Hadoop HDFS
  1. Hadoop HDFS
  2. HDFS-2617

Replaced Kerberized SSL for image transfer and fsck with SPNEGO-based solution

    Details

    • Type: Improvement Improvement
    • Status: Closed
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: 2.0.0-alpha
    • Fix Version/s: 1.1.0, 2.0.2-alpha
    • Component/s: security
    • Labels:
      None
    • Target Version/s:
    • Hadoop Flags:
      Incompatible change, Reviewed
    • Release Note:
      Hide
      Due to the requirement that KSSL use weak encryption types for Kerberos tickets, HTTP authentication to the NameNode will now use SPNEGO by default. This will require users of previous branch-1 releases with security enabled to modify their configurations and create new Kerberos principals in order to use SPNEGO. The old behavior of using KSSL can optionally be enabled by setting the configuration option "hadoop.security.use-weak-http-crypto" to "true".
      Show
      Due to the requirement that KSSL use weak encryption types for Kerberos tickets, HTTP authentication to the NameNode will now use SPNEGO by default. This will require users of previous branch-1 releases with security enabled to modify their configurations and create new Kerberos principals in order to use SPNEGO. The old behavior of using KSSL can optionally be enabled by setting the configuration option "hadoop.security.use-weak-http-crypto" to "true".

      Description

      The current approach to secure and authenticate nn web services is based on Kerberized SSL and was developed when a SPNEGO solution wasn't available. Now that we have one, we can get rid of the non-standard KSSL and use SPNEGO throughout. This will simplify setup and configuration. Also, Kerberized SSL is a non-standard approach with its own quirks and dark corners (HDFS-2386).

      1. HDFS-2617-branch-1.patch
        42 kB
        Aaron T. Myers
      2. HDFS-2617-branch-1.patch
        41 kB
        Aaron T. Myers
      3. HDFS-2617-branch-1.patch
        44 kB
        Aaron T. Myers
      4. hdfs-2617-1.1.patch
        58 kB
        Owen O'Malley
      5. HDFS-2617-trunk.patch
        61 kB
        Aaron T. Myers
      6. HDFS-2617-trunk.patch
        60 kB
        Aaron T. Myers
      7. HDFS-2617-config.patch
        0.6 kB
        Owen O'Malley
      8. HDFS-2617-trunk.patch
        59 kB
        Alejandro Abdelnur
      9. HDFS-2617-trunk.patch
        58 kB
        Alejandro Abdelnur
      10. HDFS-2617-b.patch
        57 kB
        Owen O'Malley
      11. HDFS-2617-a.patch
        56 kB
        Jakob Homan

        Issue Links

          Activity

          Gavin made changes -
          Link This issue is depended upon by HDFS-3348 [ HDFS-3348 ]
          Gavin made changes -
          Link This issue blocks HDFS-3348 [ HDFS-3348 ]
          Arun C Murthy made changes -
          Status Resolved [ 5 ] Closed [ 6 ]
          Eli Collins made changes -
          Link This issue is related to HDFS-3989 [ HDFS-3989 ]
          Arun C Murthy made changes -
          Fix Version/s 2.0.2-alpha [ 12322472 ]
          Fix Version/s 2.1.0-alpha [ 12321440 ]
          Matt Foley made changes -
          Fix Version/s 1.1.0 [ 12317959 ]
          Fix Version/s 1.2.0 [ 12321657 ]
          Target Version/s 1.2.0, 2.0.0-alpha [ 12321657, 12320353 ] 2.0.0-alpha, 1.1.0 [ 12320353, 12317959 ]
          Suresh Srinivas made changes -
          Affects Version/s 2.0.0-alpha [ 12320353 ]
          Target Version/s 1.2.0, 2.0.0-alpha [ 12321657, 12320353 ] 2.0.0-alpha, 1.2.0 [ 12320353, 12321657 ]
          Aaron T. Myers made changes -
          Link This issue breaks HDFS-3698 [ HDFS-3698 ]
          Aaron T. Myers made changes -
          Status Patch Available [ 10002 ] Resolved [ 5 ]
          Release Note Due to the requirement that KSSL use weak encryption types for Kerberos tickets, HTTP authentication to the NameNode will now use SPNEGO by default. This will require users of previous branch-1 releases with security enabled to modify their configurations and create new Kerberos principals in order to use SPNEGO. The old behavior of using KSSL can optionally be enabled by setting the configuration option "hadoop.security.use-weak-http-crypto" to "true".
          Target Version/s 1.2.0, 2.0.0-alpha [ 12321657, 12320353 ] 2.0.0-alpha, 1.2.0 [ 12320353, 12321657 ]
          Fix Version/s 1.2.0 [ 12321657 ]
          Resolution Fixed [ 1 ]
          Aaron T. Myers made changes -
          Target Version/s 1.1.0, 2.0.0-alpha [ 12317959, 12320353 ] 2.0.0-alpha, 1.2.0 [ 12320353, 12321657 ]
          Aaron T. Myers made changes -
          Attachment HDFS-2617-branch-1.patch [ 12537223 ]
          Aaron T. Myers made changes -
          Attachment HDFS-2617-branch-1.patch [ 12537100 ]
          Aaron T. Myers made changes -
          Attachment HDFS-2617-branch-1.patch [ 12536962 ]
          Owen O'Malley made changes -
          Attachment hdfs-2617-1.1.patch [ 12533408 ]
          Matt Foley made changes -
          Target Version/s 1.1.0 [ 12317959 ] 2.0.0-alpha, 1.1.0 [ 12320353, 12317959 ]
          Matt Foley made changes -
          Fix Version/s 2.0.1-alpha [ 12321440 ]
          Owen O'Malley made changes -
          Link This issue is related to HDFS-3461 [ HDFS-3461 ]
          Arun C Murthy made changes -
          Fix Version/s 2.0.0-alpha [ 12320353 ]
          Todd Lipcon made changes -
          Hadoop Flags Reviewed [ 10343 ] Incompatible change,Reviewed [ 10342, 10343 ]
          Eli Collins made changes -
          Link This issue breaks HDFS-3434 [ HDFS-3434 ]
          Brandon Li made changes -
          Link This issue is related to HDFS-3426 [ HDFS-3426 ]
          Eli Collins made changes -
          Hadoop Flags Reviewed [ 10343 ]
          Fix Version/s 2.0.0 [ 12320353 ]
          Target Version/s 3.0.0, 2.0.0, 1.1.0 [ 12320356, 12320353, 12317959 ] 1.1.0 [ 12317959 ]
          Component/s security [ 12313400 ]
          Alejandro Abdelnur made changes -
          Status Open [ 1 ] Patch Available [ 10002 ]
          Target Version/s 3.0.0, 2.0.0, 1.1.0 [ 12320356, 12320353, 12317959 ] 1.1.0, 2.0.0, 3.0.0 [ 12317959, 12320353, 12320356 ]
          Aaron T. Myers made changes -
          Attachment HDFS-2617-trunk.patch [ 12525563 ]
          Aaron T. Myers made changes -
          Attachment HDFS-2617-trunk.patch [ 12525550 ]
          Owen O'Malley made changes -
          Attachment HDFS-2617-config.patch [ 12525515 ]
          Owen O'Malley made changes -
          Target Version/s 3.0.0, 2.0.0 [ 12320356, 12320353 ] 1.1.0, 2.0.0, 3.0.0 [ 12317959, 12320353, 12320356 ]
          Alejandro Abdelnur made changes -
          Attachment HDFS-2617-trunk.patch [ 12525487 ]
          Owen O'Malley made changes -
          Link This issue blocks HDFS-3348 [ HDFS-3348 ]
          Alejandro Abdelnur made changes -
          Attachment HDFS-2617-trunk.patch [ 12524878 ]
          Owen O'Malley made changes -
          Attachment HDFS-2617-b.patch [ 12523532 ]
          Robert Joseph Evans made changes -
          Target Version/s 0.23.3 [ 12320052 ] 2.0.0, 3.0.0 [ 12320353, 12320356 ]
          Allen Wittenauer made changes -
          Link This issue relates to HDFS-2386 [ HDFS-2386 ]
          Eli Collins made changes -
          Target Version/s 0.23.1 [ 12318885 ] 0.23.3 [ 12320052 ]
          Jakob Homan made changes -
          Attachment HDFS-2617-a.patch [ 12511891 ]
          Eli Collins made changes -
          Target Version/s 0.23.1 [ 12318885 ]
          Jakob Homan made changes -
          Field Original Value New Value
          Assignee Jakob Homan [ jghoman ]
          Jakob Homan created issue -

            People

            • Assignee:
              Jakob Homan
              Reporter:
              Jakob Homan
            • Votes:
              1 Vote for this issue
              Watchers:
              31 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:

                Development