[jira] [Updated] (HADOOP-8855) SSL-based image transfer does not work when Kerberos is disabled
[ https://issues.apache.org/jira/browse/HADOOP-8855?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Todd Lipcon updated HADOOP-8855:

    Attachment: hadoop-8855.txt

SSL-based image transfer does not work when Kerberos is disabled

    Key: HADOOP-8855
    URL: https://issues.apache.org/jira/browse/HADOOP-8855
    Project: Hadoop Common
    Issue Type: Bug
    Components: security
    Affects Versions: 3.0.0, 2.0.2-alpha
    Reporter: Todd Lipcon
    Assignee: Todd Lipcon
    Priority: Minor
    Attachments: hadoop-8855.txt

In SecurityUtil.openSecureHttpConnection, we first check {{UserGroupInformation.isSecurityEnabled()}}. However, this only checks the kerberos config, which is independent of {{hadoop.ssl.enabled}}. Instead, we should check {{HttpConfig.isSecure()}}.

Credit to Wing Yew Poon for discovering this bug

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (HADOOP-8855) SSL-based image transfer does not work when Kerberos is disabled
[ https://issues.apache.org/jira/browse/HADOOP-8855?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Todd Lipcon updated HADOOP-8855:

    Status: Patch Available (was: Open)
[jira] [Updated] (HADOOP-8855) SSL-based image transfer does not work when Kerberos is disabled
[ https://issues.apache.org/jira/browse/HADOOP-8855?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Todd Lipcon updated HADOOP-8855:

    Attachment: hadoop-8855.txt

This turned out to be more complicated:
- actually need to use the secure URL open code when either SSL or krb5 is enabled (or both), since it's also used for SPNEGO
- the SPNEGO client code had a bug where, at least on my test setup, the JDK itself was performing the SPNEGO negotiation. So, by the time it got back to our code, it was already complete and the Set-Cookie was present with the auth token, and an HTTP 200 result. This was causing fallback to the PseudoAuthenticator, which had a separate bug that it wasn't setting the SSL configuration in its connection
- I also found a separate bug that the dfsadmin -fetchImage code needed a doAs to work properly in this type of secure cluster

With this patch in place I'm able to fetch the image on a krb5+ssl cluster. I'll swing back and double-check that it also works on a krb5 (no ssl) and ssl (no krb5) cluster.

I'd also like someone who knows this code to comment whether we need the SPNEGO code in KerberosAuthenticator at all. In my environment at least, it's not running at all, since JDK itself supports SPNEGO auth.
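The gating and connection-configuration problems described in the comment above, as an added Java sketch that is not code from the Hadoop patch: `gateBefore`, `gateAfter`, `configure`, `open` and the host name are hypothetical, and only JDK classes are used. It opens connections without connecting and reports, for each Kerberos/SSL combination, whether the cluster's TLS settings reached the connection.

```java
import java.net.HttpURLConnection;
import java.net.URI;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;

// Added illustration, not Hadoop source: every class and method name here is hypothetical.
public class SecureOpenGate {
    // 'Before': the gate looks at the Kerberos setting only.
    static boolean gateBefore(boolean krb5, boolean ssl) { return krb5; }

    // Per the follow-up comment: the secure path is needed when either is enabled.
    static boolean gateAfter(boolean krb5, boolean ssl) { return krb5 || ssl; }

    // Single hook that applies the cluster's TLS settings. Every code path that
    // opens a connection, including an authenticator fallback, must go through it.
    static HttpURLConnection configure(HttpURLConnection c, SSLSocketFactory f) {
        if (c instanceof HttpsURLConnection) {
            ((HttpsURLConnection) c).setSSLSocketFactory(f);
        }
        return c;
    }

    // Creates the connection object (no network I/O happens) and reports
    // which TLS configuration it would use if it were connected.
    static String open(boolean ssl, boolean securePath, SSLSocketFactory f) throws Exception {
        // Constructed URL; the host and path are placeholders.
        String url = (ssl ? "https" : "http") + "://namenode.example.invalid/image";
        HttpURLConnection c = (HttpURLConnection) URI.create(url).toURL().openConnection();
        if (securePath) configure(c, f);
        if (!(c instanceof HttpsURLConnection)) return "plain http";
        boolean applied = ((HttpsURLConnection) c).getSSLSocketFactory() == f;
        return applied ? "https, cluster TLS config" : "https, JDK default TLS config";
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null); // a real client would load the cluster truststore here
        SSLSocketFactory f = ctx.getSocketFactory();
        boolean[] flags = {false, true};
        for (boolean krb5 : flags) for (boolean ssl : flags) {
            System.out.printf("krb5=%-5b ssl=%-5b before: %-30s after: %s%n", krb5, ssl,
                open(ssl, gateBefore(krb5, ssl), f), open(ssl, gateAfter(krb5, ssl), f));
        }
    }
}
```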
[jira] [Updated] (HADOOP-8855) SSL-based image transfer does not work when Kerberos is disabled
[ https://issues.apache.org/jira/browse/HADOOP-8855?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Todd Lipcon updated HADOOP-8855:

    Attachment: hadoop-8855.txt

retrying patch upload - the patch depended on HDFS-3972 for some utility method in SecurityUtil, and that was just checked in a minute ago
[jira] [Updated] (HADOOP-8855) SSL-based image transfer does not work when Kerberos is disabled
[ https://issues.apache.org/jira/browse/HADOOP-8855?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Eli Collins updated HADOOP-8855:

    Resolution: Fixed
    Fix Version/s: 2.0.3-alpha
    Target Version/s: (was: 3.0.0, 2.0.3-alpha)
    Hadoop Flags: Reviewed
    Status: Resolved (was: Patch Available)

I've committed this. Thanks Todd!