[jira] [Commented] (HDFS-2617) Replaced Kerberized SSL for image transfer and fsck with SPNEGO-based solution

Sat, 21 Jul 2012 00:41:45 -0700 

    [ 
https://issues.apache.org/jira/browse/HDFS-2617?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13419757#comment-13419757
 ] 

Aaron T. Myers commented on HDFS-2617:
--------------------------------------

Hi Eric,

bq. 1) We patch 1.0 as proposed here

Agree.

bq. 2) We do not take these patches to 2.0.

I'm not entirely sure what you mean by this. SPNEGO support is already in 
branch-2. Are you saying that you just want to leave that as-is, and not add an 
option to use KSSL on the server side to branch-2? If so, I agree with that.

bq. 3) We additionally patch the client to try first the SPNEGO token protocol 
and then KSSL if that fails. We patch both 1.0 and 2.0 HFTP clients to do this.

That seems fine to me, but I think that should be done as a separate JIRA, 
along the lines of "HftpFileSystem should try both KSSL and SPNEGO when 
authentication is required". If you agree, mind filing that JIRA? If you post a 
patch, I'll be happy to review it.
                
> Replaced Kerberized SSL for image transfer and fsck with SPNEGO-based solution
> ------------------------------------------------------------------------------
>
>                 Key: HDFS-2617
>                 URL: https://issues.apache.org/jira/browse/HDFS-2617
>             Project: Hadoop HDFS
>          Issue Type: Improvement
>          Components: security
>            Reporter: Jakob Homan
>            Assignee: Jakob Homan
>             Fix For: 1.2.0, 2.1.0-alpha
>
>         Attachments: HDFS-2617-a.patch, HDFS-2617-b.patch, 
> HDFS-2617-branch-1.patch, HDFS-2617-branch-1.patch, HDFS-2617-branch-1.patch, 
> HDFS-2617-config.patch, HDFS-2617-trunk.patch, HDFS-2617-trunk.patch, 
> HDFS-2617-trunk.patch, HDFS-2617-trunk.patch, hdfs-2617-1.1.patch
>
>
> The current approach to secure and authenticate nn web services is based on 
> Kerberized SSL and was developed when a SPNEGO solution wasn't available. Now 
> that we have one, we can get rid of the non-standard KSSL and use SPNEGO 
> throughout.  This will simplify setup and configuration.  Also, Kerberized 
> SSL is a non-standard approach with its own quirks and dark corners 
> (HDFS-2386).

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to