hadoop-common-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Kan Zhang (JIRA)" <j...@apache.org>
Subject [jira] Commented: (HADOOP-4284) Support for user configurable global filters on HttpServer
Date Fri, 17 Oct 2008 01:38:44 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-4284?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12640408#action_12640408

Kan Zhang commented on HADOOP-4284:

Attached a new patch 4284_20081016_96.patch

> I think it belongs to DistCp.setup(...).
It's too late to put it in setup(), since checkSrcPath() needs to use it before setup() is
called. I did refactor it into a new method setupSsl() in the new patch. Thanks!

> How about defining a new class, say SslUtil in org.apache.hadoop.security?
I don't think it's worth the trouble. Note that although DistCp and Child set the same set
of System properties, they use different ssl-client conf options. On the server side, most
of the options are not set as System properties, but used to call addSslListener().

> BTW, what are the files ssl-client.xml.example and ssl-server.xml.example for? They seem
templates but not examples.
I renamed them to be templates.

> Support for user configurable global filters on HttpServer
> ----------------------------------------------------------
>                 Key: HADOOP-4284
>                 URL: https://issues.apache.org/jira/browse/HADOOP-4284
>             Project: Hadoop Core
>          Issue Type: New Feature
>    Affects Versions: 0.20.0
>            Reporter: Kan Zhang
>            Assignee: Kan Zhang
>             Fix For: 0.20.0
>         Attachments: 4284_20080925_78.patch, 4284_20080926_79.patch, 4284_20080929_83.patch,
4284_20081007_85.patch, 4284_20081016_93.patch, 4284_20081016_94.patch, 4284_20081016_96.patch
> HADOOP-3854 introduced a framework for adding filters to filter browser facing urls.
Sometimes, there is a need to filter all urls. For example, at Yahoo, we need to open an SSL
port on the HttpServer and only accept hsftp requests from clients who can authenticate themselves
using client certificate and is authorized according to certain policy file. For this to happen,
we need a method to add a user configurable "global" filter, which filters on all client requests.
For our purposes, such a global filter will block all https requests except those accessing
the hsftp interface (it will let all http requests go through, so accesses through the normal
http ports are unaffected). Moreover, those hsftp requests will be subject to further authorization
checking according to the policy file.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.

View raw message