-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/59102/
-----------------------------------------------------------

Review request for Ambari, Attila Magyar, Balázs Bence Sári, Eugene Chekanskiy, Laszlo Puskas, and Sebastian Toader.


Bugs: AMBARI-20938
    https://issues.apache.org/jira/browse/AMBARI-20938


Repository: ambari


Description
-------

LDAPS connections to an Active Directory when enabling Kerberos should validate the server's SSL certificate. The current implementation skips validation checks to help avoid SSL issues; however, this is not secure. Also, the _trusting_ SSL connection may not support the more secure SSL protocols when Java 1.7 is used, for example `TLSv1.2`.

A flag in the `ambari.properties` file (`kerberos.operation.verify.kdc.trust`) should be available to allow for the user to select either a _trusting_ SSL connection or a validating (non-trusting) SSL connection to be used. The default should be to use a (non-trusting) SSL connection.


Diffs
-----

  ambari-server/conf/unix/ambari.properties b8b645d7be
  ambari-server/docs/configuration/index.md ff9ce54b69
  ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java 114046f7f6
  ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java 6687942b3f
  ambari-server/src/main/java/org/apache/ambari/server/security/InternalSSLSocketFactoryNonTrusting.java PRE-CREATION
  ambari-server/src/main/java/org/apache/ambari/server/security/InternalSSLSocketFactoryTrusting.java PRE-CREATION
  ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/ADKerberosOperationHandler.java cd19174431
  ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosKDCSSLConnectionException.java PRE-CREATION
  ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/TrustingSSLSocketFactory.java 52b3703fcb
  ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/ADKerberosOperationHandlerTest.java 603f744352
  ambari-web/app/controllers/main/admin/kerberos/step1_controller.js 2e41e3d774
  ambari-web/app/messages.js 8f8d981af7


Diff: https://reviews.apache.org/r/59102/diff/1/


Testing
-------

Manually tested using Java 1.7 and Java 1.8 using both trusting and non-trusting SSL sockets to ensure expected behavior.

# Local test results:
PENDING

# Jenkins test results:
PENDING


Thanks,

Robert Levas
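
The difference between the two socket factories described above, as an added example that is not part of the review request and is not Ambari's code: a validating factory backed by the JVM trust store beside a trusting one, selected by the property named in the description. The class and method names are hypothetical, and reading `true` as "validate" is an assumption about the flag's meaning.

```java
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Properties;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class KdcSslFactoryExample {  // hypothetical class, not Ambari's
    // Property name from the review description; validation is the default.
    static final String VERIFY_KDC_TRUST = "kerberos.operation.verify.kdc.trust";

    // Validating (non-trusting): chain is checked against the JVM trust store.
    // Asking for the "TLSv1.2" context makes TLS 1.2 available on Java 1.7 too.
    static SSLSocketFactory validating() throws GeneralSecurityException {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);  // null selects the default trust store
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    // Trusting: every certificate chain is accepted, so the peer is unauthenticated.
    static SSLSocketFactory trusting() throws GeneralSecurityException {
        TrustManager acceptAll = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, new TrustManager[] { acceptAll }, null);
        return ctx.getSocketFactory();
    }

    // Assumption: "true" (or an absent property) means validate the certificate.
    static boolean verifies(Properties p) {
        return Boolean.parseBoolean(p.getProperty(VERIFY_KDC_TRUST, "true"));
    }

    static SSLSocketFactory forConfig(Properties p) throws GeneralSecurityException {
        return verifies(p) ? validating() : trusting();
    }

    public static void main(String[] args) throws Exception {
        Properties props = new Properties();  // constructed sample configuration
        System.out.println("default validates: " + verifies(props));
        props.setProperty(VERIFY_KDC_TRUST, "false");
        System.out.println("after opt-out validates: " + verifies(props));
        forConfig(props);  // builds the trusting factory for the opt-out case
    }
}
```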