[ https://issues.apache.org/jira/browse/TEZ-4096?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16968068#comment-16968068 ]

Eric Yang commented on TEZ-4096:
--------------------------------

[[email protected]], an application can explicitly ignore server certificates if additional code is implemented, and that is easy to spot in a code scan.  That the content of ssl-client.xml isn't converted to the tez-conf protobuf is an interesting bug of inconsistency with Hadoop, but Tez is actually more secure without the patch.  The Java cacerts truststore will remain the authoritative source for validating CA certificates.  This patch allows the job configuration to override ssl.server.keystore.location, hence it is harder for a code scan to pick up vulnerabilities.  That Hadoop has a weak way of allowing truststore override by a non-privileged user doesn't mean that Tez should follow the same pattern to weaken CA certificate management privileges.

> SSLFactory should make an attempt to add ssl config resources as "Path"
> -----------------------------------------------------------------------
>
>                 Key: TEZ-4096
>                 URL: https://issues.apache.org/jira/browse/TEZ-4096
>             Project: Apache Tez
>          Issue Type: Improvement
>            Reporter: Rajesh Balamohan
>            Priority: Major
>         Attachments: TEZ-4096.1.patch, TEZ-4096.2.patch
>
>
> SSLFactory uses "String" instead of "Path" for adding "ssl-client.xml". When 
> addResource is invoked with string, {{Configuration}} tries to find it in 
> classloader and does not load the file correctly.
> [https://github.com/apache/tez/blob/master/tez-runtime-library/src/main/java/org/apache/tez/http/SSLFactory.java#L107]
> Conf: 
> [https://github.com/apache/hadoop/blob/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/conf/Configuration.java#L3064]
> This creates an issue when ssl-client.xml is located in a different path
> than the classpath.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
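The distinction the issue description draws, `Configuration.addResource(String)` resolving through the classloader while `addResource(Path)` opens a file on disk, is easy to get wrong silently, because a resource that is not found is simply skipped rather than raising an error. The following is an added example, not code from Tez or from the patches attached to the issue: it loads ssl-client.xml through Hadoop's own `Configuration` API using whichever overload matches how the name was supplied, then verifies that the expected client truststore key actually arrived, and separately flags the case the comment above objects to, a client-side file that tries to set `ssl.server.keystore.location`. The key names are Hadoop's standard ssl-client.xml/ssl-server.xml properties; the class and method names here are this example's own.

```java
import java.io.File;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.Path;

/** Added example: load an SSL config resource and check that it was really applied. */
public class SslConfLoadCheck {
    // Standard Hadoop keys used by FileBasedKeyStoresFactory (from ssl-client.xml / ssl-server.xml).
    static final String CLIENT_TRUSTSTORE_LOCATION = "ssl.client.truststore.location";
    static final String SERVER_KEYSTORE_LOCATION = "ssl.server.keystore.location";

    /**
     * Load the named SSL config. If the name points at an existing file, add it as a Path so
     * Configuration reads it from disk; otherwise fall back to the classpath lookup that
     * addResource(String) performs. Either way a missing resource is silently ignored, which is
     * why the caller must check the result with sslConfLoaded().
     */
    static Configuration loadSslClientConf(String sslClientConf) {
        Configuration conf = new Configuration(false); // no core-default.xml/core-site.xml noise
        File f = new File(sslClientConf);
        if (f.isFile()) {
            conf.addResource(new Path(f.getAbsolutePath())); // filesystem path, not classloader
        } else {
            conf.addResource(sslClientConf);                  // classloader resource name
        }
        return conf;
    }

    /** True only if the resource contributed the client truststore location. */
    static boolean sslConfLoaded(Configuration conf) {
        return conf.get(CLIENT_TRUSTSTORE_LOCATION) != null;
    }

    /**
     * True if a client-supplied config also carries a server keystore location. A job-provided
     * ssl-client.xml has no business setting server-side keystore properties; surfacing this
     * lets an operator reject the file instead of letting the override slip through unnoticed.
     */
    static boolean overridesServerKeystore(Configuration conf) {
        return conf.get(SERVER_KEYSTORE_LOCATION) != null;
    }

    public static void main(String[] args) {
        String name = args.length > 0 ? args[0] : "ssl-client.xml";
        Configuration conf = loadSslClientConf(name);
        if (!sslConfLoaded(conf)) {
            System.err.println(name + " was not loaded: " + CLIENT_TRUSTSTORE_LOCATION + " is unset");
            System.exit(1);
        }
        if (overridesServerKeystore(conf)) {
            System.err.println(name + " sets " + SERVER_KEYSTORE_LOCATION + ", rejecting client config");
            System.exit(2);
        }
        String[] sources = conf.getPropertySources(CLIENT_TRUSTSTORE_LOCATION);
        System.out.println("truststore: " + conf.get(CLIENT_TRUSTSTORE_LOCATION)
            + " (source: " + (sources == null ? "unknown" : String.join(",", sources)) + ")");
    }
}
```

Run it with the same value Tez passes to `SSLFactory` (for example `/etc/hadoop/conf/ssl-client.xml`); if the truststore key is reported unset, the resource was looked up in the wrong place, which is exactly the symptom described in the issue. `getPropertySources` names the file the value came from, which is useful when several resources could define the same key.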