hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Kai Zheng (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-12862) LDAP Group Mapping over SSL can not specify trust store
Date Thu, 07 Sep 2017 01:56:00 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-12862?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16156312#comment-16156312
] 

Kai Zheng commented on HADOOP-12862:
------------------------------------

Sorry for the late, pretty busy with EC related issues.

The issue was well documented in the description and I totally agree. The patch looks good
overall, with some comments:
1. {{setSslConf}} could be => {{loadSslConf}}.

2. Writing some plain password in configuration file should be discouraged, if allowed; could
we go for the password from reading the file first? 
{code}
 <property>
+  <name>hadoop.security.group.mapping.ldap.ssl.keystore.password</name>
+  <value></value>
+  <description>
+    Password for LDAP SSL keystore. If this value is empty, Hadoop will attempt
+    to read the password from the file in
+    hadoop.security.group.mapping.ldap.ssl.keystore.password.file.
+  </description>
+</property>
{code}

3. Lots of _empty_ default values defined here. If we don't really appreciate or favor the
*empty* value at all, I guess we could avoid the overhead of defining them at all.
{code}
   public static final String LDAP_KEYSTORE_PASSWORD_DEFAULT = "";
..
   public static final String LDAP_KEYSTORE_PASSWORD_FILE_DEFAULT = "";
..
+  /*
+   * Password for the keystore
+   */
+  public static final String LDAP_TRUSTSTORE_PASSWORD_KEY =
+      LDAP_CONFIG_PREFIX +".ssl.truststore.password";
+  public static final String LDAP_TRUSTSTORE_PASSWORD_DEFAULT = "";
+
+  public static final String LDAP_TRUSTSTORE_PASSWORD_FILE_KEY =
+      LDAP_TRUSTSTORE_PASSWORD_KEY + ".file";
+  public static final String LDAP_TRUSTSTORE_PASSWORD_FILE_DEFAULT = "";
+
{code}

> LDAP Group Mapping over SSL can not specify trust store
> -------------------------------------------------------
>
>                 Key: HADOOP-12862
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12862
>             Project: Hadoop Common
>          Issue Type: Bug
>            Reporter: Wei-Chiu Chuang
>            Assignee: Wei-Chiu Chuang
>         Attachments: HADOOP-12862.001.patch, HADOOP-12862.002.patch, HADOOP-12862.003.patch,
HADOOP-12862.004.patch, HADOOP-12862.005.patch, HADOOP-12862.006.patch, HADOOP-12862.007.patch
>
>
> In a secure environment, SSL is used to encrypt LDAP request for group mapping resolution.
> We (+[~yoderme], +[~tgrayson]) have found that its implementation is strange.
> For information, Hadoop name node, as an LDAP client, talks to a LDAP server to resolve
the group mapping of a user. In the case of LDAP over SSL, a typical scenario is to establish
one-way authentication (the client verifies the server's certificate is real) by storing the
server's certificate in the client's truststore.
> A rarer scenario is to establish two-way authentication: in addition to store truststore
for the client to verify the server, the server also verifies the client's certificate is
real, and the client stores its own certificate in its keystore.
> However, the current implementation for LDAP over SSL does not seem to be correct in
that it only configures keystore but no truststore (so LDAP server can verify Hadoop's certificate,
but Hadoop may not be able to verify LDAP server's certificate)
> I think there should an extra pair of properties to specify the truststore/password for
LDAP server, and use that to configure system properties {{javax.net.ssl.trustStore}}/{{javax.net.ssl.trustStorePassword}}
> I am a security layman so my words can be imprecise. But I hope this makes sense.
> Oracle's SSL LDAP documentation: http://docs.oracle.com/javase/jndi/tutorial/ldap/security/ssl.html
> JSSE reference guide: http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org


Mime
View raw message