[
https://issues.apache.org/jira/browse/HDFS-2617?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13401756#comment-13401756
]
Allen Wittenauer commented on HDFS-2617:
----------------------------------------
Given that 2.x is a major release, it seems a reasonable time to break HFTP
over KSSL especially given that one has to severely cripple their security in
order to make secure Hadoop work on recent Kerberos implementations.

It also seems reasonable to explain to users as part of their transition to 2.x
from prior releases that this functionality is going away. This primarily is
going to sting the early adopters, an audience who has essentially volunteered
to be our lab rats. But for the folks who favor stability, now is the time
to get the word out to start switching to a 1.x branch with a working WebHDFS.
By the time 2.0 is stable and/or ready for those people to deploy, they should
be in relatively good shape.

Something else to consider: the impacted audience is likely low, as I suspect
most people probably aren't running a 1.x release yet and/or have security
turned on. (I'd *love* to see some stats though. I really hope I'm wrong.
However, knowing that it took us several months to transition from 0.20.2 to
secure 1.x... and part of that time is directly correlated to the lack of the
code in this patch... I have a feeling I'm correct.)
> Replaced Kerberized SSL for image transfer and fsck with SPNEGO-based solution
> ------------------------------------------------------------------------------
>
> Key: HDFS-2617
> URL: https://issues.apache.org/jira/browse/HDFS-2617
> Project: Hadoop HDFS
> Issue Type: Improvement
> Components: security
> Reporter: Jakob Homan
> Assignee: Jakob Homan
> Fix For: 2.0.1-alpha
>
> Attachments: HDFS-2617-a.patch, HDFS-2617-b.patch,
> HDFS-2617-config.patch, HDFS-2617-trunk.patch, HDFS-2617-trunk.patch,
> HDFS-2617-trunk.patch, HDFS-2617-trunk.patch, hdfs-2617-1.1.patch
>
>
> The current approach to secure and authenticate nn web services is based on
> Kerberized SSL and was developed when a SPNEGO solution wasn't available. Now
> that we have one, we can get rid of the non-standard KSSL and use SPNEGO
> throughout. This will simplify setup and configuration. Also, Kerberized
> SSL is a non-standard approach with its own quirks and dark corners
> (HDFS-2386).