[
https://issues.apache.org/jira/browse/HADOOP-4284?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12640403#action_12640403
]
Chris Douglas commented on HADOOP-4284:
---------------------------------------
bq. BTW, what are the files ssl-client.xml.example and ssl-server.xml.example
for? They seem templates but not examples.

_x_.template files are automatically copied to _x_ if _x_ doesn't exist
(build.xml:240), which is unnecessary, even undesirable here. This patch fixes
the ssl setup so it no longer loads if the config is merely present, but
.example is probably still preferred.

bq. There are repeating System.setProperty(...) calls in the patch. Could we
define a method for all these common codes?

The possibilities here are pretty meager... the most straightforward
refactoring might take a prefix for the config properties, but that doesn't
exactly make the code more readable. A public class for a utility method shared
between client, datanode, and namesystem seems like a lot for so little payoff,
but I don't have strong objections to this- or another, better- approach.

bq. Yes, other clients can also make use of ssl.client.\* configs. But the
scope of this JIRA is limited to DistCp.

Users will miss this functionality... since using System.setProperty mandates
that there can be only one active instance of HsftpFileSystem, would it make
sense to move the client initialization into {{setConf}} or {{initialize}}?
Unfortunately, this complicates the client/mapred.child separation, since
HsftpFileSystem would need to know its context. The current organization is OK
for now, I think; the quirks of HsftpFileSystem are sufficient to keep it
sequestered to distcp.

Overall, this looks good to me. There's still no documentation, though. It can
be a separate JIRA, but please mark it as a blocker for 0.20.

> Support for user configurable global filters on HttpServer
> ----------------------------------------------------------
>
> Key: HADOOP-4284
> URL: https://issues.apache.org/jira/browse/HADOOP-4284
> Project: Hadoop Core
> Issue Type: New Feature
> Affects Versions: 0.20.0
> Reporter: Kan Zhang
> Assignee: Kan Zhang
> Fix For: 0.20.0
>
> Attachments: 4284_20080925_78.patch, 4284_20080926_79.patch,
> 4284_20080929_83.patch, 4284_20081007_85.patch, 4284_20081016_93.patch,
> 4284_20081016_94.patch, 4284_20081016_96.patch
>
>
> HADOOP-3854 introduced a framework for adding filters to filter browser
> facing urls. Sometimes, there is a need to filter all urls. For example, at
> Yahoo, we need to open an SSL port on the HttpServer and only accept hsftp
> requests from clients who can authenticate themselves using client
> certificate and are authorized according to certain policy file. For this to
> happen, we need a method to add a user configurable "global" filter, which
> filters on all client requests. For our purposes, such a global filter will
> block all https requests except those accessing the hsftp interface (it will
> let all http requests go through, so accesses through the normal http ports
> are unaffected). Moreover, those hsftp requests will be subject to further
> authorization checking according to the policy file.
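
The single-instance constraint raised in the comment above, as an added example (not code from the patch or from Hadoop): a JVM-wide property holds one value per process, while an SSLContext built per client is independent of any other client in the same JVM. It assumes the properties in question are the standard JSSE javax.net.ssl.* ones; the class name, helper names and keystore paths are constructed for illustration.

```java
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

public class PerClientSsl {
    // Build a socket factory private to one client from that client's own
    // key and trust stores, without touching JVM-wide state.
    static SSLSocketFactory factoryFor(KeyStore keys, char[] keyPass, KeyStore trust)
            throws Exception {
        KeyManagerFactory kmf =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keys, keyPass);
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    // Constructed stand-in for a store loaded from a configured file:
    // an empty in-memory keystore, so the example runs offline.
    static KeyStore emptyStore() throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);
        return ks;
    }

    public static void main(String[] args) throws Exception {
        // Global approach: one slot per JVM, so a second client's
        // settings overwrite the first client's (paths are constructed).
        System.setProperty("javax.net.ssl.keyStore", "/constructed/clientA.jks");
        System.setProperty("javax.net.ssl.keyStore", "/constructed/clientB.jks");
        System.out.println("JVM-wide keyStore: "
            + System.getProperty("javax.net.ssl.keyStore"));

        // Per-instance approach: each client owns its factory, which is
        // built from explicit stores and ignores the properties above.
        SSLSocketFactory a = factoryFor(emptyStore(), new char[0], emptyStore());
        SSLSocketFactory b = factoryFor(emptyStore(), new char[0], emptyStore());
        System.out.println("independent factories: " + (a != b));
        // A client would attach its factory to each connection with
        // HttpsURLConnection.setSSLSocketFactory(a).
    }
}
```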