Apache
/
hadoop
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

HDFS-11579. Make HttpFS Tomcat SSL property sslEnabledProtocols and clientAuth configurable. Contributed by John Zhuge.

This commit is contained in:
John Zhuge 2017-05-17 22:59:48 -07:00
parent 145d716a2b
commit 85f7b7e8e4
5 changed files with 43 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/conf/httpfs-env.sh
View File

@ -44,6 +44,19 @@
# #
# export HTTPFS_SSL_ENABLED=false # export HTTPFS_SSL_ENABLED=false
# Set to 'true' if you want the SSL stack to require a valid certificate chain
# from the client before accepting a connection. Set to 'want' if you want the
# SSL stack to request a client Certificate, but not fail if one isn't
# presented. A 'false' value (which is the default) will not require a
# certificate chain unless the client requests a resource protected by a
# security constraint that uses CLIENT-CERT authentication.
#
# export HTTPFS_SSL_CLIENT_AUTH=false
# The comma separated list of SSL protocols to support
#
# export HTTPFS_SSL_ENABLED_PROTOCOLS="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello"
# The comma separated list of encryption ciphers for SSL # The comma separated list of encryption ciphers for SSL
# #
# export HTTPFS_SSL_CIPHERS= # export HTTPFS_SSL_CIPHERS=

14
hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/libexec/httpfs-config.sh
View File

@ -156,6 +156,20 @@ else
print "Using HTTPFS_SSL_ENABLED: ${HTTPFS_SSL_ENABLED}" print "Using HTTPFS_SSL_ENABLED: ${HTTPFS_SSL_ENABLED}"
fi fi
if [ "${HTTPFS_SSL_CLIENT_AUTH}" = "" ]; then
export HTTPFS_SSL_CLIENT_AUTH="false"
print "Setting HTTPFS_SSL_CLIENT_AUTH: ${HTTPFS_SSL_CLIENT_AUTH}"
else
print "Using HTTPFS_SSL_CLIENT_AUTH: ${HTTPFS_SSL_CLIENT_AUTH}"
fi
if [ "${HTTPFS_SSL_ENABLED_PROTOCOLS}" = "" ]; then
export HTTPFS_SSL_ENABLED_PROTOCOLS="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello"
print "Setting HTTPFS_SSL_ENABLED_PROTOCOLS: ${HTTPFS_SSL_ENABLED_PROTOCOLS}"
else
print "Using HTTPFS_SSL_ENABLED_PROTOCOLS: ${HTTPFS_SSL_ENABLED_PROTOCOLS}"
fi
if [ "${HTTPFS_SSL_CIPHERS}" = "" ]; then if [ "${HTTPFS_SSL_CIPHERS}" = "" ]; then
export HTTPFS_SSL_CIPHERS="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" export HTTPFS_SSL_CIPHERS="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
HTTPFS_SSL_CIPHERS+=",TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" HTTPFS_SSL_CIPHERS+=",TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"

3
hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/sbin/httpfs.sh
View File

@ -68,6 +68,9 @@ if [[ "${1}" = "start" || "${1}" = "run" ]]; then
catalina_set_property "httpfs.http.port" "${HTTPFS_HTTP_PORT}" catalina_set_property "httpfs.http.port" "${HTTPFS_HTTP_PORT}"
catalina_set_property "httpfs.http.hostname" "${HTTPFS_HTTP_HOSTNAME}" catalina_set_property "httpfs.http.hostname" "${HTTPFS_HTTP_HOSTNAME}"
catalina_set_property "httpfs.ssl.enabled" "${HTTPFS_SSL_ENABLED}" catalina_set_property "httpfs.ssl.enabled" "${HTTPFS_SSL_ENABLED}"
catalina_set_property "httpfs.ssl.client.auth" "${HTTPFS_SSL_CLIENT_AUTH}"
catalina_set_property "httpfs.ssl.enabled.protocols" \
"${HTTPFS_SSL_ENABLED_PROTOCOLS}"
catalina_set_property "httpfs.ssl.ciphers" "${HTTPFS_SSL_CIPHERS}" catalina_set_property "httpfs.ssl.ciphers" "${HTTPFS_SSL_CIPHERS}"
catalina_set_property "httpfs.ssl.keystore.file" \ catalina_set_property "httpfs.ssl.keystore.file" \
"${HTTPFS_SSL_KEYSTORE_FILE}" "${HTTPFS_SSL_KEYSTORE_FILE}"

3
hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/tomcat/ssl-server.xml
View File

@ -71,7 +71,8 @@
<Connector port="${httpfs.http.port}" protocol="HTTP/1.1" SSLEnabled="true" <Connector port="${httpfs.http.port}" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true" maxThreads="150" scheme="https" secure="true"
maxHttpHeaderSize="${httpfs.max.http.header.size}" maxHttpHeaderSize="${httpfs.max.http.header.size}"
clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello" clientAuth="${httpfs.ssl.client.auth}"
sslEnabledProtocols="${httpfs.ssl.enabled.protocols}"
ciphers="${httpfs.ssl.ciphers}" ciphers="${httpfs.ssl.ciphers}"
keystoreFile="${httpfs.ssl.keystore.file}" keystoreFile="${httpfs.ssl.keystore.file}"
keystorePass="${httpfs.ssl.keystore.pass}"/> keystorePass="${httpfs.ssl.keystore.pass}"/>

14
hadoop-hdfs-project/hadoop-hdfs-httpfs/src/site/markdown/ServerSetup.md.vm
View File

@ -120,8 +120,16 @@ Start HttpFS. It should work over HTTPS.
Using the Hadoop `FileSystem` API or the Hadoop FS shell, use the `swebhdfs://` scheme. Make sure the JVM is picking up the truststore containing the public key of the SSL certificate if using a self-signed certificate. Using the Hadoop `FileSystem` API or the Hadoop FS shell, use the `swebhdfs://` scheme. Make sure the JVM is picking up the truststore containing the public key of the SSL certificate if using a self-signed certificate.
Set environment variable `HTTPFS_SSL_CLIENT_AUTH` to change client
authentication. The default is `false`. See `clientAuth` in
[Tomcat 6.0 SSL Support](https://tomcat.apache.org/tomcat-6.0-doc/config/http.html#SSL_Support).
Set environment variable `HTTPFS_SSL_ENABLED_PROTOCOLS` to specify a list of
enabled SSL protocols. The default list includes `TLSv1`, `TLSv1.1`,
`TLSv1.2`, and `SSLv2Hello`. See `sslEnabledProtocols` in
[Tomcat 6.0 SSL Support](https://tomcat.apache.org/tomcat-6.0-doc/config/http.html#SSL_Support).
In order to support some old SSL clients, the default encryption ciphers In order to support some old SSL clients, the default encryption ciphers
include a few relatively weaker ciphers. Set environment variable include a few relatively weaker ciphers. Set environment variable
`HTTPFS_SSL_CIPHERS` or property `httpfs.ssl.ciphers` to override. The value `HTTPFS_SSL_CIPHERS` to override. The value is a comma separated list of
is a comma separated list of ciphers documented in this ciphers in [Tomcat Wiki](https://wiki.apache.org/tomcat/Security/Ciphers).
[Tomcat Wiki](https://wiki.apache.org/tomcat/Security/Ciphers).