[
https://issues.apache.org/jira/browse/HDFS-2617?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13168748#comment-13168748
]
Jakob Homan commented on HDFS-2617:
-----------------------------------
@Aaron - think about this some more, and not hearing any comments, I think it'd
be better to go with SPNEGO for a couple of reasons: (1) keep a consistent
approach to the web interfaces for the NN/2NN (we could re-use tokens from the
map-output fetch, but it would be a bit messy) and (2) the current kerbssl
approach is used to fetch/renew/etc delegation tokens explicitly so we don't
have to have an API call (to enabled hftp). Moving to SPNEGO for these would
preserve this behavior.
The next question is - how to deprecate the kerbssl. It'll be quite annoying
to have to support both for a couple releases.
> Replaced Kerberized SSL for image transfer and fsck with SPNEGO-based solution
> ------------------------------------------------------------------------------
>
> Key: HDFS-2617
> URL: https://issues.apache.org/jira/browse/HDFS-2617
> Project: Hadoop HDFS
> Issue Type: Improvement
> Reporter: Jakob Homan
> Assignee: Jakob Homan
>
> The current approach to secure and authenticate nn web services is based on
> Kerberized SSL and was developed when a SPNEGO solution wasn't available. Now
> that we have one, we can get rid of the non-standard KSSL and use SPNEGO
> throughout. This will simplify setup and configuration. Also, Kerberized
> SSL is a non-standard approach with its own quirks and dark corners
> (HDFS-2386).
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
