[ https://issues.apache.org/jira/browse/HDFS-2617?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Aaron T. Myers updated HDFS-2617:
---------------------------------

          Resolution: Fixed
       Fix Version/s: 1.2.0
    Target Version/s: 2.0.0-alpha, 1.2.0  (was: 1.2.0, 2.0.0-alpha)
        Release Note: Due to the requirement that KSSL use weak encryption types for Kerberos tickets, HTTP authentication to the NameNode will now use SPNEGO by default. This will require users of previous branch-1 releases with security enabled to modify their configurations and create new Kerberos principals in order to use SPNEGO. The old behavior of using KSSL can optionally be enabled by setting the configuration option "hadoop.security.use-weak-http-crypto" to "true".
              Status: Resolved  (was: Patch Available)

I've just committed this to branch-1.

Thanks a lot for the contribution and discussion, all. Particular thanks go out to Jakob Homan for getting the ball rolling on this issue and posting the original rev of this patch.

> Replaced Kerberized SSL for image transfer and fsck with SPNEGO-based solution
> ------------------------------------------------------------------------------
>
>                 Key: HDFS-2617
>                 URL: https://issues.apache.org/jira/browse/HDFS-2617
>             Project: Hadoop HDFS
>          Issue Type: Improvement
>          Components: security
>            Reporter: Jakob Homan
>            Assignee: Jakob Homan
>             Fix For: 1.2.0, 2.1.0-alpha
>
>         Attachments: HDFS-2617-a.patch, HDFS-2617-b.patch,
> HDFS-2617-branch-1.patch, HDFS-2617-branch-1.patch, HDFS-2617-branch-1.patch,
> HDFS-2617-config.patch, HDFS-2617-trunk.patch, HDFS-2617-trunk.patch,
> HDFS-2617-trunk.patch, HDFS-2617-trunk.patch, hdfs-2617-1.1.patch
>
>
> The current approach to secure and authenticate nn web services is based on
> Kerberized SSL and was developed when a SPNEGO solution wasn't available. Now
> that we have one, we can get rid of the non-standard KSSL and use SPNEGO
> throughout. This will simplify setup and configuration. Also, Kerberized
> SSL is a non-standard approach with its own quirks and dark corners
> (HDFS-2386).
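
An added example, not part of the original JIRA message or the Hadoop code base: a small audit for the opt-out named in the release note, flagging Hadoop configuration XML that sets "hadoop.security.use-weak-http-crypto" to "true". The sample configurations and their labels are constructed, and treating any casing of "true" as enabled is an assumption made so the check errs toward flagging.

```python
import xml.etree.ElementTree as ET

# Option name taken from the release note above.
WEAK_KEY = "hadoop.security.use-weak-http-crypto"

def weak_values(xml_text):
    """Return every value in a Hadoop config document that re-enables KSSL."""
    hits = []
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        value = (prop.findtext("value") or "").strip()
        # Assumption: any casing of "true" counts as enabled, so the audit
        # errs on the side of flagging.
        if name == WEAK_KEY and value.lower() == "true":
            hits.append(value)
    return hits

def audit(configs):
    """Classify each config: KSSL if the weak option is on, else SPNEGO."""
    return {label: "KSSL (weak crypto)" if weak_values(text) else "SPNEGO"
            for label, text in configs.items()}

# Constructed sample configurations (labels are hypothetical, not real paths).
SAMPLES = {
    "opted-back-in": """<configuration>
  <property>
    <name>hadoop.security.use-weak-http-crypto</name>
    <value>true</value>
  </property>
</configuration>""",
    "explicit-off": """<configuration>
  <property>
    <name>hadoop.security.use-weak-http-crypto</name>
    <value>false</value>
  </property>
</configuration>""",
    # Option absent: per the release note, SPNEGO is the default.
    "unset": """<configuration>
  <property>
    <name>fs.default.name</name>
    <value>hdfs://nn.example.invalid:8020</value>
  </property>
</configuration>""",
}

if __name__ == "__main__":
    for label, mode in audit(SAMPLES).items():
        print(f"{label}: {mode}")
```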