-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/59102/
-----------------------------------------------------------

Review request for Ambari, Attila Magyar, Balázs Bence Sári, Eugene Chekanskiy, 
Laszlo Puskas, and Sebastian Toader.


Bugs: AMBARI-20938
    https://issues.apache.org/jira/browse/AMBARI-20938


Repository: ambari


Description
-------

LDAPS connections to an Active Directory when enabling Kerberos should validate 
the server's SSL certificate.  The current implementation skips validation 
checks to help avoid SSL issues; however, this is not secure. Also, the 
_trusting_ SSL connection may not support the more secure SSL protocols when 
Java 1.7 is used, for example `TLSv1.2`.

A flag in the `ambari.properties` file (`kerberos.operation.verify.kdc.trust`) 
should be available to allow for the user to select either a _trusting_ SSL 
connection or a validating (non-trusting) SSL connection to be used.  The 
default should be to use a (non-trusting) SSL connection.


Diffs
-----

  ambari-server/conf/unix/ambari.properties b8b645d7be 
  ambari-server/docs/configuration/index.md ff9ce54b69 
  ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java 114046f7f6 
  ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java 6687942b3f 
  ambari-server/src/main/java/org/apache/ambari/server/security/InternalSSLSocketFactoryNonTrusting.java PRE-CREATION 
  ambari-server/src/main/java/org/apache/ambari/server/security/InternalSSLSocketFactoryTrusting.java PRE-CREATION 
  ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/ADKerberosOperationHandler.java cd19174431 
  ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosKDCSSLConnectionException.java PRE-CREATION 
  ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/TrustingSSLSocketFactory.java 52b3703fcb 
  ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/ADKerberosOperationHandlerTest.java 603f744352 
  ambari-web/app/controllers/main/admin/kerberos/step1_controller.js 2e41e3d774 
  ambari-web/app/messages.js 8f8d981af7 


Diff: https://reviews.apache.org/r/59102/diff/1/


Testing
-------

Manually tested using Java 1.7 and Java 1.8 using both trusting and non-trusting 
SSL sockets to ensure expected behavior.

# Local test results: PENDING

# Jenkins test results: PENDING


Thanks,

Robert Levas
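
The difference between the _trusting_ and validating (non-trusting) socket factories described above, as an added example that is not part of the review request and is not Ambari's code. The class name `KdcSocketFactorySelector` and the reading of `true` as "validate" are assumptions; only the property name comes from the description.

```java
import java.security.GeneralSecurityException;
import java.security.cert.X509Certificate;
import java.util.Properties;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

// Hypothetical class; not Ambari's InternalSSLSocketFactory* implementation.
final class KdcSocketFactorySelector {
  // Property name from the review description; "true = validate" is an assumption.
  static final String VERIFY_KEY = "kerberos.operation.verify.kdc.trust";

  // "Trusting" mode: accepts any certificate chain, so the server is never authenticated.
  static final TrustManager[] TRUST_ALL = { new X509TrustManager() {
    public void checkClientTrusted(X509Certificate[] chain, String authType) { }
    public void checkServerTrusted(X509Certificate[] chain, String authType) { }
    public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
  } };

  static boolean verifyEnabled(Properties props) {
    // A missing key falls back to validation, matching the stated default.
    return Boolean.parseBoolean(props.getProperty(VERIFY_KEY, "true"));
  }

  static SSLSocketFactory create(Properties props) throws GeneralSecurityException {
    // Request TLSv1.2 explicitly; Java 1.7 clients do not enable it by default.
    SSLContext ctx = SSLContext.getInstance("TLSv1.2");
    // null trust managers select the JSSE default, which validates against the JVM truststore.
    ctx.init(null, verifyEnabled(props) ? null : TRUST_ALL, null);
    return ctx.getSocketFactory();
  }

  public static void main(String[] args) throws GeneralSecurityException {
    Properties secure = new Properties();   // constructed sample: key absent
    Properties legacy = new Properties();   // constructed sample: validation switched off
    legacy.setProperty(VERIFY_KEY, "false");
    System.out.println("default validates: " + verifyEnabled(secure));
    System.out.println("legacy validates:  " + verifyEnabled(legacy));
    create(secure);                         // validating factory, default truststore
    create(legacy);                         // trusting factory, no server authentication
    System.out.println("both factories built with TLSv1.2");
  }
}
```

With the validating factory, the Active Directory server's CA certificate has to be present in the truststore the JVM uses, otherwise the LDAPS handshake fails.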
