[
https://issues.apache.org/jira/browse/HDFS-8509?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15114422#comment-15114422
]
Wellington Chevreuil commented on HDFS-8509:
--------------------------------------------
Here is a summary of the changes proposed in the given patch:
1) *pom.xml* files on the "*hadoop-project*",
"*hadoop-common-project/hadoop-kms*" and
"*hadoop-hdfs-project/hadoop-hdfs-httpfs*" projects were changed to refer to
Tomcat version 8;
2) The Tomcat "*server.xml*" configuration file has some changes on Tomcat 8, in
relation to Tomcat 6 (mainly some listener class definitions that had been
changed and are not backward compatible), so this file needed to be updated
on both the "*hadoop-common-project/hadoop-kms*" and
"*hadoop-hdfs-project/hadoop-hdfs-httpfs*" projects;
3) Changed the
"*hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/conf/httpfs-env.sh*" file to
define a new variable "*HTTPFS_SSL_KEY_PASS*" for the key password. For some
reason, the "*HTTPFS_SSL_ENABLED*" variable was not defined in the *httpfs-env.sh*
script, even though the
[documentation|https://hadoop.apache.org/docs/stable/hadoop-hdfs-httpfs/ServerSetup.html#HTTPFS_SSL_ENABLED]
states this should be set to *true* in this script in order to enable *SSL*.
Had added this variable as a comment to this script;
4) From Tomcat 7 onwards, the *server.xml* connector defines a *keyPass* attribute
where a specific password for the key can be specified. Changed the
"*hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/sbin/httpfs.sh*" script to
copy the key password *(if defined)* from the "*httpfs-env.sh*" script and set it
properly in *server.xml* to be used by the *httpfs* Tomcat instance. Also noticed
that "*hdfs-httpfs*" used to have a *server.xml* template for *SSL*, named
"*ssl-server.xml.conf*", from where specific *SSL* options were copied to a
*server.xml* file. While testing the changes for this patch, noticed that once
*SSL* had been enabled, the standard *server.xml* would be _regenerated with
the SSL options, but switching back to non-SSL (by simply disabling the
HTTPFS_SSL_ENABLED flag in the httpfs-env.sh script) would not suffice to revert
SSL_, as the original *server.xml* file had now been overwritten with the *SSL*
options. For this reason, also introduced a "*server.xml.conf*" template file,
to _allow for easy rollback from an SSL to a non-SSL deployment_.
> Support different passwords for key and keystore on HTTPFS using SSL. This
> requires a Tomcat version update.
> ----------------------------------------------------------------------------------------------------------------
>
> Key: HDFS-8509
> URL: https://issues.apache.org/jira/browse/HDFS-8509
> Project: Hadoop HDFS
> Issue Type: Task
> Components: webhdfs
> Affects Versions: 2.7.0
> Reporter: Wellington Chevreuil
> Assignee: Wellington Chevreuil
> Priority: Minor
> Attachments: HDFS-8509.patch
>
>
> Currently, SSL for HTTPFS requires that the keystore/truststore and key passwords
> be the same. This is a limitation from Tomcat version 6, which didn't have
> support for different passwords. From Tomcat 7, this is now possible by
> defining the "keyPass" property for the "Connector" configuration in Tomcat's
> server.xml file.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
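The template-selection and keyPass substitution logic described in the comment above, as an added illustration that is not the HDFS-8509 patch or the real httpfs.sh script. The two template strings, the keystore path default and the fallback of keyPass to the keystore password are constructed assumptions; the HTTPFS_SSL_* variable names come from the comment and the HttpFS documentation.

```shell
#!/bin/sh
# Constructed stand-ins for the two templates the comment describes (real files:
# server.xml.conf and ssl-server.xml.conf under hadoop-hdfs-httpfs). Tomcat 7+/8
# accepts a separate keyPass next to keystorePass on the Connector element.
PLAIN_TEMPLATE='<Connector port="14000" protocol="HTTP/1.1" />'
SSL_TEMPLATE='<Connector port="14000" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"
    keystoreFile="${HTTPFS_SSL_KEYSTORE_FILE}" keystorePass="${HTTPFS_SSL_KEYSTORE_PASS}" keyPass="${HTTPFS_SSL_KEY_PASS}" />'

# Literal (non-regex) substitution of every occurrence of $2 in $1 with $3, so a
# password containing sed/awk metacharacters (&, |, /) cannot corrupt the XML.
replace() {
  _s=$1; _acc=""
  while case "$_s" in *"$2"*) true ;; *) false ;; esac; do
    _acc="$_acc${_s%%"$2"*}$3"
    _s=${_s#*"$2"}
  done
  printf '%s' "$_acc$_s"
}

# True when $1 contains the literal substring $2.
contains() { case "$1" in *"$2"*) return 0 ;; *) return 1 ;; esac; }

# Emit server.xml from the template selected by HTTPFS_SSL_ENABLED (sourced from
# httpfs-env.sh in the real script). The generated file is never used as input,
# so setting HTTPFS_SSL_ENABLED back to false yields the plain config again,
# which is the rollback problem the separate server.xml.conf template solves.
render_server_xml() {
  if [ "${HTTPFS_SSL_ENABLED:-false}" != "true" ]; then
    printf '%s\n' "$PLAIN_TEMPLATE"
    return 0
  fi
  # Assumption: with no separate key password, keyPass falls back to the
  # keystore password, i.e. the single-password behaviour of Tomcat 6.
  _key_pass="${HTTPFS_SSL_KEY_PASS:-$HTTPFS_SSL_KEYSTORE_PASS}"
  _xml=$(replace "$SSL_TEMPLATE" '${HTTPFS_SSL_KEYSTORE_FILE}' "${HTTPFS_SSL_KEYSTORE_FILE:-/path/to/keystore.jks}")
  _xml=$(replace "$_xml" '${HTTPFS_SSL_KEYSTORE_PASS}' "$HTTPFS_SSL_KEYSTORE_PASS")
  _xml=$(replace "$_xml" '${HTTPFS_SSL_KEY_PASS}' "$_key_pass")
  printf '%s\n' "$_xml"
}

# Demo with constructed values (not real secrets): SSL on, then rolled back.
HTTPFS_SSL_ENABLED=true HTTPFS_SSL_KEYSTORE_PASS='store-pw' HTTPFS_SSL_KEY_PASS='key-pw'
render_server_xml
HTTPFS_SSL_ENABLED=false
render_server_xml
```

Because server.xml ends up holding the key and keystore passwords in clear text, the generated file should carry the same restrictive permissions as httpfs-env.sh.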