hadoop-common-issues mailing list archives

From "Wei-Chiu Chuang (JIRA)" <j...@apache.org>
Subject [jira] [Created] (HADOOP-12862) LDAP Group Mapping over SSL can not specify trust store
Date Tue, 01 Mar 2016 18:53:18 GMT
Wei-Chiu Chuang created HADOOP-12862:

             Summary: LDAP Group Mapping over SSL can not specify trust store
                 Key: HADOOP-12862
                 URL: https://issues.apache.org/jira/browse/HADOOP-12862
             Project: Hadoop Common
          Issue Type: Bug
            Reporter: Wei-Chiu Chuang

In a secure environment, SSL is used to encrypt LDAP requests for group mapping resolution.
We (+[~yoderme], +[~tgrayson]) have found that its implementation is strange.

For information, the Hadoop name node, as an LDAP client, talks to an LDAP server to resolve the
group mapping of a user. In the case of LDAP over SSL, a typical scenario is to establish
one-way authentication (the client verifies that the server's certificate is real) by storing the
server's certificate in the client's truststore.

A rarer scenario is to establish two-way authentication: in addition to storing a truststore for
the client to verify the server, the server also verifies that the client's certificate is real,
and the client stores its own certificate in its keystore.

However, the current implementation for LDAP over SSL does not seem to be correct in that
it only configures a keystore but no truststore (so the LDAP server can verify Hadoop's certificate,
but Hadoop may not be able to verify the LDAP server's certificate).

I think there should be an extra pair of properties to specify the truststore/password for the LDAP
server, and use that to configure the system properties {{javax.net.ssl.trustStore}}/{{javax.net.ssl.trustStorePassword}}.

I am a security layman so my words can be imprecise. But I hope this makes sense.

Oracle's SSL LDAP documentation: http://docs.oracle.com/javase/jndi/tutorial/ldap/security/ssl.html
JSSE reference guide: http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html
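As an added illustration (not code from this issue or from Hadoop), the following shows how an LDAPS client configures both JSSE stores so that one-way verification of the server works and the keystore is only needed for two-way authentication. The `ldap.ssl.*` configuration keys and the `LdapsEnv` class are assumptions, not Hadoop's real property names.

```java
import java.util.Hashtable;
import java.util.Map;
import javax.naming.Context;

/** Builds the JNDI environment for an LDAPS connection, configuring both JSSE stores. */
public class LdapsEnv {
    // Hypothetical configuration keys, not Hadoop's real property names.
    static final String KEYSTORE      = "ldap.ssl.keystore";
    static final String KEYSTORE_PW   = "ldap.ssl.keystore.password";
    static final String TRUSTSTORE    = "ldap.ssl.truststore";
    static final String TRUSTSTORE_PW = "ldap.ssl.truststore.password";

    /**
     * Applies the JSSE system properties read by the default SSLSocketFactory that JNDI uses.
     * One-way authentication needs only the truststore; the keystore is required only when
     * the LDAP server demands a client certificate (two-way authentication).
     */
    static void configureSsl(Map<String, String> conf) {
        String trustStore = conf.get(TRUSTSTORE);
        if (trustStore == null || trustStore.isEmpty()) {
            // This is the gap described in the issue: with no truststore configured the client
            // falls back to the JRE's default cacerts and cannot verify a server certificate
            // issued by a private CA. Failing fast here is a deliberate choice of this example.
            throw new IllegalArgumentException(TRUSTSTORE + " must be set for LDAP over SSL");
        }
        System.setProperty("javax.net.ssl.trustStore", trustStore);
        setIfPresent(conf, TRUSTSTORE_PW, "javax.net.ssl.trustStorePassword");
        // Optional: only needed for two-way (mutual) authentication.
        setIfPresent(conf, KEYSTORE, "javax.net.ssl.keyStore");
        setIfPresent(conf, KEYSTORE_PW, "javax.net.ssl.keyStorePassword");
    }

    private static void setIfPresent(Map<String, String> conf, String key, String sysProp) {
        String v = conf.get(key);
        if (v != null && !v.isEmpty()) System.setProperty(sysProp, v);
    }

    /** JNDI environment for an LDAP-over-SSL bind, as in Oracle's JNDI tutorial linked above. */
    static Hashtable<String, String> ldapsEnv(String url, String bindDn, String bindPw) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);            // e.g. ldaps://ldap.example.com:636 (constructed)
        env.put(Context.SECURITY_PROTOCOL, "ssl");     // LDAP over SSL/TLS
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, bindPw);
        return env;
    }
}
```

Call `configureSsl` before creating the `InitialDirContext`, since the default socket factory reads the `javax.net.ssl.*` properties when the first TLS connection is opened.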
