[jira] [Updated] (HDFS-2617) Replaced Kerberized SSL for image transfer and fsck with SPNEGO-based solution

Thu, 19 Jul 2012 11:38:38 -0700 

     [ 
https://issues.apache.org/jira/browse/HDFS-2617?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Aaron T. Myers updated HDFS-2617:
---------------------------------

    Attachment: HDFS-2617-branch-1.patch

Thanks a lot for the review, Eli. Here's an updated patch which addresses your 
comments.

If there are no more comments, I'm going to go ahead and commit this to 
branch-1 in an hour or two based on Eli's +1.

bq. hadoop.security.use-weak-http-crypto should go in core-default.xml with a 
comment to the effect that if it is enabled then SPNEGO is used (since this 
flag effectively controls SPNEGO enablement as well)
Added the following to core-default.xml:
{code}
<property>
  <name>hadoop.security.use-weak-http-crypto</name>
  <value>false</value>
  <description>If enabled, use KSSL to authenticate HTTP connections to the
  NameNode. Due to a bug in JDK6, using KSSL requires one to configure
  Kerberos tickets to use encryption types that are known to be
  cryptographically weak. If disabled, SPNEGO will be used for HTTP
  authentication, which supports stronger encryption types.
  </description>
</property>
{code}
bq. s/"false to use SPNEGO"/"false to use SPNEGO or if security is disabled"/
Done.
bq. Define/use KERB5_FILTER = "krb5Filter"
Done.
                
> Replaced Kerberized SSL for image transfer and fsck with SPNEGO-based solution
> ------------------------------------------------------------------------------
>
>                 Key: HDFS-2617
>                 URL: https://issues.apache.org/jira/browse/HDFS-2617
>             Project: Hadoop HDFS
>          Issue Type: Improvement
>          Components: security
>            Reporter: Jakob Homan
>            Assignee: Jakob Homan
>             Fix For: 2.1.0-alpha
>
>         Attachments: HDFS-2617-a.patch, HDFS-2617-b.patch, 
> HDFS-2617-branch-1.patch, HDFS-2617-branch-1.patch, HDFS-2617-branch-1.patch, 
> HDFS-2617-config.patch, HDFS-2617-trunk.patch, HDFS-2617-trunk.patch, 
> HDFS-2617-trunk.patch, HDFS-2617-trunk.patch, hdfs-2617-1.1.patch
>
>
> The current approach to secure and authenticate nn web services is based on 
> Kerberized SSL and was developed when a SPNEGO solution wasn't available. Now 
> that we have one, we can get rid of the non-standard KSSL and use SPNEGO 
> throughout.  This will simplify setup and configuration.  Also, Kerberized 
> SSL is a non-standard approach with its own quirks and dark corners 
> (HDFS-2386).

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to