can optionally be enabled by setting the configuration option "hadoop.security.use-weak-http-crypto" to "true".

      Description

      The current approach to secure and authenticate nn web services is based on Kerberized SSL and was developed when a SPNEGO solution wasn't available. Now that we have one, we can get rid of the non-standard KSSL and use SPNEGO throughout. This will simplify setup and configuration. Also, Kerberized SSL is a non-standard approach with its own quirks and dark corners (HDFS-2386).

        Attachments

        1. HDFS-2617-branch-1.patch
          42 kB
          Aaron Myers
        2. HDFS-2617-branch-1.patch
          41 kB
          Aaron Myers
        3. HDFS-2617-branch-1.patch
          44 kB
          Aaron Myers
        4. hdfs-2617-1.1.patch
          58 kB
          Owen O'Malley
        5. HDFS-2617-trunk.patch
          61 kB
          Aaron Myers
        6. HDFS-2617-trunk.patch
          60 kB
          Aaron Myers
        7. HDFS-2617-config.patch
          0.6 kB
          Owen O'Malley
        8. HDFS-2617-trunk.patch
          59 kB
          Alejandro Abdelnur
        9. HDFS-2617-trunk.patch
          58 kB
          Alejandro Abdelnur
        10. HDFS-2617-b.patch
          57 kB
          Owen O'Malley
        11. HDFS-2617-a.patch
          56 kB
          Jakob Homan

          Issue Links

          breaks

          Bug - A problem which impairs or prevents the functions of the product. HDFS-3434 InvalidProtocolBufferException when visiting DN browseDirectory.jsp

          • Major - Major loss of function.
          • Resolved

          Bug - A problem which impairs or prevents the functions of the product. HDFS-3698 TestHftpFileSystem is failing in branch-1 due to changed default secure port

          • Major - Major loss of function.
          • Closed
          is depended upon by

          Bug - A problem which impairs or prevents the functions of the product. HDFS-3348 After HDFS-2617 can't use 0.0.0.0 in dfs.http.address

          • Major - Major loss of function.
          • Open
          is related to

          Sub-task - The sub-task of the issue HDFS-3426 Replaced Kerberized SSL for journal segment transfer with SPNEGO-based solution

          • Major - Major loss of function.
          • Open

          Bug - A problem which impairs or prevents the functions of the product. HDFS-3989 Remove duplicate Http server SSL code

          • Major - Major loss of function.
          • Open

          Bug - A problem which impairs or prevents the functions of the product. HDFS-3461 HFTP should use the same port & protocol for getting the delegation token

          • Major - Major loss of function.
          • Closed
          relates to

          Bug - A problem which impairs or prevents the functions of the product. HDFS-2386 with security enabled fsck calls lead to handshake_failure and hftp fails throwing the same exception in the logs

          • Major - Major loss of function.
          • Resolved

            Activity

              People

              • Assignee:
                jghoman Jakob Homan
                Reporter:
                jghoman Jakob Homan
              • Votes:
                1 Vote for this issue
                Watchers:
                30 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: