tez-issues mailing list archives

From "Eric Yang (Jira)" <j...@apache.org>
Subject [jira] [Commented] (TEZ-4096) SSLFactory should make an attempt to add ssl config resources as "Path"
Date Wed, 06 Nov 2019 00:50:00 GMT

    [ https://issues.apache.org/jira/browse/TEZ-4096?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16967986#comment-16967986 ]

Eric Yang commented on TEZ-4096:
--------------------------------

[~jeagles] I don't recommend adding this feature to Hadoop.  Ssl-client.xml is one of those
weak spots in Hadoop that allow an application user to override the system admin in truststore certificate
management.  This allows a POODLE-like attack to downgrade encryption used by a weak certificate.
Ssl-client.xml should not be used on a production system IMHO.

> SSLFactory should make an attempt to add ssl config resources as "Path"
> -----------------------------------------------------------------------
>
>                 Key: TEZ-4096
>                 URL: https://issues.apache.org/jira/browse/TEZ-4096
>             Project: Apache Tez
>          Issue Type: Improvement
>            Reporter: Rajesh Balamohan
>            Priority: Major
>         Attachments: TEZ-4096.1.patch, TEZ-4096.2.patch
>
>
> SSLFactory uses "String" instead of "Path" for adding "ssl-client.xml". When addResource
> is invoked with string, {{Configuration}} tries to find it in classloader and does not load
> the file correctly.
> [https://github.com/apache/tez/blob/master/tez-runtime-library/src/main/java/org/apache/tez/http/SSLFactory.java#L107]
> Conf: [https://github.com/apache/hadoop/blob/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/conf/Configuration.java#L3064]
> This creates an issue when ssl-client.xml is located in a path other than the classpath.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
