[ 
https://issues.apache.org/jira/browse/HADOOP-4284?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12640408#action_12640408
 ] 

Kan Zhang commented on HADOOP-4284:
-----------------------------------

Attached a new patch 4284_20081016_96.patch

> I think it belongs to DistCp.setup(...).
It's too late to put it in setup(), since checkSrcPath() needs to use it before 
setup() is called. I did refactor it into a new method setupSsl() in the new 
patch. Thanks!

> How about defining a new class, say SslUtil in org.apache.hadoop.security?
I don't think it's worth the trouble. Note that although DistCp and Child set 
the same set of System properties, they use different ssl-client conf options. 
On the server side, most of the options are not set as System properties, but 
used to call addSslListener().

> BTW, what are the files ssl-client.xml.example and ssl-server.xml.example 
> for? They seem to be templates, not examples.
I renamed them to be templates.

> Support for user configurable global filters on HttpServer
> ----------------------------------------------------------
>
>                 Key: HADOOP-4284
>                 URL: https://issues.apache.org/jira/browse/HADOOP-4284
>             Project: Hadoop Core
>          Issue Type: New Feature
>    Affects Versions: 0.20.0
>            Reporter: Kan Zhang
>            Assignee: Kan Zhang
>             Fix For: 0.20.0
>
>         Attachments: 4284_20080925_78.patch, 4284_20080926_79.patch, 
> 4284_20080929_83.patch, 4284_20081007_85.patch, 4284_20081016_93.patch, 
> 4284_20081016_94.patch, 4284_20081016_96.patch
>
>
> HADOOP-3854 introduced a framework for adding filters to filter browser 
> facing urls. Sometimes, there is a need to filter all urls. For example, at 
> Yahoo, we need to open an SSL port on the HttpServer and only accept hsftp 
> requests from clients who can authenticate themselves using client 
> certificate and are authorized according to certain policy file. For this to 
> happen, we need a method to add a user configurable "global" filter, which 
> filters on all client requests. For our purposes, such a global filter will 
> block all https requests except those accessing the hsftp interface (it will 
> let all http requests go through, so accesses through the normal http ports 
> are unaffected). Moreover, those hsftp requests will be subject to further 
> authorization checking according to the policy file.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
