You are viewing a plain text version of this content. The canonical link for it is here.

Posted to mapreduce-issues@hadoop.apache.org by "Plamen Jeliazkov (JIRA)" <ji...@apache.org> on 2012/10/02 19:51:07 UTC

[jira] [Commented] (MAPREDUCE-4661) Add HTTPS for JobTracker and TaskTracker

    [ https://issues.apache.org/jira/browse/MAPREDUCE-4661?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13467900#comment-13467900 ] 

Plamen Jeliazkov commented on MAPREDUCE-4661:
---------------------------------------------

I am aware there is a patch in branch-2.
Namely, https://issues.apache.org/jira/browse/HADOOP-8581.

I guess I would like this back-ported in branch-1 as well; however there appears to be a lot of work that needs to be done to do so. Is it necessary to grab everything from this patch? Is a backport possible?
                
> Add HTTPS for JobTracker and TaskTracker
> ----------------------------------------
>
>                 Key: MAPREDUCE-4661
>                 URL: https://issues.apache.org/jira/browse/MAPREDUCE-4661
>             Project: Hadoop Map/Reduce
>          Issue Type: Improvement
>    Affects Versions: 1.0.0, 2.0.0-alpha
>            Reporter: Plamen Jeliazkov
>            Assignee: Plamen Jeliazkov
>         Attachments: MAPREDUCE-4461.patch
>
>
> In order to provide full security around the cluster, the webUI should also be secure if desired to prevent cookie theft and user masquerading. 
> Here is my proposed work. Currently I can only add HTTPS support. I do not know how to switch reliance of the HttpServer from HTTP to HTTPS fully.
> In order to facilitate this change I propose the following configuration additions:
> CONFIG PROPERTY -> DEFAULT VALUE
> mapred.https.enable -> false
> mapred.https.need.client.auth -> false
> mapred.https.server.keystore.resource -> "ssl-server.xml"
> mapred.job.tracker.https.port -> 50035
> mapred.job.tracker.https.address -> "<IP_ADDR>:50035"
> mapred.task.tracker.https.port -> 50065
> mapred.task.tracker.https.address -> "<IP_ADDR>:50065"
> I tested this on my local box after using keytool to generate a SSL certficate. You will need to change ssl-server.xml to point to the .keystore file after. Truststore may not be necessary; you can just point it to the keystore.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira