hadoop-common-dev mailing list archives

From "Kan Zhang (JIRA)" <j...@apache.org>
Subject [jira] Commented: (HADOOP-4284) Support for user configurable global filters on HttpServer
Date Wed, 08 Oct 2008 00:16:44 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-4284?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12637724#action_12637724 ]

Kan Zhang commented on HADOOP-4284:

Chris, thanks for your detailed comments.

> dfs.https.permission.file.recheck.interval probably belongs in ssl-server.xml instead of hadoop-default.xml
I think it's better in hadoop-default.xml since it's a property of the filter, which is independent
of SSL listeners.

> Would it be possible to make this available to FsShell as well as DistCp using the ssl.client.*
Yes, other clients can also make use of ssl.client.* configs. But the scope of this JIRA is
limited to DistCp.

> The parsing of the X509 distinguished name using String::split 
Those corner cases wouldn't arise for this application since leading and trailing whitespaces
in names can't be accommodated anyway (the name field in ssl-permission.xml will strip them

> Has this been tested at scale?

Your other comments are incorporated in a new patch 4284_20081007_85.patch. Please take a

> Support for user configurable global filters on HttpServer
> ----------------------------------------------------------
>                 Key: HADOOP-4284
>                 URL: https://issues.apache.org/jira/browse/HADOOP-4284
>             Project: Hadoop Core
>          Issue Type: New Feature
>    Affects Versions: 0.20.0
>            Reporter: Kan Zhang
>            Assignee: Kan Zhang
>         Attachments: 4284_20080925_78.patch, 4284_20080926_79.patch, 4284_20080929_83.patch,
> HADOOP-3854 introduced a framework for adding filters to filter browser facing urls.
> Sometimes, there is a need to filter all urls. For example, at Yahoo, we need to open an SSL
> port on the HttpServer and only accept hsftp requests from clients who can authenticate themselves
> using a client certificate and are authorized according to a certain policy file. For this to happen,
> we need a method to add a user configurable "global" filter, which filters on all client requests.
> For our purposes, such a global filter will block all https requests except those accessing
> the hsftp interface (it will let all http requests go through, so accesses through the normal
> http ports are unaffected). Moreover, those hsftp requests will be subject to further authorization
> checking according to the policy file.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.
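
Added example, not code from any HADOOP-4284 patch or from Hadoop itself: a sketch of the decision the issue description asks of a global filter (pass http, block https outside the hsftp interface, authorize hsftp by client certificate name). The path prefixes, the permitted names and the class and method names are assumptions, and the real ssl-permission.xml format is not modelled; the subject DN is parsed with the JDK's `LdapName` rather than `String.split` so escaped commas in a name are handled.

```java
import java.util.Set;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

// Added illustration; hypothetical class, not part of the Hadoop code base.
public class GlobalFilterSketch {
    enum Decision { PASS, BLOCK }

    // Assumption: servlet paths that make up the hsftp interface.
    static final Set<String> HSFTP_PREFIXES = Set.of("/listPaths", "/data");
    // Assumption: names the policy file authorizes (constructed values).
    static final Set<String> PERMITTED = Set.of("distcp-client", "Ops, Backup");

    // Extract the CN with an RFC 2253-aware parser so escaped commas survive.
    static String commonName(String subjectDn) {
        try {
            for (Rdn rdn : new LdapName(subjectDn).getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    return rdn.getValue().toString().trim();
                }
            }
        } catch (InvalidNameException e) {
            // Malformed DN: fall through and treat the caller as unauthenticated.
        }
        return null;
    }

    static Decision decide(boolean secure, String path, String subjectDn) {
        if (!secure) return Decision.PASS;            // plain http is unaffected
        boolean hsftp = HSFTP_PREFIXES.stream().anyMatch(
            p -> path.equals(p) || path.startsWith(p + "/"));
        if (!hsftp) return Decision.BLOCK;            // https but not hsftp
        String cn = subjectDn == null ? null : commonName(subjectDn);
        return cn != null && PERMITTED.contains(cn) ? Decision.PASS : Decision.BLOCK;
    }

    public static void main(String[] args) {
        // Constructed sample requests: (secure?, path, client certificate subject DN).
        System.out.println(decide(false, "/dfshealth.jsp", null));
        System.out.println(decide(true, "/dfshealth.jsp", "CN=distcp-client,O=Example"));
        System.out.println(decide(true, "/data/user/f", "CN=distcp-client,O=Example"));
        System.out.println(decide(true, "/data/user/f", "CN=Ops\\, Backup,O=Example"));
        System.out.println(decide(true, "/data/user/f", "CN=intruder,O=Example"));
    }
}
```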
