Date: Wed, 6 Nov 2019 00:50:00 +0000 (UTC)
From: "Eric Yang (Jira)"
To: issues@tez.apache.org
Subject: [jira] [Commented] (TEZ-4096) SSLFactory should make an attempt to add ssl config resources as "Path"

[ https://issues.apache.org/jira/browse/TEZ-4096?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16967986#comment-16967986 ]

Eric Yang commented on TEZ-4096:
--------------------------------

[~jeagles] I don't recommend adding this feature to Hadoop. Ssl-client.xml is one of those weak spots in Hadoop that allows an application user to override the system admin in truststore certificate management. This allows a POODLE-like attack to downgrade encryption used by a weak certificate. Ssl-client.xml should not be used on a production system IMHO.

> SSLFactory should make an attempt to add ssl config resources as "Path"
> -----------------------------------------------------------------------
>
>                 Key: TEZ-4096
>                 URL: https://issues.apache.org/jira/browse/TEZ-4096
>             Project: Apache Tez
>          Issue Type: Improvement
>            Reporter: Rajesh Balamohan
>            Priority: Major
>         Attachments: TEZ-4096.1.patch, TEZ-4096.2.patch
>
>
> SSLFactory uses "String" instead of "Path" for adding "ssl-client.xml". When addResource is invoked with a string, {{Configuration}} tries to find it in the classloader and does not load the file correctly.
> [https://github.com/apache/tez/blob/master/tez-runtime-library/src/main/java/org/apache/tez/http/SSLFactory.java#L107]
> Conf: [https://github.com/apache/hadoop/blob/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/conf/Configuration.java#L3064]
> This creates an issue when ssl-client.xml is located in a path other than the classpath.
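
The String-versus-Path behaviour described in the issue, as an added example that is not part of the original message or of Tez's code: it loads the same file both ways and reports which truststore location is actually in effect. It assumes hadoop-common is on the classpath; the class name, the temporary file and the truststore value are constructed for illustration.

```java
import java.io.File;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.Path;

// Hypothetical demo class, not taken from Tez or Hadoop.
public class SslClientResourceDemo {
    static final String KEY = "ssl.client.truststore.location";

    // Load a single resource into an empty Configuration (defaults disabled)
    // and return the truststore location it yields, or null if nothing loaded.
    static String lookup(Object resource) {
        Configuration conf = new Configuration(false);
        if (resource instanceof Path) {
            conf.addResource((Path) resource);    // read directly from the local filesystem
        } else {
            conf.addResource((String) resource);  // treated as a classpath resource name
        }
        return conf.get(KEY);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample ssl-client.xml, written outside the classpath.
        File dir = Files.createTempDirectory("ssl-conf").toFile();
        File xml = new File(dir, "ssl-client.xml");
        String body = "<?xml version=\"1.0\"?>\n<configuration>\n  <property>\n"
            + "    <name>" + KEY + "</name>\n"
            + "    <value>/etc/security/truststore.jks</value>\n"
            + "  </property>\n</configuration>\n";
        Files.write(xml.toPath(), body.getBytes(StandardCharsets.UTF_8));

        String viaString = lookup(xml.getAbsolutePath());
        String viaPath = lookup(new Path(xml.getAbsolutePath()));

        System.out.println("addResource(String) -> " + viaString);
        System.out.println("addResource(Path)   -> " + viaPath);

        // When auditing a deployment, a missing value here means the intended
        // ssl-client.xml was never read and some other source decides the truststore.
        if (viaString == null) {
            System.out.println("String form did not load " + xml + " (not on classpath)");
        }
    }
}
```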