[jira] [Created] (HDFS-17680) HDFS ui in the datanodes doesn't redirect to https when dfs.http.policy is HTTPS_ONLY

Mon, 02 Dec 2024 13:22:08 -0800 

Luis Pigueiras created HDFS-17680:
-------------------------------------

             Summary: HDFS ui in the datanodes doesn't redirect to https when 
dfs.http.policy is HTTPS_ONLY
                 Key: HDFS-17680
                 URL: https://issues.apache.org/jira/browse/HDFS-17680
             Project: Hadoop HDFS
          Issue Type: Bug
          Components: datanode, ui
    Affects Versions: 3.4.1
            Reporter: Luis Pigueiras


_(I'm not sure if I should put it in HDFS or in HADOOP, feel free to move it if 
it's not the correct place)_

We have noticed that with having a https_only configuration when accessing the 
datanodes from the namenode UI, there is a wrong redirection when clicking on 
the link of the datanodes.

If you visit in the hdfs UI of a namenode:

https://<node>:50070/ -> datanodes -> click on the datanode you get redirected 
from https://<node>:9865 to http://<node>:9865. The 302 should redirect to 
https and not to http. If you do a curl to the link that is exposed on the 
website, you get the redirected to the wrong place.
{code}
curl -k https://testing2475891.example.org:9865 -vvv
...
< HTTP/1.1 302 Found
< Location: http://testing2475891.example.org:9865/index.html 
{code}

This issue is present in our 3.3.6 but it's also present in 3.4.1 because I 
managed to reproduce it with the following steps:

 - Download latest version (binary from: 
[https://hadoop.apache.org/releases.html] -> 3.4.1)
 - Uncompress the binaries:
{code:java}
tar -xvf hadoop-3.4.1.tar.gz
cd hadoop-3.4.1
{code}

 - Generate dummy certs for TLS and move them to {{etc/hadoop}}
{code:java}
keytool -genkeypair -alias hadoop -keyalg RSA -keystore hadoop.keystore 
-storepass changeit -validity 365
keytool -export -alias hadoop -keystore hadoop.keystore -file hadoop.cer 
-storepass changeit
keytool -import -alias hadoop -file hadoop.cer -keystore hadoop.truststore 
-storepass changeit -noprompt
cp hadoop.* etc/hadoop
{code}

 - Add this to {{etc/hadoop/hadoop-env.sh}}
{code:java}
export JAVA_HOME=/usr/lib/jvm/java-11-openjdk
export HDFS_NAMENODE_USER=root
export HDFS_DATANODE_USER=root
export HDFS_SECONDARYNAMENODE_USER=root
{code}

 - Create a etc/hadoop/ssl-server.xml with:
{code:java}
<configuration>

<property>
  <name>ssl.server.truststore.location</name>
  <value>/root/hadoop/hadoop-3.4.1/etc/hadoop/hadoop.truststore</value>
  <description>Truststore to be used by NN and DN. Must be specified.
  </description>
</property>

<property>
  <name>ssl.server.truststore.password</name>
  <value>changeit</value>
  <description>Optional. Default value is "".
  </description>
</property>

<property>
  <name>ssl.server.truststore.type</name>
  <value>jks</value>
  <description>Optional. The keystore file format, default value is "jks".
  </description>
</property>

<property>
  <name>ssl.server.truststore.reload.interval</name>
  <value>10000</value>
  <description>Truststore reload check interval, in milliseconds.
  Default value is 10000 (10 seconds).
  </description>
</property>

<property>
  <name>ssl.server.keystore.location</name>
  <value>/root/hadoop/hadoop-3.4.1/etc/hadoop/hadoop.keystore</value>
  <description>Keystore to be used by NN and DN. Must be specified.
  </description>
</property>

<property>
  <name>ssl.server.keystore.password</name>
  <value>changeit</value>
  <description>Must be specified.
  </description>
</property>

<property>
  <name>ssl.server.keystore.keypassword</name>
  <value>changeit</value>
  <description>Must be specified.
  </description>
</property>

<property>
  <name>ssl.server.keystore.type</name>
  <value>jks</value>
  <description>Optional. The keystore file format, default value is "jks".
  </description>
</property>

<property>
  <name>ssl.server.exclude.cipher.list</name>
  <value>TLS_ECDHE_RSA_WITH_RC4_128_SHA,SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
  SSL_RSA_WITH_DES_CBC_SHA,SSL_DHE_RSA_WITH_DES_CBC_SHA,
  SSL_RSA_EXPORT_WITH_RC4_40_MD5,SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,
  SSL_RSA_WITH_RC4_128_MD5</value>
  <description>Optional. The weak security cipher suites that you want excluded
  from SSL communication.</description>
</property>

</configuration>
{code}

 - hdfs-site.xml:

{code:java}
<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
<!--
  Licensed under the Apache License, Version 2.0 (the "License");
  you may not use this file except in compliance with the License.
  You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License. See accompanying LICENSE file.
-->

<!-- Put site-specific property overrides in this file. -->

<configuration>
        <configuration>
    <property>
        <name>dfs.replication</name>
        <value>1</value>
    </property>
</configuration>

<property>
  <name>dfs.http.policy</name>
  <value>HTTPS_ONLY</value>
</property>
<property>
    <name>dfs.https.enable</name>
    <value>true</value>
</property>
<property>
    <name>dfs.namenode.https-address</name>
    <value>0.0.0.0:50070</value>
</property>
<property>
  <name>dfs.https.server.keystore.resource</name>
  <value>ssl-server.xml</value>
</property>

</configuration>
{code}
 - core-site.xml:

{code:java}
<configuration>
        <configuration>
    <property>
        <name>fs.defaultFS</name>
        <value>hdfs://localhost:9000</value>
    </property>
</configuration>

<property>
  <name>hadoop.ssl.enabled</name>
  <value>true</value>
</property>
<property>
  <name>hadoop.ssl.keystores.factory.class&lt;/name>
  <value>org.apache.hadoop.security.ssl.FileBasedKeyStoresFactory</value>
</property>
<property>
  <name>hadoop.ssl.server.keystore.resource</name>
  <value>hadoop.keystore</value>
</property>
<property>
  <name>hadoop.ssl.server.keystore.password</name>
  <value>changeit</value>
</property>
<property>
  <name>hadoop.ssl.server.truststore.resource</name>
  <value>hadoop.truststore</value>
</property>
<property>
  <name>hadoop.ssl.server.truststore.password</name>
  <value>changeit</value>
</property>

</configuration>
{code}
 - Now you can initialize:

{code:java}
bin/hdfs namenode -format
sbin/start-dfs.sh
{code}
 - If you visit https://<node>:50070/ -> datanodes -> click on the datanode you 
get redirected from https://<node>:9865 to http://<node>:9865

{code}
 curl -k https://testing2475891.example.org:9865 -vvv
...
< HTTP/1.1 302 Found
< Location: http://testing2475891.example.org:9865/index.html
{code}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: hdfs-dev-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-dev-h...@hadoop.apache.org

Reply via email to