Posted to common-dev@hadoop.apache.org by "Chris Douglas (JIRA)" <ji...@apache.org> on 2008/10/02 05:20:44 UTC

[jira] Commented: (HADOOP-4284) Support for user configurable global filters on HttpServer

    [ https://issues.apache.org/jira/browse/HADOOP-4284?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12636277#action_12636277 ] 

Chris Douglas commented on HADOOP-4284:
---------------------------------------

This looks good. A few suggestions:
* This could use some Forrest documentation (maybe in the distcp guide?) and javadoc for public classes/methods
* {{dfs.https.permission.file.recheck.interval}} probably belongs in ssl-server.xml instead of hadoop-default.xml
* Iterator/Enumeration loops in HttpsFilter are more readable as foreach loops
* Would it be possible to make this available to FsShell as well as DistCp using the ssl.client.\* config?
* The comment on HFTP_PATTERN should be javadoc
* Run with assertions disabled, there's a possible NPE/AIOOBE in HttpsFilter::doFilter. The assertion should be replaced with a runtime check. Also, instead of checking for filterConfig == null, checking isRunning might be more readable/reliable (as volatile).
* The parsing of the X509 distinguished name using String::split may hit some corner cases in RFC 2253 (the quoting and whitespace, in particular, could be troublesome). Using CANONICAL as the string representation may handle more of the corner cases, which is probably sufficient.

Has this been tested at scale?

> Support for user configurable global filters on HttpServer
> ----------------------------------------------------------
>
>                 Key: HADOOP-4284
>                 URL: https://issues.apache.org/jira/browse/HADOOP-4284
>             Project: Hadoop Core
>          Issue Type: New Feature
>    Affects Versions: 0.20.0
>            Reporter: Kan Zhang
>            Assignee: Kan Zhang
>         Attachments: 4284_20080925_78.patch, 4284_20080926_79.patch, 4284_20080929_83.patch
>
>
> HADOOP-3854 introduced a framework for adding filters to filter browser-facing URLs. Sometimes, there is a need to filter all URLs. For example, at Yahoo, we need to open an SSL port on the HttpServer and only accept hsftp requests from clients who can authenticate themselves using a client certificate and are authorized according to a certain policy file. For this to happen, we need a method to add a user configurable "global" filter, which filters on all client requests. For our purposes, such a global filter will block all https requests except those accessing the hsftp interface (it will let all http requests go through, so accesses through the normal http ports are unaffected). Moreover, those hsftp requests will be subject to further authorization checking according to the policy file.
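
The RFC 2253 concern raised in the review comment above, as an added example that is not part of the patch or of the original comment: it contrasts a `String::split` parse of a certificate subject with parsing the `CANONICAL` form through `LdapName`. The class name, method names and sample DNs are constructed for illustration and are not taken from HttpsFilter.

```java
import java.util.HashMap;
import java.util.Map;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;

public class DnParsingDemo {

    // Naive approach: split on ',' and '='. Escaped or quoted commas cut a value in two,
    // and attribute-type case differences make lookups miss.
    static Map<String, String> naiveParse(String dn) {
        Map<String, String> attrs = new HashMap<>();
        for (String part : dn.split(",")) {
            String[] kv = part.trim().split("=");
            // Length check: a fragment without '=' would otherwise index past the array.
            attrs.put(kv[0], kv.length > 1 ? kv[1] : null);
        }
        return attrs;
    }

    // RFC 2253-aware: normalize with CANONICAL, then let LdapName handle the escaping.
    static String canonicalCn(X500Principal subject) throws InvalidNameException {
        LdapName name = new LdapName(subject.getName(X500Principal.CANONICAL));
        for (Rdn rdn : name.getRdns()) {
            if ("cn".equalsIgnoreCase(rdn.getType())) {
                return rdn.getValue().toString();
            }
        }
        return null; // no CN present: an authorization check should deny here
    }

    public static void main(String[] args) throws InvalidNameException {
        // Constructed sample DNs: escaped comma, quoted value, lower-case attribute types.
        String[] samples = {
            "CN=Smith\\, John, OU=Grid, O=Example",
            "CN=\"Smith, John\",OU=Grid,O=Example",
            "cn=smith\\, john,ou=grid,o=example"
        };
        for (String dn : samples) {
            X500Principal p = new X500Principal(dn);
            System.out.println("input     : " + dn);
            System.out.println("naive CN  : " + naiveParse(dn).get("CN"));
            System.out.println("canonical : " + p.getName(X500Principal.CANONICAL));
            System.out.println("parsed CN : " + canonicalCn(p));
        }
    }
}
```

Comparing the `naive CN` and `parsed CN` lines shows why a policy file keyed on DN components should be matched against the canonical form rather than against substrings of the raw subject string.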
