[ https://issues.apache.org/jira/browse/KNOX-733?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15427036#comment-15427036 ]

Larry McCay commented on KNOX-733:
----------------------------------

[~snowch] - those are reasonable requirements.
We need to consider backward compatibility for existing use cases as well.

I think that it may be reasonable to introduce a replacement for the Hadoop 
class with the secure context enabled and to deprecate and very visibly LOG 
that the use of Hadoop is deprecated, insecure and is superseded by the new 
Knox class.

Since service definitions are much easier to use to add API support through, we 
probably shouldn't assume that an API is part of the Hadoop ecosystem and 
migrate to login to Knox sessions rather than Hadoop.

In terms of implementation, I think that we have a few options:

1. simple properties file for: location of cert/pem or truststore file, truststrategyID with defaults of null (cacerts) and a secureTrustStrategy
    a. where should the file be? user home directory? ~/.knoxshell/.shell.properties? something like that.
2. System properties for same?
3. Environment variables for same?

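The client-construction path the options above sketch (trust material resolved from ~/.knoxshell/.shell.properties first, then system properties, then environment variables; a null trust strategy meaning the JVM's default cacerts; and the finished HttpClient handed to the login overload proposed in the issue), as an added example written for this discussion. It is not code from the Knox project. It assumes Apache HttpClient 4.4 or later; the property names, the environment-variable naming convention and the class name are hypothetical.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Properties;
import java.util.logging.Logger;
import javax.net.ssl.SSLContext;

import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContextBuilder;
import org.apache.http.ssl.TrustStrategy;

/** Builds the HttpClient a Knox shell session should use, with server certificate and hostname verification on. */
public final class KnoxShellTrust {
    private static final Logger LOG = Logger.getLogger(KnoxShellTrust.class.getName());

    // Hypothetical property names; the discussion only fixes the file location.
    static final String PROP_TRUSTSTORE = "knoxshell.truststore.path";
    static final String PROP_TRUSTSTORE_PASS = "knoxshell.truststore.password";
    static final String PROP_TRUST_STRATEGY = "knoxshell.trust.strategy"; // "default" or "selfsigned"
    static final Path DEFAULT_PROPS =
            Paths.get(System.getProperty("user.home"), ".knoxshell", ".shell.properties");

    /** Resolution order: properties file, then -D system property, then environment variable. */
    static String resolve(Properties fileProps, String key) {
        String v = fileProps.getProperty(key);
        if (v == null) v = System.getProperty(key);
        if (v == null) v = System.getenv(key.toUpperCase().replace('.', '_')); // e.g. KNOXSHELL_TRUSTSTORE_PATH
        return v;
    }

    static Properties loadProps(Path file) throws IOException {
        Properties p = new Properties();
        if (Files.isRegularFile(file)) {
            try (InputStream in = Files.newInputStream(file)) { p.load(in); }
        }
        return p;
    }

    /** SSLContext that trusts only the configured store, or the JVM default cacerts when none is configured. */
    static SSLContext buildSslContext(Properties props) throws IOException, GeneralSecurityException {
        SSLContextBuilder builder = SSLContextBuilder.create();
        String storePath = resolve(props, PROP_TRUSTSTORE);
        String storePass = resolve(props, PROP_TRUSTSTORE_PASS);
        // null = standard PKIX chain validation. TrustSelfSignedStrategy only accepts a single
        // self-signed certificate that is itself in the store; it never accepts arbitrary chains.
        // A strategy that returns true unconditionally is exactly the defect this issue reports.
        TrustStrategy strategy = "selfsigned".equalsIgnoreCase(resolve(props, PROP_TRUST_STRATEGY))
                ? new TrustSelfSignedStrategy() : null;
        if (storePath != null) {
            KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
            try (InputStream in = new FileInputStream(storePath)) {
                ts.load(in, storePass == null ? null : storePass.toCharArray());
            }
            builder.loadTrustMaterial(ts, strategy);
        } else {
            builder.loadTrustMaterial((KeyStore) null, strategy); // falls back to cacerts
        }
        return builder.build();
    }

    /** The client to pass into the proposed login(url, username, password, HttpClient) overload. */
    public static CloseableHttpClient secureClient() throws IOException, GeneralSecurityException {
        Properties props = loadProps(DEFAULT_PROPS);
        String store = resolve(props, PROP_TRUSTSTORE);
        LOG.info("Knox shell trust material: " + (store == null ? "JVM default cacerts" : store));
        // The default hostname verifier ties the presented certificate to the URL's host;
        // without it a valid certificate for any other name would still be accepted.
        SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(
                buildSslContext(props), SSLConnectionSocketFactory.getDefaultHostnameVerifier());
        return HttpClients.custom().setSSLSocketFactory(sslsf).build();
    }

    public static void main(String[] args) throws Exception {
        try (CloseableHttpClient client = secureClient()) {
            LOG.info("HttpClient built with certificate and hostname verification enabled: " + client);
        }
    }
}
```

The deprecated Hadoop login path can keep working by delegating to this builder and logging its warning once, so existing scripts are not broken while the insecure client is retired.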

>  Knox shell client is susceptible to man-in-the-middle attack
> -------------------------------------------------------------
>
>                 Key: KNOX-733
>                 URL: https://issues.apache.org/jira/browse/KNOX-733
>             Project: Apache Knox
>          Issue Type: Bug
>            Reporter: chris snow
>            Assignee: chris snow
>
> The Knox shell client does not verify the certificate of the server.  
> One option would be to provide another method where developers can provide 
> their own client, e.g.
> public static Hadoop login( String url, String username, String password, HttpClient client ) throws URISyntaxException { }
> https://github.com/apache/knox/blob/master/gateway-shell/src/main/java/org/apache/hadoop/gateway/shell/Hadoop.java#L60
> I can provide a patch if you are happy with this approach.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)