[ 
https://issues.apache.org/jira/browse/HADOOP-18956?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Zita Dombi updated HADOOP-18956:
--------------------------------
    Description: 
HADOOP-18709 added support for ZooKeeper to communicate with SSL/TLS enabled in 
hadoop-common. With those changes we have the necessary parameters that we 
need to set to enable SSL/TLS in a ZK client. That change also made changes in 
ZKCuratorManager, so with that it is easy to set up SSL/TLS; for YARN it was 
done in YARN-11468.

In DelegationTokenAuthenticationFilter we are currently using 
CuratorFrameworkFactory; it'd be good to change it to use ZKCuratorManager, and 
with that we should support SSL/TLS enablement.

*UPDATE*

So as I investigated this a bit more, it wouldn't be so easy to move to using 
ZKCuratorManager. 
DelegationTokenAuthenticationFilter uses ZK from two places: in 
ZKDelegationTokenSecretManager and in ZKSignerSecretProvider. In both places it 
uses CuratorFrameworkFactory, but the attributes and creation differ from 
ZKCuratorManager. 

In ZKDelegationTokenSecretManager it would be easy to add the new config and, 
based on that, create ZK with CuratorFrameworkFactory. But 
ZKSignerSecretProvider is in the hadoop-auth module, and with my change it would 
need hadoop-common, so it would introduce a circular dependency between modules 
'hadoop-auth' and 'hadoop-common'. I'm still working on a straightforward 
solution. 

  was:
HADOOP-18709 added support for ZooKeeper to communicate with SSL/TLS enabled in 
hadoop-common. With those changes we have the necessary parameters that we 
need to set to enable SSL/TLS in a ZK client. That change also made changes in 
ZKCuratorManager, so with that it is easy to set up SSL/TLS; for YARN it was 
done in YARN-11468.

In DelegationTokenAuthenticationFilter we are currently using 
CuratorFrameworkFactory; it'd be good to change it to use ZKCuratorManager, and 
with that we should support SSL/TLS enablement. 



> Zookeeper SSL/TLS support in DelegationTokenAuthenticationFilter
> ----------------------------------------------------------------
>
>                 Key: HADOOP-18956
>                 URL: https://issues.apache.org/jira/browse/HADOOP-18956
>             Project: Hadoop Common
>          Issue Type: Improvement
>            Reporter: Zita Dombi
>            Assignee: Zita Dombi
>            Priority: Major
>
> HADOOP-18709 added support for ZooKeeper to communicate with SSL/TLS enabled 
> in hadoop-common. With those changes we have the necessary parameters that 
> we need to set to enable SSL/TLS in a ZK client. That change also made changes 
> in ZKCuratorManager, so with that it is easy to set up SSL/TLS; for YARN it 
> was done in YARN-11468.
> In DelegationTokenAuthenticationFilter we are currently using 
> CuratorFrameworkFactory; it'd be good to change it to use ZKCuratorManager, 
> and with that we should support SSL/TLS enablement.
> *UPDATE*
> So as I investigated this a bit more, it wouldn't be so easy to move to using 
> ZKCuratorManager. 
> DelegationTokenAuthenticationFilter uses ZK from two places: in 
> ZKDelegationTokenSecretManager and in ZKSignerSecretProvider. In both places 
> it uses CuratorFrameworkFactory, but the attributes and creation 
> differ from ZKCuratorManager. 
> In ZKDelegationTokenSecretManager it would be easy to add the new config and, 
> based on that, create ZK with CuratorFrameworkFactory. But 
> ZKSignerSecretProvider is in the hadoop-auth module, and with my change it would 
> need hadoop-common, so it would introduce a circular dependency between modules 
> 'hadoop-auth' and 'hadoop-common'. I'm still working on a straightforward 
> solution. 



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
