hadoop-common-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Doug Cutting (JIRA)" <j...@apache.org>
Subject [jira] Commented: (HADOOP-4284) Support for user configurable global filters on HttpServer
Date Fri, 26 Sep 2008 21:33:44 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-4284?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12635034#action_12635034
] 

Doug Cutting commented on HADOOP-4284:
--------------------------------------

> our security policy requires that we block all other https url requests [ ... ]

I see.

So maybe another way to address my concern is to add a public method that returns a regex
that matches HSFTP urls.  That would future-proof filters from changes in HSFTP urls, and
provide an example for other services.  To properly support such filters we'd need such a
method for each service.  So, for extra-credit, you could add these for, e.g., the shuffle,
the datanode, the namenode, etc.  In most cases we should probably define a constant and use
it both when adding the servlets and in this new method.  Does that make sense?  Is this overkill?
 It would permit us to change our internal urls without breaking filters.

> Support for user configurable global filters on HttpServer
> ----------------------------------------------------------
>
>                 Key: HADOOP-4284
>                 URL: https://issues.apache.org/jira/browse/HADOOP-4284
>             Project: Hadoop Core
>          Issue Type: New Feature
>            Reporter: Kan Zhang
>         Attachments: 4284_20080925_78.patch, 4284_20080926_79.patch
>
>
> HADOOP-3854 introduced a framework for adding filters to filter browser facing urls.
Sometimes, there is a need to filter all urls. For example, at Yahoo, we need to open an SSL
port on the HttpServer and only accept hsftp requests from clients who can authenticate themselves
using client certificate and is authorized according to certain policy file. For this to happen,
we need a method to add a user configurable "global" filter, which filters on all client requests.
For our purposes, such a global filter will block all https requests except those accessing
the hsftp interface (it will let all http requests go through, so accesses through the normal
http ports are unaffected). Moreover, those hsftp requests will be subject to further authorization
checking according to the policy file.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message