After investigating the methodology used to add HTTPS support in branch-2, I feel that this same approach should be back-ported to branch-1. I have taken many of the patches used for branch-2 and merged them in.
I was working on top of HDP 1 at the time - I will provide a patch for trunk soon once I can confirm I am adding only the necessities for supporting HTTPS on the webUIs.
As an added benefit – this patch actually provides HTTPS webUI to HBase by extension. If you take a hadoop-core jar compiled with this patch and put it into the hbase/lib directory and apply the necessary configs to hbase/conf.
========= OLD IDEA(s) BEHIND ADDING HTTPS (look @ Sept 17th patch) ==========
In order to provide full security around the cluster, the webUI should also be secure if desired to prevent cookie theft and user masquerading.
Here is my proposed work. Currently I can only add HTTPS support. I do not know how to switch reliance of the HttpServer from HTTP to HTTPS fully.
In order to facilitate this change I propose the following configuration additions:
CONFIG PROPERTY -> DEFAULT VALUE
mapred.https.enable -> false
mapred.https.need.client.auth -> false
mapred.https.server.keystore.resource -> "ssl-server.xml"
mapred.job.tracker.https.port -> 50035
mapred.job.tracker.https.address -> "<IP_ADDR>:50035"
mapred.task.tracker.https.port -> 50065
mapred.task.tracker.https.address -> "<IP_ADDR>:50065"
I tested this on my local box after using keytool to generate a SSL certficate. You will need to change ssl-server.xml to point to the .keystore file after. Truststore may not be necessary; you can just point it to the keystore.
HADOOP-8581 add support for HTTPS to the web UIs
- is depended upon by
HBASE-8181 WebUIs HTTPS support