[ 
https://issues.apache.org/jira/browse/HADOOP-17367?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Ahmed Hussein updated HADOOP-17367:
-----------------------------------
    Component/s: security
                 performance
    Description: 
Improve the ProxyUsers implementation by passing the address of the remote peer 
to avoid resolving the hostname.
Similarly, this requires adding InetAddress api to MachineList.

  was:
[~kihwal] reported that {{HttpServer2}} is still accepting TLS 1.1 or 1.0. 
These are only rejected when the java security setting excludes them. The 
expensive algorithms are still being used.


{code:bash}
main, WRITE: TLSv1.2 Handshake, length = 239
main, READ: TLSv1.2 Handshake, length = 1508
*** ServerHello, TLSv1.2
...
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
{code}

SSLFactory calls {{sslEngine.setEnabledCipherSuites()}} to set enabled ciphers.
Apparently this does not disable unincluded ciphers, so SSLFactory's cipher 
disabling feature does not work. Or it could be jetty's undoing.

Jetty9 introduced SSLContextFactory. The following methods can be used.

{code:java}
setExcludeCipherSuites()
setExcludeProtocols()
setIncludeCipherSuites()
setIncludeProtocols()
{code}

SSLFactory is not used by HttpServer2. It is only used by 
{{DatanodeHttpServer}} and {{ShuffleHandler}}. The reloading feature is also 
broken for the same reason.
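As an added illustration of the Jetty-side fix sketched above (this is example code written for this page, not Hadoop's or Jetty's own), the class below configures a Jetty 9.4 {{SslContextFactory.Server}} with the four include/exclude methods listed, removes TLS 1.0/1.1 and every CBC suite (including the {{TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384}} seen in the handshake), and then checks, after {{start()}}, which protocols actually survived the filtering rather than trusting the configuration. The keystore path and password are placeholders; the exclude patterns rely on Jetty accepting regular expressions in {{setExcludeCipherSuites()}}.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import org.eclipse.jetty.util.ssl.SslContextFactory;

public class HardenedSslContextFactoryExample {

    // Placeholder keystore location and password; a real server supplies its own.
    private static final String KEYSTORE_PATH = "/path/to/keystore.jks";
    private static final String KEYSTORE_PASSWORD = "changeit";

    /** Build a server-side factory that rejects legacy protocols and weak cipher suites. */
    public static SslContextFactory.Server hardenedFactory() {
        SslContextFactory.Server factory = new SslContextFactory.Server();
        factory.setKeyStorePath(KEYSTORE_PATH);
        factory.setKeyStorePassword(KEYSTORE_PASSWORD);

        // Protocols: allow only TLS 1.2 (and 1.3 where the JVM provides it) and
        // exclude the older versions by name. Excludes take precedence over includes,
        // so a JVM default that still lists TLSv1 cannot re-enable it.
        factory.setIncludeProtocols("TLSv1.2", "TLSv1.3");
        factory.setExcludeProtocols("SSL", "SSLv2", "SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1");

        // Cipher suites: Jetty treats exclude entries as regular expressions, so one
        // pattern removes every CBC suite, another every suite with a SHA-1/MD5 MAC.
        factory.setExcludeCipherSuites(
                "^.*_(MD5|SHA|SHA1)$",
                "^.*_CBC_.*$",
                "^.*_RC4_.*$",
                "^.*_NULL_.*$",
                "^.*_anon_.*$");
        return factory;
    }

    /** Protocols the started factory will actually offer, as a set for easy checks. */
    public static Set<String> selectedProtocols(SslContextFactory factory) {
        return new HashSet<>(Arrays.asList(factory.getSelectedProtocols()));
    }

    /** True when none of the legacy protocol versions survived the filtering. */
    public static boolean legacyTlsDisabled(SslContextFactory factory) {
        Set<String> protocols = selectedProtocols(factory);
        return !protocols.contains("TLSv1") && !protocols.contains("TLSv1.1")
                && !protocols.contains("SSLv3");
    }

    public static void main(String[] args) throws Exception {
        SslContextFactory.Server factory = hardenedFactory();
        factory.start();   // builds the SSLContext and applies the include/exclude filters
        try {
            System.out.println("protocols: " + selectedProtocols(factory));
            System.out.println("ciphers:   " + Arrays.toString(factory.getSelectedCipherSuites()));
            if (!legacyTlsDisabled(factory)) {
                throw new IllegalStateException("legacy TLS version still enabled");
            }
        } finally {
            factory.stop();
        }
    }
}
```

Querying {{getSelectedProtocols()}} and {{getSelectedCipherSuites()}} after start is the useful part: it reports what the JVM and Jetty negotiated from the configuration, which is exactly what the handshake trace above shows was not happening with the {{setEnabledCipherSuites()}} path.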

     Issue Type: Improvement  (was: Bug)
        Summary: Add InetAddress api to ProxyUsers.authorize  (was: Improve 
TLS/SSL default settings for security and performance)

> Add InetAddress api to ProxyUsers.authorize
> -------------------------------------------
>
>                 Key: HADOOP-17367
>                 URL: https://issues.apache.org/jira/browse/HADOOP-17367
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: performance, security
>            Reporter: Ahmed Hussein
>            Assignee: Ahmed Hussein
>            Priority: Major
>
> Improve the ProxyUsers implementation by passing the address of the remote 
> peer to avoid resolving the hostname.
> Similarly, this requires adding InetAddress api to MachineList.
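The point of the improvement is that authorization of a proxy user should be decided from the peer's {{InetAddress}} without a reverse lookup. As an added sketch of what an address-only matcher looks like (example code written for this page, not Hadoop's {{MachineList}} or {{ProxyUsers}}; the class name {{AddressAllowList}} is hypothetical), the code below accepts a comma-separated list of IP literals and CIDR ranges, or {{*}}, and answers {{includes(InetAddress)}} using only the raw address bytes. It never calls {{getHostName()}} or {{getCanonicalHostName()}}, which are the calls that trigger DNS; the sample peer in {{main}} is constructed with {{InetAddress.getByAddress(byte[])}}, which likewise performs no lookup.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.List;

/** Hypothetical address-only allow list: matching uses InetAddress bytes, never hostnames. */
public final class AddressAllowList {

    /** One IPv4 or IPv6 network in CIDR form. */
    private static final class Cidr {
        final byte[] network;
        final int prefixLen;

        Cidr(byte[] network, int prefixLen) {
            this.network = network;
            this.prefixLen = prefixLen;
        }

        /** Compare the first prefixLen bits of addr with the network address. */
        boolean contains(byte[] addr) {
            if (addr.length != network.length) {
                return false;           // IPv4 entry cannot match an IPv6 peer and vice versa
            }
            int fullBytes = prefixLen / 8;
            for (int i = 0; i < fullBytes; i++) {
                if (addr[i] != network[i]) {
                    return false;
                }
            }
            int remainingBits = prefixLen % 8;
            if (remainingBits == 0) {
                return true;
            }
            int mask = (0xFF << (8 - remainingBits)) & 0xFF;
            return (addr[fullBytes] & mask) == (network[fullBytes] & mask);
        }
    }

    private final boolean wildcard;
    private final List<Cidr> entries = new ArrayList<>();

    /**
     * Parse "*" or a comma-separated list such as "10.0.0.0/8, 192.168.1.5, ::1".
     * Entries are IP literals, so InetAddress.getByName() does not consult DNS here;
     * parsing happens once at configuration time, not per request.
     */
    public AddressAllowList(String spec) throws UnknownHostException {
        String trimmed = spec.trim();
        this.wildcard = trimmed.equals("*");
        if (wildcard) {
            return;
        }
        for (String raw : trimmed.split(",")) {
            String entry = raw.trim();
            if (entry.isEmpty()) {
                continue;
            }
            int slash = entry.indexOf('/');
            String ipPart = slash < 0 ? entry : entry.substring(0, slash);
            byte[] bytes = InetAddress.getByName(ipPart).getAddress();
            int prefixLen = slash < 0 ? bytes.length * 8 : Integer.parseInt(entry.substring(slash + 1));
            if (prefixLen < 0 || prefixLen > bytes.length * 8) {
                throw new IllegalArgumentException("bad prefix length in " + entry);
            }
            entries.add(new Cidr(bytes, prefixLen));
        }
    }

    /** Decide from the address bytes alone; no reverse DNS is ever performed. */
    public boolean includes(InetAddress address) {
        if (wildcard) {
            return true;
        }
        byte[] addr = address.getAddress();
        for (Cidr cidr : entries) {
            if (cidr.contains(addr)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        AddressAllowList allowed = new AddressAllowList("10.0.0.0/8, 192.168.1.5");
        // Constructed sample peers; getByAddress builds the object without any lookup.
        InetAddress inside = InetAddress.getByAddress(new byte[] {10, 20, 30, 40});
        InetAddress exact = InetAddress.getByAddress(new byte[] {(byte) 192, (byte) 168, 1, 5});
        InetAddress outside = InetAddress.getByAddress(new byte[] {(byte) 192, (byte) 168, 1, 6});
        System.out.println(allowed.includes(inside));   // true
        System.out.println(allowed.includes(exact));    // true
        System.out.println(allowed.includes(outside));  // false
    }
}
```

An {{authorize(user, InetAddress)}} overload built on such a matcher keeps the hot path free of DNS: the only remaining cost per call is a byte comparison against the configured ranges, and a slow or failing resolver can no longer stall or wrongly reject a proxy-user check.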



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
