hadoop-hdfs-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Aaron T. Myers (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HDFS-2617) Replaced Kerberized SSL for image transfer and fsck with SPNEGO-based solution
Date Sat, 21 Jul 2012 07:41:38 GMT

    [ https://issues.apache.org/jira/browse/HDFS-2617?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13419757#comment-13419757

Aaron T. Myers commented on HDFS-2617:

Hi Eric,

bq. 1) We patch 1.0 as proposed here


bq. 2) We do not take these patches to 2.0.

I'm not entirely sure what you mean by this. SPNEGO support is already in branch-2. Are you
saying that you just want to leave that as-is, and not add an option to use KSSL on the server
side to branch-2? If so, I agree with that.

bq. 3) We additionally patch the client to try first the SPNEGO token protocol and then KSSL
if that fails. We patch both 1.0 and 2.0 HFTP clients to do this.

That seems fine to me, but I think that should be done as a separate JIRA, along the lines
of "HftpFileSystem should try both KSSL and SPNEGO when authentication is required". If you
agree, mind filing that JIRA? If you post a patch, I'll be happy to review it.
> Replaced Kerberized SSL for image transfer and fsck with SPNEGO-based solution
> ------------------------------------------------------------------------------
>                 Key: HDFS-2617
>                 URL: https://issues.apache.org/jira/browse/HDFS-2617
>             Project: Hadoop HDFS
>          Issue Type: Improvement
>          Components: security
>            Reporter: Jakob Homan
>            Assignee: Jakob Homan
>             Fix For: 1.2.0, 2.1.0-alpha
>         Attachments: HDFS-2617-a.patch, HDFS-2617-b.patch, HDFS-2617-branch-1.patch,
HDFS-2617-branch-1.patch, HDFS-2617-branch-1.patch, HDFS-2617-config.patch, HDFS-2617-trunk.patch,
HDFS-2617-trunk.patch, HDFS-2617-trunk.patch, HDFS-2617-trunk.patch, hdfs-2617-1.1.patch
> The current approach to secure and authenticate nn web services is based on Kerberized
SSL and was developed when a SPNEGO solution wasn't available. Now that we have one, we can
get rid of the non-standard KSSL and use SPNEGO throughout.  This will simplify setup and
configuration.  Also, Kerberized SSL is a non-standard approach with its own quirks and dark
corners (HDFS-2386).

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira


View raw message