From 85f7b7e8e4cfebf53b05f1ee89bb4180be965f95 Mon Sep 17 00:00:00 2001
From: John Zhuge
Date: Wed, 17 May 2017 22:59:48 -0700
Subject: [PATCH] HDFS-11579. Make HttpFS Tomcat SSL property sslEnabledProtocols and clientAuth configurable. Contributed by John Zhuge.
---
 .../hadoop-hdfs-httpfs/src/main/conf/httpfs-env.sh | 13 +++++++++++++
 .../src/main/libexec/httpfs-config.sh | 14 ++++++++++++++
 .../hadoop-hdfs-httpfs/src/main/sbin/httpfs.sh | 3 +++
 .../src/main/tomcat/ssl-server.xml | 3 ++-
 .../src/site/markdown/ServerSetup.md.vm | 14 +++++++++++---
 5 files changed, 43 insertions(+), 4 deletions(-)
diff --git a/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/conf/httpfs-env.sh b/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/conf/httpfs-env.sh
index 48be812bfe4..d0b50693259 100644
--- a/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/conf/httpfs-env.sh
+++ b/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/conf/httpfs-env.sh
@@ -44,6 +44,19 @@
 #
 # export HTTPFS_SSL_ENABLED=false
+# Set to 'true' if you want the SSL stack to require a valid certificate chain
+# from the client before accepting a connection. Set to 'want' if you want the
+# SSL stack to request a client Certificate, but not fail if one isn't
+# presented. A 'false' value (which is the default) will not require a
+# certificate chain unless the client requests a resource protected by a
+# security constraint that uses CLIENT-CERT authentication.
+#
+# export HTTPFS_SSL_CLIENT_AUTH=false
+
+# The comma separated list of SSL protocols to support
+#
+# export HTTPFS_SSL_ENABLED_PROTOCOLS="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello"
+
 # The comma separated list of encryption ciphers for SSL
 #
 # export HTTPFS_SSL_CIPHERS=
diff --git a/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/libexec/httpfs-config.sh b/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/libexec/httpfs-config.sh
index 0f5c25e72a6..91bda4ee0ba 100644
--- a/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/libexec/httpfs-config.sh
+++ b/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/libexec/httpfs-config.sh
@@ -156,6 +156,20 @@ else
 print "Using HTTPFS_SSL_ENABLED: ${HTTPFS_SSL_ENABLED}"
 fi
+if [ "${HTTPFS_SSL_CLIENT_AUTH}" = "" ]; then
+ export HTTPFS_SSL_CLIENT_AUTH="false"
+ print "Setting HTTPFS_SSL_CLIENT_AUTH: ${HTTPFS_SSL_CLIENT_AUTH}"
+else
+ print "Using HTTPFS_SSL_CLIENT_AUTH: ${HTTPFS_SSL_CLIENT_AUTH}"
+fi
+
+if [ "${HTTPFS_SSL_ENABLED_PROTOCOLS}" = "" ]; then
+ export HTTPFS_SSL_ENABLED_PROTOCOLS="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello"
+ print "Setting HTTPFS_SSL_ENABLED_PROTOCOLS: ${HTTPFS_SSL_ENABLED_PROTOCOLS}"
+else
+ print "Using HTTPFS_SSL_ENABLED_PROTOCOLS: ${HTTPFS_SSL_ENABLED_PROTOCOLS}"
+fi
+
 if [ "${HTTPFS_SSL_CIPHERS}" = "" ]; then
 export HTTPFS_SSL_CIPHERS="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
 HTTPFS_SSL_CIPHERS+=",TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
diff --git a/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/sbin/httpfs.sh b/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/sbin/httpfs.sh
index e6b1f35ec96..75b398eafc9 100644
--- a/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/sbin/httpfs.sh
+++ b/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/sbin/httpfs.sh
@@ -68,6 +68,9 @@ if [[ "${1}" = "start" || "${1}" = "run" ]]; then
 catalina_set_property "httpfs.http.port" "${HTTPFS_HTTP_PORT}"
 catalina_set_property "httpfs.http.hostname" "${HTTPFS_HTTP_HOSTNAME}"
 catalina_set_property "httpfs.ssl.enabled" "${HTTPFS_SSL_ENABLED}"
+ catalina_set_property "httpfs.ssl.client.auth" "${HTTPFS_SSL_CLIENT_AUTH}"
+ catalina_set_property "httpfs.ssl.enabled.protocols" \
+ "${HTTPFS_SSL_ENABLED_PROTOCOLS}"
 catalina_set_property "httpfs.ssl.ciphers" "${HTTPFS_SSL_CIPHERS}"
 catalina_set_property "httpfs.ssl.keystore.file" \
 "${HTTPFS_SSL_KEYSTORE_FILE}"
diff --git a/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/tomcat/ssl-server.xml b/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/tomcat/ssl-server.xml
index 021accfeef2..408d4e30b24 100644
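Review bot: HTTPFS_SSL_CLIENT_AUTH is exported and forwarded unvalidated; the only check in the new block is the empty-string test, while the httpfs-env.sh comments in this same patch document exactly three accepted values (`true`, `want`, `false`). Rejecting anything else here, before the value reaches Tomcat's `clientAuth`, turns a typo into an immediate, clearly-logged startup failure instead of whatever the connector does with an unrecognized value, which this patch does not show. The same shape would suit the HTTPFS_SSL_ENABLED_PROTOCOLS block, at least rejecting empty entries from a stray trailing comma. Separately, the default `TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello` deliberately keeps legacy protocol versions enabled, so a comment above that line such as `# Legacy versions kept for older clients; narrow to TLSv1.2 where clients allow` would tell operators it is a compatibility choice rather than a recommendation. The `print` helper used in these blocks is defined outside the hunk, so I have not assumed where its output goes.
```shell
fi
# Tomcat clientAuth accepts only these three values (see httpfs-env.sh).
case "${HTTPFS_SSL_CLIENT_AUTH}" in
  true|want|false) ;;
  *)
    echo "Invalid HTTPFS_SSL_CLIENT_AUTH '${HTTPFS_SSL_CLIENT_AUTH}': expected true, want or false" >&2
    exit 1
    ;;
esac
# … unchanged: HTTPFS_SSL_ENABLED_PROTOCOLS default and print …
```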
--- a/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/tomcat/ssl-server.xml
+++ b/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/tomcat/ssl-server.xml
@@ -71,7 +71,8 @@
diff --git a/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/site/markdown/ServerSetup.md.vm b/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/site/markdown/ServerSetup.md.vm
index 671ef2c963a..35c3822fe7c 100644
--- a/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/site/markdown/ServerSetup.md.vm
+++ b/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/site/markdown/ServerSetup.md.vm
@@ -120,8 +120,16 @@ Start HttpFS. It should work over HTTPS. Using the Hadoop `FileSystem` API or the Hadoop FS shell, use the `swebhdfs://` scheme. Make sure the JVM is picking up the truststore containing the public key of the SSL certificate if using a self-signed certificate.
+Set environment variable `HTTPFS_SSL_CLIENT_AUTH` to change client
+authentication. The default is `false`. See `clientAuth` in
+[Tomcat 6.0 SSL Support](https://tomcat.apache.org/tomcat-6.0-doc/config/http.html#SSL_Support).
+
+Set environment variable `HTTPFS_SSL_ENABLED_PROTOCOLS` to specify a list of
+enabled SSL protocols. The default list includes `TLSv1`, `TLSv1.1`,
+`TLSv1.2`, and `SSLv2Hello`. See `sslEnabledProtocols` in
+[Tomcat 6.0 SSL Support](https://tomcat.apache.org/tomcat-6.0-doc/config/http.html#SSL_Support).
+
 In order to support some old SSL clients, the default encryption ciphers include a few relatively weaker ciphers. Set environment variable
-`HTTPFS_SSL_CIPHERS` or property `httpfs.ssl.ciphers` to override. The value
-is a comma separated list of ciphers documented in this
-[Tomcat Wiki](https://wiki.apache.org/tomcat/Security/Ciphers).
\ No newline at end of file
+`HTTPFS_SSL_CIPHERS` to override. The value is a comma separated list of
+ciphers in [Tomcat Wiki](https://wiki.apache.org/tomcat/Security/Ciphers).
\ No newline at end of file