Posted to common-commits@hadoop.apache.org by jz...@apache.org on 2017/05/19 01:06:47 UTC

[2/2] hadoop git commit: HDFS-11579. Make HttpFS Tomcat SSL property sslEnabledProtocols and clientAuth configurable. Contributed by John Zhuge.

HDFS-11579. Make HttpFS Tomcat SSL property sslEnabledProtocols and clientAuth configurable. Contributed by John Zhuge.


Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo
Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/85f7b7e8
Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/85f7b7e8
Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/85f7b7e8

Branch: refs/heads/branch-2
Commit: 85f7b7e8e4cfebf53b05f1ee89bb4180be965f95
Parents: 145d716
Author: John Zhuge <jz...@apache.org>
Authored: Wed May 17 22:59:48 2017 -0700
Committer: John Zhuge <jz...@apache.org>
Committed: Thu May 18 18:04:05 2017 -0700

----------------------------------------------------------------------
 .../hadoop-hdfs-httpfs/src/main/conf/httpfs-env.sh    | 13 +++++++++++++
 .../src/main/libexec/httpfs-config.sh                 | 14 ++++++++++++++
 .../hadoop-hdfs-httpfs/src/main/sbin/httpfs.sh        |  3 +++
 .../hadoop-hdfs-httpfs/src/main/tomcat/ssl-server.xml |  3 ++-
 .../src/site/markdown/ServerSetup.md.vm               | 14 +++++++++++---
 5 files changed, 43 insertions(+), 4 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/hadoop/blob/85f7b7e8/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/conf/httpfs-env.sh
----------------------------------------------------------------------
diff --git a/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/conf/httpfs-env.sh b/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/conf/httpfs-env.sh
index 48be812..d0b5069 100644
--- a/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/conf/httpfs-env.sh
+++ b/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/conf/httpfs-env.sh
@@ -44,6 +44,19 @@
 #
 # export HTTPFS_SSL_ENABLED=false
 
+# Set to 'true' if you want the SSL stack to require a valid certificate chain
+# from the client before accepting a connection. Set to 'want' if you want the
+# SSL stack to request a client Certificate, but not fail if one isn't
+# presented. A 'false' value (which is the default) will not require a
+# certificate chain unless the client requests a resource protected by a
+# security constraint that uses CLIENT-CERT authentication.
+#
+# export HTTPFS_SSL_CLIENT_AUTH=false
+
+# The comma separated list of SSL protocols to support
+#
+# export HTTPFS_SSL_ENABLED_PROTOCOLS="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello"
+
 # The comma separated list of encryption ciphers for SSL
 #
 # export HTTPFS_SSL_CIPHERS=
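Review bot: The default protocol list in the new HTTPFS_SSL_ENABLED_PROTOCOLS comment is repeated verbatim in httpfs-config.sh and ServerSetup.md.vm with nothing tying the three copies together, and the comment does not say why pre-TLSv1.2 entries are part of the default, whereas the ciphers section of ServerSetup.md.vm does explain its weaker defaults with "to support some old SSL clients". I would extend the comment to `# The comma separated list of SSL protocols to support. The default (set in httpfs-config.sh) keeps TLSv1, TLSv1.1 and SSLv2Hello for older clients; set this to "TLSv1.2" when those clients are not needed.` so an operator editing this file knows where the effective default lives and what the trade-off is. The HTTPFS_SSL_CLIENT_AUTH comment above it is already self-contained and needs no change.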

http://git-wip-us.apache.org/repos/asf/hadoop/blob/85f7b7e8/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/libexec/httpfs-config.sh
----------------------------------------------------------------------
diff --git a/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/libexec/httpfs-config.sh b/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/libexec/httpfs-config.sh
index 0f5c25e..91bda4e 100644
--- a/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/libexec/httpfs-config.sh
+++ b/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/libexec/httpfs-config.sh
@@ -156,6 +156,20 @@ else
   print "Using   HTTPFS_SSL_ENABLED: ${HTTPFS_SSL_ENABLED}"
 fi
 
+if [ "${HTTPFS_SSL_CLIENT_AUTH}" = "" ]; then
+  export HTTPFS_SSL_CLIENT_AUTH="false"
+  print "Setting HTTPFS_SSL_CLIENT_AUTH: ${HTTPFS_SSL_CLIENT_AUTH}"
+else
+  print "Using   HTTPFS_SSL_CLIENT_AUTH: ${HTTPFS_SSL_CLIENT_AUTH}"
+fi
+
+if [ "${HTTPFS_SSL_ENABLED_PROTOCOLS}" = "" ]; then
+  export HTTPFS_SSL_ENABLED_PROTOCOLS="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello"
+  print "Setting HTTPFS_SSL_ENABLED_PROTOCOLS: ${HTTPFS_SSL_ENABLED_PROTOCOLS}"
+else
+  print "Using   HTTPFS_SSL_ENABLED_PROTOCOLS: ${HTTPFS_SSL_ENABLED_PROTOCOLS}"
+fi
+
 if [ "${HTTPFS_SSL_CIPHERS}" = "" ]; then
   export HTTPFS_SSL_CIPHERS="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
   HTTPFS_SSL_CIPHERS+=",TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
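Review bot: The new HTTPFS_SSL_CLIENT_AUTH block only substitutes a default for the empty string and passes any other value straight through to Tomcat's clientAuth attribute, so a misspelling such as `ture` (constructed example) is not caught at startup and its effect is left to the connector. Since the accepted values (`true`, `want`, `false`) are spelled out in the httpfs-env.sh comment of this commit, a `case` check after the default is applied would fail fast with a clear message. The HTTPFS_SSL_ENABLED_PROTOCOLS block below it has the same shape, but the valid protocol names depend on the JSSE provider, so only the existing empty-string handling is realistic there. The `print` helper used here is defined outside this hunk; if the file has an error-reporting variant, use it in place of the `print`/`exit 1` pair below.
```shell
# … unchanged: HTTPFS_SSL_CLIENT_AUTH default / print block …
case "${HTTPFS_SSL_CLIENT_AUTH}" in
  true|want|false) ;;
  *)
    print "ERROR: HTTPFS_SSL_CLIENT_AUTH must be 'true', 'want' or 'false' (got '${HTTPFS_SSL_CLIENT_AUTH}')"
    exit 1
    ;;
esac
# … unchanged: HTTPFS_SSL_ENABLED_PROTOCOLS block …
```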

http://git-wip-us.apache.org/repos/asf/hadoop/blob/85f7b7e8/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/sbin/httpfs.sh
----------------------------------------------------------------------
diff --git a/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/sbin/httpfs.sh b/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/sbin/httpfs.sh
index e6b1f35..75b398e 100644
--- a/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/sbin/httpfs.sh
+++ b/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/sbin/httpfs.sh
@@ -68,6 +68,9 @@ if [[ "${1}" = "start" || "${1}" = "run" ]]; then
   catalina_set_property "httpfs.http.port" "${HTTPFS_HTTP_PORT}"
   catalina_set_property "httpfs.http.hostname" "${HTTPFS_HTTP_HOSTNAME}"
   catalina_set_property "httpfs.ssl.enabled" "${HTTPFS_SSL_ENABLED}"
+  catalina_set_property "httpfs.ssl.client.auth" "${HTTPFS_SSL_CLIENT_AUTH}"
+  catalina_set_property "httpfs.ssl.enabled.protocols" \
+    "${HTTPFS_SSL_ENABLED_PROTOCOLS}"
   catalina_set_property "httpfs.ssl.ciphers" "${HTTPFS_SSL_CIPHERS}"
   catalina_set_property "httpfs.ssl.keystore.file" \
     "${HTTPFS_SSL_KEYSTORE_FILE}"

http://git-wip-us.apache.org/repos/asf/hadoop/blob/85f7b7e8/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/tomcat/ssl-server.xml
----------------------------------------------------------------------
diff --git a/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/tomcat/ssl-server.xml b/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/tomcat/ssl-server.xml
index 021accf..408d4e3 100644
--- a/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/tomcat/ssl-server.xml
+++ b/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/tomcat/ssl-server.xml
@@ -71,7 +71,8 @@
     <Connector port="${httpfs.http.port}" protocol="HTTP/1.1" SSLEnabled="true"
                maxThreads="150" scheme="https" secure="true"
                maxHttpHeaderSize="${httpfs.max.http.header.size}"
-               clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello"
+               clientAuth="${httpfs.ssl.client.auth}"
+               sslEnabledProtocols="${httpfs.ssl.enabled.protocols}"
                ciphers="${httpfs.ssl.ciphers}"
                keystoreFile="${httpfs.ssl.keystore.file}"
                keystorePass="${httpfs.ssl.keystore.pass}"/>
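Review bot: The Connector now takes clientAuth and sslEnabledProtocols from `${httpfs.ssl.client.auth}` and `${httpfs.ssl.enabled.protocols}`, and like the existing ciphers and keystore placeholders these are only meaningful when the server is started through sbin/httpfs.sh, which sets them from HTTPFS_SSL_CLIENT_AUTH and HTTPFS_SSL_ENABLED_PROTOCOLS; nothing in this template records that dependency now that the hard-coded values are gone. Consider an XML comment above the Connector, e.g. `<!-- clientAuth, sslEnabledProtocols, ciphers and keystore* are filled in by sbin/httpfs.sh from the HTTPFS_SSL_* environment; defaults live in libexec/httpfs-config.sh -->`, so a reader of this file alone can find where the effective values (clientAuth false, protocols TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello) come from. The Connector element itself begins and ends inside the hunk, so the comment can be placed directly before line 71 of the file.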

http://git-wip-us.apache.org/repos/asf/hadoop/blob/85f7b7e8/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/site/markdown/ServerSetup.md.vm
----------------------------------------------------------------------
diff --git a/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/site/markdown/ServerSetup.md.vm b/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/site/markdown/ServerSetup.md.vm
index 671ef2c..35c3822 100644
--- a/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/site/markdown/ServerSetup.md.vm
+++ b/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/site/markdown/ServerSetup.md.vm
@@ -120,8 +120,16 @@ Start HttpFS. It should work over HTTPS.
 
 Using the Hadoop `FileSystem` API or the Hadoop FS shell, use the `swebhdfs://` scheme. Make sure the JVM is picking up the truststore containing the public key of the SSL certificate if using a self-signed certificate.
 
+Set environment variable `HTTPFS_SSL_CLIENT_AUTH` to change client
+authentication. The default is `false`. See `clientAuth` in
+[Tomcat 6.0 SSL Support](https://tomcat.apache.org/tomcat-6.0-doc/config/http.html#SSL_Support).
+
+Set environment variable `HTTPFS_SSL_ENABLED_PROTOCOLS` to specify a list of
+enabled SSL protocols. The default list includes `TLSv1`, `TLSv1.1`,
+`TLSv1.2`, and `SSLv2Hello`. See `sslEnabledProtocols` in
+[Tomcat 6.0 SSL Support](https://tomcat.apache.org/tomcat-6.0-doc/config/http.html#SSL_Support).
+
 In order to support some old SSL clients, the default encryption ciphers
 include a few relatively weaker ciphers. Set environment variable
-`HTTPFS_SSL_CIPHERS` or property `httpfs.ssl.ciphers` to override. The value
-is a comma separated list of ciphers documented in this
-[Tomcat Wiki](https://wiki.apache.org/tomcat/Security/Ciphers).
\ No newline at end of file
+`HTTPFS_SSL_CIPHERS` to override. The value is a comma separated list of
+ciphers in [Tomcat Wiki](https://wiki.apache.org/tomcat/Security/Ciphers).
\ No newline at end of file

