[ https://issues.apache.org/jira/browse/HDFS-2617?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13415488#comment-13415488 ]

Devaraj Das commented on HDFS-2617:
-----------------------------------

Should we look at what use cases we must absolutely support (so that folks in 
production are not impacted):
1. Is it (a) old clients talking to new servers, or, (b) new clients talking to 
old servers, or, (c) both.
2. If (a), then it can be addressed without many complications IMO. NameNode 
would try to login using HOST/ and HTTP/ principals (first for the KerbSSL and 
second for the SPNEGO), so that it can serve both KerbSSL and SPNEGO clients.
3. If (b) (where I think most users with prod deployments would fall), it's 
slightly more tricky - the client would have to discover that the server can't 
speak SPNEGO.
  3.1 Hack exception handling and try KerbSSL as a fallback.
  3.2 Configure the client to talk different protocols (http or https) based on 
the namenode's address.
4. If (c), then yeah, it's a combination of (2) and (3).

Thoughts?
                
> Replaced Kerberized SSL for image transfer and fsck with SPNEGO-based solution
> ------------------------------------------------------------------------------
>
>                 Key: HDFS-2617
>                 URL: https://issues.apache.org/jira/browse/HDFS-2617
>             Project: Hadoop HDFS
>          Issue Type: Improvement
>          Components: security
>            Reporter: Jakob Homan
>            Assignee: Jakob Homan
>             Fix For: 2.1.0-alpha
>
>         Attachments: HDFS-2617-a.patch, HDFS-2617-b.patch, 
> HDFS-2617-config.patch, HDFS-2617-trunk.patch, HDFS-2617-trunk.patch, 
> HDFS-2617-trunk.patch, HDFS-2617-trunk.patch, hdfs-2617-1.1.patch
>
>
> The current approach to secure and authenticate nn web services is based on 
> Kerberized SSL and was developed when a SPNEGO solution wasn't available. Now 
> that we have one, we can get rid of the non-standard KSSL and use SPNEGO 
> throughout.  This will simplify setup and configuration.  Also, Kerberized 
> SSL is a non-standard approach with its own quirks and dark corners 
> (HDFS-2386).

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        
