[ https://issues.apache.org/jira/browse/HDFS-2617?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Aaron T. Myers updated HDFS-2617:
---------------------------------

    Attachment: HDFS-2617-branch-1.patch

Here's a patch against branch-1 which provides the option of using either KSSL or SPNEGO for HTTP authentication. It's basically the same as Owen's last patch, except that instead of completely removing KSSL support, it adds a new configuration option (dfs.use.kssl.auth) which defaults to "true", to preserve the existing branch-1 behavior. If this new option is set to "false", then KSSL will not be used for any authentication, and HTTP will be used instead.

I've tested this patch manually on a pseudo cluster by ensuring that 2NN checkpointing, HFTP, and WebHdfs all work without security enabled, with security enabled and KSSL for auth, and with security enabled and SPNEGO for auth.

I'm running the full HDFS test suite tonight, and will report back with any errors encountered tomorrow.

> Replaced Kerberized SSL for image transfer and fsck with SPNEGO-based solution
> ------------------------------------------------------------------------------
>
>                 Key: HDFS-2617
>                 URL: https://issues.apache.org/jira/browse/HDFS-2617
>             Project: Hadoop HDFS
>          Issue Type: Improvement
>          Components: security
>            Reporter: Jakob Homan
>            Assignee: Jakob Homan
>             Fix For: 2.1.0-alpha
>
>         Attachments: HDFS-2617-a.patch, HDFS-2617-b.patch,
> HDFS-2617-branch-1.patch, HDFS-2617-config.patch, HDFS-2617-trunk.patch,
> HDFS-2617-trunk.patch, HDFS-2617-trunk.patch, HDFS-2617-trunk.patch,
> hdfs-2617-1.1.patch
>
>
> The current approach to secure and authenticate nn web services is based on
> Kerberized SSL and was developed when a SPNEGO solution wasn't available. Now
> that we have one, we can get rid of the non-standard KSSL and use SPNEGO
> throughout. This will simplify setup and configuration. Also, Kerberized
> SSL is a non-standard approach with its own quirks and dark corners
> (HDFS-2386).

--
This message is automatically generated by JIRA.