[jira] [Updated] (HADOOP-8855) SSL-based image transfer does not work when Kerberos is disabled
[
https://issues.apache.org/jira/browse/HADOOP-8855?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Todd Lipcon updated HADOOP-8855:
Attachment: hadoop-8855.txt
SSL-based image transfer does not work when Kerberos is disabled
Key: HADOOP-8855
URL: https://issues.apache.org/jira/browse/HADOOP-8855
Project: Hadoop Common
Issue Type: Bug
Components: security
Affects Versions: 3.0.0, 2.0.2-alpha
Reporter: Todd Lipcon
Assignee: Todd Lipcon
Priority: Minor
Attachments: hadoop-8855.txt
In SecurityUtil.openSecureHttpConnection, we first check
{{UserGroupInformation.isSecurityEnabled()}}. However, this only checks the
kerberos config, which is independent of {{hadoop.ssl.enabled}}. Instead, we
should check {{HttpConfig.isSecure()}}.
Credit to Wing Yew Poon for discovering this bug
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (HADOOP-8855) SSL-based image transfer does not work when Kerberos is disabled
[
https://issues.apache.org/jira/browse/HADOOP-8855?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Todd Lipcon updated HADOOP-8855:
Status: Patch Available (was: Open)
SSL-based image transfer does not work when Kerberos is disabled
Key: HADOOP-8855
URL: https://issues.apache.org/jira/browse/HADOOP-8855
Project: Hadoop Common
Issue Type: Bug
Components: security
Affects Versions: 3.0.0, 2.0.2-alpha
Reporter: Todd Lipcon
Assignee: Todd Lipcon
Priority: Minor
Attachments: hadoop-8855.txt
In SecurityUtil.openSecureHttpConnection, we first check
{{UserGroupInformation.isSecurityEnabled()}}. However, this only checks the
kerberos config, which is independent of {{hadoop.ssl.enabled}}. Instead, we
should check {{HttpConfig.isSecure()}}.
Credit to Wing Yew Poon for discovering this bug
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (HADOOP-8855) SSL-based image transfer does not work when Kerberos is disabled
[
https://issues.apache.org/jira/browse/HADOOP-8855?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Todd Lipcon updated HADOOP-8855:
Attachment: hadoop-8855.txt
This turned out to be more complicated:
- actually need to use the secure URL open code when either SSL or krb5 is
enabled (or both), since it's also used for SPNEGO
- the SPNEGO client code had a bug where, at least on my test setup, the JDK
itself was performing the SPNEGO negotiation. So, by the time it got back to
our code, it was already complete and the Set-Cookie was present with the auth
token, and a HTTP 200 result. This was causing fallback to the
PseudoAuthenticator, which had a separate bug that it wasn't setting the SSL
configuration in its connection
- I also found a separate bug that the dfsadmin -fetchImage code needed a doAs
to work properly in this type of secure cluster
With this patch in place I'm able to fetch the image on a krb5+ssl cluster.
I'll swing back and double-check that it also works on a krb5 (no ssl) and ssl
(no krb5) cluster.
I'd also like someone who knows this code to comment whether we need the SPNEGO
code in KerberosAuthenticator at all. In my environment at least, it's not
running at all, since JDK itself supports SPNEGO auth.
SSL-based image transfer does not work when Kerberos is disabled
Key: HADOOP-8855
URL: https://issues.apache.org/jira/browse/HADOOP-8855
Project: Hadoop Common
Issue Type: Bug
Components: security
Affects Versions: 3.0.0, 2.0.2-alpha
Reporter: Todd Lipcon
Assignee: Todd Lipcon
Priority: Minor
Attachments: hadoop-8855.txt, hadoop-8855.txt
In SecurityUtil.openSecureHttpConnection, we first check
{{UserGroupInformation.isSecurityEnabled()}}. However, this only checks the
kerberos config, which is independent of {{hadoop.ssl.enabled}}. Instead, we
should check {{HttpConfig.isSecure()}}.
Credit to Wing Yew Poon for discovering this bug
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (HADOOP-8855) SSL-based image transfer does not work when Kerberos is disabled
[
https://issues.apache.org/jira/browse/HADOOP-8855?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Todd Lipcon updated HADOOP-8855:
Attachment: hadoop-8855.txt
retrying patch upload - the patch depended on HDFS-3972 for some utility method
in SecurityUtil, and that was just checked in a minute ago
SSL-based image transfer does not work when Kerberos is disabled
Key: HADOOP-8855
URL: https://issues.apache.org/jira/browse/HADOOP-8855
Project: Hadoop Common
Issue Type: Bug
Components: security
Affects Versions: 3.0.0, 2.0.2-alpha
Reporter: Todd Lipcon
Assignee: Todd Lipcon
Priority: Minor
Attachments: hadoop-8855.txt, hadoop-8855.txt, hadoop-8855.txt
In SecurityUtil.openSecureHttpConnection, we first check
{{UserGroupInformation.isSecurityEnabled()}}. However, this only checks the
kerberos config, which is independent of {{hadoop.ssl.enabled}}. Instead, we
should check {{HttpConfig.isSecure()}}.
Credit to Wing Yew Poon for discovering this bug
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (HADOOP-8855) SSL-based image transfer does not work when Kerberos is disabled
[
https://issues.apache.org/jira/browse/HADOOP-8855?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Eli Collins updated HADOOP-8855:
Resolution: Fixed
Fix Version/s: 2.0.3-alpha
Target Version/s: (was: 3.0.0, 2.0.3-alpha)
Hadoop Flags: Reviewed
Status: Resolved (was: Patch Available)
I've committed this. Thanks Todd!
SSL-based image transfer does not work when Kerberos is disabled
Key: HADOOP-8855
URL: https://issues.apache.org/jira/browse/HADOOP-8855
Project: Hadoop Common
Issue Type: Bug
Components: security
Affects Versions: 3.0.0, 2.0.2-alpha
Reporter: Todd Lipcon
Assignee: Todd Lipcon
Priority: Minor
Fix For: 2.0.3-alpha
Attachments: hadoop-8855.txt, hadoop-8855.txt, hadoop-8855.txt
In SecurityUtil.openSecureHttpConnection, we first check
{{UserGroupInformation.isSecurityEnabled()}}. However, this only checks the
kerberos config, which is independent of {{hadoop.ssl.enabled}}. Instead, we
should check {{HttpConfig.isSecure()}}.
Credit to Wing Yew Poon for discovering this bug
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
