tez-issues mailing list archives

From "Eric Yang (Jira)" <j...@apache.org>
Subject [jira] [Commented] (TEZ-4096) SSLFactory should make an attempt to add ssl config resources as "Path"
Date Wed, 06 Nov 2019 04:11:00 GMT

    [ https://issues.apache.org/jira/browse/TEZ-4096?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16968068#comment-16968068 ]

Eric Yang commented on TEZ-4096:
--------------------------------

[~jayeshseshadri@gmail.com], An application can explicitly ignore server certificates if additional
code is implemented, and that is easy to spot with a code scan.  That the content of ssl-client.xml isn't
converted to tez-conf protobuf is an interesting bug of inconsistency with Hadoop, but Tez
is actually more secure without the patch.  The Java cacerts truststore will remain the authoritative
source for validating CA certificates.  This patch allows job configuration to override ssl.server.keystore.location,
hence it is harder for a code scan to pick up vulnerabilities.  That Hadoop has a weak way
of allowing truststore override by a non-privileged user doesn't mean that Tez should follow
the same pattern to weaken CA certificate management privileges.

> SSLFactory should make an attempt to add ssl config resources as "Path"
> -----------------------------------------------------------------------
>
>                 Key: TEZ-4096
>                 URL: https://issues.apache.org/jira/browse/TEZ-4096
>             Project: Apache Tez
>          Issue Type: Improvement
>            Reporter: Rajesh Balamohan
>            Priority: Major
>         Attachments: TEZ-4096.1.patch, TEZ-4096.2.patch
>
>
> SSLFactory uses "String" instead of "Path" for adding "ssl-client.xml". When addResource
> is invoked with string, {{Configuration}} tries to find it in classloader and does not load
> the file correctly.
> [https://github.com/apache/tez/blob/master/tez-runtime-library/src/main/java/org/apache/tez/http/SSLFactory.java#L107]
> Conf: [https://github.com/apache/hadoop/blob/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/conf/Configuration.java#L3064]
> This creates an issue when ssl-client.xml is located in a path other than the classpath.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
