hadoop-hdfs-issues mailing list archives

From "Allen Wittenauer (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HDFS-2617) Replaced Kerberized SSL for image transfer and fsck with SPNEGO-based solution
Date Tue, 26 Jun 2012 22:44:44 GMT

    [ https://issues.apache.org/jira/browse/HDFS-2617?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13401756#comment-13401756 ]

Allen Wittenauer commented on HDFS-2617:
----------------------------------------

Given that 2.x is a major release, it seems a reasonable time to break HFTP over KSSL especially
given that one has to severely cripple their security in order to make secure Hadoop work
on recent Kerberos implementations.  

It also seems reasonable to explain to users as part of their transition to 2.x from prior
releases that this functionality is going away.  This primarily is going to sting the early
adopters, an audience who has essentially volunteered to be our lab rats.  But for the
folks who favor stability, now is the time to get the word out to start switching to a 1.x
branch with a working WebHDFS.  By the time 2.0 is stable and/or ready for those people to
deploy, they should be in relatively good shape.  

Something else to consider:  the impacted audience is likely low, as I suspect most people
probably aren't running a 1.x release yet and/or have security turned on.  (I'd *love* to
see some stats though.  I really hope I'm wrong.  However knowing that it took us several
months to transition from 0.20.2 to secure 1.x... and part of that time is directly correlated
to the lack of the code in this patch... I have a feeling I'm correct.)
                
> Replaced Kerberized SSL for image transfer and fsck with SPNEGO-based solution
> ------------------------------------------------------------------------------
>
>                 Key: HDFS-2617
>                 URL: https://issues.apache.org/jira/browse/HDFS-2617
>             Project: Hadoop HDFS
>          Issue Type: Improvement
>          Components: security
>            Reporter: Jakob Homan
>            Assignee: Jakob Homan
>             Fix For: 2.0.1-alpha
>
>         Attachments: HDFS-2617-a.patch, HDFS-2617-b.patch, HDFS-2617-config.patch, HDFS-2617-trunk.patch,
> HDFS-2617-trunk.patch, HDFS-2617-trunk.patch, HDFS-2617-trunk.patch, hdfs-2617-1.1.patch
>
>
> The current approach to secure and authenticate nn web services is based on Kerberized
> SSL and was developed when a SPNEGO solution wasn't available. Now that we have one, we can
> get rid of the non-standard KSSL and use SPNEGO throughout.  This will simplify setup and
> configuration.  Also, Kerberized SSL is a non-standard approach with its own quirks and dark
> corners (HDFS-2386).

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        
