Uploaded image for project: 'Hadoop HDFS'
  1. Hadoop HDFS
  2. HDFS-5305 Add https support in HDFS
  3. HDFS-5502

Fix HTTPS support in HsftpFileSystem

VotersWatch issueWatchersLinkCloneUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

Details

    • Sub-task
    • Status: Closed
    • Major
    • Resolution: Fixed
    • None
    • 2.3.0
    • None
    • None
    • Reviewed
    • Hide
      Fix the https support in HsftpFileSystem. With the change the client now verifies the server certificate. In particular, client side will verify the Common Name of the certificate using a strategy specified by the configuration property "hadoop.ssl.hostname.verifier".
      Show
      Fix the https support in HsftpFileSystem. With the change the client now verifies the server certificate. In particular, client side will verify the Common Name of the certificate using a strategy specified by the configuration property "hadoop.ssl.hostname.verifier".

    Description

      The current implementation of HsftpFileSystem suffers from the following issues:

      • It initializes the SSLContext incorrectly. It blindly trusts all server certificates which creates a security hole.
      • It tries to cancel delegation token through http, not https, which leads to HDFS-5295.
      • It overrides the default socket factory for HttpsConnection. Given the fact that it trusts all server-side certificate, it accidentally disables all checks on server certificates for all https connections.

      This jira tracks the effort to fix the above issues.

      Attachments

        1. HDFS-5502.006.patch
          41 kB
          Haohui Mai
        2. HDFS-5502.005.patch
          41 kB
          Haohui Mai
        3. HDFS-5502.004.patch
          41 kB
          Haohui Mai
        4. HDFS-5502.003.patch
          39 kB
          Haohui Mai
        5. HDFS-5502.002.patch
          39 kB
          Haohui Mai
        6. HDFS-5502.001.patch
          38 kB
          Haohui Mai
        7. HDFS-5502.000.patch
          31 kB
          Haohui Mai

        Issue Links

        depends upon

        Sub-task - The sub-task of the issue HDFS-5440 Extract the logic of handling delegation tokens in HftpFileSystem to the TokenAspect class

        • Major - Major loss of function.
        • Closed

        Sub-task - The sub-task of the issue HDFS-5487 Introduce unit test for TokenAspect

        • Major - Major loss of function.
        • Closed

        Sub-task - The sub-task of the issue HDFS-5506 Use URLConnectionFactory in DelegationTokenFetcher

        • Major - Major loss of function.
        • Closed
        duplicates

        Sub-task - The sub-task of the issue HDFS-5392 Unify the initialization of the hsftp and swebhdfs clients

        • Major - Major loss of function.
        • Resolved

        Bug - A problem which impairs or prevents the functions of the product. HDFS-5295 hsftp throws an exception in the end on secure cluster with https enabled

        • Major - Major loss of function.
        • Resolved
        supercedes

        New Feature - A new feature of the product, which has yet to be developed. HDFS-594 Add support for byte-ranges to hsftp

        • Major - Major loss of function.
        • Resolved

        Activity
          This comment will be Viewable by All Users Viewable by All Users
          Cancel

          People

            wheat9 Haohui Mai
            wheat9 Haohui Mai
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Slack

                Issue deployment