[ https://issues.apache.org/jira/browse/HADOOP-12862?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Konstantin Shvachko updated HADOOP-12862:
-----------------------------------------
       Resolution: Fixed
     Hadoop Flags: Reviewed
    Fix Version/s: 3.1.1
                   3.0.2
                   3.2.0
                   2.7.6
                   2.8.4
                   2.9.1
                   2.10.0
           Status: Resolved  (was: Patch Available)

I just committed this to the following branches:
{code}
   2c6cfad5a31..2216bde3229  trunk -> trunk
   2960592c6f9..99b5b9dce1b  branch-3.1 -> branch-3.1
   cd74a281a76..3912bdb2b03  branch-3.0 -> branch-3.0
   7e5c8faeb7c..c138682e048  branch-2 -> branch-2
   f71128f056f..5cbbc4c374b  branch-2.9 -> branch-2.9
   dff546156dc..fb15e41737d  branch-2.8 -> branch-2.8
   65baefb5381..caf518cd3f1  branch-2.7 -> branch-2.7
{code}
Thank you [~jojochuang].

> LDAP Group Mapping over SSL can not specify trust store
> -------------------------------------------------------
>
>                 Key: HADOOP-12862
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12862
>             Project: Hadoop Common
>          Issue Type: Bug
>            Reporter: Wei-Chiu Chuang
>            Assignee: Wei-Chiu Chuang
>            Priority: Major
>              Labels: release-blocker
>             Fix For: 2.10.0, 2.9.1, 2.8.4, 2.7.6, 3.2.0, 3.0.2, 3.1.1
>
>         Attachments: HADOOP-12862.001.patch, HADOOP-12862.002.patch, 
> HADOOP-12862.003.patch, HADOOP-12862.004.patch, HADOOP-12862.005.patch, 
> HADOOP-12862.006.patch, HADOOP-12862.007.patch, HADOOP-12862.008.patch, 
> HADOOP-12862.009.patch
>
>
> In a secure environment, SSL is used to encrypt LDAP requests for group 
> mapping resolution.
> We (+[~yoderme], +[~tgrayson]) have found that its implementation is strange.
> For information, the Hadoop name node, as an LDAP client, talks to an LDAP server 
> to resolve the group mapping of a user. In the case of LDAP over SSL, a 
> typical scenario is to establish one-way authentication (the client verifies 
> that the server's certificate is real) by storing the server's certificate in the 
> client's truststore.
> A rarer scenario is to establish two-way authentication: in addition to storing a 
> truststore for the client to verify the server, the server also verifies that the 
> client's certificate is real, and the client stores its own certificate in 
> its keystore.
> However, the current implementation for LDAP over SSL does not seem to be 
> correct in that it only configures a keystore but no truststore (so the LDAP server 
> can verify Hadoop's certificate, but Hadoop may not be able to verify the LDAP 
> server's certificate).
> I think there should be an extra pair of properties to specify the 
> truststore/password for the LDAP server, and use that to configure the system 
> properties {{javax.net.ssl.trustStore}}/{{javax.net.ssl.trustStorePassword}}.
> I am a security layman so my words can be imprecise. But I hope this makes 
> sense.
> Oracle's SSL LDAP documentation: 
> http://docs.oracle.com/javase/jndi/tutorial/ldap/security/ssl.html
> JSSE reference guide: 
> http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html
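The issue description above explains the gap: the LDAP-over-SSL client set the JSSE keystore properties (so the server could verify Hadoop) but never the truststore properties (so Hadoop could not verify a server whose certificate is not in the JVM's default cacerts). The following is an added illustration, not Hadoop's code and not any of the attached patches: it builds a JNDI LDAP environment that treats the truststore as mandatory whenever SSL is enabled, validates that each store file actually opens with its password before the JVM-wide `javax.net.ssl.*` properties are set, and keeps the keystore optional for the two-way case. The `hadoop.security.group.mapping.ldap.ssl*` keystore keys mirror Hadoop's existing LDAP SSL settings; the two `...truststore` keys are hypothetical names standing in for the "extra pair of properties" the reporter proposes.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Hashtable;
import java.util.Properties;
import javax.naming.Context;

/**
 * Added example (not Hadoop's code): configure a JNDI LDAP-over-SSL environment so
 * that BOTH directions of the TLS handshake can be verified. The truststore lets
 * this client verify the LDAP server (one-way auth, the part the issue reports as
 * missing); the keystore lets the LDAP server verify this client (two-way auth).
 */
public final class LdapSslEnv {

  // Keystore keys mirror Hadoop's existing LDAP SSL settings.
  static final String SSL_ENABLED = "hadoop.security.group.mapping.ldap.ssl";
  static final String KEYSTORE = "hadoop.security.group.mapping.ldap.ssl.keystore";
  static final String KEYSTORE_PASSWORD = "hadoop.security.group.mapping.ldap.ssl.keystore.password";
  // Truststore keys are hypothetical names used only for this illustration.
  static final String TRUSTSTORE = "hadoop.security.group.mapping.ldap.ssl.truststore";
  static final String TRUSTSTORE_PASSWORD = "hadoop.security.group.mapping.ldap.ssl.truststore.password";

  /** Fail fast if a store file cannot be opened with the given password or is empty. */
  static void checkStoreLoads(String path, String password, String role)
      throws IOException, GeneralSecurityException {
    KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
    try (FileInputStream in = new FileInputStream(path)) {
      // A null password loads a JKS file without its integrity check.
      ks.load(in, password == null ? null : password.toCharArray());
    }
    if (ks.size() == 0) {
      throw new IllegalStateException(role + " " + path + " contains no entries");
    }
  }

  /** Build the JNDI environment and set the JSSE system properties it relies on. */
  static Hashtable<String, Object> buildEnv(Properties conf, String ldapUrl)
      throws IOException, GeneralSecurityException {
    Hashtable<String, Object> env = new Hashtable<>();
    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    env.put(Context.PROVIDER_URL, ldapUrl);

    if (Boolean.parseBoolean(conf.getProperty(SSL_ENABLED, "false"))) {
      env.put(Context.SECURITY_PROTOCOL, "ssl");

      // Truststore is mandatory with SSL: without it the client cannot verify a
      // server certificate that is not already in the JVM's default cacerts.
      String trustStore = conf.getProperty(TRUSTSTORE);
      if (trustStore == null || trustStore.isEmpty()) {
        throw new IllegalArgumentException(
            TRUSTSTORE + " must be set when " + SSL_ENABLED + " is true");
      }
      String trustPassword = conf.getProperty(TRUSTSTORE_PASSWORD);
      checkStoreLoads(trustStore, trustPassword, "truststore");
      System.setProperty("javax.net.ssl.trustStore", trustStore);
      if (trustPassword != null) {
        System.setProperty("javax.net.ssl.trustStorePassword", trustPassword);
      }

      // Keystore is optional: only needed when the server also verifies the client.
      String keyStore = conf.getProperty(KEYSTORE);
      if (keyStore != null && !keyStore.isEmpty()) {
        String keyPassword = conf.getProperty(KEYSTORE_PASSWORD);
        checkStoreLoads(keyStore, keyPassword, "keystore");
        System.setProperty("javax.net.ssl.keyStore", keyStore);
        if (keyPassword != null) {
          System.setProperty("javax.net.ssl.keyStorePassword", keyPassword);
        }
      }
    }
    return env;
  }

  public static void main(String[] args) throws Exception {
    // Constructed sample configuration; the path, password and URL are placeholders.
    Properties conf = new Properties();
    conf.setProperty(SSL_ENABLED, "true");
    conf.setProperty(TRUSTSTORE, "/etc/hadoop/ldap-truststore.jks");
    conf.setProperty(TRUSTSTORE_PASSWORD, "changeit");
    Hashtable<String, Object> env = buildEnv(conf, "ldaps://ldap.example.com:636");
    System.out.println(env);
    // new javax.naming.directory.InitialDirContext(env) would now open the connection.
  }
}
```

Two points a reviewer of the real change would want to keep in mind: `javax.net.ssl.*` are JVM-global system properties, so setting them for the LDAP client changes the trust and identity material used by every other TLS connection in the same process (a `SSLSocketFactory` built from a dedicated `SSLContext` avoids that), and validating the store with `KeyStore.load` before use turns a wrong path or password into an immediate startup error instead of a handshake failure buried in the group-mapping logs.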



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
