[
https://issues.apache.org/jira/browse/HADOOP-4284?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12637724#action_12637724
]
Kan Zhang commented on HADOOP-4284:
-----------------------------------
Chris, thanks for your detailed comments.
> dfs.https.permission.file.recheck.interval probably belongs in ssl-server.xml
> instead of hadoop-default.xml
I think it's better in hadoop-default.xml since it's a property of the filter,
which is independent of SSL listeners.
> Would it be possible to make this available to FsShell as well as DistCp
> using the ssl.client.* config?
Yes, other clients can also make use of ssl.client.* configs. But the scope of
this JIRA is limited to DistCp.
> The parsing of the X509 distinguished name using String::split
Those corner cases wouldn't arise for this application since leading and
trailing whitespace in names can't be accommodated anyway (the name field in
ssl-permission.xml will strip it off).
> Has this been tested at scale?
No.
Your other comments are incorporated in a new patch 4284_20081007_85.patch.
Please take a look.
> Support for user configurable global filters on HttpServer
> ----------------------------------------------------------
>
> Key: HADOOP-4284
> URL: https://issues.apache.org/jira/browse/HADOOP-4284
> Project: Hadoop Core
> Issue Type: New Feature
> Affects Versions: 0.20.0
> Reporter: Kan Zhang
> Assignee: Kan Zhang
> Attachments: 4284_20080925_78.patch, 4284_20080926_79.patch,
> 4284_20080929_83.patch, 4284_20081007_85.patch
>
>
> HADOOP-3854 introduced a framework for adding filters to filter browser
> facing urls. Sometimes, there is a need to filter all urls. For example, at
> Yahoo, we need to open an SSL port on the HttpServer and only accept hsftp
> requests from clients who can authenticate themselves using a client
> certificate and are authorized according to a certain policy file. For this to
> happen, we need a method to add a user configurable "global" filter, which
> filters on all client requests. For our purposes, such a global filter will
> block all https requests except those accessing the hsftp interface (it will
> let all http requests go through, so accesses through the normal http ports
> are unaffected). Moreover, those hsftp requests will be subject to further
> authorization checking according to the policy file.
--
This message is automatically generated by JIRA.
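
The DN-parsing question discussed in the comment above, as an added example that is not part of the original message or of the HADOOP-4284 patch: it compares extracting the CN from an X.509 subject DN with `String.split` against the JDK's RFC 2253 parser (`javax.naming.ldap.LdapName`). The class name, method names and sample DNs are constructed for illustration and go beyond the whitespace case mentioned in the thread by also covering an escaped comma.

```java
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

// Illustrative class; names are hypothetical and not taken from Hadoop.
public class DnCommonName {

    // Naive approach: split the DN on ',' and then on '='.
    // Escaped separators inside a value are not understood.
    static String cnBySplit(String dn) {
        for (String part : dn.split(",")) {
            String[] kv = part.split("=");
            if (kv.length == 2 && kv[0].trim().equalsIgnoreCase("CN")) {
                return kv[1].trim();
            }
        }
        return null;
    }

    // RFC 2253-aware approach: LdapName handles escaping and
    // insignificant whitespace around each RDN.
    static String cnByLdapName(String dn) throws InvalidNameException {
        for (Rdn rdn : new LdapName(dn).getRdns()) {
            if (rdn.getType().equalsIgnoreCase("CN")) {
                return rdn.getValue().toString();
            }
        }
        return null;
    }

    public static void main(String[] args) throws InvalidNameException {
        // Constructed sample DNs, not taken from any real certificate.
        String[] samples = {
            "CN=distcp-client,OU=Grid,O=Example,C=US",  // plain name
            "CN= distcp-client ,OU=Grid,O=Example,C=US", // unescaped padding
            "CN=Smith\\, John,OU=Grid,O=Example,C=US",   // escaped comma in value
            "CN=\\ padded\\ ,OU=Grid,O=Example,C=US"     // escaped leading/trailing space
        };
        for (String dn : samples) {
            System.out.printf("%-45s split=[%s] ldapName=[%s]%n",
                    dn, cnBySplit(dn), cnByLdapName(dn));
        }
    }
}
```

Where the two columns differ, a policy file keyed on the name would be compared against a different string than the one the certificate actually carries, so an authorization filter should either use the RFC 2253 parser or reject DNs containing escape characters.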