[jira] [Created] (HADOOP-16245) Enabling SSL within LdapGroupsMapping can break system SSL configs

Wed, 10 Apr 2019 11:14:20 -0700 

Erik Krogen created HADOOP-16245:
------------------------------------

             Summary: Enabling SSL within LdapGroupsMapping can break system 
SSL configs
                 Key: HADOOP-16245
                 URL: https://issues.apache.org/jira/browse/HADOOP-16245
             Project: Hadoop Common
          Issue Type: Bug
          Components: common, security
    Affects Versions: 3.0.3, 3.1.1, 2.7.6, 2.8.4, 2.9.1
            Reporter: Erik Krogen
            Assignee: Erik Krogen


When debugging an issue where one of our server components was unable to 
communicate with other components via SSL, we realized that LdapGroupsMapping 
sets its SSL configurations globally, rather than scoping them to the HTTP 
clients it creates.

{code:title=LdapGroupsMapping}
  DirContext getDirContext() throws NamingException {
    if (ctx == null) {
      // Set up the initial environment for LDAP connectivity
      Hashtable<String, String> env = new Hashtable<String, String>();
      env.put(Context.INITIAL_CONTEXT_FACTORY,
          com.sun.jndi.ldap.LdapCtxFactory.class.getName());
      env.put(Context.PROVIDER_URL, ldapUrl);
      env.put(Context.SECURITY_AUTHENTICATION, "simple");

      // Set up SSL security, if necessary
      if (useSsl) {
        env.put(Context.SECURITY_PROTOCOL, "ssl");
        if (!keystore.isEmpty()) {
          System.setProperty("javax.net.ssl.keyStore", keystore);
        }
        if (!keystorePass.isEmpty()) {
          System.setProperty("javax.net.ssl.keyStorePassword", keystorePass);
        }
        if (!truststore.isEmpty()) {
          System.setProperty("javax.net.ssl.trustStore", truststore);
        }
        if (!truststorePass.isEmpty()) {
          System.setProperty("javax.net.ssl.trustStorePassword",
              truststorePass);
        }
      }

      env.put(Context.SECURITY_PRINCIPAL, bindUser);
      env.put(Context.SECURITY_CREDENTIALS, bindPassword);

      env.put("com.sun.jndi.ldap.connect.timeout", conf.get(CONNECTION_TIMEOUT,
          String.valueOf(CONNECTION_TIMEOUT_DEFAULT)));
      env.put("com.sun.jndi.ldap.read.timeout", conf.get(READ_TIMEOUT,
          String.valueOf(READ_TIMEOUT_DEFAULT)));

      ctx = new InitialDirContext(env);
    }
{code}
Notice the {{System.setProperty()}} calls, which will change settings JVM-wide. 
This causes issues for other SSL clients, which may rely on the default JVM 
truststore being used. This behavior was initially introduced by HADOOP-8121, 
and extended to include the truststore configurations in HADOOP-12862.

The correct approach is to use a mechanism which is scoped to the LDAP requests 
only. The right approach appears to be to use the 
{{java.naming.ldap.factory.socket}} parameter to set the socket factory to a 
custom SSL socket factory which correctly sets the key and trust store 
parameters. See an example [here|https://stackoverflow.com/a/4615497/4979203].



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

Reply via email to