[
https://issues.apache.org/jira/browse/MAPREDUCE-4661?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13709099#comment-13709099
]
Michael Weng commented on MAPREDUCE-4661:
-----------------------------------------
Tested:
Full unit tests during compilation. There are a couple or a few failures that I
think it’s not related to the change. For the system tests, I had it on a
5-machine VM cluster and then a 60-machine real cluster, both with security
enabled. Many sample operations being done. Also tested the case to turn https
off in the config. SecondaryNameNode was on during testing, also verify
download/upload of fsimage.
> Add HTTPS for WebUIs on Branch-1
> --------------------------------
>
> Key: MAPREDUCE-4661
> URL: https://issues.apache.org/jira/browse/MAPREDUCE-4661
> Project: Hadoop Map/Reduce
> Issue Type: Improvement
> Components: security, webapps
> Affects Versions: 1.0.3
> Reporter: Plamen Jeliazkov
> Assignee: Michael Weng
> Attachments: branch-1.2-patch.txt, branch-1.2-patch.txt2,
> branch-1.2-patch.txt3, MAPREDUCE-4461.patch, MAPREDUCE-4661.patch,
> MAPREDUCE-4661.patch, MAPREDUCE-4661.patch
>
>
> After investigating the methodology used to add HTTPS support in branch-2, I
> feel that this same approach should be back-ported to branch-1. I have taken
> many of the patches used for branch-2 and merged them in.
> I was working on top of HDP 1 at the time - I will provide a patch for trunk
> soon once I can confirm I am adding only the necessities for supporting HTTPS
> on the webUIs.
> As an added benefit -- this patch actually provides HTTPS webUI to HBase by
> extension. If you take a hadoop-core jar compiled with this patch and put it
> into the hbase/lib directory and apply the necessary configs to hbase/conf.
> ========= OLD IDEA(s) BEHIND ADDING HTTPS (look @ Sept 17th patch) ==========
> In order to provide full security around the cluster, the webUI should also
> be secure if desired to prevent cookie theft and user masquerading.
> Here is my proposed work. Currently I can only add HTTPS support. I do not
> know how to switch reliance of the HttpServer from HTTP to HTTPS fully.
> In order to facilitate this change I propose the following configuration
> additions:
> CONFIG PROPERTY -> DEFAULT VALUE
> mapred.https.enable -> false
> mapred.https.need.client.auth -> false
> mapred.https.server.keystore.resource -> "ssl-server.xml"
> mapred.job.tracker.https.port -> 50035
> mapred.job.tracker.https.address -> "<IP_ADDR>:50035"
> mapred.task.tracker.https.port -> 50065
> mapred.task.tracker.https.address -> "<IP_ADDR>:50065"
> I tested this on my local box after using keytool to generate a SSL
> certficate. You will need to change ssl-server.xml to point to the .keystore
> file after. Truststore may not be necessary; you can just point it to the
> keystore.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
