[ https://issues.apache.org/jira/browse/HDFS-2617?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jakob Homan updated HDFS-2617:
------------------------------

    Attachment: HDFS-2617-a.patch

Here's a draft patch for 1.0 we're testing here.  I'm not planning on 
committing this for reasons described below.  Getting away from Kerberized SSL 
makes lots of things simpler, most significantly not having to switch users in 
the NN and 2NN since the spnego filter handles that itself.  

One issue that this patch creates is that the next Hadoop release that uses it 
won't be able to obtain/renew/cancel delegation tokens from earlier clusters 
since this is done over http, which was supposed to be our never-change 
protocol.  Older clusters will speak kerb-ssl and not be able to support 
spnego.  For this reason, it's probably best to just apply this to trunk.

Supporting both SPNEGO and KerbSSL would be really, really gnarly, so I still 
don't recommend trying to do that.

Thoughts?
                
> Replaced Kerberized SSL for image transfer and fsck with SPNEGO-based solution
> ------------------------------------------------------------------------------
>
>                 Key: HDFS-2617
>                 URL: https://issues.apache.org/jira/browse/HDFS-2617
>             Project: Hadoop HDFS
>          Issue Type: Improvement
>            Reporter: Jakob Homan
>            Assignee: Jakob Homan
>         Attachments: HDFS-2617-a.patch
>
>
> The current approach to secure and authenticate nn web services is based on 
> Kerberized SSL and was developed when a SPNEGO solution wasn't available. Now 
> that we have one, we can get rid of the non-standard KSSL and use SPNEGO 
> throughout.  This will simplify setup and configuration.  Also, Kerberized 
> SSL is a non-standard approach with its own quirks and dark corners 
> (HDFS-2386).

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
