Posted to common-issues@hadoop.apache.org by "Kihwal Lee (JIRA)" <ji...@apache.org> on 2019/08/15 20:06:00 UTC
[jira] [Commented] (HADOOP-16517) Allow optional mutual TLS in HttpServer2
[ https://issues.apache.org/jira/browse/HADOOP-16517?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16908445#comment-16908445 ]
Kihwal Lee commented on HADOOP-16517:
-------------------------------------
YARN's WebAppUtils#loadSslConfiguration() does not support this, so it will need to be modified as well.
> Allow optional mutual TLS in HttpServer2
> ----------------------------------------
>
> Key: HADOOP-16517
> URL: https://issues.apache.org/jira/browse/HADOOP-16517
> Project: Hadoop Common
> Issue Type: Improvement
> Reporter: Kihwal Lee
> Assignee: Kihwal Lee
> Priority: Major
> Attachments: HADOOP-16517.patch
>
>
> Currently the webservice can enforce mTLS by setting "dfs.client.https.need-auth" on the server side. (The config name is misleading, as it is actually a server-side config. It has been deprecated from the client config.) A Hadoop client can talk to an mTLS-enforced web service by setting "hadoop.ssl.require.client.cert" with proper SSL config.
> We have seen a use case where mTLS needs to be enabled optionally for only those clients who supply their cert. In a mixed environment like this, individual services may still enforce mTLS for a subset of endpoints by checking the existence of an x509 cert in the request.
>
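The per-endpoint check mentioned in the issue description, sketched as a servlet filter. This is an added example, not code from the issue, the attached patch, or Hadoop itself; the class name, the `protected.prefixes` init parameter and the sample prefixes are assumptions. It presumes the TLS listener requests a client certificate without requiring one (JSSE "want" rather than "need" client auth).

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter: demand a client certificate only under selected path prefixes. */
public class ClientCertRequiredFilter implements Filter {
  // Standard Servlet API attribute; set by the container only when the client
  // presented a certificate during the TLS handshake.
  private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
  private String[] protectedPrefixes = new String[0];

  @Override
  public void init(FilterConfig conf) {
    // Assumed init-param, comma-separated, no trailing slash: "/admin,/ws/v1/secure"
    String v = conf.getInitParameter("protected.prefixes");
    if (v != null && !v.trim().isEmpty()) {
      protectedPrefixes = v.trim().split("\\s*,\\s*");
    }
  }

  @Override
  public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
      throws IOException, ServletException {
    HttpServletRequest http = (HttpServletRequest) req;
    if (isProtected(http) && !hasClientCert(http)) {
      ((HttpServletResponse) resp).sendError(HttpServletResponse.SC_FORBIDDEN,
          "Client certificate required");
      return; // fail closed: never reach the protected handler without a cert
    }
    chain.doFilter(req, resp);
  }

  // True only when a non-empty X.509 chain is attached to the request.
  static boolean hasClientCert(HttpServletRequest req) {
    Object chain = req.getAttribute(CERT_ATTR);
    return chain instanceof X509Certificate[] && ((X509Certificate[]) chain).length > 0;
  }

  // Match on the container-decoded path, not the raw request URI, so that
  // encoded or dot-segment variants of a protected path are not missed.
  private boolean isProtected(HttpServletRequest req) {
    String path = req.getServletPath() + (req.getPathInfo() == null ? "" : req.getPathInfo());
    for (String p : protectedPrefixes) {
      if (path.equals(p) || path.startsWith(p + "/")) return true;
    }
    return false;
  }

  @Override public void destroy() { }
}
```

Presence of a certificate only shows that the TLS layer accepted the chain; mapping the subject to an authorized principal is a separate step for the service.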