hadoop-hdfs-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jakob Homan (Commented) (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HDFS-2617) Replaced Kerberized SSL for image transfer and fsck with SPNEGO-based solution
Date Tue, 13 Dec 2011 21:33:30 GMT

    [ https://issues.apache.org/jira/browse/HDFS-2617?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13168748#comment-13168748
] 

Jakob Homan commented on HDFS-2617:
-----------------------------------

@Aaron - think about this some more, and not hearing any comments, I think it'd be better
to go with SPNEGO for a couple of reasons: (1) keep a consistent approach to the web interfaces
for the NN/2NN (we could re-use tokens from the map-output fetch, but it would be a bit messy)
and (2) the current kerbssl approach is used to fetch/renew/etc delegation tokens explicitly
so we don't have to have an API call (to enabled hftp).  Moving to SPNEGO for these would
preserve this behavior.

The next question is - how to deprecate the kerbssl.  It'll be quite annoying to have to support
both for a couple releases.  
                
> Replaced Kerberized SSL for image transfer and fsck with SPNEGO-based solution
> ------------------------------------------------------------------------------
>
>                 Key: HDFS-2617
>                 URL: https://issues.apache.org/jira/browse/HDFS-2617
>             Project: Hadoop HDFS
>          Issue Type: Improvement
>            Reporter: Jakob Homan
>            Assignee: Jakob Homan
>
> The current approach to secure and authenticate nn web services is based on Kerberized
SSL and was developed when a SPNEGO solution wasn't available. Now that we have one, we can
get rid of the non-standard KSSL and use SPNEGO throughout.  This will simplify setup and
configuration.  Also, Kerberized SSL is a non-standard approach with its own quirks and dark
corners (HDFS-2386).

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

Mime
View raw message