-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/47715/
-----------------------------------------------------------

Review request for Ambari and Dmitro Lisnichenko.


Bugs: AMBARI-16810
    https://issues.apache.org/jira/browse/AMBARI-16810


Repository: ambari


Description
-------

We hard-coded the Ambari Agents to ignore certification
verification. But the reason why this was required was Python be un-secure by
default:  
<https://access.redhat.com/articles/2039753>  
<https://www.python.org/dev/peps/pep-0476/>

That method will cause signed certificates to not serve any purpose & is
discouraged by RedHat & Python security experts:

> "It is also possible, though highly discouraged , to globally disable
verification by monkeypatching the ssl module in versions of Python"

Instead we should abstract it to a setting (e.g. ssl_verify_cert) in the
ambari-agent.ini such that users can turn certification verification if they
provide a signed/trusted certificate.


Diffs
-----

  ambari-agent/conf/unix/ambari-agent.ini 4ec16d6 
  ambari-agent/src/main/python/ambari_agent/AmbariConfig.py f849fd1 
  ambari-agent/src/main/python/ambari_agent/Controller.py aee0eec 
  ambari-agent/src/main/python/ambari_agent/NetUtil.py 1d5cb29 
  ambari-agent/src/main/python/ambari_agent/main.py 5340239 

Diff: https://reviews.apache.org/r/47715/diff/


Testing
-------

mvn clean test


Thanks,

Andrew Onischuk

Reply via email to