You are viewing a plain text version of this content. The canonical link for it is here.
Posted to common-dev@hadoop.apache.org by "Erik Krogen (JIRA)" <ji...@apache.org> on 2019/04/10 18:14:00 UTC
[jira] [Created] (HADOOP-16245) Enabling SSL within
LdapGroupsMapping can break system SSL configs
Erik Krogen created HADOOP-16245:
------------------------------------
Summary: Enabling SSL within LdapGroupsMapping can break system SSL configs
Key: HADOOP-16245
URL: https://issues.apache.org/jira/browse/HADOOP-16245
Project: Hadoop Common
Issue Type: Bug
Components: common, security
Affects Versions: 3.0.3, 3.1.1, 2.7.6, 2.8.4, 2.9.1
Reporter: Erik Krogen
Assignee: Erik Krogen
When debugging an issue where one of our server components was unable to communicate with other components via SSL, we realized that LdapGroupsMapping sets its SSL configurations globally, rather than scoping them to the HTTP clients it creates.
{code:title=LdapGroupsMapping}
DirContext getDirContext() throws NamingException {
if (ctx == null) {
// Set up the initial environment for LDAP connectivity
Hashtable<String, String> env = new Hashtable<String, String>();
env.put(Context.INITIAL_CONTEXT_FACTORY,
com.sun.jndi.ldap.LdapCtxFactory.class.getName());
env.put(Context.PROVIDER_URL, ldapUrl);
env.put(Context.SECURITY_AUTHENTICATION, "simple");
// Set up SSL security, if necessary
if (useSsl) {
env.put(Context.SECURITY_PROTOCOL, "ssl");
if (!keystore.isEmpty()) {
System.setProperty("javax.net.ssl.keyStore", keystore);
}
if (!keystorePass.isEmpty()) {
System.setProperty("javax.net.ssl.keyStorePassword", keystorePass);
}
if (!truststore.isEmpty()) {
System.setProperty("javax.net.ssl.trustStore", truststore);
}
if (!truststorePass.isEmpty()) {
System.setProperty("javax.net.ssl.trustStorePassword",
truststorePass);
}
}
env.put(Context.SECURITY_PRINCIPAL, bindUser);
env.put(Context.SECURITY_CREDENTIALS, bindPassword);
env.put("com.sun.jndi.ldap.connect.timeout", conf.get(CONNECTION_TIMEOUT,
String.valueOf(CONNECTION_TIMEOUT_DEFAULT)));
env.put("com.sun.jndi.ldap.read.timeout", conf.get(READ_TIMEOUT,
String.valueOf(READ_TIMEOUT_DEFAULT)));
ctx = new InitialDirContext(env);
}
{code}
Notice the {{System.setProperty()}} calls, which will change settings JVM-wide. This causes issues for other SSL clients, which may rely on the default JVM truststore being used. This behavior was initially introduced by HADOOP-8121, and extended to include the truststore configurations in HADOOP-12862.
The correct approach is to use a mechanism which is scoped to the LDAP requests only. The right approach appears to be to use the {{java.naming.ldap.factory.socket}} parameter to set the socket factory to a custom SSL socket factory which correctly sets the key and trust store parameters. See an example [here|https://stackoverflow.com/a/4615497/4979203].
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: common-dev-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-dev-help@hadoop.apache.org