Details

    • Type: Improvement
    • Status: In Progress
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 1.0.3
    • Fix Version/s: None
    • Component/s: security, webapps
    • Labels: None
    • Target Version/s:

      Description

      After investigating the methodology used to add HTTPS support in branch-2, I feel that this same approach should be back-ported to branch-1. I have taken many of the patches used for branch-2 and merged them in.

      I was working on top of HDP 1 at the time - I will provide a patch for trunk soon once I can confirm I am adding only the necessities for supporting HTTPS on the webUIs.

      As an added benefit – this patch actually provides HTTPS webUI to HBase by extension, if you take a hadoop-core jar compiled with this patch, put it into the hbase/lib directory, and apply the necessary configs to hbase/conf.

      ========= OLD IDEA(s) BEHIND ADDING HTTPS (look @ Sept 17th patch) ==========

      In order to provide full security around the cluster, the webUI should also be secure if desired to prevent cookie theft and user masquerading.

      Here is my proposed work. Currently I can only add HTTPS support. I do not know how to switch reliance of the HttpServer from HTTP to HTTPS fully.

      In order to facilitate this change I propose the following configuration additions:
      CONFIG PROPERTY -> DEFAULT VALUE
      mapred.https.enable -> false
      mapred.https.need.client.auth -> false
      mapred.https.server.keystore.resource -> "ssl-server.xml"
      mapred.job.tracker.https.port -> 50035
      mapred.job.tracker.https.address -> "<IP_ADDR>:50035"
      mapred.task.tracker.https.port -> 50065
      mapred.task.tracker.https.address -> "<IP_ADDR>:50065"

      I tested this on my local box after using keytool to generate an SSL certificate. You will need to change ssl-server.xml to point to the .keystore file afterwards. Truststore may not be necessary; you can just point it to the keystore.
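
An added example (not part of the issue or its patches): a small Python audit of the properties proposed above. It reports when HTTPS is left at its `false` default, when the truststore and keystore are the same file, when client certificates are not requested, and when an `https.address` port disagrees with its `https.port`. The `ssl.server.*.location` names are those of stock Hadoop's ssl-server.xml and are assumed to apply to this patch; the sample files are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample files; values are illustrative, not taken from the patch.
MAPRED_SITE = """<configuration>
  <property><name>mapred.https.enable</name><value>true</value></property>
  <property><name>mapred.https.need.client.auth</name><value>false</value></property>
  <property><name>mapred.job.tracker.https.port</name><value>50035</value></property>
  <property><name>mapred.job.tracker.https.address</name><value>0.0.0.0:50036</value></property>
</configuration>"""
SSL_SERVER = """<configuration>
  <property><name>ssl.server.keystore.location</name><value>/etc/hadoop/.keystore</value></property>
  <property><name>ssl.server.truststore.location</name><value>/etc/hadoop/.keystore</value></property>
</configuration>"""

# Defaults as proposed in the issue description.
DEFAULTS = {"mapred.https.enable": "false", "mapred.https.need.client.auth": "false",
            "mapred.job.tracker.https.port": "50035", "mapred.task.tracker.https.port": "50065"}

def load(xml_text):
    """Parse a Hadoop-style <configuration> document into a name -> value dict."""
    props = {}
    for p in ET.fromstring(xml_text).iter("property"):
        name, value = p.findtext("name"), p.findtext("value")
        if name:
            props[name.strip()] = (value or "").strip()
    return props

def audit(mapred_xml, ssl_xml):
    """Return a list of findings for the HTTPS web UI settings."""
    conf = {**DEFAULTS, **load(mapred_xml)}
    ssl = load(ssl_xml)
    if conf["mapred.https.enable"].lower() != "true":
        return ["https-disabled: web UIs are served over plain HTTP only"]
    findings = []
    keystore = ssl.get("ssl.server.keystore.location")    # assumed property name
    truststore = ssl.get("ssl.server.truststore.location")  # assumed property name
    if not keystore:
        findings.append("no-keystore: ssl-server.xml does not name a keystore")
    if truststore and truststore == keystore:
        findings.append("shared-store: truststore and keystore are the same file")
    if conf["mapred.https.need.client.auth"].lower() != "true":
        findings.append("no-client-auth: clients are not asked for a certificate")
    for role in ("job.tracker", "task.tracker"):
        addr = conf.get(f"mapred.{role}.https.address", "")
        port = conf[f"mapred.{role}.https.port"]
        if addr and addr.rsplit(":", 1)[-1] != port:
            findings.append(f"port-mismatch: mapred.{role}.https.address vs .https.port")
    return findings

if __name__ == "__main__":
    for finding in audit(MAPRED_SITE, SSL_SERVER):
        print(finding)
```
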

      1. branch-1.2-patch.txt7
        193 kB
        Michael Weng
      2. branch-1.2-patch.txt6
        193 kB
        Michael Weng
      3. branch-1.2-patch.txt5
        194 kB
        Michael Weng
      4. branch-1.2-patch.txt4
        194 kB
        Michael Weng
      5. branch-1.2-patch.txt3
        192 kB
        Michael Weng
      6. branch-1.2-patch.txt2
        192 kB
        Michael Weng
      7. branch-1.2-patch.txt
        192 kB
        Michael Weng
      8. MAPREDUCE-4661.patch
        120 kB
        Plamen Jeliazkov
      9. MAPREDUCE-4661.patch
        123 kB
        Plamen Jeliazkov
      10. MAPREDUCE-4661.patch
        88 kB
        Plamen Jeliazkov
      11. MAPREDUCE-4461.patch
        4 kB
        Plamen Jeliazkov

          Activity

          Plamen Jeliazkov created issue -
          Plamen Jeliazkov made changes -
          Field Original Value New Value
          Attachment MAPREDUCE-4461.patch [ 12545486 ]
          Plamen Jeliazkov made changes -
          Status Open [ 1 ] Patch Available [ 10002 ]
          Plamen Jeliazkov made changes -
          Status Patch Available [ 10002 ] Open [ 1 ]
          Plamen Jeliazkov made changes -
          Status Open [ 1 ] Patch Available [ 10002 ]
          Target Version/s 1.0.0 [ 12318240 ]
          Fix Version/s 1.1.0 [ 12317960 ]
          Plamen Jeliazkov made changes -
          Status Patch Available [ 10002 ] Open [ 1 ]
          Plamen Jeliazkov made changes -
          Status Open [ 1 ] Patch Available [ 10002 ]
          Plamen Jeliazkov made changes -
          Affects Version/s 2.0.0-alpha [ 12320354 ]
          Plamen Jeliazkov made changes -
          Attachment MAPREDUCE-4461.patch [ 12545514 ]
          Plamen Jeliazkov made changes -
          Status Patch Available [ 10002 ] Open [ 1 ]
          Plamen Jeliazkov made changes -
          Status Open [ 1 ] Patch Available [ 10002 ]
          Plamen Jeliazkov made changes -
          Attachment MAPREDUCE-4461.patch [ 12545486 ]
          Plamen Jeliazkov made changes -
          Link This issue duplicates HADOOP-8581 [ HADOOP-8581 ]
          Plamen Jeliazkov made changes -
          Fix Version/s 1.0.4 [ 12323325 ]
          Affects Version/s 1.0.3 [ 12320250 ]
          Affects Version/s 1.0.0 [ 12318240 ]
          Affects Version/s 2.0.0-alpha [ 12320354 ]
          Target Version/s 1.0.0 [ 12318240 ] 1.0.3 [ 12320250 ]
          Component/s webapps [ 12316700 ]
          Plamen Jeliazkov made changes -
          Attachment MAPREDUCE-4661.patch [ 12548296 ]
          Plamen Jeliazkov made changes -
          Status Patch Available [ 10002 ] Open [ 1 ]
          Plamen Jeliazkov made changes -
          Attachment https.patch [ 12548342 ]
          Plamen Jeliazkov made changes -
          Attachment MAPREDUCE-4661.patch [ 12548474 ]
          Plamen Jeliazkov made changes -
          Attachment MAPREDUCE-4661.patch [ 12548803 ]
          Plamen Jeliazkov made changes -
          Status Open [ 1 ] In Progress [ 3 ]
          Plamen Jeliazkov made changes -
          Summary Add HTTPS for JobTracker and TaskTracker Add HTTPS for WebUIs on Branch-1
          Plamen Jeliazkov made changes -
          Component/s security [ 12313041 ]
          Matt Foley made changes -
          Fix Version/s 1.0.4 [ 12323325 ]
          Target Version/s 1.0.3 [ 12320250 ] 1.2.0 [ 12321661 ]
          Benoy Antony made changes -
          Link This issue is depended upon by HDFS-4108 [ HDFS-4108 ]
          Plamen Jeliazkov made changes -
          Attachment https.patch [ 12548342 ]
          Benoy Antony made changes -
          Link This issue is depended upon by HDFS-4108 [ HDFS-4108 ]
          Michael Weng made changes -
          Assignee Plamen Jeliazkov [ zero45 ] Michael Weng [ michaelweng ]
          Michael Weng made changes -
          Attachment branch-1.2-patch.txt [ 12574623 ]
          Michael Weng made changes -
          Attachment branch-1.2-patch.txt2 [ 12574860 ]
          Michael Weng made changes -
          Link This issue blocks HBASE-8181 [ HBASE-8181 ]
          Gavin made changes -
          Link This issue blocks HBASE-8181 [ HBASE-8181 ]
          Gavin made changes -
          Link This issue is depended upon by HBASE-8181 [ HBASE-8181 ]
          Matt Foley made changes -
          Target Version/s 1.2.0 [ 12321661 ] 1.3.0 [ 12324153 ]
          Michael Weng made changes -
          Attachment branch-1.2-patch.txt3 [ 12584060 ]
          Michael Weng made changes -
          Attachment branch-1.2-patch.txt4 [ 12592433 ]
          Michael Weng made changes -
          Attachment branch-1.2-patch.txt5 [ 12593258 ]
          Michael Weng made changes -
          Attachment branch-1.2-patch.txt6 [ 12596246 ]
          Michael Weng made changes -
          Attachment branch-1.2-patch.txt7 [ 12596479 ]

            People

            • Assignee:
              Michael Weng
              Reporter:
              Plamen Jeliazkov
            • Votes:
              0
              Watchers:
              10
