hadoop-hdfs-issues mailing list archives

From "Aaron T. Myers (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HDFS-2617) Replaced Kerberized SSL for image transfer and fsck with SPNEGO-based solution
Date Thu, 19 Jul 2012 23:18:35 GMT

     [ https://issues.apache.org/jira/browse/HDFS-2617?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Aaron T. Myers updated HDFS-2617:
---------------------------------

          Resolution: Fixed
       Fix Version/s: 1.2.0
    Target Version/s: 2.0.0-alpha, 1.2.0  (was: 1.2.0, 2.0.0-alpha)
        Release Note: Due to the requirement that KSSL use weak encryption types for Kerberos
tickets, HTTP authentication to the NameNode will now use SPNEGO by default. This will require
users of previous branch-1 releases with security enabled to modify their configurations and
create new Kerberos principals in order to use SPNEGO. The old behavior of using KSSL can
optionally be enabled by setting the configuration option "hadoop.security.use-weak-http-crypto"
to "true".
              Status: Resolved  (was: Patch Available)

I've just committed this to branch-1. Thanks a lot for the contribution and discussion, all.
Particular thanks go out to Jakob Homan for getting the ball rolling on this issue and posting
the original rev of this patch.
                
> Replaced Kerberized SSL for image transfer and fsck with SPNEGO-based solution
> ------------------------------------------------------------------------------
>
>                 Key: HDFS-2617
>                 URL: https://issues.apache.org/jira/browse/HDFS-2617
>             Project: Hadoop HDFS
>          Issue Type: Improvement
>          Components: security
>            Reporter: Jakob Homan
>            Assignee: Jakob Homan
>             Fix For: 1.2.0, 2.1.0-alpha
>
>         Attachments: HDFS-2617-a.patch, HDFS-2617-b.patch, HDFS-2617-branch-1.patch,
>                      HDFS-2617-branch-1.patch, HDFS-2617-branch-1.patch, HDFS-2617-config.patch, HDFS-2617-trunk.patch,
>                      HDFS-2617-trunk.patch, HDFS-2617-trunk.patch, HDFS-2617-trunk.patch, hdfs-2617-1.1.patch
>
>
> The current approach to secure and authenticate nn web services is based on Kerberized
> SSL and was developed when a SPNEGO solution wasn't available. Now that we have one, we can
> get rid of the non-standard KSSL and use SPNEGO throughout.  This will simplify setup and
> configuration.  Also, Kerberized SSL is a non-standard approach with its own quirks and dark
> corners (HDFS-2386).

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
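
The release note above says KSSL can be switched back on with "hadoop.security.use-weak-http-crypto". The following audit sketch is an added example, not part of the original message or of Hadoop's code; it resolves that option across layered site files. The file names, the helper names and the case-insensitive match on "true" are assumptions.

```python
import xml.etree.ElementTree as ET

KEY = "hadoop.security.use-weak-http-crypto"  # option named in the release note


def site_xml(value, final=False):
    """Build a constructed *-site.xml document that sets KEY (sample input only)."""
    flag = "<final>true</final>" if final else ""
    return (f"<configuration><property><name>{KEY}</name>"
            f"<value>{value}</value>{flag}</property></configuration>")


def effective_value(resources, key=KEY):
    """Resolve key across (name, xml_text) pairs given in load order: a later
    file overrides an earlier one unless the earlier one marked it <final>."""
    value, source, locked = None, None, False
    for name, xml_text in resources:
        for prop in ET.fromstring(xml_text).iter("property"):
            if (prop.findtext("name") or "").strip() != key or locked:
                continue
            value = (prop.findtext("value") or "").strip()
            source = name
            locked = (prop.findtext("final") or "").strip().lower() == "true"
    return value, source


def audit(resources):
    """Return a finding string when KSSL is re-enabled, otherwise None.
    Assumptions: an absent key means the SPNEGO default described in the
    release note, and "true" is matched case-insensitively to err on the
    side of reporting."""
    value, source = effective_value(resources)
    if value is not None and value.lower() == "true":
        return f"{source}: {KEY}=true (KSSL with weak Kerberos encryption types re-enabled)"
    return None


if __name__ == "__main__":
    # Constructed scenario: core-site.xml pins the weak setting as final,
    # so the "false" in hdfs-site.xml does not take effect.
    layers = [("core-site.xml", site_xml("true", final=True)),
              ("hdfs-site.xml", site_xml("false"))]
    print(audit(layers) or "SPNEGO default in effect")
```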

        
