
Details

    • Sub-task
    • Status: Closed
    • Major
    • Resolution: Fixed
    • None
    • 2.3.0
    • None
    • None
    • Reviewed
      Fix the https support in HsftpFileSystem. With the change the client now verifies the server certificate. In particular, client side will verify the Common Name of the certificate using a strategy specified by the configuration property "hadoop.ssl.hostname.verifier".

    Description

      The current implementation of HsftpFileSystem suffers from the following issues:

      • It initializes the SSLContext incorrectly. It blindly trusts all server certificates, which creates a security hole.
      • It tries to cancel the delegation token through http, not https, which leads to HDFS-5295.
      • It overrides the default socket factory for HttpsConnection. Given the fact that it trusts all server-side certificates, it accidentally disables all checks on server certificates for all https connections.

      This jira tracks the effort to fix the above issues.
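
The first and third issues above, sketched as an added example (this is not code from the HDFS-5502 patches or from Hadoop): a trust-all `SSLContext` installed as the JVM-wide default, next to a per-connection factory built from a truststore. The class name, method names and command-line arguments are assumptions, and the JDK's built-in hostname check stands in for the strategy selected by "hadoop.ssl.hostname.verifier".

```java
import java.io.InputStream;
import java.net.URI;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

public class HsftpTlsExample { // hypothetical class, for illustration only
    // BEFORE: the pattern the description reports. Shown for contrast, never called.
    static void insecureGlobalSetup() throws Exception {
        TrustManager[] trustAll = { new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) { }
            public void checkServerTrusted(X509Certificate[] c, String a) { } // accepts any chain
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        }};
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, null);
        // JVM-wide side effect: every HttpsURLConnection created afterwards in this
        // process, not only the file system's own, skips certificate validation.
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
    }

    // AFTER: trust anchors come from a truststore and apply to one connection only.
    static HttpsURLConnection openVerified(URL url, String trustStorePath, char[] password)
            throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(Paths.get(trustStorePath))) {
            ks.load(in, password);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory()); // the JVM default stays untouched
        // No setHostnameVerifier call: the JDK's default hostname check remains in force.
        return conn;
    }

    public static void main(String[] args) throws Exception {
        // Constructed arguments: <https URL> <truststore path> <truststore password>
        URL url = URI.create(args[0]).toURL();
        HttpsURLConnection conn = openVerified(url, args[1], args[2].toCharArray());
        System.out.println("HTTP " + conn.getResponseCode()); // handshake fails on an untrusted chain
    }
}
```

When auditing a code base for this problem, calls to `HttpsURLConnection.setDefaultSSLSocketFactory` and `setDefaultHostnameVerifier` are the places to check, because their effect reaches every HTTPS client in the process.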

      Attachments

        1. HDFS-5502.006.patch
          41 kB
          Haohui Mai
        2. HDFS-5502.005.patch
          41 kB
          Haohui Mai
        3. HDFS-5502.004.patch
          41 kB
          Haohui Mai
        4. HDFS-5502.003.patch
          39 kB
          Haohui Mai
        5. HDFS-5502.002.patch
          39 kB
          Haohui Mai
        6. HDFS-5502.001.patch
          38 kB
          Haohui Mai
        7. HDFS-5502.000.patch
          31 kB
          Haohui Mai

            People

              wheat9 Haohui Mai
              wheat9 Haohui Mai
              Votes: 0
              Watchers: 2