Details

    • Type: Sub-task
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.3.0
    • Component/s: None
    • Labels:
      None
    • Hadoop Flags:
      Reviewed
    • Release Note:
      Fix the https support in HsftpFileSystem. With the change the client now verifies the server certificate. In particular, client side will verify the Common Name of the certificate using a strategy specified by the configuration property "hadoop.ssl.hostname.verifier".

      Description

      The current implementation of HsftpFileSystem suffers from the following issues:

      • It initializes the SSLContext incorrectly. It blindly trusts all server certificates, which creates a security hole.
      • It tries to cancel the delegation token through HTTP, not HTTPS, which leads to HDFS-5295.
      • It overrides the default socket factory for HttpsConnection. Given that it trusts all server-side certificates, it accidentally disables all checks on server certificates for all HTTPS connections.

      This jira tracks the effort to fix the above issues.

      1. HDFS-5502.006.patch
        41 kB
        Haohui Mai
      2. HDFS-5502.005.patch
        41 kB
        Haohui Mai
      3. HDFS-5502.004.patch
        41 kB
        Haohui Mai
      4. HDFS-5502.003.patch
        39 kB
        Haohui Mai
      5. HDFS-5502.002.patch
        39 kB
        Haohui Mai
      6. HDFS-5502.001.patch
        38 kB
        Haohui Mai
      7. HDFS-5502.000.patch
        31 kB
        Haohui Mai

          Activity

          Arun C Murthy made changes -
          Status Resolved [ 5 ] Closed [ 6 ]
          Arun C Murthy made changes -
          Fix Version/s 2.3.0 [ 12325255 ]
          Fix Version/s 2.4.0 [ 12324588 ]
          Haohui Mai made changes -
          Link This issue duplicates HDFS-5392 [ HDFS-5392 ]
          Jing Zhao made changes -
          Status Patch Available [ 10002 ] Resolved [ 5 ]
          Hadoop Flags Reviewed [ 10343 ]
          Release Note Fix the https support in HsftpFileSystem. With the change the client now verifies the server certificate. In particular, client side will verify the Common Name of the certificate using a strategy specified by the configuration property "hadoop.ssl.hostname.verifier".
          Fix Version/s 2.3.0 [ 12324588 ]
          Resolution Fixed [ 1 ]
          Haohui Mai made changes -
          Attachment HDFS-5502.006.patch [ 12614120 ]
          Haohui Mai made changes -
          Attachment HDFS-5506.003.patch [ 12614119 ]
          Haohui Mai made changes -
          Attachment HDFS-5506.003.patch [ 12614119 ]
          Haohui Mai made changes -
          Attachment HDFS-5502.005.patch [ 12614018 ]
          Haohui Mai made changes -
          Attachment HDFS-5502.004.patch [ 12613991 ]
          Haohui Mai made changes -
          Attachment HDFS-5502.003.patch [ 12613986 ]
          Haohui Mai made changes -
          Attachment HDFS-5502.002.patch [ 12613971 ]
          Haohui Mai made changes -
          Status Open [ 1 ] Patch Available [ 10002 ]
          Haohui Mai made changes -
          Attachment HDFS-5502.001.patch [ 12613895 ]
          Haohui Mai made changes -
          Link This issue depends upon HDFS-5506 [ HDFS-5506 ]
          Haohui Mai made changes -
          Link This issue duplicates HDFS-5295 [ HDFS-5295 ]
          Haohui Mai made changes -
          Link This issue supercedes HDFS-594 [ HDFS-594 ]
          Haohui Mai made changes -
          Link This issue depends upon HDFS-5487 [ HDFS-5487 ]
          Haohui Mai made changes -
          Link This issue depends upon HDFS-5440 [ HDFS-5440 ]
          Haohui Mai made changes -
          Attachment HDFS-5502.000.patch [ 12613305 ]
          Haohui Mai made changes -
          Field Original Value New Value
          Summary Fix HTTPS support for HsftpFileSystem Fix HTTPS support in HsftpFileSystem
          Haohui Mai created issue -

            People

            • Assignee:
              Haohui Mai
              Reporter:
              Haohui Mai
            • Votes:
              0
              Watchers:
              3